Marc Chametzky | 28 Mar 2012 03:09

Re: Metermaid & Slowing a Spammer with credentials

You're using MeterMaid in your PORT_ACCESS mapping. That means that the 
probe to throttle the connections will be done at the time the 
connection is established. Since all of these enqueues happened over the 
period of about one and a half seconds, I'm thinking that they were the 
result of a single connection with multiple SMTP transactions within 
that connection.

If you want to throttle based on SMTP transactions, then you can use a 
FROM_ACCESS mapping instead.

You could do both, but then you'd double-count the first transaction 
within a connection (assuming you were to use the same table; using 
different throttle tables would avoid that problem).

--Marc
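
Added example, not part of the original thread and not MeterMaid's own code: a small Python model of the point above, replaying one connection that carries 20 SMTP transactions in 1.5 seconds against a connection-time probe, a per-transaction probe, and both. The fixed-window counter, the quota of 5 per 60 seconds, the reject-on-excess behaviour and the sample address are assumptions made for illustration.

```python
from collections import defaultdict

class ThrottleTable:
    """Assumed model: fixed-window counter keyed by client IP."""
    def __init__(self, quota, period):
        self.quota, self.period = quota, period
        self.windows = defaultdict(lambda: [0.0, 0])  # key -> [window_start, count]

    def probe(self, key, now):
        """Count one event; return True while the key is within quota."""
        win = self.windows[key]
        if now - win[0] >= self.period:
            win[0], win[1] = now, 0
        win[1] += 1
        return win[1] <= self.quota

def replay(connections, port_table=None, from_table=None):
    """connections: list of (ip, connect_time, [MAIL FROM times]).
    port_table is probed once per connection (PORT_ACCESS stage),
    from_table once per transaction (FROM_ACCESS stage).
    Returns the number of messages accepted."""
    accepted = 0
    for ip, t_conn, mail_times in connections:
        if port_table and not port_table.probe(ip, t_conn):
            continue  # whole connection refused
        for t in mail_times:
            if from_table and not from_table.probe(ip, t):
                continue  # only this transaction refused
            accepted += 1
    return accepted

# Constructed sample: one connection, 20 transactions over about 1.5 seconds.
IP = "192.0.2.10"  # documentation-range address, not from the thread
BURST = [(IP, 0.0, [i * 0.075 for i in range(20)])]

def port_only():
    return replay(BURST, port_table=ThrottleTable(5, 60))

def from_only():
    return replay(BURST, from_table=ThrottleTable(5, 60))

def both_shared():
    shared = ThrottleTable(5, 60)  # connection probe uses up one slot
    return replay(BURST, port_table=shared, from_table=shared)

def both_separate():
    return replay(BURST, port_table=ThrottleTable(5, 60),
                  from_table=ThrottleTable(5, 60))

if __name__ == "__main__":
    print(port_only(), from_only(), both_shared(), both_separate())
```

In this model the connection-time probe alone lets the whole burst through, the per-transaction probe caps it at the quota, and sharing one table between both stages costs the first transaction an extra count.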

John Goubeaux | 28 Mar 2012 06:16

Re: Metermaid & Slowing a Spammer with credentials

Thanks Marc,

Yes, this is apparently the situation, e.g. single connections where 
multiple msgs were sent.

I will add a "throttle" to the FROM_ACCESS mapping table as suggested BUT

Do I want to configure this new throttle to be on the tcp_auth OR 
tcp_local src-channel?

-john

21-Mar-2012 12:18:26.40 tcp_auth     tcp_local    EEA 4 customer-service@... rfc822;a.barnesm.d@... a.barnesm.d@... User ([78.47.65.198]) 'system:, keep'
21-Mar-2012 12:18:26.40 tcp_auth     tcp_local    EEA 4 customer-service@... rfc822;a.elders@... a.elders@... User ([78.47.65.198]) 'system:, keep'

On 3/27/2012 6:09 PM, Marc Chametzky wrote:
> You're using MeterMaid in your PORT_ACCESS mapping. That means that 
> the probe to throttle the connections will be done at the time the 
> connection is established. Since all of these enqueues happened over 
> the period of about one and a half seconds, I'm thinking that they 
> were the result of a single connection with multiple SMTP transactions 
> within that connection.
>
> If you want to throttle based on SMTP transactions, then you can use a 

Marc Chametzky | 28 Mar 2012 17:56

Re: Metermaid & Slowing a Spammer with credentials

> Yes, this is apparently the situation, e.g. single connections where 
> multiple msgs were sent.
>
> I will add a "throttle" to the FROM_ACCESS mapping table as 
> suggested BUT
>
> Do I want to configure this new throttle to be on the tcp_auth OR 
> tcp_local src-channel?

I guess the issue is whether you want to have different behavior for 
those connections coming from outside your organization versus those 
coming from within.

For the purposes of this particular exercise, you're looking at 
constraining the enqueue rate of messages coming from authenticated 
users. Would that same constraint apply to unauthenticated submissions 
from remote MTAs as well? If the answer is yes, then simply use a 
wildcard (*) for that field. If, on the other hand, you want to restrict 
this handling for authenticated users only, then specify tcp_auth.

--Marc

John Goubeaux | 28 Mar 2012 22:54

Re: Metermaid & Slowing a Spammer with credentials

At 11:56 AM -0400 3/28/12, Marc Chametzky wrote:
>>Yes, this is apparently the situation, e.g. single connections where 
>>multiple msgs were sent.
>>
>>I will add a "throttle" to the FROM_ACCESS mapping table as suggested BUT
>>
>>Do I want to configure this new throttle to be on the tcp_auth 
>>OR tcp_local src-channel?
>I guess the issue is whether you want to have different behavior for 
>those connections coming from outside your organization versus those 
>coming from within.
>
>For the purposes of this particular exercise, you're looking at 
>constraining the enqueue rate of messages coming from authenticated 
>users. Would that same constraint apply to unauthenticated 
>submissions from remote MTAs as well? If the answer is yes, then 
>simply use a wildcard (*) for that field. If, on the other hand, you 
>want to restrict this handling for authenticated users only, then 
>specify tcp_auth.
>
>--Marc

Thanks Marc,

I really just need to restrict "authenticated users" AND all my 
users using IMAP clients are using the tcp_submit port 587 for 
submits and I have a webmail channel that is also throttled SO I am 
thinking that this throttle on the tcp_auth channel will really 
only be for situations where a spammer gets a user's credentials such 
as I have seen in the last week.