On Wed, Feb 27, 2013 at 4:52 PM, Reindl Harald <h.rei...@thelounge.net> wrote:

>
>
> On 27.02.2013 21:45, francis picabia wrote:
> > I had a set of cascading iptables rules to rate limit new connections,
> > but they circumvented this as well.  Based on the IP, there were 5 connections
> > per minute and 15 connections per 5 minutes.  If those were exceeded, iptables
> > would block that IP for 20 minutes.
>
> this is bullshit
>
Thanks for the technical exposé.


> if you were my mail-admin I would call you something
> not friendly - 15 connections and so 15 messages per
> 5 minutes
>
>
The fact is, those rules have been in place for over
a year without any grief for the users (and they would
complain quite liberally).  This only impacts roaming
users, and the count on new connections.  You don't
have enough information to understand our setup, nor do you
have a right to complain!

> thank you if I check my mail in the morning and
> reply to at least 50 of them during my first coffee
>
> things like the following are working much better
> because an average over 30 minutes allows natural
> peaks
>
> anvil_rate_time_unit = 1800s
> smtpd_client_connection_rate_limit = 80
>

This would have done nothing to address the situation I explained.
Each IP connects about once every 2 minutes.


> > Over 390 unique IPs simultaneously sent email at a gradual rate using 3 sets of
> > compromised credentials.
> >
> > I looked at one IP, and it connected 59 times over 2 hours, sending one
> > recipient per email.
> >
> > If that is indicative, then 59 * 390 = 23128 emails.
> >
> > It looks like we need something which limits based on the authenticating sender
> > connection counts, not IP or recipient count
>
> or get rid of users which are compromised
>

You are funny.  They pay the bills.
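
Editor's note: the disagreement above comes down to what the counter is keyed on. The iptables rules and Postfix's anvil limit (smtpd_client_connection_rate_limit, with anvil_rate_time_unit as the window) both count per client IP, so a botnet that spreads one compromised account over hundreds of addresses stays under every per-IP limit while the account itself sends thousands of messages. The following Python is an added illustration, not code from either poster. It replays constructed Postfix smtpd log lines modelled on the numbers in the thread (390 client IPs, one connection every two minutes each for two hours, all authenticating as the same account) and computes the peak connection count per client IP and per sasl_username for each limit mentioned: the 5/minute and 15/5-minute iptables rules and the suggested 80 per 1800s anvil setting. Hostnames, addresses, queue ID and the username are made up.

```python
"""Count SMTP connection peaks per client IP and per authenticated user.

Added example for the thread above (not the posters' code). It replays
constructed Postfix smtpd log lines modelled on the numbers in the thread:
390 client IPs, each connecting about every 2 minutes for 2 hours, all
authenticating as the same compromised account. Hostnames, addresses,
the queue ID and the username are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Postfix smtpd logs an authenticated connection like:
#   Feb 27 19:00:00 mx postfix/smtpd[1234]: 3ZzQ5k1R9: client=unknown[203.0.113.5],
#       sasl_method=LOGIN, sasl_username=victim@example.com
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+?\[(?P<ip>[^\]]+)\].*?sasl_username=(?P<user>\S+)"
)

# Limits from the thread, as (connections allowed, window in seconds):
# the poster's cascading iptables rules and the suggested anvil settings
# (anvil_rate_time_unit = 1800s, smtpd_client_connection_rate_limit = 80).
LIMITS = {
    "iptables 5 per 60s": (5, 60),
    "iptables 15 per 300s": (15, 300),
    "anvil 80 per 1800s": (80, 1800),
}


def parse_records(lines, year=2013):
    """Yield (timestamp, client_ip, sasl_username); syslog lines carry no year."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip lines that are not authenticated smtpd connections
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def peak_in_window(times, window_s):
    """Largest number of events in any half-open window of window_s seconds."""
    times = sorted(times)
    width = timedelta(seconds=window_s)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= width:  # slide the left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def peaks_by(records, field, window_s):
    """Map each client IP (field=1) or username (field=2) to its peak count."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[field]].append(rec[0])
    return {key: peak_in_window(ts, window_s) for key, ts in groups.items()}


def evaluate(lines):
    """For every limit, compare the worst per-IP peak with the worst per-user peak."""
    records = list(parse_records(lines))
    report = {}
    for name, (allowed, window_s) in LIMITS.items():
        ip_peak = max(peaks_by(records, 1, window_s).values())
        user_peak = max(peaks_by(records, 2, window_s).values())
        report[name] = {
            "allowed": allowed,
            "per_ip_peak": ip_peak,
            "per_ip_blocked": ip_peak > allowed,
            "per_user_peak": user_peak,
            "per_user_blocked": user_peak > allowed,
        }
    return report


def constructed_sample(n_ips=390, interval_s=120, duration_s=7200,
                       user="victim@example.com"):
    """Constructed log: n_ips bots sharing one account, each connecting every interval_s."""
    base = datetime(2013, 2, 27, 19, 0, 0)
    lines = []
    for i in range(n_ips):
        # RFC 5737 documentation ranges give more than 390 distinct addresses
        ip = f"203.0.113.{i % 254 + 1}" if i < 254 else f"198.51.100.{i - 254 + 1}"
        t = base + timedelta(seconds=(i * 7) % interval_s)  # stagger the start times
        while t < base + timedelta(seconds=duration_s):
            lines.append(f"{t:%b %d %H:%M:%S} mx postfix/smtpd[1234]: 3ZzQ5k1R9: "
                         f"client=unknown[{ip}], sasl_method=LOGIN, sasl_username={user}")
            t += timedelta(seconds=interval_s)
    return lines


if __name__ == "__main__":
    for name, row in evaluate(constructed_sample()).items():
        verdict = lambda blocked: "blocked" if blocked else "passes"
        print(f"{name}: per-IP peak {row['per_ip_peak']} ({verdict(row['per_ip_blocked'])}), "
              f"per-user peak {row['per_user_peak']} ({verdict(row['per_user_blocked'])})")
```

On the constructed sample every client IP peaks at 1 connection per minute, 3 per 5 minutes and 15 per 30 minutes, so none of the per-IP limits fire, while the single username peaks at 5850 connections in a 30-minute window. Run against a real mail log the same two views (keyed on client IP and keyed on sasl_username) are a quick way to spot this kind of distributed, low-rate abuse of one account; Postfix's anvil only supplies the first view, so the second has to come from log analysis or an SMTP access policy service.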
