qmail-spamthrottle(5) - the qmail spam throttle mechanism





INTRODUCTION

       The  idea  of  spam  throttling  came about after would-be
       spammers were easily circumventing  (classic)  tarpitting.
       A  reasonable  recipient  limit  in  tarpitting  must  not
       adversely affect acceptable mail usage,  so  spam  clients
       typically  create  multiple SMTP connections, all of which
       fall under this threshold.   Other  sources  have  similar
       concepts,  using  rate  limiting, stuttering, et cetera to
       describe them.

       It was originally intended for  use  at  ISPs  to  control
       their internal clients (users) SMTP usage, although it can
       applied equally in other environments.  An ISP may wish to
       enable  this  mechanism  for its customers to prevent them
       from using the mail servers as a convenient location  from
       which  to  send spam.  However, in some or all other cases
       (other originating IP addresses) this mechanism  might  be
       disabled  to allow for legitimate high-volume mail traffic
       such as mailing lists.

       Spam throttling acts in a similar  manner  to  tarpitting,
       except that it is highly parameterized, more flexible, and
       (hopefully)  more  effective.   A  wait  is  imposed  (via
       sleep(3))  following  the  DATA command depending on these
       SMTP parameters: remote IP address; previous SMTP  connec­
       tion timestamp; and previous wait time.

       With  the  addition  of  teergrubing, spammers should keep
       their connections open and deliver less mail.


DETAILS

       Two files, wait and time, store the previous wait time and
       SMTP  connection  timestamp, respectively.  Both files are
       found in  /var/qmail/spam/dir.   Where  dir  is  based  on
       parameters  set  in  /var/qmail/control/spamt.   If dir is
       empty as a result, then it will be  automatically  set  to
       a/b/0/0, where a and b are the two octets (in decimal) for
       the remote IP address, a.b.c.d.

       Similarly, if dir starts with a  slash  (/),  then  it  be
       automatically  set  to the n-bit masked IP address (format
       [/n]), based on the remote IP address.

       See qmail-spamt(5) for details.

       Note: In case it is not yet evident, when dir is empty (or
       starts  with  a slash), as indicated above, then every dot
       (.) is interpreted as a slash (/) in the  construction  of
       the  directory  where  the  spam  throttle state files are
          ipblock:dir:st:stmax:flush:rcpt:tg:tg_resp:

       Message throughput is controlled via the value of st.  The
       delays imposed (by calling sleep(3)) depend on:  the value
       of st); number of recipients for the current SMTP  session
       (R);  the  number  of reasonable recipients per connection
       (rcpt); how much time has passed (T) since the  last  SMTP
       request  (as  determined by /var/qmail/spam/dir/time); and
       the   last   imposed   delay   (W)   (as   determined   by
       /var/qmail/spam/dir/wait).  The new delay is approximately

           (R - R / 2^(R/rcpt)) * ((W * st * R) / T)

       when rcpt is greater than 0, and

            (W * st * R) / T

       otherwise.  The unit of time is milliseconds.

       If stmax is defined (and is non-zero), then it is used  as
       a  maximum  (in  milliseconds)  for  the  delay calculated
       above.

       In short, st is roughly the minimum time between  messages
       and/or  connections.   If  you  already know that you only
       want a throughput of N messages per second, then  you  can
       use 1000/N as a good starting point for st.


CONFIGURATION

       For  the  following  discussion,  we assuming the matching
       entry in /var/qmail/control/spamt is

          ipblock:dir:st:stmax:flush:rcpt:tg:tg_resp:

       Despite efforts to impose a  waiting  period  on  would-be
       spammers,  it  is still possible for the client to circum­
       vent the call to sleep(3).  That is, they may not wait for
       the  response  from  the DATA command, continuing to write
       their message, assuming success, then closing the  socket,
       again  without waiting for a response from the server; the
       message will be delivered  at  no  (time)  cost  to  them.
       Adherence  to  standards  (such as ignoring the absence of
       PIPELINING) should not be assumed for  clients  acting  as
       agents  for  unsolicited  bulk  email.  As such, the flush
       variable can be set (non-zero) to indicate that all  input
       will  be flushed after calling sleep(3) and prior to send­
       ing a response to the DATA command.   RFC  2920  (STD  60)
       prohibits  flushing  of  the input buffer if PIPELINING is
       supported.  As such, EHLO  responses  will  not  advertise
       PIPELINING while flush is set.

            ...
            DATA
            354-please wait
            354-please wait
            354 go ahead
            ...


ENVIRONMENT

       The   environment   variable,   TCPREMOTEIP,  is  strictly
       required  by  spam  throttle.   If  you  are   not   using
       tcpserver,  then  you  will  have to use tcp-env to ensure
       TCPREMOTEIP is set.


CAVEATS

       The implicit translation of  an  empty  directory  to  one
       based  on the remote IP address will most certainly result
       in an unwieldy spam  directory  structure  and  should  be
       reserved  for small networks, such as the internal network
       side of an office or ISP (including  ISP  users).   It  is
       recommended  that  the  /n  format  be used in the default
       /var/qmail/control/spamt  entry  (empty  network   block).
       Then, for specific networks, a directory per IP address is
       still possible: for example, the entries

          192.168.0.0/24:/32:::::::
          :/16:1500:120000::::::

       define the default spam throttle directory  (assuming  the
       remote  IP  address is a.b.c.d) as a/b/0/0.  However, when
       the remote IP address is  in  the  192.168.0.0/24  network
       block,  the spam throttle directory will be a/b/c/d, since
       the dir parameter is /32.


EXAMPLES

       These examples assume that /var/qmail/control/spamthrottle
       contains a non-zero value.

       Here  is a sample /var/qmail/control/spamt file for a home
       user:

           # network:dir:st:stmax:flush:rcpt:tg:tg_resp:
           #
           # default entry (make it all share the  public  direc­
       tory)
           :public:1500:120000::::::
           #
           #   private   (trusted)   network   does  not  enforce
           #   network
           10.1.0.0/16:/32:::::::
           .

       Here is a sample file for a high-volume  mail  server  (or
       servers)  for  some  arbitrary  ISP (with customer network
       10.0.0.0/16 and internal/ employee network 10.1.0.0/24):

           # network:dir:st:stmax:flush:rcpt:tg:tg_resp:
           #
           # by default, turn throttling off
           ::0:::::::
           #
           # customer network uses default behaviour
           # (IP-based throttle files)
           10.0.0.0/16:/32:::::::
           #
           # employee network doesn't adhere to throttling
           10.1.0.0/24::0::::::
           #
           # external trusted network which legitimately
           # provides high volume mail traffic
           10.1.1.0/24::0::::::
           #
           # a collection of addresses/networks which we
           # might have gathered from past abuse experience
           # - we allow the mail, but we're aggressive
           #   about throttling it
           10.1.2.1/32:abuse:5000::::::
           10.1.2.2/32:abuse:5000::::::
           10.1.2.3/32:abuse:5000::::::
           10.1.3.0/24:abuse:5000::::::
           .


SEE ALSO

       tcp-env(1), tcp-environ(5), qmail-spamt(5), qmail-smtpd(8)


AUTHOR

       Dale Woolridge, James Law, and Moto Kawasaki.  Contact the
       authors via email: <spamthrottle at qmail dot ca>.

                                            qmail-spamthrottle(5)

Man(1) output converted with man2html