
Re: blacklists



On Thu, Dec 09, 2004 at 10:22:24PM -0700, Michael Loftis wrote:
> >if you want to see it, look in http://taz.net.au/postfix/scripts/
> >
> >it's called watch-maillog.pl
>
> One little note about that script, the DROP needs to be changed since
> basically you're DoSing yourself by hanging a bunch of connections

DoS is a huge exaggeration.  a few smtpd processes waiting to timeout does not
constitute a DoS.  neither does a few dozen. 

> because you suddenly start dropping their inbound packets while still
> 'in-flight' as it were. postfix's default timeouts are about 300s, so
> you'll want to turn those down (300s seems too generous to me for most
> of them anyway)

aside from the DoS exaggeration, that is true, but i don't care....or more
accurately, i care more about spammer noise in my logs and the bandwidth that
spammers waste.  i have more than enough smtpd processes, ram, and cpu power
available to cope with a few (or even several dozen) smtpds waiting to time
out.  

i can also cope with the eventual dropped connection messages in the logs -
instead of vaguely annoying me like the spam rejects do, they give me a feeling
of satisfaction that i have in some small way slowed down the spamware by
silently dropping their packets.

the first workable fix i can think of is to DROP only smtp packets with SYN
set, rather than all smtp packets.

alternatively, i could extract the PID of the smtpd process and send it a HUP
at the same time as i created the iptables rule.

if it ever bothered me, i'd do one or the other....but, as i said, it's not
something i care much about.

craig

ps: watch-maillog.pl is a toy that i wrote for my own amusement.  if you like
it, run it or adapt it for your own needs.  if you don't, then ignore it.  i
don't claim that it's good software or even that it's useful.  i wrote it more
as a proof of concept than anything else.

pps: it also monitors TLS connection failures and adds them to
/etc/postfix/tls_per_site (which doesn't seem to be really necessary now, but
they were quite common a few years ago, mainly due to a particularly broken
version of communigate) and it does basic pop-before-smtp (dovecot only because
that's what i run).  these two features are actually useful :)

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
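The SYN-only drop that the message proposes as its first fix, as an added example: this is not watch-maillog.pl or any code from the thread, and the log lines, host names and addresses are constructed. It counts Postfix smtpd rejects per client and shows the all-packets rule beside the SYN-only one; the default prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example (not watch-maillog.pl). Dropping every SMTP packet from a
# client strands the session still in flight until smtpd's timeout fires;
# matching only SYN blocks future connection attempts while the current
# session finishes normally. Set IPTABLES=iptables to apply rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed sample of syslog-format Postfix lines (hosts/IPs made up).
SAMPLE_LOG='Dec  9 22:22:24 taz postfix/smtpd[3301]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; from=<a@example.net> to=<b@example.org> proto=SMTP helo=<x>
Dec  9 22:22:31 taz postfix/smtpd[3301]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; from=<c@example.net> to=<b@example.org> proto=SMTP helo=<x>
Dec  9 22:23:02 taz postfix/smtpd[3305]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 450 4.1.8 Sender address rejected; from=<d@bad.example> to=<b@example.org> proto=ESMTP helo=<mail.example.com>
Dec  9 22:27:25 taz postfix/smtpd[3301]: lost connection after RCPT from unknown[192.0.2.10]'

# Print (sorted) the clients with at least $1 "reject: RCPT from" entries.
# "lost connection" lines, the side effect the thread discusses, are ignored.
rejected_clients() {
    awk -v min="$1" '
        {
            n = index($0, "reject: RCPT from ")
            if (n == 0) next
            rest = substr($0, n + 18)          # text after "reject: RCPT from "
            a = index(rest, "["); b = index(rest, "]")
            if (a == 0 || b <= a) next
            count[substr(rest, a + 1, b - a - 1)]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }' | sort
}

# Rule shape the thread criticises: every SMTP packet from the client is
# dropped, so a session that is already open hangs until the smtpd timeout.
drop_all_rule() {
    $IPTABLES -I INPUT -s "$1" -p tcp --dport 25 -j DROP
}

# Suggested fix: match only connection attempts (--syn: SYN set, ACK/RST/FIN
# clear). The session in progress still gets its packets through, so smtpd
# delivers the reject and the client closes instead of timing out.
drop_syn_rule() {
    $IPTABLES -I INPUT -s "$1" -p tcp --dport 25 --syn -j DROP
}

# Blacklist every client with two or more rejects in the sample.
printf '%s\n' "$SAMPLE_LOG" | rejected_clients 2 | while read -r ip; do
    drop_syn_rule "$ip"
done
```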