>
>The rate limit setting of 5.  Is that low?

I don't know yet, trying to come up with some numbers.  Since I'm probably 
more BOFH than most of you (and I admin some egregiously abused, high-volume 
servers; hey, those two points are related!), I'll probably have mine set 
lower.

>   Recommended?

I'm running this:

smtpd_client_connection_rate_limit = 5
client_rate_time_unit = 1800
smtpd_client_connection_limit_exceptions = $mynetworks
client_connection_status_update_time = 60

The README says not to have the _unit too long, as the real-time anvil 
memory could grow quite large for a) long _units and b) high volumes.

Gerry pointed out the SAV perspective for idiot MTAs that have their retry 
interval set ridiculously low.  If they are spammers, great.  If they are 
legit, then we need to watch the SAV (with PTR) reports a little more closely.

Allow 5 connections in 30 minutes?  Sounds low, but no conclusion 
yet.  Those settings, since midnight, give:

%egrep -ic "Too frequent connections" /var/log/maillog
8998

... discos for a server doing these global numbers in the same period:

Grand Totals
------------
messages

    4136   received
    3862   delivered
       0   forwarded
      29   deferred  (91  deferrals)
      48   bounced
   62682   rejected (93%)
    8731   reject warnings
       0   held
     305   discarded (0%)

   69661k  bytes received
   76923k  bytes delivered
    2147   senders
    1185   sending hosts/domains
    1923   recipients
      67   recipient hosts/domains

smtpd

    65406   connections
    12079   hosts/domains
        7   avg. connect time (seconds)
  135:30:22  total connect time


Per-Hour Traffic Summary
     time          received  delivered   deferred    bounced     rejected
     --------------------------------------------------------------------
     0000-0100         548        496          7         10       8669
     0100-0200         455        465         10          8       9094
     0200-0300         451        407          4          4       8210
     0300-0400         465        388         13          5       9772
     0400-0500         390        320         12          3       7842
     0500-0600         457        404         17          8       8110
     0600-0700         531        532         23          6       8142
     0700-0800         636        663          5          4       8973

Mon and Tue, this box was doing 10K - 12K rejects/hour due to the 
novarg/mydoom aftermath, vs. 7K - 9K /hour normally.  So the numbers above 
could be lower due to aftermath decreasing but certainly lower also due to 
anvil discos.

Here's a report of the discos, sorted by IP:

% egrep -i "Too frequent connections" /var/log/maillog | awk '{print $10, $12}' | sort -k2 -rfn | less

the top of which looks like this:

9 221.194.77.144
8 221.194.77.144
7 221.194.77.144
6 221.194.77.144
6 221.194.102.130
10 221.194.77.144
9 221.189.6.56
8 221.189.6.56
7 221.189.6.56
6 221.189.6.56
15 221.189.6.56
14 221.189.6.56
13 221.189.6.56
12 221.189.6.56
11 221.189.6.56
10 221.189.6.56
8 221.163.53.215
7 221.163.53.215
6 221.163.53.215
8 221.12.92.14
7 221.12.92.14
6 221.12.92.14
9 220.96.60.20
8 220.96.60.20
7 220.96.60.20
6 220.96.60.20
11 220.96.60.20
10 220.96.60.20
9 220.249.97.4
9 220.249.97.4
9 220.249.97.4
8 220.249.97.4
8 220.249.97.4

sorted by number of discos:

% egrep -i "Too frequent connections" /var/log/maillog | awk '{print $10, $12}' | sort -rfn | less

gives

85 207.218.165.205
84 207.218.165.205
83 207.218.165.205
82 207.218.165.205
81 207.218.165.205
80 207.218.165.205
79 207.218.165.205
78 207.218.165.205
77 207.218.165.205
76 207.218.165.205
75 207.218.165.205
74 207.218.165.205
73 207.218.165.205
72 207.218.165.205
71 207.218.165.205
70 207.218.165.205
69 207.218.165.205
68 207.218.165.205
67 207.218.165.206
67 207.218.165.205

That is 60+ discos PER 30 MINUTES!!  Clearly an abusive level for the rate of 
attempted deliveries.  Very very nice!

Who is that?  Ah yes, our old friends:

%dig -x 207.218.165.205

;; ANSWER SECTION:
205.165.218.207.in-addr.arpa.  3h44m11s IN PTR  mail5.opinionsurveys.com.

%dig -x 207.218.165.206

;; ANSWER SECTION:
206.165.218.207.in-addr.arpa.  3h38m8s IN PTR  mail6.yourinterestsonly.com.

%dig -x 69.59.179.165

;; ANSWER SECTION:
165.179.59.69.in-addr.arpa.  32m7s IN PTR  mx1.luckydogfreebies.com.

%dig -x 216.180.114.8

;; ANSWER SECTION:
8.114.180.216.in-addr.arpa.  55m3s IN PTR  rbn2-216-180-114-8.adsl.hiwaay.net.
The "Too many connections" (disco) log line doesn't list the PTR/unknown 
(but postfix knows it), so I'm going to ask Wietse to change that log line 
to include it.

This anvil action is precisely an approach I took with my earlier advanced 
scripts, where IPs that sent "too many" rejects/hour won a place in the 
routing table: gateway 127.0.0.1, and got pulled out of the routing table 
every hour if they quit attacking.  Fast attack, slow decay.

It would be easy enough to harvest the anvil rejects and nullroute them, 
which tarpits them, since for each attempt to contact our MX IP they get a TCP 
timeout (which takes many seconds).  With anvil, they achieve a TCP 
connect immediately, but don't get an SMTP greeting, and an immediate TCP 
disco.

Len
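The egrep/awk/sort pipelines above list one row per disconnect, so a heavy hitter shows up dozens of times with a climbing count. As an added example (not Len's code or Postfix's), the script below collapses that to one row per client IP with the number of disconnects and the peak in-window count; the log line layout is assumed from the field positions his awk picks out ($10 = running count, $12 = client IP), and the sample lines are constructed.

```python
"""Aggregate Postfix anvil 'Too frequent connections' warnings per client.

Added example, not part of the original post.  Assumed line layout (from the
awk fields $10 and $12 used in the post):
  <Mon DD HH:MM:SS> <host> postfix/smtpd[<pid>]: warning: Too frequent
  connections: <count> from <client> for service smtp
"""
import re
from collections import defaultdict

# Matches the assumed anvil warning; accepts a bare IP or hostname[ip].
DISCO_RE = re.compile(
    r"warning: Too frequent connections: (?P<count>\d+) from "
    r"(?:\S+\[)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
)

def summarize_discos(lines):
    """Return {ip: (disconnects, peak_count)} for every client in `lines`.

    Postfix logs one warning per refused connection carrying the client's
    running connection count for the current client_rate_time_unit, so an
    abusive IP appears once per disconnect.  One row per IP with the number
    of disconnects and the peak count gives the ranking without the
    repeated rows that sort -rfn on the raw lines produces.
    """
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        m = DISCO_RE.search(line)
        if not m:
            continue  # not an anvil rate-limit warning
        ip, count = m.group("ip"), int(m.group("count"))
        stats[ip][0] += 1
        stats[ip][1] = max(stats[ip][1], count)
    return {ip: tuple(v) for ip, v in stats.items()}

def top_offenders(lines, min_peak=60):
    """Clients whose peak in-window count reached `min_peak`, worst first."""
    summary = summarize_discos(lines)
    hits = [(ip, d, p) for ip, (d, p) in summary.items() if p >= min_peak]
    return sorted(hits, key=lambda t: (-t[2], -t[1], t[0]))

# Constructed sample lines (layout assumed as above; not from a real log).
SAMPLE = [
    "Jan 30 00:01:02 mx postfix/smtpd[101]: warning: Too frequent connections: 6 from 221.194.77.144 for service smtp",
    "Jan 30 00:01:03 mx postfix/smtpd[102]: warning: Too frequent connections: 7 from 221.194.77.144 for service smtp",
    "Jan 30 00:02:00 mx postfix/smtpd[103]: warning: Too frequent connections: 84 from 207.218.165.205 for service smtp",
    "Jan 30 00:02:01 mx postfix/smtpd[104]: warning: Too frequent connections: 85 from 207.218.165.205 for service smtp",
    "Jan 30 00:02:02 mx postfix/smtpd[105]: connect from unknown[10.0.0.9]",
]

if __name__ == "__main__":
    for ip, discos, peak in top_offenders(SAMPLE, min_peak=6):
        print(f"{discos:4d} discos  peak {peak:3d}  {ip}")
```

Feed it a real maillog with `summarize_discos(open("/var/log/maillog"))`; anything whose peak sits far above the configured limit of 5 per 1800 seconds is the list to check against PTR records.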

