rate limiting mail server

eculp eculp at encontacto.net
Tue Feb 24 04:33:52 PST 2009

Quoting Doug Hardie <bc979 at lafn.org>:

> On Feb 23, 2009, at 21:13, Mark E Doner wrote:
>> Greetings,
>>  I am running a fairly large mail server, FreeBSD, of course. It is  
>> predominantly for residential customers, so educating the end users  
>> to not fall for the scams is never going to happen. Whenever we  
>> have a customer actually hand over their login credentials, we  
>> quickly see a huge flood of inbound connections from a small  
>> handful of IP addresses on ports 25 and 587, all authenticate as  
>> whatever customer fell for the scam du jour, and of course, load  
>> goes through the roof as I get a few thousand extra junk messages  
>> to process in a matter of minutes.
>> Thinking about using PF to rate limit inbound connections, stuff  
>> the hog wild connection rates into a table and drop them quickly.  
>> My question is, I know how to do this, PF syntax is easy, but has  
>> anyone ever tried this? How many new connections per minute from a  
>> single source are acceptable, and what is blatantly malicious? And,  
>> once I have determined that, how long should I leave the offenders  
>> in the blocklist?
> The Book of PF has in chapter 6 a similar setup although its used  
> for ssh and not smtp.  The questions are not directly answered, but  
> it does discuss the issues.  If you do implement it, you will need  
> to monitor the situation to see if the blocking period is long  
> enough.  If they come back right after you remove the block, then  
> the period is too short.  I am using pf and spamd to block drive-by  
> spammers.  It's a bit different in that it blocks everyone and only  
> allows those through I want.  The retention time for an IP address  
> is 72 days.  As a result it has taken over 4 months for the tables  
> to stabilize.  However, it is effective.  I have cut out about 90%  
> of the received spam.

I am also a big fan of spamd (unrelated to SpamAssassin) with pf and  
also keep using connection limiting even though the spamd setup has  
really put them under control.  My pf config lines are:

   # added: the table and block rule that the overload option relies on
   table <blocksmtp> persist
   block in quick on $wan_if from <blocksmtp>
   # >30 open connections, or >30 new ones in 90 s, from one source:
   # add it to <blocksmtp> and flush all of its existing states
   pass in on $wan_if inet proto tcp from any to ($wan_if) port smtp \
       flags S/SA keep state \
       (max-src-conn 30, max-src-conn-rate 30/90, overload <blocksmtp> flush global)

Obviously you can play with the number of connections and the rate.
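Mark's original question (how many new connections per source are normal, and what is blatantly malicious) is best answered by replaying your own mail log against a candidate rule before putting it into pf. The script below is an added example, not code from eculp's post or from any MTA or pf documentation: it evaluates the same condition pf applies for "max-src-conn-rate N/T" (more than N connections from one source inside any T-second sliding window) over log lines, and separately reports accounts that authenticated from more than M distinct source IPs, which is how a phished customer shows up even when the spammer spreads connections thinly enough to stay under the per-IP rate. The log format, the host name, the addresses and the user names are constructed for this example; adapt the field positions to your MTA's log. The pfctl commands it prints are shown, not executed.

```shell
#!/bin/sh
# Offline calibration for pf's "max-src-conn-rate N/T": replay a mail log
# and report which source IPs would have tripped the rule, plus which
# authenticated accounts were used from more than M distinct sources.
# The log format below is constructed for this example, not a real MTA's.

sample_log() {
    cat <<'EOF'
Feb 23 21:13:01 mx1 smtpd[4711]: connect from 203.0.113.7 auth=jdoe
Feb 23 21:13:02 mx1 smtpd[4712]: connect from 203.0.113.7 auth=jdoe
Feb 23 21:13:03 mx1 smtpd[4713]: connect from 198.51.100.9 auth=asmith
Feb 23 21:13:04 mx1 smtpd[4714]: connect from 203.0.113.7 auth=jdoe
Feb 23 21:13:05 mx1 smtpd[4711]: disconnect from 203.0.113.7
Feb 23 21:13:06 mx1 smtpd[4715]: connect from 203.0.113.7 auth=jdoe
Feb 23 21:13:40 mx1 smtpd[4716]: connect from 192.0.2.55 auth=jdoe
Feb 23 21:14:30 mx1 smtpd[4717]: connect from 198.51.100.9 auth=asmith
EOF
}

# rate_offenders N T < log
# Prints "IP HH:MM:SS" for every source that opened more than N connections
# within any T-second sliding window, with the time it first crossed the line.
# This is the condition pf evaluates for "max-src-conn-rate N/T".
rate_offenders() {
    awk -v n="$1" -v t="$2" '
        $6 == "connect" && $7 == "from" {
            split($3, h, ":")
            ts = h[1] * 3600 + h[2] * 60 + h[3]   # seconds since midnight (one day assumed)
            ip = $8
            cnt[ip]++
            times[ip, cnt[ip]] = ts
            if (!(ip in head)) head[ip] = 1
            # slide the window: forget connections older than t seconds
            while (head[ip] < cnt[ip] && times[ip, head[ip]] <= ts - t) head[ip]++
            inwin = cnt[ip] - head[ip] + 1
            if (inwin > n && !(ip in flagged)) { flagged[ip] = $3; order[++k] = ip }
        }
        END { for (i = 1; i <= k; i++) print order[i], flagged[order[i]] }'
}

# auth_sources M < log
# Prints "USER COUNT" for each account authenticated from more than M
# distinct source IPs: a compromised account shows up here even when the
# spammer spreads the load across enough IPs to stay under the pf rate.
auth_sources() {
    awk -v m="$1" '
        $6 == "connect" && $7 == "from" && $9 ~ /^auth=/ {
            user = substr($9, 6)
            if (!(user in nsrc)) { nsrc[user] = 0; order[++k] = user }
            if (!((user, $8) in seen)) { seen[user, $8] = 1; nsrc[user]++ }
        }
        END { for (i = 1; i <= k; i++) if (nsrc[order[i]] > m) print order[i], nsrc[order[i]] }'
}

# Try a candidate rule of 3 connections per 60 seconds against the sample,
# and show the pfctl command that would add each offender to the table.
echo "sources exceeding 3 connections / 60 s:"
sample_log | rate_offenders 3 60 | while read -r ip when; do
    echo "  $ip (first exceeded at $when)  ->  pfctl -t blocksmtp -T add $ip"
done
echo "accounts used from more than 1 source IP:"
sample_log | auth_sources 1
```

Run it against a day of real log with the 30/90 values from the rule above and look at who gets flagged: legitimate MUAs polling every few minutes should never appear, while a phished account's senders will. For the other half of Mark's question, how long to keep offenders in the table, the rule needs a companion such as `pfctl -t blocksmtp -T expire 86400` from cron, which removes entries that have been in the table for more than a day; lengthen the period if, as Doug says, the same sources come straight back after they are released.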

