North American Network Operators Group

Re: Time to check the rate limits on your mail servers

  • From: Kevin
  • Date: Thu Feb 03 21:05:10 2005

On Thu, 3 Feb 2005 09:30:58 -0500 (EST), [email protected] <[email protected]> wrote:
> I just implemented a patch to tcpserver which allows me to limit the
> number of simultaneous SMTP connections from any one IP, but have not yet
> looked into daily/hourly limits.  I know Comcast has started limiting
> residential customers to 50-100 emails per day, and that customers with
> legitimate reasons for using more than that are starting to complain.

See for a qmail rate-limiting solution.

Setting a limit on the maximum number of messages/minute that will be
accepted (and enforcing the limit by tarpitting, by slowing down the
server response) seems to be less likely to annoy customers than setting
a hard daily quota.

> > One additional thing that I think wasn't mentioned in the article -
> > Make sure your MXs (inbound servers) are separate from your outbound
> > machines, and that the MX servers don't relay email for your dynamic IP
> > netblock. Some other trojans do stuff like getting the ppp domain name
> > / rDNS name of the assigned IP etc and then "nslookup -q=mx
> >", then set itself up so that all its payloads get delivered
> > out of the domain's MX servers.

This is a very good suggestion.  I also ran into a trojan which would take the
target domain name and try to guess mail servers willing to accept mail for
the domain by prepending names like "mx" and "smtp" and "mail1".  I ended
up renaming "mail1" to a more obscure name after noticing that 80% of the
blocked worm traffic for a given week was coming in via that one path.

At Date: Thu, 3 Feb 2005 09:54:00 -0500 Nils Ketelsen writes:
> That, on the other hand, gets you into trouble with rather stupid Spam
> filters, that only accept mails from a server, if that server is also
> MX for the sender's domain.
> Yes, this is stupid, but that does not change the fact, that these
> setups are out there.

I've set up the outbound and inbound mail servers for many sites, including
a Fortune 500 enterprise sending many thousands of messages each day,
and have never run into a problem with outbound mail being refused because
the outbound mail servers are not listed as an MX for the sender's domain.

Not only are the outbound servers not listed in the MX record for the sending
domain, but much of the outbound email shows a 'from' address which is
a completely different domain than the domain of the server's DNS entry.

I don't doubt that there might be sites blocking email based on this criterion,
but such a policy is not only shortsighted, but also exceedingly rare.
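
The per-minute limit enforced by tarpitting that the message above describes, as an added example that is not part of the original post and not taken from any qmail or tcpserver patch. The class name, the thresholds and the doubling delay schedule are assumptions; timestamps are passed in so the sample workload (constructed) runs offline.

```python
from collections import defaultdict, deque

class TarpitLimiter:
    """Per-client sliding-window limiter that answers with a delay, not a rejection."""

    def __init__(self, max_per_minute=5, base_delay=2.0, max_delay=60.0, window=60.0):
        self.max_per_minute = max_per_minute
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.window = window
        self._seen = defaultdict(deque)  # client IP -> timestamps of recent messages

    def delay_for(self, client_ip, now):
        """Record one message from client_ip at time `now` (seconds) and
        return how long the server should stall before replying."""
        stamps = self._seen[client_ip]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # aged out of the window
        stamps.append(now)
        excess = len(stamps) - self.max_per_minute
        if excess <= 0:
            return 0.0  # under the limit: reply immediately
        # Assumed schedule: delay doubles per message over the limit, capped.
        # The exponent is bounded so a flood cannot overflow the float.
        return min(self.base_delay * 2 ** min(excess - 1, 16), self.max_delay)

def simulate(limiter, client_ip, n_messages, gap):
    """Constructed workload: the client sends n_messages and waits `gap`
    seconds after each reply. Returns (delays, seconds until the last reply)."""
    now, delays = 0.0, []
    for _ in range(n_messages):
        d = limiter.delay_for(client_ip, now)
        delays.append(d)
        now += d + gap  # a stalled reply also holds back the next message
    return delays, now

if __name__ == "__main__":
    # 192.0.2.0/24 is documentation address space; both clients are constructed.
    print("customer:", simulate(TarpitLimiter(), "192.0.2.10", 5, 15.0))
    print("bulk sender:", simulate(TarpitLimiter(), "192.0.2.66", 10, 0.0))
```

A customer sending a handful of messages never sees a delay, while a host that blasts messages back to back is slowed to a crawl without any message being refused outright.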