hi, i use fbsd 6.2-release/p5's pf + spamd v4.1.1 to manage port 25 traffic.
in my pf.conf, i've

    ...
    set require-order no
    ...
    nat on $extif from $intif:network to any -> ($extif)
    ...
    no rdr on $extif from <MXbl> to any tag MXbl
    block log quick tagged MXbl label "(MXbl)"
    ...
    rdr on $extif proto tcp from <MXwl> to $MXwan port 25 -> $MXlan port 25
    rdr pass on $extif proto tcp from <spamd> to ($extif) port 25 -> 127.0.0.1 port 8025
    rdr pass on $extif proto tcp from !<spamd-white> to ($extif) port 25 -> 127.0.0.1 port 8025
    rdr on $extif proto tcp from <spamd-white> to $MXwan port 25 -> $MXlan port 25
    ...
    pass in log quick on $extif proto tcp from { <MXwl>, <spamd-white> } to $MXlan port 25 keep-state
    pass out log quick on $extif proto tcp from any to any port 25 keep-state
    pass out log quick on $intif proto tcp from $MXlan to any port 25 keep-state
    ...

all works great!

in my spamd logs, i'm seeing lots of

    May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
    May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
    May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>

characterized by:

 (1) forged FROM: @hotmail.com
 (2) multiple connections per second from a given IP
 (3) 100% of the IPs are in Spamhaus PBL &/or CBL dnsbls; anything that _does_ sneak past the spamd stutter etc gets dropped anyway.

i'd LIKE to simply BLOCK, with NO logging, these noisy, [EMAIL PROTECTED] connections at the fw PRIOR to spamd ever seeing them.

iiuc, my options to do so include:

 (a) install a small SMTP server on the router to ONLY reject at CBL *prior* to passing on to spamd
 (b) use the same SMTP server to reject FROM: == [EMAIL PROTECTED]
 (c) DL/rsync the whole CBL into a local pf/spamd table
 (d) throttle # of connections / second, and add to pf block element if match/exceed

thoughts/comments on the 'best' approach?

thanks!
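One way to approach the last option (throttle connections per second and feed offenders into a pf table) from the spamd log rather than in the packet path. This is an added example, not code from the post or from spamd/pf: it parses (GREY)-style spamd lines of the shape shown above, flags source IPs that open more than a given number of connections inside a short sliding window, and emits the pfctl(8) commands that would add them to a table. The sample log lines are constructed (TEST-NET addresses and example.com/.net/.org mail), the table name spamd-flood and the year used to complete the syslog timestamps are assumptions, and the table would still need a `table <spamd-flood> persist` entry plus a block rule in pf.conf.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample spamd log (same shape as the (GREY) lines in the post;
# addresses are documentation/TEST-NET placeholders, not real senders).
SAMPLE_LOG = """\
May 31 09:29:27 edge6 spamd[416]: (GREY) 192.0.2.10: <a@example.com> -> <mx@example.net>
May 31 09:29:27 edge6 spamd[416]: (GREY) 192.0.2.10: <c@example.com> -> <mx@example.net>
May 31 09:29:27 edge6 spamd[416]: (GREY) 192.0.2.10: <d@example.com> -> <mx@example.net>
May 31 09:29:28 edge6 spamd[416]: (GREY) 192.0.2.10: <e@example.com> -> <mx@example.net>
May 31 09:29:30 edge6 spamd[416]: (GREY) 198.51.100.7: <f@example.org> -> <mx@example.net>
May 31 09:29:45 edge6 spamd[416]: (GREY) 198.51.100.7: <f@example.org> -> <mx@example.net>
May 31 09:30:01 edge6 spamd[416]: (WHITE) 203.0.113.5: <g@example.org> -> <mx@example.net>
May 31 09:30:02 edge6 spamd[416]: some other message shape that is skipped
"""

# Matches "<syslog ts> <host> spamd[pid]: (STATE) <ip>: <sender> -> <recipient>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ spamd\[\d+\]: "
    r"\((?P<state>[A-Z]+)\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>$"
)


def parse_spamd_log(text, year=2007):
    """Yield (timestamp, ip, sender, recipient) for each greylist-style line.

    syslog timestamps carry no year, so one is supplied (assumed 2007 here,
    matching the post's date). Lines in any other shape are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["sender"], m["rcpt"]


def burst_offenders(text, max_per_window=2, window_seconds=1, year=2007):
    """Return the sorted IPs that opened more than max_per_window connections
    within any span of window_seconds (sliding window over their timestamps)."""
    stamps_by_ip = defaultdict(list)
    for ts, ip, _, _ in parse_spamd_log(text, year):
        stamps_by_ip[ip].append(ts)

    offenders = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it covers at most window_seconds.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_per_window:
                offenders.add(ip)
                break
    return sorted(offenders)


def sender_domain_counts(text, year=2007):
    """Count envelope-sender domains, to see which ones the bursts claim to be from."""
    counts = Counter()
    for _, _, sender, _ in parse_spamd_log(text, year):
        if "@" in sender:
            counts[sender.rsplit("@", 1)[1].lower()] += 1
    return counts


def pfctl_commands(ips, table="spamd-flood"):
    """pfctl(8) invocations that add each offender to a pf table.

    The table name is an assumption; it must be declared in pf.conf
    (e.g. 'table <spamd-flood> persist') and referenced by a block rule.
    """
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]


if __name__ == "__main__":
    hits = burst_offenders(SAMPLE_LOG)
    print("burst offenders:", hits)
    print("sender domains:", dict(sender_domain_counts(SAMPLE_LOG)))
    for cmd in pfctl_commands(hits):
        print(cmd)
```

Run against a real spamd log, the script would typically be driven from cron with the window and threshold tuned to the site's legitimate retry behaviour; pf's own `max-src-conn-rate` with `overload <table>` (documented in pf.conf(5)) does the same counting in the packet path without any log parsing, at the cost of needing the stateful pass rule to sit on the redirected spamd destination.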
_______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"