Date:      Thu, 08 Feb 2007 11:17:55 -0600
From:      "eculp@encontacto.net" <eculp@encontacto.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: SPAMD stop passing mail from WHITE-list
Message-ID:  <20070208111755.81jaocgn4w880k4g@correo.encontacto.net>
In-Reply-To: <45C5D5DB.9050407@vwsoft.com>
References:  <E1HD4Bj-000D25-00.msgs_for_me-mail-ru@f30.mail.ru> <45C5D5DB.9050407@vwsoft.com>

Quoting Volker <volker@vwsoft.com>:

> On 12/23/-58 20:59, Владимир Капустин wrote:
>> 2. If I have some malware on my PC and use mail-client program. If
>> I send the same message some times I automatically get into
>> WHITE-list and my malware can spam as much as it must?
>
> Not really related to your spamd problem, but probably useful...
>
> If you need to limit an internal client system for sending out mail
> through your system, IMO you may also use pf's limit functions.
>
> Imagine something like:
>
> pass in quick on $int_if from any to $int_if port smtp keep state
> (max-src-conn 1, max-src-conn-rate 2/60)
>
> This should limit an internal client to one concurrent connection
> and a maximum of 2 connections per 60 seconds and so mass mailing by
> abusing your mail gateway should be impossible.
>
> Combining this with a rule like 'block in quick on $int_if from any to
> ! $int_if port smtp' should efficiently block spam originating from
> your internal net.

Has anyone tried using a table and blocking smtp connections similar
to the ssh brute force solution that I've often seen on the list and
have been using happily for some time?

Something like:

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
       (max-src-conn 1, max-src-conn-rate 2/60, overload <smtp-excess> flush global)
block drop in quick on $ext_if from <smtp-excess>

Could it work and be controllable or would it make a bad situation worse?

Thanks,

ed

>
> And for the malware issues, I would like to recommend not to install
> and use malware! ;)
>
> Greetings,
>
> Volker
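
A pf.conf sketch of the table-based SMTP limiting discussed in this message, added here as an example and not part of the original e-mail. It reuses the <smtp-excess> table and the limits from the message; the interface name, the <smtp-trusted> table and its address are assumptions, and the block rule is narrowed to SMTP and placed ahead of the pass rule.

```pf
# Added example; names other than <smtp-excess> are assumptions.
ext_if = "em0"                          # assumed interface name

# persist keeps a table in memory even when it is empty.
table <smtp-excess>  persist
# Hypothetical allow-list for relays that legitimately open several
# connections per minute (constructed address, documentation range).
table <smtp-trusted> persist { 192.0.2.10 }

# 1. Drop flagged sources first. With "quick" the first matching rule wins,
#    so if this came after the pass rule, a source already in the table
#    would still match the pass rule and never reach the block.
block drop in quick on $ext_if proto tcp from <smtp-excess> to ($ext_if) port smtp

# 2. Known relays bypass the per-source limits.
pass in quick on $ext_if proto tcp from <smtp-trusted> to ($ext_if) port smtp \
        flags S/SA keep state

# 3. Everyone else gets the limits from the message. max-src-conn and
#    max-src-conn-rate count connections that completed the TCP handshake,
#    so a spoofed SYN alone does not put a third party into the table.
#    "flush global" also kills the offender's states created by other rules.
pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp \
        flags S/SA keep state \
        (max-src-conn 1, max-src-conn-rate 2/60, \
         overload <smtp-excess> flush global)
```

Entries stay in the table until they are removed: `pfctl -t smtp-excess -T show` lists them and, where the installed pfctl supports it, `pfctl -t smtp-excess -T expire 3600` drops entries older than an hour.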





