dnsbl: xml/dnsbl.in comparison

comparison xml/dnsbl.in @ 136:f4746d8a12a3

add smtp auth rate limits

author	carl
date	Tue, 26 Sep 2006 13:59:14 -0700
parents	2b1a4701e856
children	4028de9b46dd

comparison

equal deleted inserted replaced

-:8e813497582e
+:f4746d8a12a3
 unless previously whitelisted.  This milter also counts the number of
 invalid HTML tags, and can reject mail if that count exceeds your
 specified limit.
 </para>
 <para>
+This milter can also impose hourly rate limits on the number of
+recipients accepted from SMTP AUTH connections, that would otherwise be
+allowed to relay thru this mail server with no spam filtering.
+</para>
+<para>
 The DNSBL milter reads a text configuration file (dnsbl.conf) on
 startup, and whenever the config file (or any of the referenced include
 files) is changed.  The entire configuration file is case insensitive.
 If the configuration cannot be loaded due to a syntax error, the milter
 will log the error and quit.  If the configuration cannot be reloaded
 </refsect1>
 <refsect1 id='filtering.1'>
 <title>Filtering Procedure</title>
 <para>
-If the client has authenticated with sendmail, the mail is accepted, the
+If the client has authenticated with sendmail, the rate limits are
-filtering contexts are not used, the dns lists are not checked, and the
+checked.  If the authenticated user has not exceeded the hourly rate
-body content is not scanned.  Otherwise, we follow these steps for each
+limits, then the mail is accepted, the filtering contexts are not used,
-recipient.
+the dns lists are not checked, and the body content is not scanned.  If
+the client has not authenticated with sendmail, we follow these steps
+for each recipient.
 </para>
 <orderedlist>
 <listitem><para>
 The envelope to email address is used to find an initial filtering
 context.  We first look for a context that specified the full email
 <title>TODO</title>
 <para>
 The following ideas are under consideration.
 </para>
 <para>
-Add mail volume limits based on smtp auth accounts, to prevent
-customers from sending too much mail. This should catch customers
-that get infected with malware that knows about smtp auth.
-</para>
-<para>
 Add a per-context option to reject mail if the number of digits in
 the reverse dns client name exceeds some threshold.
 </para>
 <para>
 Look for href="hostname/path" strings that are missing the required
 <literallayout class="monospaced"><![CDATA[
 CONFIG     = {CONTEXT ";"}+
 CONTEXT    = "context" NAME "{" {STATEMENT}+ "}"
 STATEMENT  = (DNSBL | DNSBLLIST | CONTENT | ENV-TO | VERIFY |
-CONTEXT | ENV-FROM) ";"
+CONTEXT | ENV-FROM | RATE-LIMIT) ";"
 DNSBL      = "dnsbl" NAME DNSPREFIX ERROR-MSG1
 DNSBLLIST  = "dnsbl_list" {NAME}+
 VERIFY     = "verify" HOSTNAME ";"
 ENV_FROM   = "env_from" [DEFAULT] "{" {(FROM-ADDR | DCC-FROM)}+ "}"
 FROM-ADDR  = ADDRESS VALUE [";"]
 DCC-FROM   = "dcc_from" "{" DCCINCLUDEFILE "}" ";"
+RATE-LIMIT = "rate_limit" "{" (RATE)+ "}"
+RATE       = USER LIMIT [";"]
 DEFAULT    = ("white" | "black" | "unknown" | "inherit" | "")
 ADDRESS    = (USER@ | DOMAIN | USER@DOMAIN)
 VALUE      = ("white" | "black" | "unknown" | CHILD-CONTEXT-NAME)]]></literallayout>
 </refsect1>
 // backscatter prevention - don't send bounces for mail that we accepted but could not forward
 // we only send bounces to our own customers
 env_from unknown {
 "<>"    black;
 };
+// per recipient rates - only available in the default (first top level) context
+rate_limit {
+" "  30;    // default specified by user name composed of a single blank
+fred 100;   // override default limits
+joe  10;
+};
 };
 context sample {
 dnsbl   local   blackholes.five-ten-sg.com  "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
 dnsbl   sbl     sbl-xbl.spamhaus.org        "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";

Mercurial > dnsbl

comparison xml/dnsbl.in @ 136:f4746d8a12a3