On 8/26/2012 11:49 PM, li...@sbt.net.au wrote:
> On Mon, August 27, 2012 6:27 am, Reindl Harald wrote:
>
>>> Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection rate
>>> 15/1800s for (smtp:27.115.112.50) at Aug 27 05:59:14
>>> Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection count 1
>>> for (smtp:27.115.112.50) at Aug 27 05:50:26 Aug 27 06:00:03
>>> postfix/anvil[4396]: statistics: max cache size 51 at Aug
>>> 27 05:59:47
>>>
>>
>> why do you not read what you post?
>>
>> ONE connection from 27.115.112.50
>> where do you see excess?
>
> Reindl, thanks
>
> sorry, doesn't this mean to warn me of 'high-er' connect rates: 15/1800s ?
>
> "max connection rate 15/1800s "

15 connections in 30 minutes hardly constitutes an attack. Most likely just a broken spam-bot.

Reasonable choices are:

1) just ignore it. A few extra one-at-a-time connections are unlikely to have any noticeable effect on postfix. Eventually the client will stop trying.

2) block the IP via firewall or null-route. Understand that blocking them is more about not seeing this in your logs, and less about protecting your system. Postfix doesn't really care.

> so what do I look for in anvil output ?

The anvil "statistics:" log entries show the peak rate during the last $anvil_status_update_time. Look for numbers *far* greater than normal. "Normal" will vary by site and mail load. Low-volume sites may benefit from a higher anvil_status_update_time instead of the default 10m, to reduce the noise in the log.

Also look for log entries containing "limit exceeded:", which indicates anvil throttled the client. Note these messages don't necessarily indicate abuse, rather it could be that client has a lot of legit mail to deliver, and/or your limits are set too low. If you frequently see these from legit clients, raise your limits.

--
Noel Jones
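
An added example, not part of the original message: a small log triage that applies the advice above, flagging anvil "statistics:" peaks far above a site baseline and any line containing "limit exceeded:". The baseline values, the factor of 10, the 192.0.2.10 lines and the exact wording of the "limit exceeded:" line are assumptions made for illustration.

```python
import re

# Constructed sample lines. The "statistics:" format follows the lines quoted in
# the thread; the 192.0.2.10 entries and the "limit exceeded:" wording are made up.
SAMPLE_LOG = """\
Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection rate 15/1800s for (smtp:27.115.112.50) at Aug 27 05:59:14
Aug 27 06:00:03 postfix/anvil[4396]: statistics: max connection count 1 for (smtp:27.115.112.50) at Aug 27 05:50:26
Aug 27 06:00:03 postfix/anvil[4396]: statistics: max cache size 51 at Aug 27 05:59:47
Aug 27 06:05:02 postfix/smtpd[4410]: warning: Connection rate limit exceeded: 901 from unknown[192.0.2.10] for service smtp
Aug 27 06:10:03 postfix/anvil[4396]: statistics: max connection rate 900/1800s for (smtp:192.0.2.10) at Aug 27 06:05:01
"""

# Per-client peaks look like "max <kind> N[/<window>s] for (<service>:<client>)".
# The "max cache size" line has no client part and is skipped by this pattern.
STAT_RE = re.compile(
    r"postfix/anvil\[\d+\]: statistics: max (?P<kind>[a-z ]+?) (?P<n>\d+)"
    r"(?:/(?P<window>\d+)s)? for \((?P<service>[^:]+):(?P<client>[^)]+)\)"
)


def review_anvil(log_text, baseline, factor=10):
    """Return (reason, detail, value) tuples for entries worth a second look.

    baseline: site-specific "normal" peaks (assumed values); rates are per minute.
    factor:   how far above normal counts as "far greater than normal".
    """
    findings = []
    for line in log_text.splitlines():
        if "limit exceeded:" in line:
            # A client was throttled: possible abuse, or limits set too low.
            findings.append(("throttled", line.partition(": ")[2] or line, None))
            continue
        m = STAT_RE.search(line)
        if not m or m["kind"] not in baseline:
            continue
        value = int(m["n"])
        if m["window"]:
            # Normalise N/<window>s to a per-minute rate so different
            # rate time units compare against the same baseline.
            value = value * 60 / int(m["window"])
        if value > baseline[m["kind"]] * factor:
            findings.append((m["kind"], m["client"], value))
    return findings


if __name__ == "__main__":
    for finding in review_anvil(SAMPLE_LOG, {"connection rate": 1.0, "connection count": 3}):
        print(finding)
```

With these assumed baselines, the 15/1800s entry from the thread works out to 0.5 connections per minute and is not flagged.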