David MacQuigg wrote:
> 100KB seems like a sensible size chunk. No need for a separate process
> monitoring the reply channel. No need to wait to make sure there is no
> REJECT on each chunk. A full handshake is not required. Just don't
> ignore any REJECTS that are sent.
Unfortunately, David, as always, it is the bad guys using legacy SMTP
client software for these DATA attacks who could not be restricted by
any new graceful control logic.

The force disconnect (drop) is all we have but that has an implicit
451 reply code for the client.

I can only see some form of learning or behavior tracking to
selectively use a drop.

For example, if a client shows extended client mode by using a return
path SIZE= attribute and it exceeds this size in the data transfer,
then that might be a trigger for bad behavior tracing.
--
Sincerely
Hector Santos
http://www.santronics.com
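
A server-side sketch of the SIZE= trigger described in the message above, as an added example that is not part of the original post or of any mail server's code. The names `declared_size` and `SizeTracker`, the slack tolerance and the drop threshold are all assumptions chosen for illustration.

```python
from collections import Counter

def declared_size(mail_from_line):
    """Return the SIZE= value from a MAIL FROM line, or None for a legacy client."""
    head, _, params = mail_from_line.strip().partition(">")
    if not head.upper().startswith("MAIL FROM:"):
        return None
    # ESMTP parameters follow the closing '>' of the return path.
    for param in params.split():
        key, _, val = param.partition("=")
        if key.upper() == "SIZE" and val.isascii() and val.isdigit():
            return int(val)
    return None

class SizeTracker:
    """Hypothetical per-client record of sessions that overran their declared SIZE."""

    def __init__(self, slack=100, drop_after=2):
        self.slack = slack            # assumed tolerance in bytes
        self.drop_after = drop_after  # assumed overruns before a drop is used
        self.overruns = Counter()

    def check(self, client_ip, mail_from_line, data_chunks):
        """Count DATA bytes as they arrive; return 'accept', 'flag' or 'drop'."""
        limit = declared_size(mail_from_line)
        if limit is None:
            return "accept"  # no SIZE= declared, so there is nothing to compare
        received = 0
        for chunk in data_chunks:
            received += len(chunk)
            if received > limit + self.slack:
                self.overruns[client_ip] += 1
                if self.overruns[client_ip] >= self.drop_after:
                    return "drop"  # repeat offender: disconnect mid-transfer
                return "flag"      # first overrun: record it for tracking
        return "accept"

def demo():
    """Run constructed sessions (documentation addresses, made-up sizes)."""
    tracker = SizeTracker()
    mail = "MAIL FROM:<sender@example.org> SIZE=1000"
    oversized = [b"x" * 800, b"x" * 800]  # 1600 bytes against a declared 1000
    return [
        tracker.check("192.0.2.10", mail, [b"x" * 900]),
        tracker.check("192.0.2.10", mail, oversized),
        tracker.check("192.0.2.10", mail, oversized),
        tracker.check("192.0.2.20", "MAIL FROM:<old@example.org>", oversized),
    ]

if __name__ == "__main__":
    print(demo())
```

A client that sends no SIZE= parameter is never flagged by this check, so it only covers clients that declare a size.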