Re: [exim] Issues with greylisting

Author: David Woodhouse
Date:  
To: Graeme Fowler
CC: exim-users
Follow-ups: Re: [exim] Issues with greylisting - NEW IMPLEMENTATION
Subject: Re: [exim] Issues with greylisting
On Wed, 2010-01-20 at 23:19 +0000, Graeme Fowler wrote:
> Incidentally, yesterday in $dayjob we got hit with what looked like a
> significant botnet hit - in that it started very abruptly but no pattern
> (in terms of connecting IP) could be found.
>
> What really hurt was that the injected messages got through all the
> pre-DATA checks (of which there are many) and hit SpamAssassin, causing
> all 8 cores on 3 MX servers to be completely maxed out. Largely
> speaking, SA timed out (or Exim timed out before SA did) so most of the
> messages got deferred and not scored.
>
> Oddly enough, it stopped very abruptly too. Unfortunately it consumed a
> whole person day mitigating the problem.
>
> So yes, I'd say that CPU is important too (under certain circumstances)!


Thanks for the input.

Perhaps a hybrid approach would be better -- normally, you use SA and
greylist only messages which have _some_ SA points. But if the system
load is above a certain threshold, you fall back to greylist-first to
save CPU.

So you could put your SA magic into a subroutine, then invoke that once
before greylisting if the load is low enough. And again afterwards if it
hasn't been done already...


check_content_spamassassin:
  # Only once per mail: the first pass sets acl_m_sa_attempted, so any later
  # invocation of this ACL accepts immediately without running SA again.
  accept condition = ${if def:acl_m_sa_attempted}

  warn   set acl_m_sa_attempted = true

  # I ripped out some error handling for simplicity. Don't cut and paste this
  # ("nobody:true" always returns true so the $spam_* variables get set;
  # /defer_ok means an unreachable spamd does not defer the message).
  warn   spam = nobody:true/defer_ok
         add_header = X-Spam-Score: $spam_score ($spam_bar)\n\
                      X-Spam-Report: $spam_report
         set acl_m_sa_score = $spam_score_int

  # $spam_score_int is the score multiplied by ten, so 100 means 10.0 points.
  deny   condition = ${if >={$spam_score_int}{100} {1}}
         message = $spam_report
         log_message = Rejected for SA score $spam_score

  # Anything scoring above zero becomes a reason to greylist the message.
  warn   condition = ${if >{$spam_score_int}{0} {1}}
         set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons

  accept


check_sa_early:
  # Don't run SA before greylisting if the system is busy
  # ($system_load is a placeholder; Exim's real variable is $load_average,
  # which holds the load average multiplied by 1000)
  accept condition = ${if >={$system_load}{10} {1}}

  # Or if we have a reason to greylist this mail anyway
  accept condition = ${if def:acl_m_greylistreasons}

  require acl = check_content_spamassassin


acl_smtp_data:
  require acl = check_sa_early
  require acl = greylist_mail
  require acl = check_content_spamassassin

Admittedly, system load isn't the right metric (and isn't $system_load
either but I'm too lazy to look it up right now).

Does this look like a reasonable approach? If so, I'll code it up for
the wiki...

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@???                              Intel Corporation
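A small Python model of the ACL flow in the post above (an added illustration, not part of David's message or of the Exim wiki code): each ACL is a function returning "accept", "defer" or "deny", the DATA ACL chains them with require semantics, and the greylist_mail stand-in is a hypothetical simplification that defers a first contact only when a greylist reason exists. The load threshold, the 100-point reject cut-off and the sample messages are taken from the post or constructed here.

```python
"""Constructed model of the load-adaptive SpamAssassin/greylist ordering.

Not Exim code: it exists to show which checks run, in what order, and how
often SpamAssassin is invoked for a message under low and high load.
"""
from dataclasses import dataclass, field

LOAD_THRESHOLD = 10      # "system busy" cut-off used in check_sa_early
REJECT_SCORE_INT = 100   # $spam_score_int is score*10, so 100 == 10.0 points


@dataclass
class Message:
    spam_score_int: int               # what SA would report (constructed)
    known_to_greylist: bool           # greylist already holds a tuple for it
    greylist_reasons: list[str] = field(default_factory=list)  # from pre-DATA checks
    sa_attempted: bool = False        # models acl_m_sa_attempted
    sa_runs: int = 0                  # how many times SA actually ran
    trace: list[str] = field(default_factory=list)  # order of expensive checks


def check_content_spamassassin(msg: Message) -> str:
    """Run SA at most once per message; reject high scores, record low ones."""
    if msg.sa_attempted:              # accept condition = ${if def:acl_m_sa_attempted}
        return "accept"
    msg.sa_attempted = True
    msg.sa_runs += 1
    msg.trace.append("spamassassin")
    if msg.spam_score_int >= REJECT_SCORE_INT:
        return "deny"
    if msg.spam_score_int > 0:
        msg.greylist_reasons.insert(
            0, f"Message has {msg.spam_score_int / 10} SpamAssassin points")
    return "accept"


def check_sa_early(msg: Message, load: float) -> str:
    """Skip the pre-greylist SA pass when busy or when greylisting is certain."""
    if load >= LOAD_THRESHOLD:        # busy: leave SA until after greylisting
        return "accept"
    if msg.greylist_reasons:          # already a reason to greylist; SA would be wasted
        return "accept"
    return check_content_spamassassin(msg)


def greylist_mail(msg: Message) -> str:
    """Hypothetical stand-in for the thread's greylist_mail ACL."""
    msg.trace.append("greylist")
    if msg.greylist_reasons and not msg.known_to_greylist:
        return "defer"                # first contact with a reason: greylist it
    return "accept"


def acl_smtp_data(msg: Message, load: float) -> str:
    """Chain the three ACLs; 'require' stops at the first non-accept verdict."""
    steps = (
        lambda: check_sa_early(msg, load),
        lambda: greylist_mail(msg),
        lambda: check_content_spamassassin(msg),
    )
    for step in steps:
        verdict = step()
        if verdict != "accept":
            return verdict
    return "accept"


if __name__ == "__main__":
    # Constructed sample messages: (description, message, load)
    samples = [
        ("busy, pre-DATA reason, first contact",
         Message(35, False, ["no reverse DNS"]), 12.0),
        ("quiet, no prior reason, mild SA score",
         Message(35, False), 1.0),
        ("quiet, clean message",
         Message(0, False), 1.0),
        ("busy, known sender, spammy score",
         Message(120, True), 12.0),
    ]
    for desc, msg, load in samples:
        verdict = acl_smtp_data(msg, load)
        print(f"{desc:40} -> {verdict:6} SA runs={msg.sa_runs} order={msg.trace}")
```

The first sample is the case the post is aiming at: under high load a message that earlier checks already want to greylist is deferred without SpamAssassin ever running, while under low load SA runs first and still only once, even though check_content_spamassassin is invoked twice.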