how best to block this port 25 traffic/spam?
snowcrash
schneecrash+pf at gmail.com
Thu May 31 16:41:04 UTC 2007
hi,
i use fbsd 6.2-release/p5's pf + spamd v4.1.1 to manage port 25 traffic.
in my pf.conf, i've
...
set require-order no
...
nat on $extif from $intif:network to any -> ($extif)
...
no rdr on $extif from <MXbl> to any tag MXbl
block log quick tagged MXbl label "(MXbl)"
...
rdr on $extif proto tcp from <MXwl> to $MXwan port 25
-> $MXlan port 25
rdr pass on $extif proto tcp from <spamd> to ($extif) port 25
-> 127.0.0.1 port 8025
rdr pass on $extif proto tcp from !<spamd-white> to ($extif) port 25
-> 127.0.0.1 port 8025
rdr on $extif proto tcp from <spamd-white> to $MXwan port 25
-> $MXlan port 25
...
pass in log quick on $extif proto tcp from { <MXwl>, <spamd-white>
} to $MXlan port 25 keep-state
pass out log quick on $extif proto tcp from any
to any port 25 keep-state
pass out log quick on $intif proto tcp from $MXlan
to any port 25 keep-state
...
all works great!
in my spamd logs, i'm seeing lots of
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37:
<kinnavysou at hotmail.com> -> <aa at mydomain.com>
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37:
<kinnavysou at hotmail.com> -> <bb at mydomain.com>
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37:
<kinnavysou at hotmail.com> -> <cc at mydomain.com>
characterized by,
(1) forged FROM: @hotmail.com
(2) multiple connections per second from a given IP
(3) 100% of the IPs are in Spamhaus PBL &/or CBL dnsbls; anything that
_does_ sneak past the spamd stutter etc gets dropped anyway.
i'd LIKE to simply BLOCK, with NO logging, these nosiy, from- at -hotmail
connections at the fw PRIOR to spamd ever seeing them.
iiuc, my options to do so include:
(a) install a small SMTP server on the router to ONLY reject at CBL
*prior* to passing on to spamd
(b) use the same SMTP server to reject FROM: == *@hotmail
(b) DL/rsync the whole CBL into a local pf/spamd table
(c) throttle # of connections / second, and add to pf block element
if match/exceed
thoughts/comments on the 'best' approach?
thanks!
More information about the freebsd-pf
mailing list