On Wed, 2005-05-11 at 20:29 +0100, Tony Finch wrote:
> For those interested in what I'm planning, have a look at this:
>
> http://www.cus.cam.ac.uk/~fanf2/hermes/doc/antiforgery/ratelimit.html
[snip]
> Any feedback is welcomed.
Interesting. A while back (~18 months I'd guess) I asked if anybody had
done any rate limiting to manage compromised senders and no one had. So,
I ended up implementing a moving average filter system, similar to
yours, on our smarthosts.
Our system keeps a moving average value where :
MA(t) = k.MA(t-1) + (1-k).R(t)
Where R(t) is the number of recipients received at time 't'. This value
is stored in a MySQL database. If the sending IP address's MA exceeds a
given value then they are blocked, via a defer, from sending until that
MA has reached (nearly) zero. The MA is kept up-to-date by using some
arithmetic in an SQL query for every time they connect.
This has worked very well. It of course hasn't stopped our smarthosts
receiving lots of UCE and the like, but it does work for damage
limitation. Since we graph the queues et al on our systems we see the
spam building up and remove it manually and then fully block the IP
address until they get it fixed.
Any one that has a legitimate reason to send bulk email gets put on a
white list so that they're excluded from the "reverse grey list" as I
call it.
Jerry.
--
Jerry Nicholls E: Jerry.Nicholls@???
Core & Network Operations Manager W: http://www.zen.co.uk/
Zen Internet Ltd. T: 0845 058 9000
F: 0845 058 9005
