| Current File : //var/qmail/man/cat5/qmail-spamthrottle.0 |
Standards, Environments, and Macros qmail-spamthrottle(5)
N�N�N�NA�A�A�AM�M�M�ME�E�E�E
qmail-spamthrottle - the qmail spam throttle mechanism
I�I�I�IN�N�N�NT�T�T�TR�R�R�RO�O�O�OD�D�D�DU�U�U�UC�C�C�CT�T�T�TI�I�I�IO�O�O�ON�N�N�N
The idea of spam throttling came about after would-be spam-
mers were easily circumventing (classic) tarpitting. A rea-
sonable recipient limit in tarpitting must not adversely
affect acceptable mail usage, so spam clients typically
create multiple SMTP connections, all of which fall under
this threshold. Other sources have similar concepts, using
rate limiting, stuttering, et cetera to describe them.
It was originally intended for use at ISPs to control their
internal clients (users) SMTP usage, although it can applied
equally in other environments. An ISP may wish to enable
this mechanism for its customers to prevent them from using
the mail servers as a convenient location from which to send
spam. However, in some or all other cases (other originat-
ing IP addresses) this mechanism might be disabled to allow
for legitimate high-volume mail traffic such as mailing
lists.
Spam throttling acts in a similar manner to tarpitting,
except that it is highly parameterized, more flexible, and
(hopefully) more effective. A wait is imposed (via
s�s�s�sl�l�l�le�e�e�ee�e�e�ep�p�p�p(3)) following the D�D�D�DA�A�A�AT�T�T�TA�A�A�A command depending on these SMTP
parameters: remote IP address; previous SMTP connection
timestamp; and previous wait time.
With the addition of teergrubing, spammers should keep their
connections open and deliver less mail.
D�D�D�DE�E�E�ET�T�T�TA�A�A�AI�I�I�IL�L�L�LS�S�S�S
Two files, _�w_�a_�i_�t and _�t_�i_�m_�e, store the previous wait time and
SMTP connection timestamp, respectively. Both files are
found in /�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�m/�/�/�/_�d_�i_�r. Where _�d_�i_�r is based on parame-
ters set in /�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/c�c�c�co�o�o�on�n�n�nt�t�t�tr�r�r�ro�o�o�ol�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�mt�t�t�t. If _�d_�i_�r is empty as a
result, then it will be automatically set to _�a/_�b/0/0, where
_�a and _�b are the two octets (in decimal) for the remote IP
address, _�a._�b._�c._�d.
Similarly, if _�d_�i_�r starts with a slash (/�/�/�/), then it be
automatically set to the _�n-bit masked IP address (format
[/_�n]), based on the remote IP address.
See q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l-�-�-�-s�s�s�sp�p�p�pa�a�a�am�m�m�mt�t�t�t(�(�(�(5�5�5�5)�)�)�) for details.
N�N�N�No�o�o�ot�t�t�te�e�e�e:�:�:�: In case it is not yet evident, when _�d_�i_�r is empty (or
starts with a slash), as indicated above, then every dot (.�.�.�.)
SunOS 5.11 Last change: 1
Standards, Environments, and Macros qmail-spamthrottle(5)
is interpreted as a slash (/�/�/�/) in the construction of the
directory where the spam throttle state files are stored.
If you are using libtai for your time calculations, then the
format for the _�t_�i_�m_�e file is a packed TAI64NA label. If you
have perl and the tai64nlocal program, you can use the fol-
lowing perl expression to convert from a packed TAI64NA
label to a TAI64N timestamp:
print join("","@",unpack("H24",<>)), "0;
Given an entry in /�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/c�c�c�co�o�o�on�n�n�nt�t�t�tr�r�r�ro�o�o�ol�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�mt�t�t�t, such as
ipblock:dir:st:stmax:flush:rcpt:tg:tg_resp:
Message throughput is controlled via the value of _�s_�t. The
delays imposed (by calling s�s�s�sl�l�l�le�e�e�ee�e�e�ep�p�p�p(3)) depend on: the value
of _�s_�t); number of recipients for the current SMTP session
(_�R); the number of reasonable recipients per connection
(_�r_�c_�p_�t); how much time has passed (_�T) since the last SMTP
request (as determined by /�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�m/�/�/�/_�d_�i_�r/�/�/�/t�t�t�ti�i�i�im�m�m�me�e�e�e); and the
last imposed delay (_�W) (as determined by
/�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�m/�/�/�/_�d_�i_�r/�/�/�/w�w�w�wa�a�a�ai�i�i�it�t�t�t). The new delay is approximately
(_�R - _�R / 2^(_�R/_�r_�c_�p_�t)) * ((_�W * _�s_�t * _�R) / _�T)
when _�r_�c_�p_�t is greater than 0, and
(_�W * _�s_�t * _�R) / _�T
otherwise. The unit of time is milliseconds.
If _�s_�t_�m_�a_�x is defined (and is non-zero), then it is used as a
maximum (in milliseconds) for the delay calculated above.
In short, _�s_�t is roughly the minimum time between messages
and/or connections. If you already know that you only want
a throughput of N messages per second, then you can use
1000/N as a good starting point for _�s_�t.
C�C�C�CO�O�O�ON�N�N�NF�F�F�FI�I�I�IG�G�G�GU�U�U�UR�R�R�RA�A�A�AT�T�T�TI�I�I�IO�O�O�ON�N�N�N
For the following discussion, we assuming the matching entry
in /�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/c�c�c�co�o�o�on�n�n�nt�t�t�tr�r�r�ro�o�o�ol�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�mt�t�t�t is
ipblock:dir:st:stmax:flush:rcpt:tg:tg_resp:
Despite efforts to impose a waiting period on would-be spam-
mers, it is still possible for the client to circumvent the
call to s�s�s�sl�l�l�le�e�e�ee�e�e�ep�p�p�p(3). That is, they may not wait for the
SunOS 5.11 Last change: 2
Standards, Environments, and Macros qmail-spamthrottle(5)
response from the DATA command, continuing to write their
message, assuming success, then closing the socket, again
without waiting for a response from the server; the message
will be delivered at no (time) cost to them. Adherence to
standards (such as ignoring the absence of PIPELINING)
should not be assumed for clients acting as agents for
unsolicited bulk email. As such, the _�f_�l_�u_�s_�h variable can be
set (non-zero) to indicate that all input will be flushed
after calling s�s�s�sl�l�l�le�e�e�ee�e�e�ep�p�p�p(3) and prior to sending a response to
the DATA command. RFC 2920 (STD 60) prohibits flushing of
the input buffer if PIPELINING is supported. As such, EHLO
responses will not advertise PIPELINING while _�f_�l_�u_�s_�h is set.
Another method, teergrubing, involves issuing continuation
lines periodically to keep the client connected while they
wait for the go ahead from the DATA command. By setting
(non-zero) the variable _�t_�g, you can specify the frequency of
continuation lines in response to the DATA command. If the
argument to s�s�s�sl�l�l�le�e�e�ee�e�e�ep�p�p�p(3) would have been 11 (seconds) and _�t_�g is
set to 2, then the response to the DATA command would result
in several calls to sleep(2) (and one sleep(1)) with each
accompanied by a continuation line. A continuation line
consist of a 3-digit code, a dash, and an arbitrary string.
The default string is "please wait", but can be changed
using the _�t_�g__�r_�e_�s_�p variable. For example,
...
DATA
354-please wait
354-please wait
354 go ahead
...
E�E�E�EN�N�N�NV�V�V�VI�I�I�IR�R�R�RO�O�O�ON�N�N�NM�M�M�ME�E�E�EN�N�N�NT�T�T�T
The environment variable, T�T�T�TC�C�C�CP�P�P�PR�R�R�RE�E�E�EM�M�M�MO�O�O�OT�T�T�TE�E�E�EI�I�I�IP�P�P�P, is strictly required
by spam throttle. If you are not using t�t�t�tc�c�c�cp�p�p�ps�s�s�se�e�e�er�r�r�rv�v�v�ve�e�e�er�r�r�r, then you
will have to use t�t�t�tc�c�c�cp�p�p�p-�-�-�-e�e�e�en�n�n�nv�v�v�v to ensure T�T�T�TC�C�C�CP�P�P�PR�R�R�RE�E�E�EM�M�M�MO�O�O�OT�T�T�TE�E�E�EI�I�I�IP�P�P�P is set.
C�C�C�CA�A�A�AV�V�V�VE�E�E�EA�A�A�AT�T�T�TS�S�S�S
The implicit translation of an empty directory to one based
on the remote IP address will most certainly result in an
unwieldy spam directory structure and should be reserved for
small networks, such as the internal network side of an
office or ISP (including ISP users). It is recommended that
the /_�n format be used in the default
/�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/c�c�c�co�o�o�on�n�n�nt�t�t�tr�r�r�ro�o�o�ol�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�mt�t�t�t entry (empty network block). Then,
for specific networks, a directory per IP address is still
possible: for example, the entries
SunOS 5.11 Last change: 3
Standards, Environments, and Macros qmail-spamthrottle(5)
192.168.0.0/24:/32:::::::
:/16:1500:120000::::::
define the default spam throttle directory (assuming the
remote IP address is _�a._�b._�c._�d) as _�a/_�b/0/0. However, when the
remote IP address is in the 192.168.0.0/24 network block,
the spam throttle directory will be _�a/_�b/_�c/_�d, since the _�d_�i_�r
parameter is /�/�/�/3�3�3�32�2�2�2.
E�E�E�EX�X�X�XA�A�A�AM�M�M�MP�P�P�PL�L�L�LE�E�E�ES�S�S�S
These examples assume that /�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/c�c�c�co�o�o�on�n�n�nt�t�t�tr�r�r�ro�o�o�ol�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�mt�t�t�th�h�h�hr�r�r�ro�o�o�ot�t�t�tt�t�t�tl�l�l�le�e�e�e
contains a non-zero value.
Here is a sample /�/�/�/v�v�v�va�a�a�ar�r�r�r/�/�/�/q�q�q�qm�m�m�ma�a�a�ai�i�i�il�l�l�l/�/�/�/c�c�c�co�o�o�on�n�n�nt�t�t�tr�r�r�ro�o�o�ol�l�l�l/�/�/�/s�s�s�sp�p�p�pa�a�a�am�m�m�mt�t�t�t file for a home
user:
# network:dir:st:stmax:flush:rcpt:tg:tg_resp:
#
# default entry (make it all share the public directory)
:public:1500:120000::::::
#
# private (trusted) network does not enforce spamthrot-
tle
192.168.0.0/24::0::::::
#
# some external network which we would like to throttle
collectively
10.0.0.0/24:collected:::::::
#
# an external network (semi-trusted) which is throttled
# based on individual IP address
# - we don't specify SPAMTHROTTLEDIR and the default
# behaviour of storing state files in directories
# based on IP address is used)
# - we also allow relaying from this semi-trusted
# network
10.1.0.0/16:/32:::::::
.
Here is a sample file for a high-volume mail server (or
servers) for some arbitrary ISP (with customer network
10.0.0.0/16 and internal/ employee network 10.1.0.0/24):
# network:dir:st:stmax:flush:rcpt:tg:tg_resp:
#
# by default, turn throttling off
::0:::::::
#
# customer network uses default behaviour
# (IP-based throttle files)
SunOS 5.11 Last change: 4
Standards, Environments, and Macros qmail-spamthrottle(5)
10.0.0.0/16:/32:::::::
#
# employee network doesn't adhere to throttling
10.1.0.0/24::0::::::
#
# external trusted network which legitimately
# provides high volume mail traffic
10.1.1.0/24::0::::::
#
# a collection of addresses/networks which we
# might have gathered from past abuse experience
# - we allow the mail, but we're aggressive
# about throttling it
10.1.2.1/32:abuse:5000::::::
10.1.2.2/32:abuse:5000::::::
10.1.2.3/32:abuse:5000::::::
10.1.3.0/24:abuse:5000::::::
.
S�S�S�SE�E�E�EE�E�E�E A�A�A�AL�L�L�LS�S�S�SO�O�O�O
tcp-env(1), tcp-environ(5), qmail-spamt(5), qmail-smtpd(8)
A�A�A�AU�U�U�UT�T�T�TH�H�H�HO�O�O�OR�R�R�R
Dale Woolridge, James Law, and Moto Kawasaki. Contact the
authors via email: <spamthrottle@qmail.ca>.
SunOS 5.11 Last change: 5