I would like to second the idea of just rate limiting all port 25
connections instead of blocking. I have a rule set up at 30 sites that
only allows 4 simultaneous client connections, and limits new
connections to 3 every 60 seconds. (Just create an allow rule for SMTP
and look at the advanced options) This allows the occasional user to
send email (most use webmail clients anyway), but limits the damage that
an infected machine can do. The downside is the DoS aspect of this:
one infected client shuts down the ability for everyone else to send
port 25 mail. Customers are not usually there for more than a couple
hours, so it hasn't been an issue yet.
It would be fun to monitor the firewall logs for blocked smtp
connections, and trigger a strobe light when an infected client
connects. Then you could throw the nerf ball of virus infection (or does
that sound bad?) at the most recent customer to connect, for the shaming
effect. That might limit some repeat business though. Or you could
just sell/give them some virus/spyware removal software.
Josh
lartc wrote:
hi all,
thanks for all your thoughts ...
this was actually a case of an unsuspecting microf...ing windblowz user
infected with a fakealert virus -- sending thousands of e-mails.
i'm thinking about creating an `untrusted` subnet on a free pfsense port
and proxying 25 & 465 to a postfix/amavis setup that can rate limit and
reject ...
Try the solution from Untangle. Set it up with spam filtering and as
transparent bridge in between your lan and pfsense.
haven't heard of this, so i'll check it out -- but since i'm running
embedded, my resources are a bit limited.
thanks again
charles
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Lake Agassiz Regional Library - Moorhead MN larl.org
Josh Stompro | Office 218.233.3757 EXT-139
LARL Network Administrator | Cell 218.790.2110
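The rule Josh describes (at most 4 open port-25 connections, at most 3 new ones per 60 seconds) and the collateral DoS he mentions, worked through as an added example that is not code from this thread or from pfSense. The simulation replays a constructed trace of one infected host next to one legitimate client and applies the two limits either as a single shared bucket (the behaviour the post describes, where one spammer starves everyone) or per source address, which is how pf's max-src-conn and max-src-conn-rate state options (the "Advanced options" on a pfSense pass rule) actually count. The host addresses, timings, connection lifetimes and the top_offender() "strobe light" helper are all assumptions made for the example.

```python
"""
Simulation of the SMTP (port 25) rate limit from the post: max 4 open
connections and max 3 new connections per 60 s, counted either in one
global bucket or per source address. Added example; hosts, timings and
limits are constructed, not taken from any real firewall log.
"""
import heapq
from collections import defaultdict, deque


class SmtpLimiter:
    """Accepts or rejects new port-25 connections against the two limits."""

    def __init__(self, per_source, max_concurrent=4, max_new=3, window=60.0):
        self.per_source = per_source
        self.max_concurrent = max_concurrent
        self.max_new = max_new
        self.window = window
        self.open = defaultdict(int)       # bucket -> currently open connections
        self.recent = defaultdict(deque)   # bucket -> accept times inside window
        self.blocked = []                  # (time, src, reason): the "firewall log"

    def _bucket(self, src):
        # Global bucket: everybody shares one quota (the post's situation).
        # Per-source: each client gets its own, like pf's max-src-conn*.
        return src if self.per_source else "*"

    def connect(self, ts, src):
        """Return True if a new connection from src at time ts is allowed."""
        b = self._bucket(src)
        q = self.recent[b]
        while q and ts - q[0] >= self.window:   # expire accepts older than the window
            q.popleft()
        if self.open[b] >= self.max_concurrent:
            self.blocked.append((ts, src, "max-src-conn"))
            return False
        if len(q) >= self.max_new:
            self.blocked.append((ts, src, "max-src-conn-rate"))
            return False
        q.append(ts)
        self.open[b] += 1
        return True

    def disconnect(self, src):
        """A previously accepted connection from src has closed."""
        self.open[self._bucket(src)] -= 1


def run_scenario(per_source):
    """Replay a constructed 3-minute trace: an infected host hammering port 25
    next to one legitimate client. Returns ({src: counts}, blocked_log)."""
    infected, legit = "10.0.0.50", "10.0.0.20"
    # (time, src, lifetime): the bot opens a connection every 2 s and holds
    # each for 70 s (constructed); the real user sends one mail a minute.
    attempts = [(t, infected, 70.0) for t in range(1, 180, 2)]
    attempts += [(t, legit, 5.0) for t in (30, 90, 150)]
    attempts.sort()

    lim = SmtpLimiter(per_source)
    closes = []                                  # heap of (close_time, src)
    stats = defaultdict(lambda: {"accepted": 0, "blocked": 0})
    for ts, src, lifetime in attempts:
        while closes and closes[0][0] <= ts:     # release sessions that ended
            lim.disconnect(heapq.heappop(closes)[1])
        if lim.connect(ts, src):
            stats[src]["accepted"] += 1
            heapq.heappush(closes, (ts + lifetime, src))
        else:
            stats[src]["blocked"] += 1
    return dict(stats), lim.blocked


def top_offender(blocked):
    """The 'strobe light' check: the source with the most blocked attempts."""
    counts = defaultdict(int)
    for _, src, _ in blocked:
        counts[src] += 1
    return max(counts, key=counts.get) if counts else None


if __name__ == "__main__":
    for mode in (False, True):
        stats, blocked = run_scenario(per_source=mode)
        print("per-source" if mode else "global bucket", stats,
              "offender:", top_offender(blocked))
```

With the shared bucket the legitimate client is blocked on all three attempts because the bot keeps the 3-per-60-s allowance permanently exhausted; with per-source counting the same bot is throttled just as hard while the other client sends normally. Either way the blocked-connection log points at the same offender, which is all the strobe light needs.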