Dealing with MailScanner overloads

David dh at UPTIME.AT
Sun Sep 14 14:49:01 IST 2003


On Sunday, September 14, 2003, at 03:19, Ulysees wrote:

>> The only question I have is regarding the relay address as being the
>> right one to block.   For example, I run a primary mail server with my ISP
>> acting as secondary MX.   All my Sobig.F emails went to their mail server,
>> because Sobig.F went for the highest MX value, and then got relayed on to me.
>>
>> This code would then result in me blocking my own fallback MX server, and I
>> think this is not an uncommon situation?
>
> I think this code could be useful, however you would need to be able to
> give it a few hints, eg
> 1000 mails in an hour from othersite.mycorp.com is fine
> 100 mails in an hour from spam.spam.spam.spamity.spam.com is not normal
> behavior & should be blocked.
> really just a black/whitelist which sets a limit on mails per hour from a
> host

Personally I believe that such a system should be implemented at system 
level, yet that might not be possible so MTA level would be the next 
logical step. Since that seems rather difficult I do think doing it
within MailScanner might pose a big advantage. However, do ZMailer,
Exim, Postfix and other MTAs that MailScanner might run with offer a
similar facility to sendmail's access.db?
What has been said above seems also very important to me, especially 
large corporations will see certain characteristics of mail flow from 
specific origins. I was also wondering how one would deal with bursts?

Imagine company X has 2000 users and 1300 of them are on a specific 
mailing list. Every Thursday those users receive a newsletter from said
mailing list. I think that would result in a burst of messages from the
sending host that might get it blocked.
I think it would be safe to assume that this threshold only operates on
infections? Thus hosts which are infected or relaying mail for many
infected clients would get blocked after a certain threshold has been 
reached. That way the example above would not cause any problems 
assuming that the mailing list is virus free.

-d
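
The idea discussed in this message, sketched as an added example that is not part of the original post and not MailScanner code: a per-relay sliding-window counter that counts only infected messages and accepts per-host hints. The host names, the default limit of 100 and the `InfectionThrottle` class are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 3600            # seconds; the thread talks about "mails in an hour"
DEFAULT_LIMIT = 100      # constructed default: infected mails per window
# Constructed per-host hints: None = never block (e.g. your own fallback MX).
LIMITS = {"mx2.isp.example": None, "othersite.mycorp.example": 1000}


class InfectionThrottle:
    """Sliding-window count of *infected* messages per relaying host."""

    def __init__(self, limits=LIMITS, default=DEFAULT_LIMIT, window=WINDOW):
        self.limits, self.default, self.window = limits, default, window
        self.hits = defaultdict(deque)   # relay -> timestamps of infected mail

    def record(self, relay, ts, infected):
        """Record one scanned message; return True if relay should be blocked."""
        q = self.hits[relay]
        if infected:
            q.append(ts)
        # Drop infections that have aged out of the window.
        while q and q[0] <= ts - self.window:
            q.popleft()
        limit = self.limits.get(relay, self.default)
        return limit is not None and len(q) > limit


def simulate():
    t = InfectionThrottle()
    result = {}
    # Thursday newsletter: 1300 clean messages in a burst from one list host.
    result["newsletter"] = any(
        t.record("lists.example.org", 1000 + i, infected=False) for i in range(1300))
    # Fallback MX relaying 500 infected messages: exempt by hint.
    result["fallback_mx"] = any(
        t.record("mx2.isp.example", 1000 + i, infected=True) for i in range(500))
    # Unknown host sending 150 infected messages, one every 10 seconds.
    verdicts = [t.record("host.unknown.example", 1000 + i * 10, infected=True)
                for i in range(150)]
    result["infected_host"] = verdicts.index(True) + 1   # message that tripped it
    # Same host an hour after its last infection: one clean mail, counter aged out.
    result["after_window"] = t.record("host.unknown.example", 2490 + WINDOW, False)
    return result
```

Because clean mail never increments the counter, the newsletter burst passes regardless of volume, and the `None` hint keeps a secondary MX from being blocked for relaying infections that originated elsewhere.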
