Hi, just struggling with the same problem. We have own smtp server (ClearOs Linux), but it is not reliable (if it would broke, my brother would not be able to repair it himself, and I am not always available at hand), so that server is not a problem. But then we have users, who request that e.g. gmail (plus cca 8 other well known services) being used, so we have an address list of "allowed_mail_servers", where users have to authenticate, so we allow that.
But - then we are allowed to use our ISPs mail server. I tried to set-up some rules, but so far I am not sure it works reliably:
chain=mail action=add-src-to-address-list protocol=tcp dst-address=x.x.x.x address-list=mail_spammers address-list-timeout=0s dst-port=25 connection-limit=30,32 limit=50,5
And I have some questions:
1) do all viruses/spam malware behave the way, that it opens multiple connections? I mean - is it possible to open one tcp connection to smtp server, and deliver multiple emails? Because if so, then the connection-limit rule might not catch all spam techniques
2) limit= 50, 5 - OK, so I limit by 50 pps. Is that reliable? I mean - 50 packets, even of 1400bytes size = ~ 70 KB of data. So - is 70KB of data delivered per second any good measure for the technique to work reliably?
3) I can see that with newer OSes (I am not working with MT so frequently, so sorry if it is in there for ages
), there is so called dst-limit. My question is - could I use the rule, instead of setting limit + connection limit? Is that the same? I mean - could following rule be used instead?:
chain=mail action=add-src-to-address-list protocol=tcp dst-address=x.x.x.x address-list=mail_spammers address-list-timeout=0s dst-port=25 dst-limit=50,5,addresses-and-dst-port/1m40s
Thanks a lot,