outbound failure limiting - the next phase in the spam war?

From: John Pettitt
Date: Tue May 24 2005 - 14:39:17 EDT

    As outbound port 25 blocking starts to become prevalent among ISPs, the
    zombie armies of spam machines are starting to send via the ISPs'
    outbound mail servers. This is going to make many of the RBL lists
    obsolete, as any per-server filter is too blunt an instrument to filter
    this kind of attack.

    The obvious place to deal with a hijacked client is at the ISP mail
    server; basic rate limiting is one approach. Adaptive rate limiters
    would be better, but they still won't solve the problem and run the risk
    of upsetting legitimate users (the spike in email caused by the party
    invite will always be a problem).

    In another life I wrote credit card fraud detection software. One of the
    lessons from that business was to look at all the available information.
    In an outbound email server it would be really useful to look at the
    failure rate. If a given user's mail was failing much more than the norm,
    that would probably be a good indicator of a problem. Now that we have DSN
    in Postfix, I'd like to suggest another feature: an interface similar to
    the policy daemon interface, that is called when a message fails.
    Obviously Postfix would do nothing more than notify the policy daemon
    that the message failed and pass on the DSN info. However, the
    listening daemon could use that information to trigger alerts and/or
    rate limits on mail from that outbound user. The interface would need to
    pass the message headers and DSN info, and the heavy lifting of
    figuring out what to do with it would reside in the policy daemon.

    N.B. You can do this, sort of, by log watching, but it is less than

    Before I go write a patch to do this are there any comments? Good idea?
    Bad idea? Why?
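As an added illustration of the proposal above (this is example code, not from the post and not part of Postfix), here is a sketch of the "heavy lifting" side: a policy daemon that consumes the real Postfix `request=smtpd_access_policy` records on every submission and a hypothetical `request=delivery_failure` record of the kind the post proposes, keeps a sliding window of submissions and bounces per SASL user, and defers a user whose failure rate runs well above the population norm. The `delivery_failure` request type, its `dsn_status` attribute, the threshold values and the traffic in `simulate()` are all assumptions made for the example.

```python
"""Hypothetical failure-rate policy daemon (added example, not Postfix code).

The "request=smtpd_access_policy" records use the real Postfix policy
delegation format (key=value lines ending in a blank line, "action=..." reply).
The "request=delivery_failure" record is the interface the post proposes and
does NOT exist in Postfix; its attributes are assumed for this example.
"""
from collections import defaultdict, deque
from statistics import median


def parse_policy_request(text):
    """Parse one policy request: key=value lines terminated by a blank line."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


class FailureRateTracker:
    """Sliding-window submission and bounce counts per user, judged against the norm."""

    def __init__(self, window=3600, min_failures=5, ratio_factor=3.0, floor=0.02):
        self.window = window              # seconds of history kept per user (assumed)
        self.min_failures = min_failures  # too few bounces to judge anyone (assumed)
        self.ratio_factor = ratio_factor  # flag above this multiple of the norm (assumed)
        self.floor = floor                # lower bound on the norm for a very clean population
        self.sent = defaultdict(deque)    # user -> timestamps of accepted submissions
        self.failed = defaultdict(deque)  # user -> timestamps of delivery failures

    def _prune(self, user, now):
        for q in (self.sent[user], self.failed[user]):
            while q and now - q[0] > self.window:
                q.popleft()

    def rate(self, user, now):
        """Bounces per accepted submission inside the window; 0.0 if nothing was sent."""
        self._prune(user, now)
        sent = len(self.sent[user])
        return len(self.failed[user]) / sent if sent else 0.0

    def norm(self, now):
        """Median per-user rate: one zombie cannot drag the norm up the way a mean would."""
        rates = [self.rate(u, now) for u in list(self.sent) if self.sent[u]]
        return max(median(rates) if rates else 0.0, self.floor)

    def assess(self, user, now):
        """Verdict for a new submission: rate limit only on failure *rate*, not on volume."""
        rate = self.rate(user, now)  # also prunes the window
        if len(self.failed[user]) < self.min_failures:
            return "DUNNO"
        if rate > self.ratio_factor * self.norm(now):
            return "DEFER_IF_PERMIT 4.7.1 Outbound failure rate too high"
        return "DUNNO"

    def handle(self, request_text, now):
        """Answer one request with the reply format Postfix policy clients read."""
        attrs = parse_policy_request(request_text)
        user = attrs.get("sasl_username") or attrs.get("sender", "")
        kind = attrs.get("request")
        if kind == "smtpd_access_policy":      # real request: consulted at submission time
            verdict = self.assess(user, now)
            if verdict == "DUNNO":             # only accepted mail counts as sent
                self.sent[user].append(now)
            return f"action={verdict}\n\n"
        if kind == "delivery_failure":         # hypothetical request: the proposed DSN hook
            self.failed[user].append(now)
            return "action=DUNNO\n\n"
        return "action=DUNNO\n\n"


def simulate():
    """Drive the daemon with constructed traffic; return tracker, clock and final verdicts."""
    tracker = FailureRateTracker()
    now = 1_000_000  # arbitrary epoch seconds

    def session(user, messages, bounces):
        nonlocal now
        for i in range(messages):
            now += 1
            reply = tracker.handle(
                f"request=smtpd_access_policy\nsasl_username={user}\n"
                f"sender={user}@example.net\nrecipient=someone@example.org\n\n", now)
            if reply.startswith("action=DUNNO") and i < bounces:
                now += 1  # the bounce comes back later; only accepted mail can bounce
                tracker.handle(
                    f"request=delivery_failure\nsasl_username={user}\n"
                    f"sender={user}@example.net\ndsn_status=5.1.1\n\n", now)

    for user in ("alice", "carol", "dave", "erin"):
        session(user, 20, 1)    # ordinary users with the occasional mistyped address
    session("frank", 200, 3)    # the party invite: big volume spike, normal failure rate
    session("bob", 40, 40)      # zombie: every message bounces
    return tracker, now, {u: tracker.assess(u, now) for u in ("alice", "frank", "bob")}
```

In the constructed traffic the zombie is deferred after its fifth bounce while the 200-message party invite passes untouched, which is the point of keying on failure rate rather than on volume; the median norm keeps the zombie's own 100% bounce rate from inflating the baseline it is compared against.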


