[milters] Archive


Article: 702
From: Anthony Howe
Date: 2005-08-20 11:19:39 -0400
Subject: Re: milter-limit question


E Y wrote:
> I am wondering if milter-limit has the feature that it can limit
> the rate of the envelope recipients specified from a specific IP

milter-limit limits the number of messages by IP, host, MAIL, or RCPT 
for specified time periods. However, it does NOT do real time 
"throttling" or rate control which I think might be more what you are 
looking for.

You should look into Sendmail's rate control by IP:

define(`confCONNECTION_RATE_THROTTLE', 5)
define(`confCONNECTION_RATE_WINDOW_SIZE', 60)

FEATURE(`ratecontrol')
FEATURE(`conncontrol')

I've not really played with it, but essentially you can regulate the 
number of connections (not messages) per IP.

> address.  I have an experience of a spammer/zombie inside that specified a
> batch of recipients in an SMTP connection and then RSET it to send
> another batch of recipients.  Then a zombie connected only once

In this case milter-limit might help since it will monitor at the 
message level during an SMTP transaction:

	milter-limit-from:zombie@example.com	10/30m
or
	milter-limit-connect:192.0.2.77		10/30m

Note that this limits messages, not recipients. It might be an 
interesting enhancement to add limit tags by number of recipients that an 
IP, host, or sender can address in a given time period. So maybe 
something like

	milter-limit-connect:192.0.2.77		10r/15m

Or some such. I'd have to think about that first.

Personally though I would cut off the user's access until a) they 
contact you and b) get their system clean and protected. Something like 
this should be allowed by your EUL.

You might also consider a site wide policy limiting number of RCPT per 
message:

dnl -------------------------------------------------------------------
dnl Allow only N RCPT per message.  Any more generates an error.

define(`confMAX_RCPTS_PER_MESSAGE', 50)

> and still spam out in large until the mail administrator finds out its
> mail server is being blocked by others.  milter-limit will not be much
> useful in this case, I think.  However, if each recipient entered is
> being counted, say 99 recipients per hour, it will protect the mail
> server from spamming too much out and get alert from the milter log.
> 
> make sense?

Yes. I would have to make an enhancement to do this. But the simple solution 
is to block the user. Prevent them from sending any spam or worms so that 
your servers don't get blacklisted.

Also consider blocking IRC ports at the firewall to prevent C&C machines 
from reaching the zombies on your network.

-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

Sendmail Anti-Spam Solutions           http://www.snertsoft.com/
                                             We Serve Your Server
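
Added example (not part of the original message and not milter-limit code): a sketch of the per-recipient limit discussed above, replayed over a constructed session in which one connection sends three batches separated by RSET. The class and function names, the session log, and the 10-per-15-minutes limit are assumptions made for illustration.

```python
from collections import defaultdict, deque

class RecipientLimiter:
    """Sliding-window cap on RCPT TO per client IP, e.g. 10 per 15 minutes."""

    def __init__(self, max_rcpts, window_secs):
        self.max_rcpts = max_rcpts
        self.window = window_secs
        self.seen = defaultdict(deque)  # ip -> timestamps of accepted RCPTs

    def allow(self, ip, now):
        q = self.seen[ip]
        while q and q[0] <= now - self.window:  # forget RCPTs outside the window
            q.popleft()
        if len(q) >= self.max_rcpts:
            return False
        q.append(now)
        return True

def build_session(ip="192.0.2.77", batches=3, per_batch=5):
    """Constructed log: ONE connection, several batches separated by RSET."""
    t, log = 0, [(0, ip, "CONNECT")]
    for b in range(batches):
        cmds = ["MAIL FROM:<zombie@example.com>"]
        cmds += [f"RCPT TO:<user{b}-{r}@example.net>" for r in range(per_batch)]
        cmds += ["DATA", "RSET"]
        for cmd in cmds:
            t += 1  # one command per second
            log.append((t, ip, cmd))
    return log

def replay(log, limiter):
    """Count the same session in each unit a limit could be keyed on."""
    stats = {"connections": 0, "messages": 0, "rcpt_ok": 0, "rcpt_rejected": 0}
    for now, ip, cmd in log:
        verb = cmd.split(":")[0]
        if verb == "CONNECT":
            stats["connections"] += 1
        elif verb == "MAIL FROM":
            stats["messages"] += 1
        elif verb == "RCPT TO":
            key = "rcpt_ok" if limiter.allow(ip, now) else "rcpt_rejected"
            stats[key] += 1
        # RSET changes nothing: the counter is keyed by IP, not by transaction.
    return stats

if __name__ == "__main__":
    print(replay(build_session(), RecipientLimiter(10, 15 * 60)))
```

The session counts as 1 connection and 3 messages, so a connection-rate limit or a 10/30m message limit would not trigger, while the recipient counter stops accepting after the tenth RCPT.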
