
Pascal Dreissen

Penalty Box

Description

The Penalty Box is a method of blocking spam by scoring negative characteristics of SMTP sessions from a sender host's IP address during a timed interval, and blocking further SMTP sessions from that IP address if a scoring threshold is reached during that time. The timed interval is referred to as the penalty phase. After the penalty phase expires, the sender host's IP address will be allowed to resume SMTP session attempts.

The Penalty Box also has an extreme threshold. Once it is exceeded, every connection attempt from the sender host's IP address can be rejected as soon as ASSP sees the connection, before any SMTP session is established.

The term "penalty box" is a reference to the place where players of ice hockey, lacrosse, rugby football, and other sports, must go for temporary punishment of an offense that did not warrant complete expulsion from the contest. The player must stay in the penalty box until the timed penalty phase is over.

The ASSP Penalty Box is used to determine which IPs are sending spam to your MTA, and subsequently reject connections from those misbehaving IPs for a specific period of time. It accomplishes this by computing a PB (Penalty Box) Score for each connecting IP based on the scores of the various anti-spam tests, and each time the PB score passes a pre-determined threshold, the IP is prohibited from connecting.

Every time an incoming message fails an anti-spam test that is either activated or in score-only mode, the score associated with that test is added to an ongoing tally for the particular IP from which the email message was received. The specific score for each anti-spam test is defined in the Penalty Box settings. Individual PB scores will expire after a period of minutes set by the admin.

How it works

The Penalty Box accumulates the PB score for each incoming IP during the PenaltyExpiration period. If the accumulated PB score for a particular IP exceeds the threshold set in the PenaltyLimit option, the IP is banned from connecting to the MTA for the period of time set in the PenaltyExpiration option. If the accumulated PB score exceeds the threshold set in the PenaltyExtreme option, the IP is banned for the period of days set in the ExtremeExpiration option.

This mechanism allows ASSP to determine which MTAs/IPs are behaving poorly over a large cross-section of email messages, and not one or two in particular. If an IP is sending large amounts of spam to the MTA, each time Spam is detected, the associated score will accumulate, and once the threshold is surpassed, the IP will no longer be permitted to connect. The goal is therefore to set the scores in such a way that not just one email message will trigger the threshold to be crossed, but rather require several email messages sent within the time period set in the PenaltyExpiration option to fail before the IP is banned.

On the other hand, when a whitelisted email message is received by ASSP, the associated IP is automatically added to the PB White Box. The reasoning behind this is simple and two-fold.

First, whitelisted email messages are likely to come from a legitimate MTA, not one used for spam, so there is no reason to block or penalize it. Second, even if that IP does also send spam, you would not want to block valid email messages from getting through; instead, ASSP relies on its other anti-spam tests to separate the valid messages from the spam.
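The scoring, thresholds and White Box described in the two sections above, as an added example written for this page (it is not ASSP's own Perl code). The option names follow the page; the numeric values, the IP addresses and the per-test scores are constructed, and the model assumes scores are added for sessions that were already accepted, while a real deployment would also refuse the connection itself whenever `is_blocked` is true.

```python
"""Model of the ASSP Penalty Box: per-IP score tally with an expiration window,
a timed ban (PenaltyLimit / PenaltyExpiration), an extended ban
(PenaltyExtreme / ExtremeExpiration) and a White Box exemption.
Added illustration, not ASSP code; all numeric values are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MINUTE = 60.0
DAY = 86400.0


@dataclass
class PenaltyBoxConfig:
    penalty_limit: int = 150        # PenaltyLimit: tally that triggers a timed ban (assumed)
    penalty_extreme: int = 500      # PenaltyExtreme: tally that triggers the extended ban (assumed)
    penalty_expiration: int = 60    # PenaltyExpiration: minutes a score entry and a timed ban live (assumed)
    extreme_expiration: int = 7     # ExtremeExpiration: days an extreme ban lives (assumed)


@dataclass
class PenaltyBox:
    config: PenaltyBoxConfig = field(default_factory=PenaltyBoxConfig)
    scores: Dict[str, List[Tuple[float, int]]] = field(default_factory=dict)  # ip -> [(time, score)]
    banned_until: Dict[str, float] = field(default_factory=dict)              # ip -> end of penalty phase
    white_box: Set[str] = field(default_factory=set)                          # PB White Box

    def _prune(self, ip: str, now: float) -> None:
        """Drop individual score entries older than PenaltyExpiration minutes."""
        window = self.config.penalty_expiration * MINUTE
        self.scores[ip] = [(t, s) for t, s in self.scores.get(ip, []) if now - t < window]

    def tally(self, ip: str, now: float) -> int:
        """Accumulated PB score for an IP inside the expiration window."""
        self._prune(ip, now)
        return sum(s for _, s in self.scores[ip])

    def whitelist(self, ip: str) -> None:
        """A whitelisted message arrived from this IP: put it in the White Box."""
        self.white_box.add(ip)
        self.scores.pop(ip, None)
        self.banned_until.pop(ip, None)

    def is_blocked(self, ip: str, now: float) -> bool:
        """True while the IP is inside its penalty (or extreme) phase."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]   # penalty phase over: SMTP attempts allowed again
            return False
        return True

    def record_failure(self, ip: str, test_score: int, now: float) -> str:
        """Add the score of a failed anti-spam test and apply both thresholds.
        Returns 'whitelisted', 'ok', 'penalty' or 'extreme'."""
        if ip in self.white_box:
            return "whitelisted"        # White Box IPs are never penalised
        self.scores.setdefault(ip, []).append((now, test_score))
        total = self.tally(ip, now)
        if total >= self.config.penalty_extreme:
            self.banned_until[ip] = now + self.config.extreme_expiration * DAY
            return "extreme"
        if total >= self.config.penalty_limit:
            self.banned_until[ip] = max(self.banned_until.get(ip, 0.0),
                                        now + self.config.penalty_expiration * MINUTE)
            return "penalty"
        return "ok"


def simulate() -> Dict[str, object]:
    """Constructed scenario with four sender IPs; times are unix seconds."""
    pb = PenaltyBox()
    t0 = 1_700_000_000.0
    r: Dict[str, object] = {}

    spammer = "192.0.2.10"              # constructed: four failures in six minutes
    for i in range(4):
        pb.record_failure(spammer, 40, t0 + i * 2 * MINUTE)
    r["spammer_tally"] = pb.tally(spammer, t0 + 10 * MINUTE)                 # 160
    r["spammer_blocked"] = pb.is_blocked(spammer, t0 + 10 * MINUTE)           # True
    r["spammer_after_expiry"] = pb.is_blocked(spammer, t0 + 67 * MINUTE)      # False

    occasional = "198.51.100.7"         # constructed: one failure never crosses PenaltyLimit
    pb.record_failure(occasional, 100, t0)
    r["occasional_blocked"] = pb.is_blocked(occasional, t0 + MINUTE)          # False
    pb.record_failure(occasional, 100, t0 + 61 * MINUTE)                      # first entry expired
    r["occasional_tally_later"] = pb.tally(occasional, t0 + 61 * MINUTE)      # 100

    trusted = "203.0.113.5"             # constructed: delivered whitelisted mail earlier
    pb.whitelist(trusted)
    r["trusted_verdict"] = pb.record_failure(trusted, 500, t0)                # 'whitelisted'
    r["trusted_blocked"] = pb.is_blocked(trusted, t0)                         # False

    extreme = "192.0.2.99"              # constructed: burst pushing past PenaltyExtreme
    verdict = "ok"
    for i in range(13):
        verdict = pb.record_failure(extreme, 40, t0 + i * 10)
    r["extreme_verdict"] = verdict                                            # 'extreme'
    r["extreme_blocked_next_day"] = pb.is_blocked(extreme, t0 + 2 * DAY)      # True
    return r


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The expiration window is applied to each individual score entry, so a single high-scoring failure ages out on its own and cannot keep an IP near the threshold indefinitely; only several failures inside the same window push the tally over PenaltyLimit, which is exactly the tuning goal the page describes.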

An Analogy

The ASSP Penalty Box is analogous to the demerit system in driving.

When driving, every time you are caught committing a traffic violation, the police issue you a ticket and an associated number of demerit points based on the severity of your violation.

In ASSP, every time an incoming email message is determined to be spam by an anti-spam test, the Penalty Box assigns a score based on the severity of the test that was failed. When driving, all your demerits are accumulated against your driver's license number. In ASSP, the PB scores are accumulated against the connecting IP address.

When driving, after accumulating enough demerit points in a certain period of time, the courts will suspend your driver's license. Similarly, if an IP accumulates a high enough score in a short enough period of time, the IP is prevented from connecting to your MTA for a period of time.

When driving, demerit points are cleared from your record after a specific period of time depending on your province / state / country. In ASSP, the PB score for a specific failure is cleared after PenaltyDuration.

[Category:ASSP]
