add uniq IP restrictions #11

Merged (1 commit) on Dec 27, 2017
Conversation

@kollyma (Contributor) commented Dec 27, 2017

We have blocked several SPAM botnets with this plugin. In addition to the client_uniq_country_login_count filter, we added the client_uniq_ip_login_count filter. This makes the plugin more effective at protecting against smaller or single-country bots.

postfwd configuration:

id=ban_botnet_max_uniq_ip
  sasl_username=~^(.+)$
  client_uniq_ip_login_count > 20
  action=rate(sasl_username/1/10800/421 4.7.1: $$sasl_username: too many messages from different IP addresses, try later.)

@Lirt Lirt merged commit 980ba0b into Vnet-as:master Dec 27, 2017
@Lirt (Collaborator) commented Dec 27, 2017

Hello @kollyma,

thank you for the contribution. The code looks good from your side. I should do some refactoring later and extract functions to keep the code clearer.

Are 20 unique addresses good for production use? What is your experience?

@kollyma (Contributor, Author) commented Dec 28, 2017

Thanks @Lirt !
We have had SPAM attacks in every taste :-). The smaller they are, the more difficult they are to detect. Therefore 20 unique IPs is OK in our case. We started with higher values and decreased them over time to avoid false positives.

@Lirt (Collaborator) commented Jan 7, 2019

Hello again @kollyma,

I cannot find your email address, so maybe you will see this here.

I would like to include an example postfwd configuration for the unique IP address restrictions that you implemented here.

As you can see, this is the current example: https://github.com/Vnet-as/postfwd-anti-geoip-spam-plugin#postfwd-configuration.

Do you also combine country and IP address restrictions? I guess the code below could be good?

# Anti spam botnet rule:
#     This example shows how to limit e-mail address defined by `sasl_username`
#     to be able to login from max. 5 different countries AND max. 20 unique
#     IP addresses (both must match!), otherwise it will be blocked from sending messages.
# How items work:
#     Multiple items of the same type in a rule = OR
#     Items of different types in a rule = AND

&&PRIVATE_RANGES { \
   client_address=!!(10.0.0.0/8) ; \
   client_address=!!(172.16.0.0/12) ; \
   client_address=!!(192.168.0.0/16) ; \
};
&&LOOPBACK_RANGE { \
   client_address=!!(127.0.0.0/8) ; \
};

id=CLIENT_LOGIN_COUNT ; \
    sasl_username=~^(.+)$ ; \
    &&PRIVATE_RANGES ; \
    &&LOOPBACK_RANGE ; \
    incr_client_country_login_count != 0 ; \
    action=jump(BAN_BOTNET)

id=BAN_BOTNET ; \
    sasl_username=~^(.+)$ ; \
    &&PRIVATE_RANGES ; \
    &&LOOPBACK_RANGE ; \
    client_uniq_country_login_count > 5 ; \
    client_uniq_ip_login_count > 20 ; \
    action=rate(sasl_username/1/3600/554 Your mail account ($$sasl_username) was compromised. Please change your password immediately.);

@kollyma (Contributor, Author) commented Jan 21, 2019

Hello @Lirt

Yes, we use it the same way. However, we have different messages if an account is compromised:

id=ban_botnet_country
  sasl_username=~^(.+)$
  client_uniq_country_login_count > 10
  action=rate(sasl_username/1/10800/554 554: $$sasl_username: too many messages from different countries.)

id=ban_botnet_ip
  sasl_username=~^(.+)$
  client_uniq_ip_login_count > 20
  action=rate(sasl_username/1/10800/554 554: $$sasl_username: too many messages from different hosts)
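
Added example, not code from the plugin or from either commenter: a Python re-implementation of the per-sasl_username unique-country and unique-IP counting that both rule sets in this thread rely on, so the difference between Lirt's combined AND rule (BAN_BOTNET, items of different types must all match) and kollyma's two separate rules (ban_botnet_country, ban_botnet_ip) can be checked against constructed logins. The class and function names, the absence of counter expiry, the explicit country argument (the real plugin resolves it via GeoIP) and the sample addresses (RFC 5737 documentation ranges) are assumptions of this sketch; the plugin itself keeps its counters in a database, and the rate() action in the rules supplies the rejection window.

```python
"""Unique-country / unique-IP login counting as used by the postfwd rules in
this thread, re-implemented in Python as an illustration (hypothetical code,
not the plugin's own Perl)."""
import ipaddress
from collections import defaultdict

# Addresses excluded by the &&PRIVATE_RANGES and &&LOOPBACK_RANGE items in the
# rules above: logins relayed from internal webmail or loopback must not
# inflate a user's counters and trigger a false positive.
SKIPPED_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_skipped(ip: str) -> bool:
    """True if the client address falls into a range the rules do not count."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SKIPPED_RANGES)


class UniqLoginCounter:
    """Tracks distinct client IPs and countries per sasl_username.
    Assumption: entries never expire here; a production counter needs a
    time-based cleanup or the sets grow without bound."""

    def __init__(self):
        self._ips = defaultdict(set)
        self._countries = defaultdict(set)

    def record(self, user: str, ip: str, country: str) -> bool:
        """Record one authenticated login; returns False if the address was skipped."""
        if is_skipped(ip):
            return False
        self._ips[user].add(ip)
        self._countries[user].add(country)
        return True

    def counts(self, user: str) -> tuple:
        """(client_uniq_country_login_count, client_uniq_ip_login_count)."""
        return len(self._countries[user]), len(self._ips[user])


def apply_rules(counter: UniqLoginCounter, user: str,
                combined_limits=(5, 20), country_limit=10, ip_limit=20) -> list:
    """Return the ids of the rules that would reject mail for `user`.

    BAN_BOTNET mirrors the combined rule: both thresholds must be exceeded
    (different item types in one postfwd rule are ANDed). ban_botnet_country
    and ban_botnet_ip mirror the two separate rules, each firing on its own.
    """
    countries, ips = counter.counts(user)
    hits = []
    if countries > combined_limits[0] and ips > combined_limits[1]:
        hits.append("BAN_BOTNET")
    if countries > country_limit:
        hits.append("ban_botnet_country")
    if ips > ip_limit:
        hits.append("ban_botnet_ip")
    return hits


def build_sample_counter() -> UniqLoginCounter:
    """Constructed sample logins (documentation ranges, not real traffic)."""
    c = UniqLoginCounter()
    # alice: 25 distinct IPs but only 3 countries -> only the IP rule trips
    for i in range(1, 26):
        c.record("alice", f"198.51.100.{i}", ("DE", "FR", "NL")[i % 3])
    # bob: 12 IPs, one per country -> only the country rule trips
    for i in range(1, 13):
        c.record("bob", f"203.0.113.{i}", f"C{i:02d}")
    # carol: 30 IPs across 8 countries -> combined AND rule and IP rule both fire
    for i in range(1, 31):
        c.record("carol", f"192.0.2.{i}", f"C{i % 8:02d}")
    # dave: 50 logins from the internal LAN -> all skipped, counters stay at 0
    for i in range(1, 51):
        c.record("dave", f"10.20.30.{i}", "XX")
    return c


if __name__ == "__main__":
    counter = build_sample_counter()
    for user in ("alice", "bob", "carol", "dave"):
        print(user, counter.counts(user), apply_rules(counter, user) or "allowed")
```

The constructed cases show why the thread ends up with two separate rules rather than one combined rule: alice (many hosts, few countries) and bob (many countries, few hosts) are both caught only by the separate rules, while the combined AND rule fires solely for carol, whose logins exceed both limits.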

@kollyma kollyma deleted the uniq_ip_restriction branch January 30, 2019 10:33
Lirt added a commit that referenced this pull request Mar 11, 2019