From: mouss (mouss ml.netoyen.net)
Date: Sun Jun 28 2009 - 05:12:00 CDT
Kouhei Sutou wrote:
> Hi,
>
> I want smtpd to abort a connection for an SMTP client as soon
> as possible when the client disconnects the connection
> before smtpd returns a response.
>
If you mean the ability to reject a connection before RCPT TO, then you
can change smtpd_delay_reject. But if you do so, MTAs that don't
"understand" this will retry.

If you mean the ability to disconnect instead of sending a response,
then the only compliant way is to return 421, so "real" MTAs will retry.
As a result, the costs may increase!

Finally, some ratware will retry whatever you return.
> [snip]
>
> Tarpitting is an effective anti-spam technique for some
> spammers. The following figure shows about 20% of spammers can
> be protected by 65s tarpitting:
>
> http://f.hatena.ne.jp/images/fotolife/s/stealthinu/20070705/20070705142716.png
>
> I want to use tarpitting ONLY IF the connected SMTP client is
> very spammy because tarpitting may cause DoS. And I want to
> reduce system resource usage caused by tarpitting.
>
> Tarpitting can be done with the SLEEP action in access(5), a
> policy server or sleep(3) in a milter. All of them sleep for the
> specified number of seconds even if the connected SMTP client
> disconnects the connection.
>
> [snip]
> Or should I place other software (e.g. spamd) in front of
> Postfix? (I hope that all of my mail system is built with
> Postfix-based technologies so that it is easy to maintain.)
>
Yes, using something like OpenBSD spamd is more effective. You can
couple this with a policy service that updates your firewall rules so
that only misbehaving clients are redirected to spamd... etc.
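
An added example, not part of the original message and not Postfix's own code: a small Postfix policy-delegation handler of the kind the reply suggests, which adds a client to a pf table once it has misbehaved a set number of times so that a pf rule can redirect it to spamd. The table name `spamd_redirect`, the threshold and the "misbehaving" heuristic (no reverse DNS, or a HELO name without a dot) are assumptions.

```python
import ipaddress
import subprocess
import sys
from collections import Counter

THRESHOLD = 3                # assumed: strikes before a client is redirected
PF_TABLE = "spamd_redirect"  # hypothetical pf table used by a redirect rule
strikes = Counter()          # per-process memory only; no expiry here

def parse_request(text):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def is_misbehaving(attrs):
    """Assumed heuristic: no reverse DNS, or a HELO name without a dot."""
    return (attrs.get("client_name") == "unknown"
            or "." not in attrs.get("helo_name", ""))

def handle(attrs, run=subprocess.run):
    """Count strikes; at THRESHOLD add the validated address to the pf table."""
    try:
        addr = str(ipaddress.ip_address(attrs.get("client_address", "")))
    except ValueError:
        return "action=DUNNO\n\n"
    if is_misbehaving(attrs):
        strikes[addr] += 1
        if strikes[addr] == THRESHOLD:
            run(["pfctl", "-t", PF_TABLE, "-T", "add", addr], check=False)
    return "action=DUNNO\n\n"  # other smtpd restrictions still decide

def main():
    """Serve requests on stdin/stdout, as when started by spawn(8)."""
    buf = []
    for line in sys.stdin:
        buf.append(line)
        if not line.strip():  # an empty line ends one request
            sys.stdout.write(handle(parse_request("".join(buf))))
            sys.stdout.flush()
            buf = []

if __name__ == "__main__":
    main()
```

The strike counts live in one process's memory, so a deployment that runs several policy processes would need shared storage and an expiry for old entries.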