2 Replies Latest reply: Jan 31, 2014 4:25 AM by kmac

    Can we throttle message rate for a user account (not client host)?

    JimKlimov


      We've recently had an incident with a compromised user account, and the spam botnets submitted half a million messages in about 2-3 hours, using the authorized SMTP connection despite all the security checks (because most of them are bypassed for authorized users). Luckily most of these messages got stuck in the outgoing queues and were manually killed off, but a few thousand did pass to the internet and now we are clearing the server's name in numerous DNS RBL services. Our first such incident in over a decade!


      I wonder now if there is a MeterMaid setting (or some similar solution) that would throttle the number of messages submitted by an authorized user's account (via SMTP, and if possible - via webmail) - regardless of which IP addresses these connections come from. And especially if they come from "some over-the-threshold" amount of hosts in a short timeframe.


      Are there any recommended solutions readily available in CommSuite or integrable with it (perhaps an open-source/freeware milter)?


      Thanks,

      //Jim Klimov

        • 1. Re: Can we throttle message rate for a user account (not client host)?
          Kellyc-Oracle

          There is a MOS knowledge article which gives a simple answer:

          How to Restrict Number of Emails Sent Per-user by Using a MeterMaid ? (Doc ID 1542987.1)


          And this one also includes a pointer to the docs:

          Metermaid Appears to be Counting Invalid Recipient Addresses Multiple Times (Doc ID 1569500.1)


          Triggering Effects From Transaction Logging: The LOG_ACTION Mapping Table.

          • 2. Re: Can we throttle message rate for a user account (not client host)?
            kmac

            There are a couple of interesting options available in CommSuite.


            Metermaid

            After you get that up and running per the MOS article, you can set a few mappings so that you use the auth username as the criterion to count in Metermaid, since this will always be the same for each SMTP AUTH username used, even if the bad actor rotates through forged MAIL FROMs.


            To count MAIL FROMs you can use a mapping like the below in FROM ACCESS.


               *|SMTP*|*|*|*      $C$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,\
               throttle_sender_ssl,$4]$N421$ Too$ many$ messages$ from$ this$ sender.$ Please$ try$ again$ later.


            To count RCPT TO and still store the auth username in Metermaid, I had to first set the USE_AUTH_RETURN MTA option to 2 so that a SEND ACCESS mapping would reference the SMTP AUTH username. Then set a mapping like the below in SEND ACCESS.


              tcp_*|*|*|*   $C$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,\
              throttle_recipient_ssl,$1]$N421$ Too$ many$ messages$ from$ this$ sender.$ Please$ try$ again$ later.



            Other

            I also set some tcp_submit channel options to hopefully inconvenience the bad actors.

            disconnectbadauthlimit
            disconnectrejectlimit
            disconnecttransactionlimit
            recipientcutoff

            I found it pretty effective to have both the per-connection settings on the channel and the "per time frame" settings leveraged by Metermaid.
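As an added example (not code from this thread, from CommSuite, or from Metermaid), a small Python script that applies the same idea to a constructed, simplified log: it keys on the SMTP AUTH username rather than the client host, counts recipients per account in a sliding time window, and also flags a single account submitting from an over-the-threshold number of distinct hosts, as asked in the original question. The log line format, the field names and the thresholds are assumptions for this example, not Messaging Server's real mail.log layout.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a simplified format assumed for this example (not the real
# mail.log layout): <ISO timestamp> user=<SMTP AUTH user> ip=<client host> rcpts=<count>
SAMPLE_LOG = """\
2014-01-30T10:00:00 user=alice ip=192.0.2.10 rcpts=2
2014-01-30T10:00:05 user=bob ip=198.51.100.7 rcpts=3
2014-01-30T10:00:10 user=alice ip=192.0.2.11 rcpts=2
2014-01-30T10:00:20 user=alice ip=192.0.2.12 rcpts=2
2014-01-30T10:02:00 user=alice ip=192.0.2.10 rcpts=1
"""

def parse_line(line):
    # -> (timestamp, auth user, client ip, recipient count)
    stamp, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(stamp), fields["user"], fields["ip"], int(fields["rcpts"])

class AuthUserThrottle:
    """Sliding-window counters keyed on the SMTP AUTH username, which stays the same
    even when the sender forges a different MAIL FROM on every message."""
    def __init__(self, window_seconds, max_recipients, max_hosts):
        self.window = timedelta(seconds=window_seconds)
        self.max_recipients, self.max_hosts = max_recipients, max_hosts
        self.events = defaultdict(deque)  # user -> deque of (timestamp, ip, rcpts)

    def record(self, stamp, user, ip, rcpts):
        # Add one submission; return the thresholds this account is now over.
        window = self.events[user]
        window.append((stamp, ip, rcpts))
        cutoff = stamp - self.window
        while window and window[0][0] < cutoff:  # expire events older than the window
            window.popleft()
        reasons = []
        if sum(r for _, _, r in window) > self.max_recipients:
            reasons.append("recipients")   # too many recipients from this account
        if len({h for _, h, _ in window}) > self.max_hosts:
            reasons.append("hosts")        # one account submitting from too many hosts
        return reasons

def scan(log_text, window_seconds=60, max_recipients=5, max_hosts=2):
    """Replay a log through the throttle; return (user, timestamp, reasons) per over-limit event."""
    throttle = AuthUserThrottle(window_seconds, max_recipients, max_hosts)
    alerts = []
    for line in log_text.strip().splitlines():
        stamp, user, ip, rcpts = parse_line(line)
        reasons = throttle.record(stamp, user, ip, rcpts)
        if reasons:
            alerts.append((user, stamp.isoformat(), reasons))
    return alerts
```

With the sample log, alice trips both thresholds at 10:00:20 (six recipients from three hosts within a minute), while her submission at 10:02:00 falls outside the window and is not flagged.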