Comments
@dgprasetya
I am listening :P
If iptables is too hard you might ought not be providing vps (or hire a fucking sysadmin).
:LET:
I may be late to the party, but I found a simple and easy way for you to limit the amount of emails being sent. Although our system is proprietary and programmed by ourselves, here is something very similar that would help you in your situation.
If you are using virsh to manage all your KVM instances, or some other form of deployment, edit each .xml and under the "interfaces" put in your target dev (ex. using "test1").
ex. virsh edit vps01
This won't affect the iptables command I am going to tell you at all, but what it will do is create a virtual interface so you may easily add more iptables commands or manipulate what's going through the connection (whether it be through TC - Linux Traffic Control, or ebtables), instead of all traffic going through the default interface of vnet0.
Now the easy part.
Simply throw this in iptables and fill in where it says $IP to whatever IP is set to the VPS. Adjust the limit however necessary.
What the above commands do is limit any new connections through port 25 to 10 per minute. Anything above will result in a dropped packet and the e-mail will simply be deferred and put into queue in whichever e-mail server they are using (postfix, Zimbra, etc). You can adjust the "--limit 10/min" to whatever you deem fit.
You will have to use the commands on the node that the VPS is being hosted on.
If you see a large amount of SMTP traffic, check /var/log/messages and you'll most likely see the SMTP-Drop commands being piled up and what IP it is coming from.
If you want to be transparent to your customers, I would recommend that you tell them that port 25 is being limited, however, port 587 is not. Usually spammers will neglect to use port 587 since it's harder for them to spoof or manipulate the domain it's being sent from.
If you want to automate this, create a bash script or something in Python and hook it to your provisioning / deployment system.
Hope this helps!
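An added example, not part of the post above (the poster's own commands are not on this page): one way to generate the per-VPS port 25 limit with an `SMTP-Drop` log prefix from a provisioning hook. The function names are hypothetical, the IPs are constructed documentation addresses, and it assumes guest traffic passes through the node's FORWARD chain (for bridged guests that requires bridge netfilter to be enabled).

```shell
#!/bin/sh
# Prints iptables commands for review; pipe the output to sh on the node to apply.

# Accept only a strict dotted-quad IPv4 address. The generated text is meant
# to be executed, so anything else (spaces, ';', '$') must be refused.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# smtp_limit_rules IP [NEW_CONNECTIONS_PER_MINUTE]   (default: 10)
smtp_limit_rules() {
    ip=$1
    per_min=${2:-10}
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    case "$per_min" in
        ''|*[!0-9]*|0*) echo "invalid rate: $per_min" >&2; return 1 ;;
    esac
    # Only NEW connections from this VPS to port 25 are counted; packets of
    # already-established SMTP sessions never match these rules.
    match="-s $ip -p tcp --dport 25 -m conntrack --ctstate NEW"
    # 1) within the rate: let the connection through
    echo "iptables -A FORWARD $match -m limit --limit $per_min/min --limit-burst $per_min -j ACCEPT"
    # 2) over the rate: log it so it shows up under the SMTP-Drop prefix
    echo "iptables -A FORWARD $match -j LOG --log-prefix \"SMTP-Drop: \""
    # 3) ...and drop it; the guest's mail server defers and retries later
    echo "iptables -A FORWARD $match -j DROP"
}

# Constructed sample: two VPS addresses from the documentation range.
for vps_ip in 192.0.2.10 192.0.2.11; do
    smtp_limit_rules "$vps_ip"
done
```

The rule order matters: the rate-limited ACCEPT has to come before the LOG and DROP rules, since only connections that fall through it are over the limit.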
That's just awesome!
I already have 'target dev' on each VPS, so all I'm left to do is iptables rules. Now I just hope it will work and no side effect on server load.