From: Lionel B. <lio...@bo...> - 2005-05-17 07:54:33

Klaus Alexander Seistrup wrote the following on 17.05.2005 09:29 :
> On 17/05/05, Michel Bouissou <mi...@bo...> wrote:
>
>>> Then a culprit will be able to prevent legitimate email originating from
>>> the same IP address, won't he?
>>
>> This won't happen if the considered IP only hosts one machine which is a
>> "normal" mailserver which retries all the messages that it has in queue.
>>
>> This could possibly happen if this IP has a NATted LAN behind it, hosting
>> both a legitimate mailserver and spam/virus sources, in which case it is
>> this network's admin's job to make sure that his network doesn't pollute the
>> whole earth with junk. Even in this situation, already known "good"
>> addresses that have already made it to from_awl or domain_awl wouldn't be
>> blocked, only new connections.
>
> It could happen if the Good Sender and the Evil Sender are both using
> the mail gateway of the same ISP. And if Good Sender is not already
> in *_awl his mail could be blocked by Evil Sender's DoS'ing.
>
> I would like to be able to disable the feature in SQLgrey's config file.

I see another problem with this: when an ISP with which you have a lot of traffic changes a mailserver IP address, your local MTA will get a lot of new connections coming in. Having a ceiling for the number of connect entries with the same src will more or less control the rate of new senders per IP address. The problem is that you can't reliably detect which IPs are legit MTAs and which are Windows zombies based on this rate alone.

Any thoughts?

Lionel
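The trade-off the thread is discussing, as an added toy model that is not SQLgrey's code: a greylister with a pending "connect" table, a from_awl of already-proven (src_ip, sender) pairs, and an optional per-source-IP ceiling on pending entries. The class, the field names and the sample addresses are constructed for illustration. Running the same shared-gateway scenario with and without the ceiling shows both points made above: a sender already in the AWL is unaffected either way, while a new legitimate sender behind a gateway that a spam source is also using gets rejected once the ceiling is reached.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Triplet = Tuple[str, str, str]   # (src_ip, sender, recipient)


@dataclass
class Greylister:
    """Simplified greylisting state; hypothetical, not SQLgrey's schema."""
    max_connect_per_src: Optional[int] = None          # None = ceiling disabled
    connect: Set[Triplet] = field(default_factory=set)  # pending, not yet retried
    from_awl: Set[Tuple[str, str]] = field(default_factory=set)  # proven (src_ip, sender)

    def decide(self, src_ip: str, sender: str, recipient: str) -> str:
        # Already-known good (src_ip, sender) pairs bypass greylisting entirely,
        # so the ceiling can only ever affect brand-new senders.
        if (src_ip, sender) in self.from_awl:
            return "accept"
        triplet = (src_ip, sender, recipient)
        if triplet in self.connect:
            # A retry of a pending triplet: real MTAs retry, most zombies don't.
            self.connect.discard(triplet)
            self.from_awl.add((src_ip, sender))
            return "accept"
        pending = sum(1 for t in self.connect if t[0] == src_ip)
        if self.max_connect_per_src is not None and pending >= self.max_connect_per_src:
            # Too many never-retried entries from this source already.
            return "reject_ceiling"
        self.connect.add(triplet)
        return "greylisted"


def shared_gateway_scenario(ceiling: Optional[int]):
    """Good Sender and Evil Sender share one ISP gateway (constructed data)."""
    g = Greylister(max_connect_per_src=ceiling)
    gateway = "198.51.100.10"                      # constructed ISP relay address
    g.from_awl.add((gateway, "good@example.org"))  # Good Sender passed earlier
    # Evil Sender pushes five distinct sender addresses through the gateway
    # and never retries any of them, so they sit in the connect table.
    evil = [g.decide(gateway, f"bot{i}@example.net", "victim@example.com")
            for i in range(5)]
    # A new legitimate sender behind the same gateway tries for the first time.
    newcomer = g.decide(gateway, "new@example.org", "victim@example.com")
    # The sender already in from_awl keeps getting through regardless.
    known = g.decide(gateway, "good@example.org", "victim@example.com")
    return evil, newcomer, known


def relocated_mta_scenario(ceiling: Optional[int]):
    """A big ISP moves its outbound MTA to a new IP: every sender looks new."""
    g = Greylister(max_connect_per_src=ceiling)
    new_ip = "203.0.113.25"                        # constructed new relay address
    senders = [f"user{i}@bigisp.example" for i in range(6)]
    first_try = [g.decide(new_ip, s, "me@example.com") for s in senders]
    # The real MTA retries everything it queued; only the entries that were
    # admitted into the connect table can be promoted to from_awl.
    retry = [g.decide(new_ip, s, "me@example.com") for s in senders]
    return first_try, retry


if __name__ == "__main__":
    print(shared_gateway_scenario(3))
    print(shared_gateway_scenario(None))
    print(relocated_mta_scenario(3))
```

With a ceiling of 3, the relocated-MTA scenario shows the rate-based limit turning away legitimate first attempts from the new address exactly as the rate alone cannot distinguish a busy relay from a zombie; the rejected senders only get in once earlier entries have been retried and cleared from the pending table.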