With postscreen in place, bad bots are getting fended off.

Many give up and go away after a couple of tries.

Some, these days mostly 'ylmf-pc' bots, are more persistent.

E.g., this one:

        Apr  8 04:17:20 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:52066 to [192.0.2.17]:25
        Apr  8 04:17:20 mail01 postfix/dnsblog[20417]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
        Apr  8 04:17:21 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.14 from [37.49.226.17]:52066: EHLO ylmf-pc\r\n
        Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:52066
        Apr  8 04:17:21 mail01 postfix/postscreen[20412]: HANGUP after 0.85 from [37.49.226.17]:52066 in tests after SMTP handshake
        Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:52066
        Apr  8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:54974 to [192.0.2.17]:25
        Apr  8 04:17:22 mail01 postfix/dnsblog[20415]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
        Apr  8 04:17:22 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.15 from [37.49.226.17]:54974: EHLO ylmf-pc\r\n
        Apr  8 04:17:22 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:54974
        Apr  8 04:17:23 mail01 postfix/postscreen[20412]: HANGUP after 0.77 from [37.49.226.17]:54974 in tests after SMTP handshake
        Apr  8 04:17:23 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:54974
        Apr  8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:58871 to [192.0.2.17]:25
        ...

continues on for a total of (in this case) 237 attempts in one continuous 
string over a few minutes.

These do not appear as multiple CONCURRENT connections, which I think I can 
limit with 'postscreen_client_connection_count_limit'.

Instead, they look like SEQUENTIAL connections.

IIUC, this is a pretty efficient disconnection by postscreen, so not a huge 
load on the server.

But, it's still making connections.

I can rate limit these in fail2ban+firewall (e.g., 
http://shorewall.net/ConnectionRate.html), but would prefer to keep this 
reaction in Postfix.

Is there a postscreen_ parameter to rate limit these "bursts"? Maybe dropping 
the connection sooner?

Jason
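
Added example, not part of the original post: a small log check that measures the sequential-connection bursts described above by counting postscreen CONNECT events per client in a sliding time window. The function name `find_bursts`, the window and threshold defaults, and the assumed year are illustrative choices; the sample log is constructed in the format of the excerpt above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the format of the log excerpt above (lines unwrapped).
SAMPLE_LOG = """\
Apr  8 04:17:20 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:52066 to [192.0.2.17]:25
Apr  8 04:17:21 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.14 from [37.49.226.17]:52066: EHLO ylmf-pc\\r\\n
Apr  8 04:17:21 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:52066
Apr  8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:54974 to [192.0.2.17]:25
Apr  8 04:17:23 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:54974
Apr  8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:58871 to [192.0.2.17]:25
Apr  8 04:19:40 mail01 postfix/postscreen[20412]: CONNECT from [198.51.100.9]:40112 to [192.0.2.17]:25
"""

# Matches postscreen CONNECT and PREGREET lines; the client address is the
# first bracketed address after " from ". Leading indentation is tolerated.
LINE_RE = re.compile(
    r"^\s*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: "
    r"(?P<event>CONNECT|PREGREET)\b.*? from \[(?P<ip>[^\]]+)\]:\d+")

def find_bursts(lines, window_s=60, threshold=3, year=2024):
    """Return {ip: {"peak": n, "pregreet": k}} for clients whose CONNECT count
    within any window_s-second window reached threshold (assumed defaults)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # ip -> CONNECT timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest CONNECT count seen in one window
    pregreet = defaultdict(int)   # ip -> number of PREGREET violations
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # dnsblog, HANGUP, DISCONNECT etc. are ignored
        ip = m["ip"]
        if m["event"] == "PREGREET":
            pregreet[ip] += 1
            continue
        # Syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: {"peak": n, "pregreet": pregreet[ip]}
            for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, stats in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```
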
