[Mimedefang] Rejecting Mails for More Than 3 Unknown Users

Paul Murphy Paul.Murphy at argentadiscovery.com
Wed Mar 28 06:54:25 EDT 2007

>>> imacat <imacat at mail.imacat.idv.tw> 28/03/2007 11:15 >>>
On Tue, 27 Mar 2007 14:35:50 +0100
"Paul Murphy" <Paul.Murphy at argentadiscovery.com> wrote:
> I do it all in MIMEDefang because I want to record the sender and IP
> address into a database with all of my other status information so I
> can report on the prevalence of this sort of attack, and also because
> I want to be able to take action based on persistent dictionary
> attacks, such as firewalling the sending IP address for some time...

>    This sounds interesting, but terrible.  We are already suffering
> from high server load for garbage (we would rather like to suffer from
> high server load for real business or friend mails.)  Now we are talking
> about running a database server for them! :p  My boss will kill me.

I run a database server anyway for SpamAssassin whitelisting, bayes, per-user preferences, and per-user blacklisting (where we have advertising and newsletters coming from several companies who are incapable of providing unsubscribe links or removing addresses from their databases on request, but where the messages are vital to 2 people at our company - the other 20 getting them 5-times daily are not interested).  We also have to archive all messages through the gateway, with a searchable index with sender/recipient/subject/attachment data, all of which I do in MD.   CanIT is also backed up with a database for everything, as it's basically essential for any of the more interesting filtering scenarios and if you need a console/status page to show to the rest of the organisation, especially if users want to view their own traffic history.
Also, when you have a server which is connecting to yours every 30 seconds and spending 25 seconds trying to guess valid user names, you start with bad recipient filtering, then add the bad recipient throttle, and then just get sick of the whole thing and firewall them.  I do that automatically, because my filter can track whether they are persistent idiots or just a one-off.  You'd probably not notice the pattern, or if you did, it would be after several days of slow performance which was difficult to track down and even more difficult to avoid in future.
As for the performance, my system is basically idling, as it only handles 10,000 messages per day in total, of which 75% are rejected as spam, viruses, phishing, or for policy reasons such as too big, bad attachment types, etc.
The best advice anyone will give you is to reject the garbage early to reduce CPU and bandwidth consumption, and being able to spot repeat offenders and get rid of them is one approach to doing that, especially if I can kill the connection quickly and also firewall the offender for a day or more.

Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646
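The escalation Paul describes (reject unknown recipients, throttle an IP once it has tried more than three unknown users, then firewall hosts that keep coming back) as an added Python model of the decision logic. This is not MIMEDefang filter code and is not from the thread; the limits, window lengths, the valid-user list, the sample IP addresses and the `demo()` traffic are constructed assumptions, and a real deployment would keep this state in the database the message mentions rather than in memory.

```python
"""Per-IP unknown-recipient throttle with escalation to a firewall list.

Added example modelling the policy in the message above; not a MIMEDefang
filter.  All thresholds below are assumptions, not values from the thread.
"""

import time
from collections import defaultdict, deque

UNKNOWN_LIMIT = 3      # throttle fires once an IP has tried MORE than this many unknown users
RCPT_WINDOW = 300      # seconds over which unknown-recipient attempts are counted
STRIKE_LIMIT = 3       # throttle trips before an IP is listed for firewalling
STRIKE_WINDOW = 3600   # seconds over which throttle trips ("strikes") are counted


def _prune(events, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while events and now - events[0] > window:
        events.popleft()


class BadRecipientTracker:
    def __init__(self, valid_users):
        self.valid = {u.lower() for u in valid_users}
        self.unknown = defaultdict(deque)   # ip -> timestamps of unknown RCPT TOs
        self.strikes = defaultdict(deque)   # ip -> timestamps of throttle trips
        self.banned = {}                    # ip -> time the firewall decision was made
        self.log = []                       # (time, ip, recipient, decision, reason) for reporting

    def rcpt(self, ip, recipient, now=None):
        """Decide on one RCPT TO.  Returns (decision, reason) where decision is
        'CONTINUE' (deliver), 'REJECT' (unknown user or over the throttle) or
        'FIREWALL' (persistent offender; the caller would add a temporary
        firewall rule as well as rejecting)."""
        now = time.time() if now is None else now
        if ip in self.banned:
            return self._record(now, ip, recipient, "FIREWALL", "persistent dictionary attack")
        if recipient.lower() in self.valid:
            return self._record(now, ip, recipient, "CONTINUE", "ok")

        attempts = self.unknown[ip]
        _prune(attempts, now, RCPT_WINDOW)
        attempts.append(now)
        if len(attempts) <= UNKNOWN_LIMIT:
            return self._record(now, ip, recipient, "REJECT", "unknown user")

        # Throttle tripped: count one strike and reset the attempt window, on the
        # assumption that the caller drops the connection at this point.
        attempts.clear()
        strikes = self.strikes[ip]
        _prune(strikes, now, STRIKE_WINDOW)
        strikes.append(now)
        if len(strikes) >= STRIKE_LIMIT:
            self.banned[ip] = now
            return self._record(now, ip, recipient, "FIREWALL", "persistent dictionary attack")
        return self._record(now, ip, recipient, "REJECT", "too many unknown recipients")

    def _record(self, now, ip, recipient, decision, reason):
        self.log.append((now, ip, recipient, decision, reason))
        return decision, reason

    def firewall_candidates(self):
        """IPs the operator should firewall for a while (sorted for reporting)."""
        return sorted(self.banned)


def demo():
    """Constructed traffic: one valid recipient, a one-off guesser that tries
    five names once, and a host that reconnects every 30 s trying four names."""
    tracker = BadRecipientTracker(["alice@example.com", "bob@example.com"])
    t0 = 1_000_000.0
    legit = tracker.rcpt("192.0.2.10", "Alice@example.com", t0)[0]
    one_off = [tracker.rcpt("198.51.100.7", f"user{i}@example.com", t0 + i)
               for i in range(5)]
    persistent = []
    for conn in range(3):
        for i in range(4):
            persistent.append(tracker.rcpt("203.0.113.5", f"u{conn}{i}@example.com",
                                           t0 + 30 * conn + i))
    return legit, one_off, persistent, tracker.firewall_candidates()


if __name__ == "__main__":
    legit, one_off, persistent, candidates = demo()
    print("legitimate recipient:", legit)
    print("one-off guesser:", [d for d, _ in one_off])
    print("persistent guesser:", [d for d, _ in persistent])
    print("firewall candidates:", candidates)
```

The one-off host ends up with a single strike and is only ever rejected; the host that keeps reconnecting trips the throttle on each connection, collects three strikes within the hour and is moved to the firewall list, which is the "persistent idiot versus one-off" distinction the message relies on. Keyed on the connecting IP rather than the envelope sender, the state survives sender rotation, and the `log` list is where the sender/IP/decision rows for later reporting would come from.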
