On 06.01.2014 16:43, Roland Plüss wrote:
>
> On 01/06/2014 04:32 PM, li...@rhsoft.net wrote:
>>
>> On 06.01.2014 16:29, Robert Schetterer wrote:
>>> On 06.01.2014 16:24, li...@rhsoft.net wrote:
>>>> On 06.01.2014 16:12, Roland Plüss wrote:
>>>>> A couple of days ago my mail server got attacked by a spammer. It
>>>>> looks like he managed to compromise the password of one of the users on
>>>>> the system and SASL authenticated using the account to send spam. I
>>>>> blocked the attacking IP and changed the password of the affected user.
>>>>> Still, the spammer managed to send out quite a lot of mails due
>>>>> to permit_sasl_authenticated letting him pass. Now, to deal with this
>>>>> situation in the future, I would like to automatically lock down an
>>>>> account if an unusual amount of mails is sent, like 60 per minute or so.
>>>>> However, I could not figure out whether postfix is able to do this or
>>>>> how to get this done. Any ideas?
>>>> anvil_rate_time_unit = 1800s
>>>> smtpd_client_connection_rate_limit = 50
>>>> smtpd_client_recipient_rate_limit = 400
>>>> smtpd_recipient_limit = 100
>>>>
>>>> this way at least not more than 400 messages from the same IP
>>>> can be sent within 30 minutes, independent of how many connections,
>>>> while these are limited to 50 and a single message must not have
>>>> more than 100 RCPT
>>> yeah, but some spambots will simply fire again, so it might not fix the
>>> problem, it may only limit the impact
>> correct, the problem itself can only be fixed manually in any case
>> but the difference between 400 or 400000 messages by one spambot
>> makes the difference between getting blacklisted everywhere or not :-)
> Follow-up question. How does the block work? Is it permanent or temporary?
> If permanent, how can I remove the block after changing the password?

temporary - until the client IP is below the limits it can send again
if you send 400 messages you need to wait at least 30 minutes for the next
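
The limits quoted in this thread are counted per client IP, while the original question asks for a per-account threshold (60 mails per minute). The following is an added example, not part of any message in the thread: Python that counts messages per `sasl_username` in a sliding window over Postfix smtpd log lines and reports accounts that exceed the threshold. The log line layout, the constructed sample lines, and the names `flag_accounts` and `sample_log` are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# smtpd logs one line of this shape per message from an authenticated client.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"[0-9A-Za-z]+: client=\S+?\[(?P<ip>[^\]]+)\], "
    r".*?sasl_username=(?P<user>\S+)"
)

def flag_accounts(lines, limit=60, window=timedelta(seconds=60), year=2014):
    """Return {sasl_username: (peak count, client IPs)} for every account that
    exceeds `limit` messages inside any sliding `window`."""
    recent = defaultdict(deque)      # user -> timestamps still inside the window
    clients = defaultdict(set)       # user -> client IPs seen for that account
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # not an authenticated-submission line
        # Classic syslog timestamps carry no year, so one is supplied (assumption).
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        user = m["user"]
        clients[user].add(m["ip"])
        q = recent[user]
        q.append(ts)
        while ts - q[0] >= window:   # drop entries that left the window
            q.popleft()
        if len(q) > limit:
            peak[user] = max(peak.get(user, 0), len(q))
    return {u: (n, sorted(clients[u])) for u, n in peak.items()}

def sample_log():
    """Constructed sample: one account sends 70 mails in 35 s, another 3 in 3 min."""
    burst = [f"Jan  6 16:10:{i // 2:02d} mail postfix/smtpd[2101]: {0xA000 + i:X}: "
             "client=unknown[203.0.113.5], sasl_method=PLAIN, "
             "sasl_username=user1@example.org" for i in range(70)]
    quiet = [f"Jan  6 16:1{i}:30 mail postfix/smtpd[2102]: {0xB000 + i:X}: "
             "client=host.example.net[198.51.100.7], sasl_method=LOGIN, "
             "sasl_username=user2@example.org" for i in range(3)]
    return burst + quiet

if __name__ == "__main__":
    for user, (count, ips) in flag_accounts(sample_log()).items():
        print(f"{user}: {count} messages within 60s from {', '.join(ips)}")
```

The count here is messages per account, whereas `smtpd_client_recipient_rate_limit` counts recipients per client IP, so the two numbers are not directly comparable.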