In message <1460213048.1937714.573722321.23756...@webmail.messagingengine.com>
[email protected] writes:
> With postscreen in place, bad bots are getting fended off.
>
> Many give up and go away after a couple of tries.
>
> Some, these days mostly 'ymlf-pc' bots, are more persistent.
>
> Eg, this one
>
> Apr 8 04:17:20 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:52066 to [192.0.2.17]:25
> Apr 8 04:17:20 mail01 postfix/dnsblog[20417]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
> Apr 8 04:17:21 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.14 from [37.49.226.17]:52066: EHLO ylmf-pc\r\n
> Apr 8 04:17:21 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:52066
> Apr 8 04:17:21 mail01 postfix/postscreen[20412]: HANGUP after 0.85 from [37.49.226.17]:52066 in tests after SMTP handshake
> Apr 8 04:17:21 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:52066
> Apr 8 04:17:22 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:54974 to [192.0.2.17]:25
> Apr 8 04:17:22 mail01 postfix/dnsblog[20415]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4
> Apr 8 04:17:22 mail01 postfix/postscreen[20412]: PREGREET 14 after 0.15 from [37.49.226.17]:54974: EHLO ylmf-pc\r\n
> Apr 8 04:17:22 mail01 postfix/postscreen[20412]: DNSBL rank 6 for [37.49.226.17]:54974
> Apr 8 04:17:23 mail01 postfix/postscreen[20412]: HANGUP after 0.77 from [37.49.226.17]:54974 in tests after SMTP handshake
> Apr 8 04:17:23 mail01 postfix/postscreen[20412]: DISCONNECT [37.49.226.17]:54974
> Apr 8 04:17:25 mail01 postfix/postscreen[20412]: CONNECT from [37.49.226.17]:58871 to [192.0.2.17]:25
> ...
>
> continues on for a total of (in this case) 237 attempts in one continuous
> string over a few minutes.
>
> These do not appear as multiple CONCURRENT connections, which I think I can
> limit with ' postscreen_client_connection_count_limit'.
>
> Instead, they look like SEQUENTIAL connections.
>
> IIUC, this is a pretty efficient disconnection by postscreen, so not a huge
> load on the server.
>
> But, it's still making connections.
>
> I can rate limit these in fail2ban+firewall (e.g.,
> http://shorewall.net/ConnectionRate.html), but would prefer to keep this
> reaction in Postfix.
>
> Is there a postscreen_ parameter to rate limit these "bursts"? Maybe dropping
> the connection sooner?
>
> Jason
Jason,
An excerpt below from a shell script to generate an access file for
postscreen. I haven't automated running it but will probably zcat a
day or two of prior maillog files plus the current day (for example,
using "zcat /var/log/maillog.0.bz2 | cat - /var/log/maillog | ...").
It gets rid of lots of PREGREET or HANGUP in under 1 sec. The
threshold of 5 is quite low but I don't think it will catch any legit
mail servers. Still playing with this.
Note that the big space before reject is three tabs.
Curtis
# Clients that hung up less than 1 s after connecting, more than 5 times.
# The second sed strips ":port in tests before/after SMTP handshake" so
# that both HANGUP variants postscreen logs are counted per client address.
echo "# HANGUP after <1 more than 5 times in one day"
grep postfix/postscreen /var/log/maillog \
| grep 'HANGUP after 0\.' \
| sed -e 's,^.*HANGUP after [0-9.]* from ,,' \
      -e 's,:[0-9]* in tests [a-z]* SMTP handshake$,,' \
| sort | uniq -c | sort -n \
| grep -E '^ *[6-9] |^ *[1-9][0-9][0-9]* ' \
| sed -e 's,^ *[0-9]* *\[,,' -e 's,\]$, reject,'
# Clients that spoke before the banner (PREGREET) within 1 s, more than 5 times.
# Key and action in the output may be separated by any whitespace
# (the original used three tabs before "reject").
echo "# PREGREET after <1 more than 5 times"
grep postfix/postscreen /var/log/maillog \
| grep 'PREGREET [0-9]* after 0\.[0-9]* ' \
| sed -e 's,^.*PREGREET [0-9]* after 0\.[0-9]* from ,,' \
      -e 's,:[0-9]*: [HE]*LO .*,,' \
| sort | uniq -c | sort -n \
| grep -E '^ *[6-9] |^ *[1-9][0-9][0-9]* ' \
| sed -e 's,^ *[0-9]* *\[,,' -e 's,\]$, reject,'
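The same idea carried a step further, as an added example that is neither Curtis's script nor part of Postfix: it parses postscreen log lines, counts per-client PREGREET/HANGUP events that occur within 1 s of connecting (both signals combined into one count, unlike the script above, which keeps them separate), and also flags the sequential connection bursts Jason asked about by counting CONNECT lines from one client inside a sliding window. The thresholds, the 300 s window and the output path /etc/postfix/postscreen_access.cidr are assumptions; the sample log is constructed from the shape of the excerpt in this thread (the bot address is the one quoted, the timestamps and ports are made up, and 192.0.2.50/192.0.2.51 are constructed legitimate clients).

```python
#!/usr/bin/env python3
"""Build a postscreen access list (cidr: table) from postscreen log lines.

Added example for the postfix-users thread above; not Curtis's script and not
Postfix code. Thresholds, window and file path are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Syslog timestamp has no year, so deltas across New Year are not handled.
# "\s+" after the month copes with both "Apr 8" and "Apr  8".
_TS = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d) \S+ postfix/postscreen\[\d+\]: (.*)$")
_CONNECT = re.compile(r"^CONNECT from \[([^\]]+)\]:\d+ to ")
_PREGREET = re.compile(r"^PREGREET \d+ after ([\d.]+) from \[([^\]]+)\]:\d+: ")
# Accept both "in tests before" and "in tests after" SMTP handshake.
_HANGUP = re.compile(r"^HANGUP after ([\d.]+) from \[([^\]]+)\]:\d+ in tests (?:before|after) SMTP handshake$")


def parse_events(log_text):
    """Yield (timestamp, kind, client_ip, delay) for CONNECT/PREGREET/HANGUP lines."""
    for line in log_text.splitlines():
        m = _TS.match(line)
        if not m:
            continue  # dnsblog, smtpd and other lines are ignored
        mon, day, clock, msg = m.groups()
        ts = datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S")
        c = _CONNECT.match(msg)
        if c:
            yield ts, "connect", c.group(1), None
            continue
        p = _PREGREET.match(msg)
        if p:
            yield ts, "pregreet", p.group(2), float(p.group(1))
            continue
        h = _HANGUP.match(msg)
        if h:
            yield ts, "hangup", h.group(2), float(h.group(1))


def max_in_window(times, window_s):
    """Largest number of timestamps that fall inside any span of window_s seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def build_access_list(log_text, fast_limit=5, max_delay=1.0, burst_limit=20, burst_window=300):
    """Return {client_ip: reason} for clients that exceed either threshold (assumed defaults)."""
    fast = defaultdict(int)        # PREGREET or HANGUP faster than max_delay, per client
    connects = defaultdict(list)   # CONNECT timestamps per client
    for ts, kind, ip, delay in parse_events(log_text):
        if kind == "connect":
            connects[ip].append(ts)
        elif delay < max_delay:
            fast[ip] += 1
    entries = {}
    for ip, n in fast.items():
        if n > fast_limit:
            entries[ip] = f"{n} PREGREET/HANGUP within {max_delay:g}s"
    for ip, times in connects.items():
        peak = max_in_window(times, burst_window)
        if peak > burst_limit:
            entries.setdefault(ip, f"{peak} connections within {burst_window}s")
    return dict(sorted(entries.items()))


def render_cidr(entries):
    """Render the entries as a Postfix cidr: table; reasons go on comment lines."""
    lines = ["# generated postscreen access list (path below is an assumption); load with",
             "# postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr"]
    for ip, why in entries.items():
        lines.append(f"# {why}")
        lines.append(f"{ip}\treject")
    return "\n".join(lines) + "\n"


# Constructed sample: eight sequential attempts like the thread's excerpt, one
# client that passes, and one that hangs up once before the handshake.
def _bot_attempt(second, port):
    t = f"Apr 8 04:17:{second:02d} mail01 postfix/postscreen[20412]"
    return [
        f"{t}: CONNECT from [37.49.226.17]:{port} to [192.0.2.17]:25",
        f"Apr 8 04:17:{second:02d} mail01 postfix/dnsblog[20417]: addr 37.49.226.17 listed by domain zen.spamhaus.org as 127.0.0.4",
        f"{t}: PREGREET 14 after 0.14 from [37.49.226.17]:{port}: EHLO ylmf-pc\\r\\n",
        f"{t}: HANGUP after 0.85 from [37.49.226.17]:{port} in tests after SMTP handshake",
        f"{t}: DISCONNECT [37.49.226.17]:{port}",
    ]


SAMPLE_LOG = "\n".join(
    line for i in range(8) for line in _bot_attempt(20 + 2 * i, 52066 + i)
) + "\n" + "\n".join([
    "Apr 8 04:17:30 mail01 postfix/postscreen[20412]: CONNECT from [192.0.2.50]:40001 to [192.0.2.17]:25",
    "Apr 8 04:17:33 mail01 postfix/postscreen[20412]: PASS NEW [192.0.2.50]:40001",
    "Apr 8 04:17:40 mail01 postfix/postscreen[20412]: CONNECT from [192.0.2.51]:40002 to [192.0.2.17]:25",
    "Apr 8 04:17:40 mail01 postfix/postscreen[20412]: HANGUP after 0.30 from [192.0.2.51]:40002 in tests before SMTP handshake",
]) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: zcat /var/log/maillog.0.bz2 | cat - /var/log/maillog | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(render_cidr(build_access_list(text)), end="")
```

On the constructed sample only the quoted bot address is listed: 16 fast PREGREET/HANGUP events against a limit of 5, while the single pre-handshake hangup from 192.0.2.51 stays under it. Lowering burst_limit to 5 lists the same address for its 8 connects within the window even with the fast-event threshold raised out of reach, which is the sequential-burst case from the question. A cidr: table needs no postmap step; reloading Postfix after rewriting the file is enough for postscreen to pick up the new entries.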