"Andrea Riela" <[EMAIL PROTECTED]> writes:
> Oden Eriksson wrote:
>> Sunday 08 February 2004 14.45 Eduardo M. Bragatto wrote:
>>> Jeremy Kitchen wrote:
>>>> That could only be done in tcpserver by rate limiting connections by
>>>> IP address, and would also affect legitimate connections made by
>>>> valid users using proper authentication credentials. I'd be mighty
>>>> upset if anyone rate limited my pop3 connections ;)
>>>>
>>> I don't want it at the pop3, I want it on smtpd. Spammers are
>>> hammering my server, sending messages to lots of domains that I'm
>>> hosting. If I could set a limit like 5 simultaneous connections for
>>> each IP address, no one would be able to use all my "slots".
>
> Well, just a question.
> With that patch, could I have problems with mailing lists?
> And, with that patch, I could download from a lot of pop3 accounts, but send
> through only "5" smtp connections, right?
You know, if you use Linux, iplimit (netfilter.org, grab patch-o-matic, patch kernel, recompile, add iptables target) is for exactly this kind of thing. I use it on my mailservers to great effect; it has actually REDUCED SPAM, as combined with qmail tarpitting it causes the bad guys to just give up.

You can say: for netblocks x, allow only y connections at a time to destination netblocks/ports z. This way, I can allow more SMTPS from NATed customers, only one or two from each dialup-pool IP, and crush whole class Cs from the outside world - and have the power to make special exceptions if it irks valid humans. (In response to the obvious question - no, spammers are not humans.)

Stress-tested by me, I vouch for its awesomeness :)

- Erik
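The rule set Erik describes (a higher per-address limit for NATed customers, one or two per dialup address, and a per-/24 cap on everyone else), written out as an added example that is not part of the original thread. The iplimit match he used came from patch-o-matic and took `--iplimit-above` / `--iplimit-mask`; the example uses its in-tree successor, the `connlimit` match, with the same two ideas (a threshold and a prefix mask that decides how addresses are aggregated). The netblocks are constructed placeholders from the RFC 5737 documentation ranges, and the chain name `SMTP_LIMIT` is my own choice. The script only prints the iptables commands unless `APPLY=1` is set, so it can be read and checked without root.

```bash
#!/bin/sh
# Added example, not from the original thread or from the qmail/netfilter
# projects. Per-source limits on concurrent SMTP connections using the
# connlimit match (the in-tree successor of the patch-o-matic iplimit match).
# Netblocks are constructed placeholders (RFC 5737 documentation ranges).

SMTP_PORT=25
CHAIN=SMTP_LIMIT      # hypothetical chain name, my choice

# Reject a new connection from $src once more than $limit connections are
# already open from the same /$mask aggregate. mask 32 = per address,
# mask 24 = the whole class C counts together.
limit_rule() {
    src=$1; limit=$2; mask=$3
    printf 'iptables -A %s -s %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$CHAIN" "$src" "$limit" "$mask"
}

# A netblock that has its own limit must not also fall through to the
# catch-all below, so each special case RETURNs after its own check.
exception_rule() {
    src=$1
    printf 'iptables -A %s -s %s -j RETURN\n' "$CHAIN" "$src"
}

# The full rule set, most specific first. Only SYN packets are sent to the
# chain: connlimit counts established connections, but the decision is
# made when a new one is attempted.
smtp_connlimit_rules() {
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -A INPUT -p tcp --syn --dport %s -j %s\n' "$SMTP_PORT" "$CHAIN"

    limit_rule     198.51.100.0/24 20 32    # NATed customers: 20 per address
    exception_rule 198.51.100.0/24

    limit_rule     203.0.113.0/24   2 32    # dialup pool: 2 per address
    exception_rule 203.0.113.0/24

    limit_rule     0.0.0.0/0        5 24    # rest of the world: 5 per /24
}

# Number of iptables commands generated (used by the check below).
rule_count() {
    smtp_connlimit_rules | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = 1 ]; then
    smtp_connlimit_rules | sh     # needs root; also clears nothing, so run once
else
    smtp_connlimit_rules
fi
```

Because connlimit counts open connections rather than connection attempts, a limit like this does not slow down a single well-behaved client: Andrea's "download from many pop3 accounts" case is untouched (the chain only sees port 25), and a legitimate sender that keeps fewer than the allowed number of SMTP sessions open never hits the REJECT. The tcp-reset reply gives a real MTA a clean failure it will retry later, while a spam engine that opens dozens of parallel sessions from one address or one /24 is cut back to the configured number.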