Spam autodetect

There is a link in the wiki on how to autodetect spammers:
http://wiki.mikrotik.com/wiki/How_to_detect_infected_or_spammers_users_and_temporary_block_the_SMTP_output

Well, I tried that, and today I had the chance to verify whether it is working, and unfortunately it didn't. Our mail server got full within minutes with thousands of mails. When I saw that, I ran torch on port 25 to see which IP was spamming. Once I identified the external IP, I dropped it with a firewall rule.

This way I stopped the spamming process.
Can anyone improve the above example?

Thanks Toni

I have used that method for detecting infected computers on my network. The values they are using are a little high; I would change the connection-limit to 5,32, which means that any one IP address can open at most 5 SMTP connections at any one time. I didn't bother with the connection rate because most mail spamming programs try to open multiple SMTP connections at once. These settings have proven invaluable in detecting workstation infections but might need to be tweaked for use with a server.

I have noticed that the external IP spamming me yesterday wasn't opening more than two connections at a time; it was using small emails (around 15 KB) and sending approximately 10 emails at once at intervals of nearly 10 seconds.

On the other hand, the mail server inside the LAN does of course use more connections and a higher data rate. So I excluded the mail server from being processed by that rule, and let's see how it will work.

The firewall rules are ok but the script appears “invalid” in my script list.

I haven't adapted the script, because I am more focused on seeing whether the firewall rule is working.
Is there any spam tool to test it, so that I can tune it to my LAN's specifics?
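As an added example (not from the wiki page and not posted by anyone in this thread), here are the two rules from the wiki approach with the tighter connection-limit=5,32 suggested above and the internal mail server exempted, as the previous post describes. The address 192.0.2.10 and the list names "mailservers" and "spammer" are assumed placeholders.

```routeros
# Added example, not from the wiki or the thread. 192.0.2.10 stands for the
# LAN mail server; the list names are placeholders. Adjust to the local network.
/ip firewall address-list
add list=mailservers address=192.0.2.10 comment="Internal mail server, never to be flagged"

/ip firewall filter
# Drop SMTP from any host already on the spammer list (the mail server is not on it).
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="Block listed spammers / infected hosts"
# Any other source that holds more than 5 concurrent SMTP connections (per /32)
# is added to the spammer list for one day and logged so the event can be reviewed.
add chain=forward protocol=tcp dst-port=25 src-address-list=!mailservers connection-limit=5,32 action=add-src-to-address-list address-list=spammer address-list-timeout=1d log=yes log-prefix="smtp-flood" comment="Detect hosts opening too many SMTP connections"
```

Check the result with /ip firewall address-list print and the log; a legitimate relay that lands on the list is the sign that the limit needs raising or the host needs adding to the exemption list.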

Just use an email program like emailbomb and try it for yourself. See if you get banned from your own network :)
Cheers