On 9 Jun 2015, at 14:39, Matus UHLAR - fantomas wrote:
On 09.06.15 11:29, John Hardin wrote:
Two things that I have found very useful at the MTA level are:
(1) Delay sending your SMTP banner a second or two and reject any
sender that starts sending information before that. This is a
built-in option in Sendmail, google "greet_pause".
even 15...
Based on the implementation in Sendmail on a variety of systems with up
to a few million sessions/day, Postfix's 'postscreen' implementation on
smaller (mostly *much* smaller) sites and CommunigatePro's
implementation on a couple of middling sites, the value of adding
greet_pause time starts dropping fast around 3 seconds and there's no
point going past 5. You can actually start seeing occasional collateral
damage around 10 seconds with some high-volume legitimate senders timing
out their 'first try' runs aggressively. 15 is another breakpoint,
apparently because there is widespread lore in high-speed sending that
says it is not worth waiting any longer for a greeting banner. For
high-volume sites it is also important to understand that SMTP session
lives from SYN-ACK to FIN without a greeting pause are mostly under 10
seconds; adding 3 seconds to that means you must support MANY more
concurrent SMTP connections.
FWIW, the best implementation of fast-talk detection is Postfix's
postscreen. It is optimized to put this and other low-cost exclusion
tricks outside of a relatively heavy smtpd and was designed with an eye
on the many years of demonstration by Sendmail and others of how to
minimize the impact of adding delays. By not delaying clients that have
recently passed a delay, it assures that most of your high-volume
legitimate senders don't contribute to performance issues.
(2) Check the HELO the other guy sends and reject if it's not a FQDN
(i.e. it's not got any periods at all).
or if it's your FQDN, or your IP - they should use their FQDN, not
yours.
And if you don't/can't use a greeting pause, these are useful in
catching many of the bots that fast-talk. Also useful are checks for
improper use of IP HELOs (e.g. unbracketed IPs, not valid "IP literals")
and checking for *.local and *.localdomain HELO args. A handful of
innocent morons run MTAs that use such names, but they tend not to
survive long doing so.
