rate limiting mail server

Doug Hardie bc979 at lafn.org
Tue Feb 24 00:30:40 PST 2009


On Feb 23, 2009, at 21:13, Mark E Doner wrote:

> Greetings,
>   I am running a fairly large mail server, FreeBSD, of course. It is  
> predominantly for residential customers, so educating the end users  
> to not fall for the scams is never going to happen. Whenever we have  
> a customer actually hand over their login credentials, we quickly  
> see a huge flood of inbound connections from a small handful of IP  
> addresses on ports 25 and 587, all authenticate as whatever customer  
> fell for the scam du jour, and of course, load goes through the roof  
> as I get a few thousand extra junk messages to process in a matter  
> of minutes.
>
> Thinking about using PF to rate limit inbound connections, stuff the  
> hog wild connection rates into a table and drop them quickly. My  
> question is, I know how to do this, PF syntax is easy, but has  
> anyone ever tried this? How many new connections per minute from a  
> single source are acceptable, and what is blatantly malicious? And,  
> once I have determined that, how long should I leave the offenders  
> in the blocklist?

The Book of PF has in chapter 6 a similar setup although it's used for
ssh and not smtp.  The questions are not directly answered, but it
does discuss the issues.  If you do implement it, you will need to
monitor the situation to see if the blocking period is long enough.
If they come back right after you remove the block, then the period is
too short.  I am using pf and spamd to block drive-by spammers.  It's a
bit different in that it blocks everyone and only allows those through
I want.  The retention time for an IP address is 72 days.  As a result
it has taken over 4 months for the tables to stabilize.  However, it
is effective.  I have cut out about 90% of the received spam.
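As an added illustration (not part of either poster's message), the setup Mark describes can be expressed in pf.conf with a per-source connection-rate limit that overloads offenders into a table, plus a scheduled pfctl expiry to answer the "how long do I keep them blocked" question. The interface name, table name and the thresholds (15 simultaneous connections, 5 new connections per 60 seconds, 24-hour expiry) are assumptions chosen for the example; as the reply says, the right numbers have to be found by monitoring the real traffic.

```pf
# Assumed interface name and table name for this example.
ext_if = "em0"
table <smtp_abusers> persist

# Drop sources already in the overload table first; "quick" means this
# rule wins before the pass rule below is evaluated.
block in quick on $ext_if from <smtp_abusers>

# Allow SMTP submission, but track each source address:
#   max-src-conn      - assumed ceiling on simultaneous connections per source
#   max-src-conn-rate - assumed ceiling of 5 new connections per 60 seconds
# A source exceeding either limit is added to <smtp_abusers> and its
# existing states are flushed ("flush global").
pass in quick on $ext_if proto tcp from any to ($ext_if) port { 25, 587 } \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/60, \
     overload <smtp_abusers> flush global)

# Expiry is not part of pf.conf; run from cron, e.g. hourly, to drop
# entries older than the assumed 86400 seconds (24 h):
#   pfctl -t smtp_abusers -T expire 86400
# Inspect who got caught, with timestamps, using:
#   pfctl -t smtp_abusers -T show -v
```

The `-T show -v` output is what to watch when tuning: if the same addresses reappear shortly after they age out, lengthen the expire interval; if legitimate customers behind a shared NAT trip the rate limit, raise `max-src-conn-rate` or exempt their addresses with an earlier pass rule.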

