rate limiting mail server

Patrick Tracanelli eksffa at freebsdbrasil.com.br
Mon Mar 2 05:12:06 PST 2009


Barney Cordoba wrote:
> 
> 
> 
> --- On Tue, 2/24/09, Mark E Doner <nuintari at amplex.net> wrote:
> 
>> From: Mark E Doner <nuintari at amplex.net>
>> Subject: rate limiting mail server
>> To: freebsd-isp at freebsd.org
>> Date: Tuesday, February 24, 2009, 12:13 AM
>> Greetings,
>>    I am running a fairly large mail server, FreeBSD, of
>> course. It is predominantly for residential customers, so
>> educating the end users to not fall for the scams is never
>> going to happen. Whenever we have a customer actually hand
>> over their login credentials, we quickly see a huge flood of
>> inbound connections from a small handful of IP addresses on
>> ports 25 and 587, all authenticate as whatever customer fell
>> for the scam du jour, and of course, load goes through the
>> roof as I get a few thousand extra junk messages to process
>> in a matter of minutes.
>>
>> Thinking about using PF to rate limit inbound connections,
>> stuff the hog wild connection rates into a table and drop
>> them quickly. My question is, I know how to do this, PF
>> syntax is easy, but has anyone ever tried this? How many new
>> connections per minute from a single source are acceptable,
>> and what is blatantly malicious? And, once I have determined
>> that, how long should I leave the offenders in the
>> blocklist?
>>
>> Any thoughts appreciated,
>> Mark
> 
> A better strategy is to identify the spam source and just block it. The
> way we do it is that we look for unusual domain traffic from a single
> source and then block the source. I haven't figured out a way to automate
> it yet, but it works very well.
> 
> You don't really want to rate limit mail spammers. They go on for many hours.
> 
> BC

IMHO, what you could potentially do is add a maximum recipients limit 
per SMTP session for your customers (relay access IPs), combining it 
with tarpitting, while on the firewall side all you do (my suggestion) 
is just limit the simultaneous access per source IP. Remember that 
you might have NATed customers, so when limiting per IP don't make it 
way too limited (2 to 5 simultaneous sessions is probably enough due to 
your "residential" usage profile).

Finally, you didn't mention your MTA. If it's Qmail there is a great 
plugins framework called qmail-spp and it already has a rate control 
plugin to be used. While qmail-spp is not (yet) available in the Ports 
Collection, I have working patches for qmail-ldap and qmail-spamassassin, 
which can both be applied from Ports directly (will send-pr(1) to garga@ 
in the near future...).

Those are usually my own approaches to slow down my users' message 
floods. If you mention your MTA maybe we can be of further assistance.

-- 
Patrick Tracanelli

FreeBSD Brasil LTDA.
Tel.: (31) 3516-0800
316601 at sip.freebsdbrasil.com.br
http://www.freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
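Putting Mark's plan (stuff fast connectors into a table and drop them) and Patrick's suggestion (cap simultaneous sessions per source at 2 to 5) into one concrete pf.conf, as an added example that is not part of this thread. The interface name, server address, table names and every numeric threshold are assumptions chosen for illustration; tune them against your own connection logs.

```pf
# Added example, not from the thread. PF rules that cap simultaneous SMTP
# sessions per source IP (Patrick's suggestion) and put sources that open
# connections too fast into a block table (Mark's plan). Every name and
# number below is an assumption; tune them against your own logs.

ext_if     = "em0"              # assumed external interface
mail_srv   = "192.0.2.25"       # assumed mail server address (documentation range)
smtp_ports = "{ 25, 587 }"      # the two ports the flood hits

# Offenders land here; "persist" keeps the table around even when empty.
table <smtp_abusers> persist

# Assumed NAT gateways that legitimately carry many customers' sessions,
# so they must not be caught by the per-source caps below.
table <nat_exempt> persist { 198.51.100.0/24 }

# Block offenders first; "quick" stops rule evaluation for matching packets.
block in quick on $ext_if proto tcp from <smtp_abusers> to $mail_srv port $smtp_ports

# NAT gateways: state-tracked, but without per-source caps.
pass in quick on $ext_if proto tcp from <nat_exempt> to $mail_srv port $smtp_ports \
    flags S/SA keep state

# Everyone else:
#   max-src-conn 5           at most 5 open sessions per source IP (Patrick's 2-5 range)
#   max-src-conn-rate 15/60  at most 15 new connections per 60 s from one source
#   overload <smtp_abusers>  add the source to the table when either cap is exceeded
#   flush global             tear down every state that source already holds
pass in on $ext_if proto tcp from any to $mail_srv port $smtp_ports \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 15/60, overload <smtp_abusers> flush global)
```

The overload table only grows, so Mark's "how long should I leave them blocked" question is answered by a cron job rather than by the rules: `pfctl -t smtp_abusers -T expire 86400` removes entries older than a day, and `pfctl -t smtp_abusers -T show` lists what is currently blocked. Note the caveat Barney raises: a source that stays just under both caps for hours is never overloaded, which is why the per-session recipient limit and tarpitting in the MTA are still needed alongside the firewall rules.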
