Author: Sam Michaels
Date:
To: Exim List
Subject: [Exim] Feature request: intelligent throttling

I have to give Philip Hazel (can I call you Phil?) a big hand for the ACL
checks...it really took the load off the server when handling the zillions
of spam/virus mails.
But the problem still remains....hosts keep incessantly sending virus after
virus after virus after virus. It wastes CPU/memory/bandwidth. While I pat
myself on the back for being able to constantly monitor the reject logs for
big offenders and adding them to the host rejection list, I can't keep doing
it much longer. The normal rate limits don't work because the host doesn't
do it in the same SMTP session.
It'd be nice if there was something similar to smtp_ratelimit_* where the
master process keeps track of things and will set a variable if the
threshold is reached.
In the main config:

    acl_ratelimit_deny = 5,10m,24h

In an ACL...let's say the acl_smtp_connect:

    deny message = Service unavailable
         condition = ${if {$acl_ratelimit_deny_reached}{1}{0}}

'acl_ratelimit_deny' will make $acl_ratelimit_deny_reached be true if the
host received a 'deny' inside ANY of the ACL checks 5 times within 10
minutes and will be active for 24 hours. Once the threshold has been
reached Exim doesn't have to keep track of 'deny' messages, hence the deny
statement in the acl_smtp_connect above won't cause a loop to overflow the
counter with an incessant host.
The reason I'd use it within ACLs is because of the diversity. You could do
it in acl_smtp_connect to just trash the host...you could do it in
acl_smtp_rcpt if you want to see the addresses for logging purposes....you
could add a 'delay' clause...
Obviously you'd need to create another db to keep track of the ratelimits
in case the master process goes down in flames.
You could also create other ones for the various ACL actions:
Other considerations.....include another option in the acl_ratelimit_*
options to wipe out the entire subnet in case of similar hosts. Example:

    acl_ratelimit_deny = 5,10m,24h,255.255.255.0/24

I have 4 hosts constantly sending viruses: 192.168.1.3, 192.168.1.8,
192.168.1.9, 192.168.1.20...that would search for and activate the throttle
for 192.168.1.0/24. Naturally sysadmins would have to be careful that they
don't end up killing off the entire world. I'm sure most would leave this
out so it defaults to single host matching.
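
The throttle requested in this message, modelled as an added example (not part of the original post and not Exim code): a deny counter per host or subnet over a sliding window, a hold period once the threshold is reached, and no further counting while the hold is active. The class and method names are hypothetical, times are plain seconds, and only IPv4 is handled.

```python
import ipaddress
from collections import defaultdict, deque

class DenyThrottle:
    """Model of the proposed acl_ratelimit_deny = count,window,hold[,subnet]."""

    def __init__(self, count=5, window=600, hold=86400, prefix=32):
        self.count, self.window, self.hold, self.prefix = count, window, hold, prefix
        self.denies = defaultdict(deque)   # key -> timestamps of recent denies
        self.blocked_until = {}            # key -> time at which the hold ends

    def _key(self, host):
        # prefix=32 matches a single host; a shorter prefix groups a subnet.
        return ipaddress.ip_network(f"{host}/{self.prefix}", strict=False)

    def reached(self, host, now):
        """Stands in for the proposed $acl_ratelimit_deny_reached variable."""
        key = self._key(host)
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                   # hold period over: forget the entry
            del self.blocked_until[key]
            return False
        return True

    def record_deny(self, host, now):
        """Call whenever any ACL issues a deny for this host."""
        if self.reached(host, now):
            return True                    # already throttled: stop counting
        key = self._key(host)
        q = self.denies[key]
        q.append(now)
        while now - q[0] >= self.window:
            q.popleft()                    # drop denies that left the window
        if len(q) >= self.count:
            self.blocked_until[key] = now + self.hold
            del self.denies[key]           # counter no longer needed
            return True
        return False

def demo():
    # Constructed sample: the four hosts from the message, one deny per minute,
    # grouped as 192.168.1.0/24. The fifth deny trips the throttle.
    t = DenyThrottle(prefix=24)
    hosts = ["192.168.1.3", "192.168.1.8", "192.168.1.9", "192.168.1.20", "192.168.1.3"]
    return [t.record_deny(h, i * 60) for i, h in enumerate(hosts)]
```

Persisting `blocked_until` and `denies` to disk would cover the restart case the message raises.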