[prev in list] [next in list] [prev in thread] [next in thread] 

List:       info-cyrus
Subject:    Re: Per-user receive rate controls
From:       Michael Fair <michael () daclubhouse ! net>
Date:       2001-10-03 5:52:57
[Download RAW message or body]

This is clearly something that you will want to "add"
to Postfix.

If you do it any later then the initial attempt to
send mail into the users inbox you have not gained
anything as the mail has already gone through the
pipeline.  If you are truly trying to stop resource
consumption (which it seems you are), then you need
to catch it as early in the game as possible which to
me would say if you truly thought this was a good
idea (and it wouldn't be for anything larger than
even a moderate sized number of users as the amount
of data to be tracked for the relatively little gain
is hardly worth it in most cases) you will want
to hack the Postfix daemon to check/update a counter
and timestamp associated to the email address each
time it receives the SMTP RCPT TO command.  This
integration would actually be really useful for
stopping delivery for over quota users as well.

Otherwise, I would either pass it off as anomolous 
hardly worth the resources and engineering efforts
to defend against, and then wait to see if this 
practice actually became a larger nuisance than a 
one time event.  For good measure, now that his account
has been blocked I would send him an email threatening
with abuse of resources and a more stringent quota
as a result and request a response informing me of
the correction within 72 hours.  Check the logs
every so often to see if the end user logs in to 
receive the warning and if not, nuke the account.  
Since the case tends to be that once you are on 
the spam list, you aren't getting off of it, there
will most likely be nothing the end user can do
about it and therefore have their account nuked for
abuse anyway.

Good Luck,
-- Michael --

On Tue, 2001-10-02 at 20:15, Jeremy Howard wrote:
> Sorry for the x-post, but I'm not sure if this is best done by Postfix or
> deliver...
> 
> Last night we had a user sign up who for some reason used their account to
> receive a _lot_ of spam (thousands of messages per minute). I'm curious as
> to why this might happen--any suggestions via private email would be
> welcome. But that's not the purpose of this post...
> 
> What I'd like to do is avoid this happening in the future. I've manually
> added this address with REJECT to check_client_access for now. Now what I'd
> like to do is add something that checks how many messages a user has
> received in the last n minutes, or in some other way is triggered by an
> unusual rate of email to a particular user. I'd want to be able to trigger a
> little script based on this hook, which would automatically add the user to
> our check_client_access table and notify me that something fishy was going
> on. That way my other users won't be effected because Postfix will block the
> deluge of messages early on.
> 
> What would be the easiest way to do this? I could use unix_notify in Cyrus
> to update a table and check rate with a little Perl daemon, but this seems
> like a resource intensive way to do such a simple check... Another extreme
> would be a cron job that checks somehow the message rate--but what log to
> check?
> 
> How are others dealing with this, if at all?
> 
> TIA,
>   Jeremy
> 
> 

[prev in list] [next in list] [prev in thread] [next in thread]