how best to block this port 25 traffic/spam?

snowcrash schneecrash+pf at gmail.com
Thu May 31 16:41:04 UTC 2007


hi,

i use fbsd 6.2-release/p5's pf + spamd v4.1.1 to manage port 25 traffic.

in my pf.conf, i've

  ...
  set require-order no
  ...
  nat on $extif from $intif:network to any -> ($extif)
  ...
  # blacklisted MXs: no redirection, tag them, then drop (logged)
  no rdr on $extif from <MXbl> to any tag MXbl
  block log quick tagged MXbl label "(MXbl)"
  ...
  # whitelisted MXs go straight to the internal MX
  rdr      on $extif proto tcp from  <MXwl>        to $MXwan   port 25 -> $MXlan    port 25
  # known-bad sources (<spamd>) and anything spamd has not yet whitelisted
  # are handed to spamd listening on 127.0.0.1:8025
  rdr pass on $extif proto tcp from  <spamd>       to ($extif) port 25 -> 127.0.0.1 port 8025
  rdr pass on $extif proto tcp from !<spamd-white> to ($extif) port 25 -> 127.0.0.1 port 8025
  # hosts spamd has whitelisted are passed through to the internal MX
  rdr      on $extif proto tcp from  <spamd-white> to $MXwan   port 25 -> $MXlan    port 25
  ...
  pass in  log quick on $extif proto tcp from { <MXwl>, <spamd-white> } to $MXlan port 25 keep-state
  pass out log quick on $extif proto tcp from any    to any port 25 keep-state
  pass out log quick on $intif proto tcp from $MXlan to any port 25 keep-state
  ...

all works great!

in my spamd logs, i'm seeing lots of

  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou at hotmail.com> -> <aa at mydomain.com>
  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou at hotmail.com> -> <bb at mydomain.com>
  May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou at hotmail.com> -> <cc at mydomain.com>

characterized by,

(1) forged FROM: @hotmail.com
(2) multiple connections per second from a given IP
(3) 100% of the IPs are in Spamhaus PBL &/or CBL dnsbls; anything that
_does_ sneak past the spamd stutter etc gets dropped anyway.

i'd LIKE to simply BLOCK, with NO logging, these noisy from-@-hotmail
connections at the fw PRIOR to spamd ever seeing them.

iiuc, my options to do so include:

 (a) install a small SMTP server on the router to ONLY reject at CBL
*prior* to passing on to spamd
 (b) use the same SMTP server to reject FROM: == *@hotmail
 (c) DL/rsync the whole CBL into a local pf/spamd table
 (d) throttle # of connections / second, and add to pf block element
if match/exceed

thoughts/comments on the 'best' approach?

thanks!


More information about the freebsd-pf mailing list
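The connection-throttling option in the list above, as an added example that is not from the original post and not pf or spamd code: a POSIX sh script that counts spamd (GREY) connections per source IP within each second over constructed sample log lines in the post's format, prints the IPs that exceed a threshold, and shows how they would be loaded into a pf table. The table name <spamd-burst>, the tag name, the threshold value and the sample log lines are all assumptions. One caveat a firewall cannot get around: the forged FROM: is SMTP envelope data that is only exchanged after the TCP connection has been accepted, so pf never sees it; only spamd or an MTA in front of it can reject on the sender domain, which leaves connection rate (or a dnsbl-derived table) as the criterion available at the pf layer.

```shell
#!/bin/sh
# Added example (not from the original post, not pf/spamd code):
# find source IPs that open bursts of connections to spamd, as the
# post's log excerpt shows, and prepare them for a pf block table.
# Assumptions: the pf table name <spamd-burst>, the tag name, the
# threshold value and the sample log lines are all made up here.

# Constructed sample spamd log lines in the post's format.  The first
# host opens three connections in the same second; the second host opens
# one per second and must not be flagged.
SAMPLE_LOG='May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou@hotmail.com> -> <aa@mydomain.com>
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou@hotmail.com> -> <bb@mydomain.com>
May 31 09:29:27 edge6 spamd[416]: (GREY) 208.104.144.37: <kinnavysou@hotmail.com> -> <cc@mydomain.com>
May 31 09:29:28 edge6 spamd[416]: (GREY) 192.0.2.10: <someone@example.net> -> <aa@mydomain.com>
May 31 09:29:30 edge6 spamd[416]: (GREY) 192.0.2.10: <someone@example.net> -> <bb@mydomain.com>'

# bursty_ips THRESHOLD   (log lines on stdin)
# Prints every source IP that made more than THRESHOLD (GREY) connections
# within any single second, one per line, sorted.
bursty_ips() {
    awk -v t="$1" '
        /\(GREY\)/ {
            # $3 is HH:MM:SS, $7 is "a.b.c.d:" with a trailing colon
            ip = $7; sub(/:$/, "", ip)
            n[$3 SUBSEP ip]++
        }
        END {
            for (k in n) {
                split(k, f, SUBSEP)
                if (n[k] > t) hit[f[2]] = 1
            }
            for (ip in hit) print ip
        }' | sort
}

# load_burst_table THRESHOLD LOGFILE
# Adds the offending IPs to the assumed <spamd-burst> table.  Needs root
# and a pf.conf that declares "table <spamd-burst> persist" and, following
# the post's own <MXbl> tag-and-block pattern but without "log":
#   no rdr on $extif from <spamd-burst> to any tag burst
#   block quick tagged burst
load_burst_table() {
    ips=$(bursty_ips "$1" < "$2")
    if [ -n "$ips" ]; then
        pfctl -t spamd-burst -T add $ips
    fi
}
```

Run it from cron against the spamd log, e.g. `load_burst_table 2 /var/log/spamd` (assumed log path). Because the table is populated from a log the block only takes effect on the next connection from that host, so age the entries out rather than letting them accumulate, and keep the threshold high enough that a legitimate MX retrying several recipients after a greylist stutter does not land in it. Where the pf in use supports it, the same throttling can be done in-kernel with the `max-src-conn-rate` and `overload <spamd-burst> flush` state options on an explicit `pass in ... keep-state` rule for the traffic redirected to 127.0.0.1 port 8025, which avoids the log parsing entirely.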