[Mimedefang] Feature Addition

Lucas Albers admin at cs.montana.edu
Sat Aug 30 20:35:00 EDT 2003


Dave,
I have an idea for a good feature addition.
Auto-throttle of sites that send too much spam or too many viruses, for a
set period of time.
I was thinking about how to implement this...
If the same relay sends more than x number of (spam|virus) in n amount of
time, set a temporary reject error for n amount of time.

I had a single IP address send me 700 Sobig viruses. And I was trying to
figure out how to stop that single address from occupying connections on
my mail server.

If a site sends me more than 50 viruses in a day, I should reject all mail
from the site for 4 hours between viruses sent...

Problems:
High load sites like aol.com could send x number of viruses in a day quite
easily.

OK, if a site sends 50 viruses in a row, and that is all they send, then
reject mail at the earliest stage in the connection for a set period of
time.

Thinking out loud...
At this very moment I have a mail relay that is sending me a Sobig virus
every 30 seconds, and has sent me about 100 viruses.
Watching the mail logs helps me think about this.

Look at my graphdefang to see what I am saying... 1 site that is sending it all.

http://www.cs.montana.edu/support/spam/
http://www.cs.montana.edu/support/spam/hourly_virus_9value2_stacked_bar.png

This same sort of solution would protect sites that are being hammered by
a single spammer.

So what you really want is some sort of automatic throttling to protect
your mail server from being overwhelmed by a single site that is sending
nothing but spam, or nothing but viruses.
You can add an access entry in, but this requires the operator to notice
the problem.
Anyone else see the problem this solves?
Ideas on a better solution?
Or consideration that there is no better solution without collateral damage?

--Luke
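
The throttling rule proposed in this message, modelled as an added Python example (not part of the original post and not MIMEDefang filter code). The class and method names are hypothetical; the defaults of 50 hits, one day and 4 hours come from the message, and the relay addresses and traffic in `simulate()` are constructed.

```python
from collections import defaultdict, deque

class RelayThrottle:
    """Temp-reject a relay that sends only bad mail: `limit` consecutive
    spam/virus hits inside `window` seconds blocks it for `block` seconds."""

    def __init__(self, limit=50, window=86400, block=4 * 3600):
        self.limit, self.window, self.block = limit, window, block
        self.streak = defaultdict(deque)   # relay IP -> times of consecutive bad mail
        self.blocked_until = {}            # relay IP -> second the block expires

    def check(self, ip, now):
        """Decision at connect time, before any message data is accepted."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return "TEMPFAIL"
            del self.blocked_until[ip]     # block expired; relay starts fresh
        return "CONTINUE"

    def record(self, ip, now, bad):
        """Feed back the scan verdict for one message from this relay."""
        hits = self.streak[ip]
        if not bad:
            hits.clear()                   # clean mail breaks the streak, which
            return                         # spares busy relays with mixed traffic
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()                 # forget hits older than the window
        if len(hits) >= self.limit:
            self.blocked_until[ip] = now + self.block
            hits.clear()

def simulate():
    """Constructed traffic: one relay sends a virus every 30 s, one is mixed."""
    t = RelayThrottle()
    worm, busy = "192.0.2.10", "198.51.100.7"   # documentation-range addresses
    rejected = 0
    for i in range(100):
        now = i * 30
        if t.check(worm, now) == "TEMPFAIL":
            rejected += 1                  # refused at connect, nothing scanned
        else:
            t.record(worm, now, bad=True)
        # busy relay: nine viruses, then one clean message, repeating
        if t.check(busy, now) == "CONTINUE":
            t.record(busy, now, bad=(i % 10 != 9))
    return rejected, t.check(busy, 3000), t.check(worm, 49 * 30 + 4 * 3600)
```

In a real deployment the two dictionaries would need to live in storage shared by all filter processes, since per-process memory would split the counts.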




