New wiki page

Steve Freegard steve.freegard at fsl.com
Fri Jul 3 09:28:47 IST 2009


Zaeem Arshad wrote:
> Hi Steve,
> 
> On Wed, Jul 1, 2009 at 11:20 PM, Steve Freegard <steve.freegard at fsl.com
> <mailto:steve.freegard at fsl.com>> wrote:
> 
>     - Inspect outbound SMTP traffic for obvious spam signs and reject it
>     before queuing (e.g. as per my last mail:  URIBL_*, DCC, RAZOR2, PYZOR,
>     IXHASH, Bayes, envelope sender from a domain that doesn't belong to you
>     etc.).
> 
> Apart from the URIBL check, the DCC, Razor2, Pyzor and IXHASH checks
> require you to queue the mail before they can be run. I am not sure how
> would one delegate the responsibility to the MTA? And even if one can,
> the time involved in scanning will be considerable opening a DoS attack
> vector.

Queueing !== requiring the entire message to run.

Both Sendmail and Postfix support the milter API, Exim has even far more
wizardry (and can support the milter API as well); all of these can pass
the message body as it is received and can create their own temporary
files as they choose as they are totally separate programs.  They can
then instruct the MTA to send specific SMTP codes and messages.

It's been possible to run SpamAssassin via various interfaces at SMTP
time for ages; milter-spamc, spamass-milter etc. same with ClamAV etc.

Time involved to scan is not considerable at all; a full SA scan
including bayes & network tests takes on average around 3 seconds,
ClamAV is even less - you could even run both concurrently (milter API
is serial at content however).  The SMTP RFC allows for 10 minutes for
DATA termination; however I would limit this to 30-60 seconds maximum to
be on the safe side as this value is frequently tweaked by some sites
(lowest I have seen in the wild is 3 minutes).

There's no more DoS potential in this than with MailScanner (e.g. if you
can get your messages through the MTA, then you can easily fill the
inbound directory to the point it would take more than a reasonable
amount of time to process).  Plus there is loads that can be done to
prevent DoS in all MTAs.

Regards,
Steve.
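The SMTP-time flow Steve describes (a milter-style filter receiving the body as the MTA receives it, then telling the MTA which SMTP reply to send before the message is queued) is sketched below as an added example; it is not code from this thread, from MailScanner or from any milter library. The owned-domain list, the URI blocklist, the size cap and the `toy_scanner` stand-in for a SpamAssassin/DCC-style scan are all constructed for the example; the 30-second budget is the low end of the 30-60 second DATA limit suggested in the mail, and 5.0 is SpamAssassin's default `required_score`.

```python
import concurrent.futures
import re
from dataclasses import dataclass

# Constructed configuration for the example; a real filter reads these from config.
OWNED_DOMAINS = {"example.com", "mail.example.com"}
URI_BLOCKLIST = {"spam-landing.example.net"}   # stand-in for a URIBL lookup
MAX_MESSAGE_BYTES = 10 * 1024 * 1024           # cap on what we will spool per message
SCAN_BUDGET_SECONDS = 30                       # low end of the 30-60 s suggested in the mail
SPAM_THRESHOLD = 5.0                           # SpamAssassin's default required_score


@dataclass(frozen=True)
class Verdict:
    code: int      # SMTP reply code the MTA should send
    status: str    # enhanced status code (RFC 3463)
    text: str


URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def toy_scanner(raw: bytes) -> float:
    """Constructed stand-in for the content scan: scores each body URI whose
    host is on the blocklist. A real deployment would call SpamAssassin/DCC here."""
    hosts = {m.group(1).lower().decode() for m in URL_RE.finditer(raw)}
    return 5.0 * len(hosts & URI_BLOCKLIST)


class OutboundPolicy:
    """Milter-style callbacks; one instance per SMTP transaction."""

    def __init__(self, scanner=toy_scanner, budget=SCAN_BUDGET_SECONDS):
        self.scanner = scanner
        self.budget = budget
        self.chunks = []
        self.size = 0

    def mail_from(self, sender: str):
        # Cheapest check first, at MAIL FROM: only relay for domains we own.
        domain = sender.lower().rpartition("@")[2]
        if domain not in OWNED_DOMAINS:
            return Verdict(550, "5.7.1", f"Sender domain {domain} not permitted to relay")
        return None  # None means: continue the transaction

    def body(self, chunk: bytes):
        # The body arrives in pieces as the MTA receives it. Spool it (in memory
        # here) and cap the size so a client cannot exhaust the filter's storage.
        self.size += len(chunk)
        if self.size > MAX_MESSAGE_BYTES:
            return Verdict(552, "5.3.4", "Message exceeds maximum size")
        self.chunks.append(chunk)
        return None

    def end_of_message(self):
        # Run the expensive scan under a hard time budget. If it overruns,
        # tempfail so the client retries instead of the MTA sitting past its
        # own DATA timeout.
        raw = b"".join(self.chunks)
        executor = concurrent.futures.ThreadPoolExecutor(max_workers=1)
        try:
            score = executor.submit(self.scanner, raw).result(timeout=self.budget)
        except concurrent.futures.TimeoutError:
            return Verdict(451, "4.7.1", "Content scan timed out, try again later")
        finally:
            executor.shutdown(wait=False)
        if score >= SPAM_THRESHOLD:
            return Verdict(550, "5.7.1", "Message rejected: content classified as spam")
        return Verdict(250, "2.0.0", "OK: queued")


def run_transaction(sender: str, chunks, **policy_kwargs) -> Verdict:
    """Drive the callbacks the way an MTA would; the first non-None verdict wins."""
    policy = OutboundPolicy(**policy_kwargs)
    verdict = policy.mail_from(sender)
    if verdict:
        return verdict
    for chunk in chunks:
        verdict = policy.body(chunk)
        if verdict:
            return verdict
    return policy.end_of_message()


if __name__ == "__main__":
    # Constructed sample messages.
    clean = [b"Subject: docs\r\n\r\nSee https://example.com/docs\r\n"]
    spammy = [b"Subject: hi\r\n\r\nClick http://spam-landing.example.net/x\r\n"]
    print(run_transaction("alice@example.com", clean))
    print(run_transaction("alice@example.com", spammy))
    print(run_transaction("mallory@not-ours.example.org", clean))
```

The ordering matters for the DoS point raised in the thread: the envelope-sender check costs nothing and rejects before any body is read, the size cap bounds what is spooled, and only then is the scan run, with a timeout chosen so the filter always answers before the MTA's own DATA timeout fires.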


More information about the MailScanner mailing list