Hi Christian,
a couple of days ago one of our perdition servers exceeded
the 1024 pop3 connections limit configured (normal usage is
about 30-50 parallel connections). It turned out that all
these connections had been eaten up by some customer trying
to pop his email from China and instead of firing off a
connection every 2 minutes things seemed to fail on his end
and groups of 3-6 parallel connects (which failed in turn
again) came hurtling in.
We had this problem with badly configured/behaving clients a while back (with UW IMAP) and
fixed it with some iptables rules:
# Send every new POP3 connection through the pop-monitor chain first
-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW -j pop-monitor
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
###### pop-monitor ######
# New rate limiting to max of three a minute (per source IP)
-A pop-monitor --match hashlimit --hashlimit-name pop --hashlimit 5/minute --hashlimit-burst 3 --hashlimit-mode srcip -j ACCEPT
# Anything over the limit is logged, then rejected
-A pop-monitor -j LOG --log-prefix "POP syn rate too high "
-A pop-monitor -j REJECT
Not perdition-specific, but it's generic enough to cover other software too.
Ian.
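As an added example (not part of Ian's mail), a small POSIX shell helper that summarises the kernel log lines the LOG rule above emits, per source address, so you can see which client is tripping the limit and how often. The log lines are constructed samples in the standard iptables LOG format; the hostname, interface and addresses are assumptions.

```shell
#!/bin/sh
# Constructed sample of what the "POP syn rate too high " LOG rule writes to
# the kernel log (syslog prefix + iptables fields). The last line is an
# unrelated kernel message and must be ignored.
SAMPLE_LOG='Mar  3 10:01:02 mx1 kernel: POP syn rate too high IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=110 SYN
Mar  3 10:01:03 mx1 kernel: POP syn rate too high IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=110 SYN
Mar  3 10:01:04 mx1 kernel: POP syn rate too high IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=110 SYN
Mar  3 10:01:05 mx1 kernel: POP syn rate too high IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51236 DPT=110 SYN
Mar  3 10:01:09 mx1 kernel: POP syn rate too high IN=eth0 OUT= SRC=192.0.2.5 DST=198.51.100.2 PROTO=TCP SPT=33000 DPT=110 SYN
Mar  3 10:01:10 mx1 kernel: POP syn rate too high IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=110 SYN
Mar  3 10:01:11 mx1 kernel: POP syn rate too high IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51237 DPT=110 SYN
Mar  3 10:01:12 mx1 kernel: eth0: link is up'

# Read log lines on stdin; print "count ip" for every source address that
# tripped the LOG rule, most frequent first.
pop_offenders() {
    grep 'POP syn rate too high' |
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{print $1, $2}'
}

# Read log lines on stdin; print only the addresses that were logged at
# least $1 times, i.e. the clients worth contacting or blocking outright.
pop_offenders_over() {
    pop_offenders | awk -v min="$1" '$1 >= min {print $2}'
}

# Stand-alone run: summarise the sample, then list the repeat offenders.
printf '%s\n' "$SAMPLE_LOG" | pop_offenders
printf '%s\n' "$SAMPLE_LOG" | pop_offenders_over 3
```

On a real box replace the sample with `grep 'POP syn rate too high' /var/log/kern.log | pop_offenders` (path is an assumption; it depends on the syslog setup).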