"Andrea Riela" <[EMAIL PROTECTED]> writes:

> Oden Eriksson wrote:
>> Sunday 08 February 2004 14.45 skrev Eduardo M. Bragatto:
>>> Jeremy Kitchen wrote:
>>>> that could only be done in tcpserver by rate limiting connections by
>>>> IP address, and would also affect legitimate connections made by
>>>> valid users using proper authentication credentials.  I'd be mighty
>>>> upset if anyone rate limited my pop3 connections ;)
>>>> 
>>> I don't want it at the pop3, I want it on smtpd. Spammers are
>>> hammering my server, sending messages to lots of domains that I'm
>>> hosting. If I could set a limit like 5 simultaneous connections for
>>> each IP address, no one would be able to use all my "slots".
>
> well, just a question.
> With that patch, I could have problems with mailing lists?
> And, with that patch, I could download from a lot of pop3 accounts, but send
> through only "5" smtp connections, right?

You know, if you use Linux, iplimit (netfilter.org, grab patch-o-matic, patch
kernel, recompile, add iptables target) is for exactly this kind of thing.
I use it on my mailservers to great effect; it has actually REDUCED SPAM as,
combined with qmail tarpitting, it causes the bad guys to just give up.

You can say:

For netblocks x[],
allow only y connections at a time
to destination netblocks/ports z[].

This way, I can allow more SMTPS from NATed customers, only one or two from
each dialup-pool IP, and crush whole class Cs from the outside world - and
have the power to make special exceptions if it irks valid humans.

(In response to the obvious question - no, spammers are not humans.)

Stress-tested by me, I vouch for its awesomeness :)

- Erik
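The "netblocks x[], y connections at a time, destination ports z[]" policy above, written out as an added example that is not Erik's ruleset. The patch-o-matic match was called iplimit; mainline iptables ships the same idea as `connlimit` (`--connlimit-above N`, `--connlimit-mask BITS`), which is what the script uses. All netblocks, the server address and the limits are constructed placeholders. The script prints the rules by default and only applies them when run with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not from the post): generate netfilter rules that cap
# simultaneous SMTP connections per source address, the iplimit idea,
# expressed with the mainline connlimit match.

SMTP_HOST="192.0.2.25"   # constructed: the mail server's own address

# Print a cap for source block SRC to SMTP_HOST:PORT, counted per /MASK.
# Emits two rules: reject (TCP RST, so the client fails fast) once more
# than LIMIT connections are open from one /MASK, otherwise accept. The
# accept is needed so a block that has its own cap never falls through
# to the stricter catch-all rule at the end of the policy.
# --syn limits the check to new connection attempts; connlimit itself
# counts all currently established connections.
iplimit_rule() {
    src="$1" port="$2" limit="$3" mask="${4:-32}"
    printf 'iptables -A INPUT -p tcp --syn -s %s -d %s --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
        "$src" "$SMTP_HOST" "$port" "$limit" "$mask"
    printf 'iptables -A INPUT -p tcp --syn -s %s -d %s --dport %s -j ACCEPT\n' \
        "$src" "$SMTP_HOST" "$port"
}

# Print an unconditional allow for a source that must never be capped
# (the "special exceptions for valid humans"). It has to come first,
# because iptables stops at the first matching terminating target.
exception_rule() {
    printf 'iptables -A INPUT -p tcp --syn -s %s -d %s --dport %s -j ACCEPT\n' \
        "$1" "$SMTP_HOST" "$2"
}

# The whole policy: netblocks x[] -> at most y concurrent connections -> port z.
smtp_policy() {
    exception_rule 198.51.100.7 25        # constructed: a customer's fixed IP
    iplimit_rule 203.0.113.0/24 25 20     # constructed NATed customer block: many users behind one IP
    iplimit_rule 100.64.0.0/10 25 2       # constructed dialup pool: one or two per address
    iplimit_rule 0.0.0.0/0 25 5 24        # rest of the world: five per /24, not per host
}

# Number of rules the policy emits; a quick sanity check before applying.
policy_rule_count() {
    smtp_policy | wc -l | tr -d ' '
}

# APPLY=1 ./smtp-limits.sh runs the rules; the default only prints them.
if [ "${APPLY:-0}" = "1" ]; then
    smtp_policy | sh
else
    smtp_policy
fi
```

Rule order is the whole design: exceptions first, then the per-block caps (each a reject/accept pair), then the catch-all counted per /24. Swap the order and either the exception never fires or the NATed customers get judged by the outside-world limit.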
