Re: [exim] cross connection message tracking - Was: exim all…

Pàgina inicial
Delete this message
Reply to this message
Autor: Kelley Reynolds
Data:  
A: Exim Mailing List
Assumptes vells: Re: [exim] exim allowed someone to slam my mail server for 3 hours
Assumpte: Re: [exim] cross connection message tracking - Was: exim allowed someone to slam my mail server for 3 hours
On Jun 27, 2005, at 6:27 PM, Peter Bowyer wrote:

> My next enhancement is to count invalid recipients across connections
> from a single IP, and DNSBL the connecting IP once it reaches a
> threshold.
>


One thing we've used with success is using a simple lookup using
SQLite (you can use whatever storage mechanism you want, it's the
same difference) to determine if the last X messages from a host are
failures. A format as simple as (ip, ts) would be sufficient for this
purpose. Whenever a host is denied, toss and entry in there. Whenever
a host is accepted, clean it out. Then at whichever point you feel
like denying mail (like acl_connect or an smtp_max_* expansion), you
can lookup to see whether or not they have had x failures in the last
y minutes. If so, defer (or defer with delay, or deny, or deny and
blacklist, or napalm, whatever makes you happy; we choose defer since
no legit mail will be lost (in theory))

The cleaning of something like this is equally flexible. You can
clean out old entries past Y minutes every time something is added,
every time it's rejected, ever time a random number is > something,
in a cron job, whatever. This kind of thing beats back a DOS or dict
attack awfully quickly.

If you want to be uber swank, you can have a network-accessible data
store and do cross-mx/connection/message/tracking/fu with a local
cache of the lookup results for speeeeeed. Of course, only a madman
would try that....

Kelley Reynolds
President
Inside Systems, Inc.