kinda cool, at first look:
%tail -f -n 10000 /var/log/maillog | egrep -i "(anvil)"
Feb 4 22:36:07 im1 postfix/anvil[45395]: statistics: max connection rate 30/3600s for (smtp:207.218.165.207) at Feb 4 22:35:38
Feb 4 22:36:07 im1 postfix/anvil[45395]: statistics: max connection count 2 for (smtp:207.218.165.205) at Feb 4 22:32:14
Feb 4 22:41:10 im1 postfix/anvil[45623]: statistics: max connection rate 19/3600s for (smtp:207.218.165.205) at Feb 4 22:40:46
Feb 4 22:41:10 im1 postfix/anvil[45623]: statistics: max connection count 2 for (smtp:24.126.72.41) at Feb 4 22:36:27
Feb 4 22:46:10 im1 postfix/anvil[45623]: statistics: max connection rate 24/3600s for (smtp:207.218.165.207) at Feb 4 22:42:57
Feb 4 22:46:10 im1 postfix/anvil[45623]: statistics: max connection count 17 for (smtp:69.105.94.40) at Feb 4 22:42:12
I expect it will be difficult to adjust the params. Do you set it to x connects per hour, or per 10 minutes?
here's a command to show total connects for today per ip:
awk '/smtpd.* connect from/{ print $8}' /var/log/maillog | sort -f | uniq -ic | sort -rf | less
need this script: taking the top of the preceding list, for each IP, count the connects per hour.
and then massage for legit IPs. The idea is that whatever IP connects to your MX "too many" connects/unittime is up to no good and can be dynamically blocked. i.e., the SMTP client behavior, not the msg content or envelope info, will block them.
Len
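One way to do the per-IP, per-hour count the post asks for, as an added example and not Len's or Postfix's own code: it parses postfix/smtpd "connect from" lines, buckets them by clock hour, and reports IPs whose busiest hour exceeds a threshold, skipping an allowlist of known-good hosts. The threshold, the allowlist and the sample log lines (RFC 5737 documentation addresses) are constructed for the example.

```python
import re
from collections import defaultdict

# Matches postfix/smtpd "connect from host[ip]" lines in syslog format; the
# month/day/hour fields form the bucket, minutes and seconds are ignored.
CONNECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hour>\d{2}):\d{2}:\d{2}\s+"
    r"\S+\s+postfix/smtpd\[\d+\]:\s+connect from\s+\S*\[(?P<ip>[^\]]+)\]"
)

def connects_per_hour(lines):
    """Return {ip: {"Feb 4 22": n, ...}}: smtpd connects per IP per clock hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:  # disconnect lines, anvil statistics, other daemons
            continue
        bucket = f"{m['mon']} {int(m['day'])} {m['hour']}"
        counts[m["ip"]][bucket] += 1
    return {ip: dict(b) for ip, b in counts.items()}

def busiest_hour(counts, ip):
    """(bucket, n) for the clock hour in which `ip` connected most often."""
    return max(counts[ip].items(), key=lambda kv: kv[1])

def over_threshold(counts, max_per_hour, allowlist=()):
    """IPs whose busiest hour exceeds max_per_hour, minus known-good IPs,
    sorted by peak count so the worst offenders come first."""
    hits = []
    for ip in counts:
        if ip in allowlist:
            continue
        bucket, n = busiest_hour(counts, ip)
        if n > max_per_hour:
            hits.append((ip, bucket, n))
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed sample lines (RFC 5737 documentation addresses), not from the post.
SAMPLE_LOG = [
    "Feb  4 22:01:10 im1 postfix/smtpd[45100]: connect from unknown[192.0.2.10]",
    "Feb  4 22:05:33 im1 postfix/smtpd[45101]: connect from unknown[192.0.2.10]",
    "Feb  4 22:05:40 im1 postfix/smtpd[45101]: disconnect from unknown[192.0.2.10]",
    "Feb  4 22:30:44 im1 postfix/smtpd[45103]: connect from mx.example.net[198.51.100.7]",
    "Feb  4 23:02:19 im1 postfix/smtpd[45104]: connect from unknown[192.0.2.10]",
    "Feb  4 23:05:19 im1 postfix/smtpd[45105]: connect from unknown[192.0.2.10]",
    "Feb  4 23:06:19 im1 postfix/smtpd[45106]: connect from unknown[192.0.2.10]",
    "Feb  4 23:40:00 im1 postfix/anvil[45107]: statistics: max connection rate 3/3600s for (smtp:192.0.2.10) at Feb  4 23:06:19",
]
```

Feed it `open("/var/log/maillog")` instead of SAMPLE_LOG to run over a real log; note the bucket is a fixed clock hour, so a burst straddling two hours shows up as two smaller counts rather than the sliding 3600s window anvil reports.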