Stan Hoeppner wrote:
brian put forth on 5/26/2010 8:28 PM:
On 10-05-26 09:03 PM, Stan Hoeppner wrote:
brian put forth on 5/26/2010 1:53 PM:
FWIW, aside from aliases for the usual postmaster, abuse, and webmaster
addresses, this domain has just 2 actual addresses to be maintained. So,
might a whitelist approach be the way to go? Or, is this something I
should leave to iptables/fail2ban?
Care to share some of the spammer IP address info? Is this botnet traffic or
snowshoe? If snowshoe, I might be able to provide you with a complete list of
netblocks to blacklist, solving your problem with a simple edit or two.
Here you go:
http://pastebin.com/DMgZsNCc
I dunno about snowshoe. That was the first I'd seen the term. But it
looks like it could be, as I understand it. I'm really not knowledgeable
enough to say.
I checked out a sampling of those IPs. They're a combination of bot and
snowshoe, mostly bot. Typical spam stream, but apparently at a higher rate
than what your VPS can effectively handle via standard Postfix smtpd
restrictions. As others have stated, Postscreen should be a big help to you
given that most of this is bot spam--exactly what Postscreen was designed to
address.
How does rate limiting work in conjunction with postscreen? Can the
various rate limits be applied to postscreen or would rate limiting no
longer be necessary? I run in a vmware virtual machine which used to
fall on its knees from both bot and snowshoe attacks and since I added
the rate limits that I previously posted, I haven't had any major
problems (been running with the rate limits for several years). I often
see attacks like the one below where it will log these rate limit
exceeded messages over the course of several minutes before the
attackers go away. And yes, I do see attacks that come from multiple IPs.
May 26 15:55:42 aspen postfix/smtpd[19600]: warning: Connection rate limit exceeded: 22 from 74-218-134-95.pool.ukrtel.net[95.134.218.74] for service smtp
May 26 15:55:42 aspen postfix/smtpd[19600]: disconnect from 74-218-134-95.pool.ukrtel.net[95.134.218.74]
May 26 15:55:42 aspen postfix/smtpd[17267]: connect from 74-218-134-95.pool.ukrtel.net[95.134.218.74]
May 26 15:55:42 aspen postfix/smtpd[17267]: warning: Connection rate limit exceeded: 23 from 74-218-134-95.pool.ukrtel.net[95.134.218.74] for service smtp
May 26 15:55:42 aspen postfix/smtpd[17267]: disconnect from 74-218-134-95.pool.ukrtel.net[95.134.218.74]
May 26 15:56:17 aspen postfix/smtpd[21694]: connect from 114-26-181-192.dynamic.hinet.net[114.26.181.192]
Nataraj
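Added example, not posted by anyone in this thread: a small Python summariser for the anvil "Connection rate limit exceeded" warnings quoted above, aggregating per client IP so a client that keeps tripping the limit over several minutes stands out from one-off connects. The sample log lines are constructed from the excerpt in the message above; the hostnames and IPs are the ones it shows.

```python
import re
from collections import defaultdict

# Constructed sample, following the smtpd/anvil log format quoted in the thread.
SAMPLE_LOG = """\
May 26 15:55:42 aspen postfix/smtpd[19600]: warning: Connection rate limit exceeded: 22 from 74-218-134-95.pool.ukrtel.net[95.134.218.74] for service smtp
May 26 15:55:42 aspen postfix/smtpd[19600]: disconnect from 74-218-134-95.pool.ukrtel.net[95.134.218.74]
May 26 15:55:42 aspen postfix/smtpd[17267]: connect from 74-218-134-95.pool.ukrtel.net[95.134.218.74]
May 26 15:55:42 aspen postfix/smtpd[17267]: warning: Connection rate limit exceeded: 23 from 74-218-134-95.pool.ukrtel.net[95.134.218.74] for service smtp
May 26 15:55:42 aspen postfix/smtpd[17267]: disconnect from 74-218-134-95.pool.ukrtel.net[95.134.218.74]
May 26 15:56:17 aspen postfix/smtpd[21694]: connect from 114-26-181-192.dynamic.hinet.net[114.26.181.192]
"""

# anvil reports both the per-client rate limit and the concurrency limit with
# the same shape: "Connection <kind> limit exceeded: N from host[ip] for service X".
LIMIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: Connection (?P<kind>rate|concurrency) limit exceeded: (?P<n>\d+) "
    r"from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\] for service (?P<svc>\S+)$"
)
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]$")

def summarize(log_text):
    """Per client IP: number of limit warnings, the highest count anvil reported,
    plain connects, and the first/last timestamp of a warning."""
    out = defaultdict(lambda: {"events": 0, "peak": 0, "connects": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LIMIT_RE.match(line)
        if m:
            rec = out[m["ip"]]
            rec["events"] += 1
            rec["peak"] = max(rec["peak"], int(m["n"]))
            rec["first"] = rec["first"] or m["ts"]
            rec["last"] = m["ts"]
            continue
        c = CONNECT_RE.search(line)
        if c:
            out[c["ip"]]["connects"] += 1
    return dict(out)

def offenders(summary, min_events=1):
    """IPs that tripped a limit at least min_events times, highest peak first."""
    hits = [(ip, r) for ip, r in summary.items() if r["events"] >= min_events]
    return [ip for ip, r in sorted(hits, key=lambda kv: (-kv[1]["peak"], kv[0]))]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip in offenders(s):
        r = s[ip]
        print(f"{ip}: {r['events']} limit warnings, peak {r['peak']}, {r['first']} .. {r['last']}")
```

Feed it the real mail log instead of SAMPLE_LOG to see which clients are hitting the rate limit repeatedly, which is the population postscreen's pre-greet checks are meant to turn away before smtpd is involved.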