On Sat, Nov 26, 2016 at 12:08:37PM +0100, Walter Alejandro Iglesias wrote:
> Hello everyone,
> 
> Is there a way to detect on the fly spam attacks like the one pasted below
> (maillog)?  It seems pf max-src-conn-rate takes into account only the
> "connected" event.
> 

There's not much you can do besides adding the offending addresses to a
pf blacklist.


> I obscured the recipients.  Basically sorted addresses of the same target 
> Chinese host.
> 

Been receiving lots of these from Chinese hosts in the last few days too.


> Nov 26 05:59:42 server smtpd[55880]: 3bcc430eee258cd7 smtp event=connected 
> address=119.141.24.19 host=119.141.24.19
> Nov 26 05:59:46 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:49 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:50 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:51 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:52 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:53 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:53 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<???????@*.com>" result="550 Invalid recipient"
> Nov 26 05:59:54 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<???????@*.com>" result="550 Invalid recipient"
> [...] *a hundred or more one-second-frequency entries here*
> Nov 26 06:06:55 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<?????@*.com>" result="550 Invalid recipient"
> Nov 26 06:06:56 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<?????@*.com>" result="550 Invalid recipient"
> Nov 26 06:06:56 server smtpd[55880]: 3bcc430eee258cd7 smtp 
> event=failed-command address=119.141.24.19 host=119.141.24.19 command="RCPT 
> TO:<?????@*.com>" result="550 Invalid recipient"
> Nov 26 06:06:57 server smtpd[55880]: 3bcc430eee258cd7 smtp event=closed 
> address=119.141.24.19 host=119.141.24.19 reason=disconnect
> 

-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
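
Added example, not part of the original messages or of OpenSMTPD: a shell/awk filter that reads maillog lines in the format quoted above and prints each source address once it reaches a number of rejected `RCPT TO` commands, which is the signal that `max-src-conn-rate` does not see. The function names, the default threshold of 5, the pf table name in the comment, and the sample log (documentation addresses) are constructed assumptions.

```shell
#!/bin/sh
# Usage: rcpt_offenders [threshold] < maillog
# Prints each address once, at the moment its count of rejected RCPT TO
# commands (550 replies) reaches the threshold (assumed default: 5).
rcpt_offenders() {
    awk -v max="${1:-5}" '
        /smtp event=failed-command/ && /command="RCPT / && /result="550 / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^address=/) {
                    addr = substr($i, 9)        # strip "address="
                    if (++n[addr] == max) print addr
                }
        }'
}

# Constructed sample in the smtpd log format shown in the thread.
sample_log() {
cat <<'EOF'
Nov 26 05:59:42 server smtpd[55880]: aaaa000000000001 smtp event=connected address=203.0.113.7 host=203.0.113.7
Nov 26 05:59:46 server smtpd[55880]: aaaa000000000001 smtp event=failed-command address=203.0.113.7 host=203.0.113.7 command="RCPT TO:<a@example.com>" result="550 Invalid recipient"
Nov 26 05:59:49 server smtpd[55880]: aaaa000000000001 smtp event=failed-command address=203.0.113.7 host=203.0.113.7 command="RCPT TO:<b@example.com>" result="550 Invalid recipient"
Nov 26 05:59:50 server smtpd[55880]: aaaa000000000001 smtp event=failed-command address=203.0.113.7 host=203.0.113.7 command="RCPT TO:<c@example.com>" result="550 Invalid recipient"
Nov 26 05:59:51 server smtpd[55880]: aaaa000000000001 smtp event=failed-command address=203.0.113.7 host=203.0.113.7 command="RCPT TO:<d@example.com>" result="550 Invalid recipient"
Nov 26 05:59:52 server smtpd[55880]: aaaa000000000001 smtp event=failed-command address=203.0.113.7 host=203.0.113.7 command="RCPT TO:<e@example.com>" result="550 Invalid recipient"
Nov 26 06:01:10 server smtpd[55880]: bbbb000000000002 smtp event=failed-command address=198.51.100.20 host=mail.example.net command="RCPT TO:<typo@example.com>" result="550 Invalid recipient"
Nov 26 06:01:30 server smtpd[55880]: cccc000000000003 smtp event=failed-command address=198.51.100.30 host=198.51.100.30 command="AUTH LOGIN" result="503 5.5.1 Invalid command"
EOF
}

# Only 203.0.113.7 reaches five rejected recipients in the sample.
sample_log | rcpt_offenders

# On a live system the output can feed a pf table that a block rule refers to
# (table name "spammers" is an assumption):
#   rcpt_offenders 20 < /var/log/maillog | xargs pfctl -t spammers -T add
```

A single mistyped recipient from a legitimate sender stays under the threshold, so the threshold should be set above what normal correspondents produce.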
