Author: Alexander Sabourenkov
Date:
To: Suresh Ramasubramanian
CC: exim-users
Subject: Re: 5xx during / after DATA [was Re: [Exim] bouncing viruses]

Suresh Ramasubramanian wrote:
> On Tuesday, February 18, 2003 5:12 PM [GMT+0530=IST],
> Alexander Sabourenkov <lxnt@???> wrote:
>
>
>>From what I've seen, those that try to send as many messages as
>>possible in given time do not pay attention to what they get as
>>response (and many break protocol synchronization by not waiting
>>for responses) nor if the
>
>
> Domains / IPs which are noted doing this escalate from our access.db /
> rbldns to our firewall deny lists.
Then I suppose you shouldn't have problems with dumb clients retrying after
550 to end of data, as they'll eventually find themselves outright blocked,
if I understood you.
Whether that's acceptable is the question. It all depends on how you
clean up your access.db/rbldns/firewall lists and how many/at what rate identical
failed relay attempts happen.
Wandering off into realms of fantasy, one could come up with a wicked method to
fingerprint messages (or relay attempts) by, say, originating IP(s), HELO/EHLO parameters,
sender and recipient, to use that for temporary blocks.
Say, there is a message that you don't want, but sender host(s) do not pay attention
to rejects after data. Then you can use this 'fingerprint' to block at RCPT TO stage.
Alas, in terms of message count this will produce only somewhat fewer false
positives than an IP-based block after the n-th failure to take reject after DATA into account.
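
The fingerprint idea from the message above, sketched as an added example that is not part of the original post and is not Exim code. The class name, the threshold of 2, the one-hour expiry and the use of SHA-256 are all assumptions made for illustration; the addresses are constructed sample values.

```python
import hashlib
import time

class FingerprintBlocklist:
    """Temporary blocks keyed on (IP, HELO, sender, recipient). Hypothetical helper."""

    def __init__(self, threshold=2, ttl=3600, clock=time.time):
        self.threshold = threshold  # assumed: ignored rejects before blocking
        self.ttl = ttl              # assumed: seconds before an entry expires
        self.clock = clock
        self._seen = {}             # fingerprint -> (count, last_seen)

    @staticmethod
    def fingerprint(ip, helo, sender, rcpt):
        # Lower-casing is a simplification (local parts may be case-sensitive).
        # The NUL separator keeps ("a", "bc") and ("ab", "c") distinct.
        parts = (ip, helo.lower(), sender.lower(), rcpt.lower())
        return hashlib.sha256("\0".join(parts).encode()).hexdigest()

    def _live_count(self, fp):
        count, last = self._seen.get(fp, (0, 0.0))
        if self.clock() - last > self.ttl:
            self._seen.pop(fp, None)  # expired: the block lifts by itself
            return 0
        return count

    def record_data_reject(self, ip, helo, sender, rcpt):
        """Call after a message was refused with 5xx at end of DATA."""
        fp = self.fingerprint(ip, helo, sender, rcpt)
        self._seen[fp] = (self._live_count(fp) + 1, self.clock())

    def reject_at_rcpt(self, ip, helo, sender, rcpt):
        """True if this RCPT TO repeats an attempt refused `threshold` times."""
        fp = self.fingerprint(ip, helo, sender, rcpt)
        return self._live_count(fp) >= self.threshold

def demo():
    now = [0.0]  # fake clock so expiry can be shown without sleeping
    bl = FingerprintBlocklist(threshold=2, ttl=3600, clock=lambda: now[0])
    retry = ("192.0.2.10", "mail.example.net", "a@example.net", "u@example.org")
    other = ("192.0.2.10", "mail.example.net", "b@example.net", "u@example.org")
    bl.record_data_reject(*retry)
    after_one = bl.reject_at_rcpt(*retry)      # below threshold
    bl.record_data_reject(*retry)
    after_two = bl.reject_at_rcpt(*retry)      # blocked at RCPT TO
    same_ip = bl.reject_at_rcpt(*other)        # same host, different sender
    now[0] = 3601.0
    expired = bl.reject_at_rcpt(*retry)        # entry aged out
    return after_one, after_two, same_ip, expired
```

A different sender from the same host is not caught by the fingerprint, which is where it differs from a plain IP-based block.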