[OT] sendmail equivalent of zmailer's MaxSameIpSource ??

paddy paddy at PANICI.NET
Sat Jan 1 21:04:11 GMT 2005


On Sat, Jan 01, 2005 at 12:14:58PM -0500, Vlad Mazek wrote:
> Probably better than what we're doing, at least for a single server for
> realtime blocking. I did something similar earlier in my career and it
> wasn't pretty - our primary routes went down and I had all the mail
> flowing through a single T1... the server got clogged up with
> attachments,  connections started crawling and I ended up firewalling
> every major ISP in the United States :)
>
> You might want to resolve those addresses too and check against major
> providers. I regularly have a few hundred connections from legit ISPs
> (especially foreign ones) on production servers so you might want to have
> an exclusion list and some sort of a backend db to track these drops
> over time (most of the folks we block are notorious repeat offenders or
> open relays and such).

Vlad,

That is such a cool name. I wish I was called Vlad!

First I should say this:

  I just read the part of the snort FAQ where it points out the dangers of
  combining automated firewalling response with a spoofed source. :)

  I'm not on top of this yet!

  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  !!! PLEASE DO _NOT_ USE THE QUOTED SCRIPT TO FEED YOUR FIREWALL !!!
  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  I have not had time to check that netstat's idea (from /proc/net)
  of a connection is spoof-proof.

That said, I can return to my ordinary verbose conversational manner:

I confess I can't follow this, although the war-story element comes through
loud and clear.

Although I (half-)joke about firewalling the world out of existence, I am
extremely reticent about using such devices, not least because the boxes in
question are in a cupboard 3000 miles away (I must say, the valueweb reboot
service is good).

I _do_, currently, intend to implement a simple 'maximum connections from a
single source' service that allows transactions to continue at that maximum
level from that source, and I plan to post my solution here when I have it,
if for no other reason than you cannot buy peer-review (okay, so I wish to
share :).

It might be better to return a 4xx smtp code, rather than just drop
the connection.  If anyone can explain why this is so, I'm all ears.

Based on a philosophy of limiting the number of connections, rather than
firewalling sources entirely, I see no obvious reason to discriminate
between sources, but I'd happily be persuaded otherwise: all grist to
the mill.

I'm currently looking at the snort related options, to see what I can
learn.

Happy new year!

Regards,
Paddy

> Vlad reminded me that:
> paddy wrote:
>
> >netstat -n | grep :25 | cut -c45-65 | sed 's/:.*//' | sort  | uniq -c |
> >egrep "^ *[0-9]{2}"
> >
> >then I'm thinking, poor man's snort:
> >
> >tcpdump -s0 -w <tracefile> host $IP
--
Perl 6 will give you the big knob. -- Larry Wall
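The per-source count and the "answer 4xx rather than drop" idea discussed in the message above, as an added example that is not code from Paddy or from the list. It parses netstat by whitespace field rather than by fixed column (the `cut -c45-65` in the quoted one-liner breaks as soon as an address is a different width) and counts only ESTABLISHED sockets, which addresses the spoofing worry: a connection with a forged source never completes the three-way handshake, so it stays in SYN_RECV and never inflates the count. It assumes the Linux net-tools `netstat -n` column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State); the netstat output, the addresses (RFC 5737 documentation ranges) and the greeting hostname are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux net-tools
# "netstat -n" output with the columns:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State

# Constructed sample of "netstat -n" output. 198.51.100.7 has three
# established SMTP sessions; 203.0.113.9 has four half-open ones, the
# shape a spoofed-source SYN flood would leave behind.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:25           198.51.100.7:41234      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:41235      ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.7:41236      ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:5555        SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:5556        SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:5557      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:5558        SYN_RECV
tcp        0      0 192.0.2.10:25           192.0.2.77:33001        ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:41300      ESTABLISHED
tcp        0      0 192.0.2.10:41999        198.51.100.7:25         ESTABLISHED'

# smtp_sources_over THRESHOLD  < netstat-output
# Prints "count ip" for every remote address holding at least THRESHOLD
# ESTABLISHED connections to local port 25, busiest first. Only inbound
# sockets count (local port 25); half-open SYN_RECV entries are ignored
# because their source address is unverified.
smtp_sources_over() {
    awk -v thr="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && $4 ~ /:25$/ {
            ip = $5
            sub(/:[0-9]+$/, "", ip)          # drop the remote port
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# smtp_admission IP OPEN MAX
# What the listener should answer a new connection from IP when OPEN
# sessions from it are already active and MAX is the per-source cap.
# Over the cap we send a 421 temporary failure and let the peer close,
# instead of silently dropping: a well-behaved MTA logs the reason and
# retries from its queue, and it does not sit through a connect timeout
# wondering whether the host is down.
smtp_admission() {
    if [ "$2" -ge "$3" ]; then
        printf '421 4.7.0 Too many connections from %s, try again later\r\n' "$1"
    else
        printf '220 mail.example.net ESMTP ready\r\n'   # constructed hostname
    fi
}

# Usage: list sources at or over the cap, then show the two responses.
printf '%s\n' "$SAMPLE_NETSTAT" | smtp_sources_over 3
smtp_admission 198.51.100.7 3 3
smtp_admission 192.0.2.77 1 3
```

Two caveats for running this against a live box. The count is a snapshot, so take it often enough that a burst is seen while it is still open, and keep the response decision at the SMTP layer rather than in the firewall so that an address you have never seen before can only ever cost itself a 421, not a drop rule that also hits the spoofed party. For the sendmail question in the subject line: to my recollection sendmail 8.13 added FEATURE(`conncontrol') with `ClientConn:` entries in the access map, which answers a 421 when the per-source limit is hit; check cf/README for your version before relying on it.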

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
