On Fri, 2009-05-22 at 18:06 +1000, Barney Desmond wrote:
> 2009/5/22 Ralf Hildebrandt <ralf.hildebra...@charite.de>:
> >> 2. Rate/Anti DNS control
> >> a. If IP X is seen more than 50 times in 30 minutes block it.
> >
> > Postfix can do that using anvil
>
> I'd just like to add to that; the answer here on the list is almost
> always, "ANVIL IS NOT FOR DOING THAT" (whatever you think you can use
> it for).
> Which kind of begs the question what is it for? :-)
The appliance I took apart had a nice rate control feature. The crux of it was the ability to set a connection limit on a per-IP basis in 30 minutes. You could *NOT* change this time window, but could change the limit thus: 50 connections in 30 minutes, 60 connections in 30 minutes ... 200 connections in 30 minutes, etc.

What it would do is something like this: connection 51 comes in, it defers with a 45x error (temp) and starts a new timer. If that IP presents another '50' connections in the new window of 30 minutes - say connections 51-101 - they will also be given 45x errors. If connection 102 falls inside this period, it then starts giving 55x errors to that IP. It will reset when it sees nothing from that IP in 30 minutes.

It's very useful - but I suspect there is a better way to do this with iptables. It's a UCE/protection feature at the end of the day - not an MTA feature.
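The escalating limiter described in the message above, written out as a small Python model so the stages can be traced against the numbers in the post (50 accepted, 51-101 deferred, 102 rejected, reset after 30 idle minutes). This is an added illustration, not code from the appliance, from Postfix or from anvil. The class and function names, the response codes 250/450/550 standing in for "accept", "45x" and "55x", and the sample connection list are all constructed here; where the post does not say what happens (a deferral window that lapses before the 55x stage is reached, the counting window expiring while the IP is still active) the behaviour chosen is marked as an assumption in the comments.

```python
"""Model of the escalating per-IP connection limiter described in the post.

Fixed 30-minute window, configurable limit, a 45x stage, a 55x stage and a
reset after 30 idle minutes.  Stand-alone illustration, not appliance or
Postfix code; names, codes and sample data are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

WINDOW = 30 * 60  # seconds; the post says this cannot be changed

ACCEPT, DEFER, REJECT = 250, 450, 550  # stand-ins for accept / 45x / 55x


@dataclass
class IpState:
    stage: int = 0            # 0 = counting, 1 = deferring (45x), 2 = rejecting (55x)
    count: int = 0            # connections seen in the current window
    window_start: float = 0.0
    last_seen: float = 0.0


class RateLimiter:
    def __init__(self, limit: int = 50):
        self.limit = limit
        self.states: dict[str, IpState] = {}

    def connect(self, ip: str, now: float) -> int:
        """Register one connection attempt from `ip` at time `now` (seconds)."""
        st = self.states.get(ip)
        # Reset when the IP has been silent for a full window, whatever the stage.
        if st is None or now - st.last_seen >= WINDOW:
            st = IpState(window_start=now)
            self.states[ip] = st
        st.last_seen = now

        if st.stage == 0:
            # Assumption: the counting window is fixed and restarts when it expires.
            if now - st.window_start >= WINDOW:
                st.window_start, st.count = now, 0
            st.count += 1
            if st.count <= self.limit:
                return ACCEPT
            # Connection limit+1 (51 in the post): defer and start a new timer.
            st.stage, st.window_start, st.count = 1, now, 1
            return DEFER

        if st.stage == 1:
            if now - st.window_start >= WINDOW:
                # Assumption: a deferral window that lapses falls back to counting.
                st.stage, st.window_start, st.count = 0, now, 1
                return ACCEPT
            st.count += 1
            # Post's numbering: connections 51..101 (limit+1 of them) get 45x,
            # connection 102 is the first to get 55x.
            if st.count <= self.limit + 1:
                return DEFER
            st.stage = 2
            return REJECT

        return REJECT  # stage 2 persists until the IP is idle for WINDOW


def simulate(events: list[tuple[float, str]], limit: int = 50) -> list[int]:
    """Feed (seconds, ip) events in time order; return one response code per event."""
    rl = RateLimiter(limit)
    return [rl.connect(ip, t) for t, ip in events]


def burst_example() -> list[int]:
    """Constructed sample: one IP opens 102 connections one second apart, a
    second IP connects twice in the middle, and the first IP returns after
    being idle for 31 minutes."""
    events: list[tuple[float, str]] = [(float(t), "192.0.2.10") for t in range(102)]
    events[60:60] = [(59.5, "198.51.100.7"), (59.6, "198.51.100.7")]
    events.append((102.0 + 31 * 60, "192.0.2.10"))
    return simulate(events)


if __name__ == "__main__":
    for i, code in enumerate(burst_example()):
        print(i, code)
```

Run it and the trace shows the three stages in order; with the limit raised to 200 the same events never leave stage 0, which is the only knob the post says the appliance exposed.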