[ On Sunday, February 16, 2003 at 18:47:49 (+0000), Alan J. Flavell wrote: ]
> Subject: Re: [Exim] bouncing viruses
>
> Note that smtp_ratelimit_* facilities don't help if the DoS consists
> of repeated SMTP connections: that rate limit is only effective within
> an individual SMTP call.
I'm not intimately familiar with Exim's smtp_ratelimit_* capabilities,
but I will note that in a generic way controlling the speed at which an
undesirable client can get anything done can indeed often help prevent
that same client from re-connecting again and trying the same stupid
error over again right away. I.e. you let them connect and then string
them out for as long as they'll stay connected. This ultimately uses a
lot less resources than pretty much anything but upstream filtering at
the IP level.
This doesn't help with multiple connects from the same client of course,
but it does raise the bar somewhat.
More sophisticated analysis of interesting events across time, such as
you hinted at next, can help build better mechanisms for controlling
abuse.
> But if you can identify the abuse situation
> that is of concern to you, within an ACL, then you can have exim write
> some data (calling IP, message-id, whatever seems appropriate) to a
> file, and you can subsequently look-up that file and base further
> actions on it.
or send DNS update requests to a suitable private DNS blacklist zone...
Note that most of this kind of information can very safely be kept in
memory too -- it's very volatile anyway.....
> Needs to be done with care, though, or one can easily
> shoot oneself in the foot (would that be called a "double denial of
> service" situation? :-} ).
indeed! ;-)
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>
