IDS options?

Matt Kettler mkettler at EVI-INC.COM
Thu Mar 10 21:23:03 GMT 2005

At 03:43 PM 3/10/2005, Devon Harding wrote:
>Does MailScanner, or Sendmail for that matter, have any IDS functions
>built in where if it sees a swarm of SMTP connections from a
>particular IP or domain, it disables future connections from that IP
>for a set amount of time.   IronMail has this feature.

Hmm, personally, I prefer to do my IPS and/or flood control at the network
layer with a decent firewall.

This way it's a bit more flexible and I can also protect all my servers,
including web, dns and other things, all at the same time. It seems like
re-implementing a solution to the same basic problem in each and every
server program at the application layer is a bit of a waste, not to mention
needing to learn how to configure each and every different server for it.

The Juniper Netscreen does a great job of this. It's the "Source IP Based
Session Limit" in the zone screen.  OpenBSD's PF does it even better with
the max-src-states option to a rule. You might even be able to do something
useful with the limit module for IPTables, but you might need to get a bit
fancy with it as it's not obvious how to do this with limit. Ditto for a
Cisco router with FWFS by adding a rate-limit statement to an ACL.

One thing that is very useful to do at the application layer is protecting
against application specific abuse. One example in sendmail is throttling
off connections which are using a lot of invalid recipients; it cuts off
the Rumpelstiltskin attacks:


Once a connection hits 5 bad recipients, they get throttled back with a 1
second sleep before the server will accept more tries from them.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ ( and
the archives (

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list
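Added example, not part of Matt Kettler's post or of any of the products he names: a small Python model of the two controls the reply describes, the network-layer per-source session/rate limit with a temporary ban (the kind of thing PF's max-src-states / max-src-conn-rate state options with an overload table, or Netscreen's source-based session limit, do in front of every server) and the application-layer bad-recipient throttle (sendmail's confBAD_RCPT_THROTTLE, described in the post as "5 bad recipients, then a 1 second sleep"). The class names, thresholds, the valid-user set and the IP addresses are all constructed for the example; the clock and sleep are injectable so the run is deterministic.

```python
"""Per-source flood control and per-session bad-RCPT throttling (added example)."""
import time
from collections import defaultdict, deque


class SourceLimiter:
    """Cap concurrent sessions and new-connection rate per source IP.
    A source that exceeds the rate is banned for ban_seconds and its
    existing sessions are dropped (like PF's 'overload <table> flush global').
    Thresholds here are illustrative, not vendor defaults."""

    def __init__(self, max_states=10, rate=(15, 30), ban_seconds=300,
                 now=time.monotonic):
        self.max_states = max_states
        self.rate_count, self.rate_window = rate   # N new connections per W seconds
        self.ban_seconds = ban_seconds
        self.now = now
        self.open = defaultdict(int)       # ip -> currently open sessions
        self.recent = defaultdict(deque)   # ip -> timestamps of recent accepts
        self.banned = {}                   # ip -> ban expiry time

    def connect(self, ip):
        """Return True if a new session from ip may be accepted."""
        t = self.now()
        if ip in self.banned:
            if t < self.banned[ip]:
                return False
            del self.banned[ip]
        q = self.recent[ip]
        while q and t - q[0] > self.rate_window:   # expire old timestamps
            q.popleft()
        if len(q) >= self.rate_count:               # rate exceeded: ban + flush
            self.banned[ip] = t + self.ban_seconds
            self.open[ip] = 0
            return False
        if self.open[ip] >= self.max_states:        # too many concurrent sessions
            return False
        q.append(t)
        self.open[ip] += 1
        return True

    def close(self, ip):
        if self.open[ip] > 0:
            self.open[ip] -= 1


class RcptThrottle:
    """Per-SMTP-session throttle: once `threshold` RCPT TO commands have been
    rejected, every further RCPT TO waits `delay` seconds before it is
    answered, which makes dictionary (Rumpelstiltskin) harvesting slow."""

    def __init__(self, valid_users, threshold=5, delay=1.0, sleep=time.sleep):
        self.valid = {u.lower() for u in valid_users}
        self.threshold, self.delay, self.sleep = threshold, delay, sleep
        self.bad = 0

    def rcpt_to(self, address):
        if self.bad >= self.threshold:
            self.sleep(self.delay)
        local = address.split("@", 1)[0].lower()
        if local in self.valid:
            return "250 2.1.5 Recipient ok"
        self.bad += 1
        return "550 5.1.1 User unknown"


class FakeClock:
    """Controllable clock so the demo does not depend on wall time."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Constructed scenario: one source hammering with short-lived SMTP
    connections, one legitimate source, then a recipient-guessing session."""
    clock = FakeClock()
    lim = SourceLimiter(max_states=10, rate=(15, 30), ban_seconds=300, now=clock)
    attacker, legit = "203.0.113.7", "198.51.100.4"   # constructed addresses
    accepted = 0
    for _ in range(20):                       # connect/disconnect storm
        if lim.connect(attacker):
            accepted += 1
            lim.close(attacker)
    legit_ok = lim.connect(legit)             # other sources are unaffected
    banned = not lim.connect(attacker)
    clock.advance(301)                        # ban expires after 300 s
    unbanned = lim.connect(attacker)

    slept = []                                # records each throttle delay
    th = RcptThrottle({"postmaster", "alice"}, threshold=5, delay=1.0,
                      sleep=slept.append)
    guesses = ["aaron", "abby", "abe", "adam", "adele", "alice", "bob", "carl"]
    replies = [th.rcpt_to(f"{g}@example.com") for g in guesses]
    return {"accepted": accepted, "legit_ok": legit_ok, "banned": banned,
            "unbanned": unbanned, "replies": replies, "delays": len(slept)}


if __name__ == "__main__":
    print(demo())
```

In the run, the attacker gets 15 connections through before the rate trips, is refused while banned and admitted again once the ban lapses, the legitimate host is never touched, and the guessing session answers its first five bad RCPTs immediately but pays a one-second delay on every RCPT after that (valid or not). In production the first control belongs in the firewall in front of all servers, as the post argues, and the second is the sendmail knob itself rather than a re-implementation.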