dccm feature request

Kelsey Cummings kgc@sonic.net
Fri May 21 16:30:22 UTC 2004


On Thu, May 20, 2004 at 07:19:31AM -0600, Vernon Schryver wrote:
> > From: Kelsey Cummings 
> 
> > After deploying dccm for outbound bulk detection it's become clear that
> > there is one feature that we'd really like to see.  It would be very handy
> > if we were able to control the log/reject thresholds in a similiar fashion
> > to the existing whitelist files.  This would allow us to change the limits
> > based on source adressess (IP or envelope) to allow for more flexible
> > configuration.   We are short on developer time now but might be able to
> > provide patches if there is interest in the feature.  I don't see how it
> > would useful for anything but outbound mail processing.
> 
> Where would those additional per-send values be stored?  Currently
> dccm has space only for a choice among OK, OK2, and MANY for each
> SMTP client value including HELO, IP address, and envelope and header
> from values.

I'm not sure.  Presumably it would require some substantial hacking into
the existing 'whitelist' structures.

> Whilelist values of "OK" or nothing for a sender IP address can be used
> for a boolean reject threshold.  Do you need more than that?  For 
> detecting and stopping "trojaned" systems or other spamming customers,
> why do you need more than one threshold?  I can see the utility of
> finer control than "trust this user implicitly" vs. a global threshold
> for billing and accounting, but do you really need fine controls for
> stopping outgoing spam?

Here's my situation.  I've only be able to get a rather high limit (1000
messages) on my outbound servers due to the suprising number of clients
that I have sending list traffic off of their own machines.  As much as I'd
like to change this behavior it will be dificult to do without gathering
alot of ill-will from long time customers.  These people, can, of course,
be whitelisted but the lower I set the limit the more customer I'll be
affecting and the more administritive upkeep I'll have to do.

The rub is that I'd also like to push my webservers outbound mail
through the same servers.  Most of the spam that gets sourced off our
network is currently coming from exploited customer CGI.  It would be very
nice if I could define a reject level for mail sourced from the webservers
at 10, or 20 which would have a pronounced affect at dropping outbound
spam.

One way to accomplish this would be to define classes of users/hosts that
have differing thresholds.  Untrusted, with a very low limit, trusted, with
a reasonable limit for 'normal' use within our AUP, and Whitelisted, for
allowed bulk senders.  Of course, I can also install a fourth private DCC
server group for the webservers and setup a dedicated outbound mail cluster
for them.

-- 
Kelsey Cummings - kgc@sonic.net           sonic.net, inc.
System Administrator                      2260 Apollo Way
707.522.1000 (Voice)                      Santa Rosa, CA 95407
707.547.2199 (Fax)                        http://www.sonic.net/
Fingerprint = D5F9 667F 5D32 7347 0B79  8DB7 2B42 86B6 4E2C 3896



More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.