On 11/26/16 12:08, Walter Alejandro Iglesias wrote:
> Is there a way to detect on the fly spam attacks like the pasted below
> (maillog)? It seems pf max-src-conn-rate takes into account only the
> "connected" event.
>
> I obscured the recipients. Basically sorted addresses of the same target
> Chinese host.
>
> Nov 26 05:59:42 server smtpd[55880]: 3bcc430eee258cd7 smtp event=connected
> address=119.141.24.19 host=119.141.24.19
> Nov 26 05:59:46 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:49 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:50 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:51 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:52 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:53 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:53 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:54 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<???????@*.com>" result="550 Invalid recipient"
> [...]
> *a hundred or more one-second-frequency entries here*
> Nov 26 06:06:55 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<?????@*.com>" result="550 Invalid recipient"
> Nov 26 06:06:56 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<?????@*.com>" result="550 Invalid recipient"
> Nov 26 06:06:56 server smtpd[55880]: 3bcc430eee258cd7 smtp
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT
> TO:<?????@*.com>" result="550 Invalid recipient"
> Nov 26 06:06:57 server smtpd[55880]: 3bcc430eee258cd7 smtp event=closed
> address=119.141.24.19 host=119.141.24.19 reason=disconnect
You could try configuring spamd(8) with a suitable
/etc/mail/spamd.alloweddomains (listing only the domains you are actually
handling mail for).

And as others have said already, if this is irritating enough, add the
offending IP addresses by hand to a table you're already blocking. (block
with probability just shy of 100% if you're so inclined)

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
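An added example, not code from the thread or from OpenBSD: a small Python detector for the on-the-fly check the question asks about. It reads smtpd log lines in the format quoted above and flags source addresses that accumulate repeated "550 Invalid recipient" failures inside a sliding time window, which is the event pf's max-src-conn-rate does not see. The threshold, window length, year and the sample log are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the OpenSMTPD log lines quoted in the thread: syslog prefix, session id,
# then key=value fields. Everything after the address is kept in 'rest'.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: \S+ smtp '
    r'event=(?P<event>[\w-]+) address=(?P<addr>\S+)(?P<rest>.*)$'
)
INVALID_RCPT = 'result="550 Invalid recipient"'


def find_rcpt_flooders(lines, threshold=10, window_s=60, year=2016):
    """Return {address: peak_count} for sources that accumulate at least
    `threshold` '550 Invalid recipient' failures inside a sliding window
    of `window_s` seconds. Threshold, window and year are assumptions."""
    recent = defaultdict(deque)   # address -> timestamps of recent failures
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group('event') != 'failed-command':
            continue
        if INVALID_RCPT not in m.group('rest'):
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        q = recent[m.group('addr')]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop expired entries
            q.popleft()
        if len(q) >= threshold:
            hits[m.group('addr')] = max(hits.get(m.group('addr'), 0), len(q))
    return hits


# Constructed sample log modelled on the thread (documentation IPs, fake recipient):
# one host fails RCPT TO once a second for 12 seconds, another fails only twice.
def _line(ts, addr, event, rest=""):
    return (f"Nov 26 {ts} server smtpd[55880]: 3bcc430eee258cd7 smtp "
            f"event={event} address={addr} host={addr}{rest}")

FAIL = ' command="RCPT TO:<user@example.com>" result="550 Invalid recipient"'
SAMPLE_LOG = [_line("05:59:42", "198.51.100.7", "connected")]
SAMPLE_LOG += [_line(f"05:59:{43 + i}", "198.51.100.7", "failed-command", FAIL)
               for i in range(12)]
SAMPLE_LOG += [_line("06:00:10", "203.0.113.9", "failed-command", FAIL),
               _line("06:00:30", "203.0.113.9", "failed-command", FAIL),
               _line("06:00:55", "198.51.100.7", "closed", " reason=disconnect")]
```

Running `find_rcpt_flooders(SAMPLE_LOG)` reports only 198.51.100.7; an address it returns can be added to the pf table already used for blocking with `pfctl -t <table> -T add <address>`.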

