Kelsey Cummings
kgc@sonic.net
Fri May 21 16:30:22 UTC 2004
On Thu, May 20, 2004 at 07:19:31AM -0600, Vernon Schryver wrote:
> > From: Kelsey Cummings
>
> > After deploying dccm for outbound bulk detection it's become clear that
> > there is one feature that we'd really like to see. It would be very handy
> > if we were able to control the log/reject thresholds in a similar fashion
> > to the existing whitelist files. This would allow us to change the limits
> > based on source addresses (IP or envelope) to allow for more flexible
> > configuration. We are short on developer time now but might be able to
> > provide patches if there is interest in the feature. I don't see how it
> > would be useful for anything but outbound mail processing.
>
> Where would those additional per-send values be stored? Currently
> dccm has space only for a choice among OK, OK2, and MANY for each
> SMTP client value including HELO, IP address, and envelope and header
> from values.

I'm not sure. Presumably it would require some substantial hacking into
the existing 'whitelist' structures.

> Whitelist values of "OK" or nothing for a sender IP address can be used
> for a boolean reject threshold. Do you need more than that? For
> detecting and stopping "trojaned" systems or other spamming customers,
> why do you need more than one threshold? I can see the utility of
> finer control than "trust this user implicitly" vs. a global threshold
> for billing and accounting, but do you really need fine controls for
> stopping outgoing spam?

Here's my situation. I've only been able to get a rather high limit (1000
messages) on my outbound servers due to the surprising number of clients
that I have sending list traffic off of their own machines. As much as
I'd like to change this behavior it will be difficult to do without
gathering a lot of ill-will from long time customers. These people can,
of course, be whitelisted but the lower I set the limit the more
customers I'll be affecting and the more administrative upkeep I'll have
to do.

The rub is that I'd also like to push my webservers' outbound mail through
the same servers. Most of the spam that gets sourced off our network is
currently coming from exploited customer CGI. It would be very nice if I
could define a reject level for mail sourced from the webservers at 10,
or 20 which would have a pronounced effect at dropping outbound spam.

One way to accomplish this would be to define classes of users/hosts that
have differing thresholds. Untrusted, with a very low limit, trusted,
with a reasonable limit for 'normal' use within our AUP, and Whitelisted,
for allowed bulk senders.

Of course, I can also install a fourth private DCC server group for the
webservers and set up a dedicated outbound mail cluster for them.

--
Kelsey Cummings - kgc@sonic.net      sonic.net, inc.
System Administrator                 2260 Apollo Way
707.522.1000 (Voice)                 Santa Rosa, CA 95407
707.547.2199 (Fax)                   http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896
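An added sketch, not part of the original message and not dccm code: the three sender classes proposed above, modelled as a most-specific-prefix lookup on the SMTP client address with a per-class log/reject threshold. The address ranges, the log values, the default class and all function names are assumptions made for illustration; only the reject limits of 20 and 1000 come from the message.

```python
import ipaddress

# class -> (log_at, reject_at); None means never reject on bulk count.
# Reject limits follow the message; the log values are assumed.
CLASS_LIMITS = {
    "untrusted": (10, 20),
    "trusted": (500, 1000),
    "whitelisted": None,
}
DEFAULT_CLASS = "trusted"  # assumed: unknown senders keep the global limit

# Constructed sample policy using documentation address ranges.
POLICY = [
    ("192.0.2.0/24", "trusted"),        # ordinary customer pool
    ("192.0.2.64/28", "untrusted"),     # web servers running customer CGI
    ("192.0.2.200/32", "whitelisted"),  # approved mailing-list host
]


def build_table(policy):
    """Parse the policy and order it so the most specific prefix wins."""
    table = []
    for cidr, cls in policy:
        if cls not in CLASS_LIMITS:
            raise ValueError(f"unknown sender class: {cls}")
        table.append((ipaddress.ip_network(cidr), cls))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def classify(table, client_ip):
    """Return the sender class for an SMTP client address."""
    addr = ipaddress.ip_address(client_ip)
    for net, cls in table:
        if addr in net:
            return cls
    return DEFAULT_CLASS


def verdict(table, client_ip, bulk_count):
    """Map (client address, reported bulk count) to accept/log/reject."""
    cls = classify(table, client_ip)
    limits = CLASS_LIMITS[cls]
    if limits is None:
        return cls, "accept"
    log_at, reject_at = limits
    if bulk_count >= reject_at:
        return cls, "reject"
    if bulk_count >= log_at:
        return cls, "log"
    return cls, "accept"
```

With this policy a message from the web-server range is rejected at a count of 20, while the same count from an ordinary customer address is accepted.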