rate limiting mail server

Barney Cordoba barney_cordoba at yahoo.com
Sun Mar 1 13:57:54 PST 2009





--- On Tue, 2/24/09, Mark E Doner <nuintari at amplex.net> wrote:

> From: Mark E Doner <nuintari at amplex.net>
> Subject: rate limiting mail server
> To: freebsd-isp at freebsd.org
> Date: Tuesday, February 24, 2009, 12:13 AM
> Greetings,
>    I am running a fairly large mail server, FreeBSD, of
> course. It is predominantly for residential customers, so
> educating the end users to not fall for the scams is never
> going to happen. Whenever we have a customer actually hand
> over their login credentials, we quickly see a huge flood of
> inbound connections from a small handful of IP addresses on
> ports 25 and 587, all authenticate as whatever customer fell
> for the scam du jour, and of course, load goes through the
> roof as I get a few thousand extra junk messages to process
> in a matter of minutes.
> 
> Thinking about using PF to rate limit inbound connections,
> stuff the hog wild connection rates into a table and drop
> them quickly. My question is, I know how to do this, PF
> syntax is easy, but has anyone ever tried this? How many new
> connections per minute from a single source are acceptable,
> and what is blatantly malicious? And, once I have determined
> that, how long should I leave the offenders in the
> blocklist?
> 
> Any thoughts appreciated,
> Mark

A better strategy is to identify the spam source and just block it. The
way we do it is that we look for unusual domain traffic from a single 
source and then block the source. I haven't figured out a way to automate
it yet but it works very well. 

You don't really want to rate limit mail spammers. They go on for many hours.

BC
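
One way to automate the check described in the reply above (many recipient domains from a single source in a short time) and turn the result into entries for a PF table like the one the question mentions. This is an added example, not part of either post; the log format, the thresholds and the table name `mail_abusers` are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, made-up format (not a real MTA log format).
SAMPLE_LOG = """\
2009-02-24T00:01:00 client=192.0.2.10 user=alice rcpt=a@one.example
2009-02-24T00:01:05 client=192.0.2.10 user=alice rcpt=b@two.example
2009-02-24T00:01:09 client=192.0.2.10 user=alice rcpt=c@three.example
2009-02-24T00:02:10 client=198.51.100.7 user=bob rcpt=x@one.example
2009-02-24T01:00:00 client=203.0.113.5 user=carol rcpt=a@one.example
2009-02-24T03:00:00 client=203.0.113.5 user=carol rcpt=b@two.example
2009-02-24T05:00:00 client=203.0.113.5 user=carol rcpt=c@three.example
2009-02-24T05:00:01 client=garbage user=eve rcpt=z@one.example
"""
LINE_RE = re.compile(r"^(\S+) client=(\S+) user=\S+ rcpt=\S+@(\S+)$")

def flag_sources(log_text, window=timedelta(minutes=5), max_domains=2):
    """Return source IPs that mailed more than max_domains distinct domains within window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, domain = m.groups()
        try:
            ip = str(ipaddress.ip_address(ip))  # reject anything that is not an address
        except ValueError:
            continue
        events[ip].append((datetime.fromisoformat(ts), domain.lower()))
    flagged = []
    for ip, evs in events.items():
        evs.sort()
        seen, start = Counter(), 0  # per-domain counts inside the sliding window
        for ts, dom in evs:
            seen[dom] += 1
            while ts - evs[start][0] > window:  # drop events older than the window
                seen[evs[start][1]] -= 1
                start += 1
            if sum(1 for n in seen.values() if n > 0) > max_domains:
                flagged.append(ip)
                break
    return sorted(flagged)

def pfctl_commands(ips, table="mail_abusers"):  # table name is hypothetical
    """Build the pfctl invocations that would add each flagged source to the table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in ips]
```

The thresholds are illustrative; a legitimate bulk sender or a shared NAT address can exceed them, so review the output before loading it into the table.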


      


More information about the freebsd-net mailing list