> For those servicing larger networks such as universities' ResNets or
> campus networks, using a mandatory smarthost can be an excellent
> detection tool to see which users/stations need to end up in a
> quarantine.
> 
> Granted, the largest customer base for this sort of thing are likely
> to be Windows users. A few exception lists (for those capable
> administrators running valid mail servers that push a lot of traffic)
> should keep the Unix folks happy.
> 

        Speaking as someone who does this, for the truly big university
there are a lot of clueless idiots, and even the mandatory smarthost is
a bit of a pita because you have to explain it so many times to so many  

        Far better (because it covers more than just port 25) for this
is to use pf and the overload table feature, then you conveniently
redirect the idiots to a web page telling them to get help removing
the virus or cease their portscanning activity.

i.e. something like

ext_if=em1
int_if=em0	# assumed value: the original post uses $int_if below without defining it
BOZO_NET=129.128.11.0/24
SERVERS = {129.128.11.10, 129.128.11.43}

# use dhcpd -C BONED to give out BOZO_NET addresses on this machine...
table <BONED> persist

# web server running on port 80 returns an error page for everything that
# is a nice html page of "Your machine has a virus, go here to get help"
rdr pass on $int_if inet proto tcp from <BONED> to any port 80 -> 127.0.0.1 port 80

pass out quick on $ext_if inet from $SERVERS to any keep state
block out quick on $ext_if from <BONED> to any
block out on $ext_if from $BOZO_NET to any
pass on $ext_if proto icmp from $BOZO_NET to any icmp-type 8 code 0 keep state
pass out on $ext_if proto udp from $BOZO_NET to any port domain keep state
# more than 60 new connections in 10 seconds from one source -> into <BONED>,
# and every existing state from that source is flushed
pass out on $ext_if proto tcp from $BOZO_NET to any flags S/SA keep state \
	(max-src-states 100, max-src-conn-rate 60/10, overload <BONED> flush global)
# much tighter limit for Windows boxes talking SMTP (keep state is required
# before the state options)
pass out on $ext_if proto tcp from $BOZO_NET os "Windows" to any port smtp \
	flags S/SA keep state \
	(max-src-states 5, max-src-conn-rate 10/10, overload <BONED> flush global)


and so on. Adjust the example for authpf, incoming filter rules, etc. etc.

        -Bob
--
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}
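An added illustration, not part of Bob's post and not pf code, of how the two max-src-conn-rate thresholds in the ruleset above sort hosts into the <BONED> table: a small Python simulation run over constructed connection records. The records, the 10.0.0.x addresses and the rule names "general" and "smtp" are assumptions made for this example; real pf counts new states in the kernel, applies only the last matching rule to each connection (mirrored here by routing port 25 to the stricter rule), and also enforces max-src-states, which is not simulated.

```python
"""Simulate pf's max-src-conn-rate overload decision over constructed connection records."""
from collections import defaultdict, deque

# Thresholds copied from the two overload rules in the post: (connections, seconds).
# pf marks a source once it opens MORE than `connections` new states within `seconds`.
LIMITS = {
    "general": (60, 10),   # pass out ... proto tcp ... max-src-conn-rate 60/10
    "smtp": (10, 10),      # pass out ... port smtp ... max-src-conn-rate 10/10
}

# Constructed sample: (timestamp_seconds, source_ip, dest_port). Not real traffic.
SAMPLE_CONNECTIONS = (
    # 10.0.0.5: ordinary browsing, six connections spread over a minute
    [(t, "10.0.0.5", 80) for t in range(0, 60, 10)]
    # 10.0.0.7: worm-style scan, 70 SYNs to port 445 in about five seconds
    + [(20 + i * 0.07, "10.0.0.7", 445) for i in range(70)]
    # 10.0.0.9: spam bot, 12 SMTP connections in under four seconds
    # (well under the general limit, over the smtp one)
    + [(30 + i * 0.3, "10.0.0.9", 25) for i in range(12)]
    # 10.0.0.8: exactly 60 HTTPS connections in six seconds, i.e. at the limit, not over it
    + [(100 + i * 0.1, "10.0.0.8", 443) for i in range(60)]
)


def rule_for(port):
    """Mirror pf's last-match semantics: port 25 is governed by the later, stricter
    smtp rule, every other TCP port by the general rule."""
    return "smtp" if port == 25 else "general"


def overloaded_sources(connections, limits=LIMITS):
    """Return {source_ip: rule_name} for each source that would be put in <BONED>.

    A sliding window of timestamps is kept per (source, rule); when the window
    holds more than the rule's connection count, the source is flagged, after
    which its later connections are ignored (pf would be blocking them).
    """
    windows = defaultdict(deque)
    flagged = {}
    for ts, src, port in sorted(connections):
        if src in flagged:
            continue
        rule = rule_for(port)
        count, seconds = limits[rule]
        win = windows[(src, rule)]
        win.append(ts)
        # drop timestamps older than the rule's interval
        while ts - win[0] > seconds:
            win.popleft()
        if len(win) > count:
            flagged[src] = rule
    return flagged


if __name__ == "__main__":
    for ip, rule in sorted(overloaded_sources(SAMPLE_CONNECTIONS).items()):
        print(f"{ip} -> <BONED> (tripped {rule} rule)")
```

The borderline host 10.0.0.8 is there on purpose: pf's check is strictly greater-than, so a source that opens exactly the configured number of connections in the interval is not overloaded, which matters when tuning the numbers for a ResNet where a single busy web page can open dozens of connections.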
