
Re: [ietf-smtp] You can't hurt a computer's feelings

2013-03-03 18:37:47
I'm still aware of high-concurrency attacks on large (i.e., 100M+ subscriber) 
domains, which admittedly is a small number of domains.  This includes attempts 
to open too many concurrent connections from a single IP to a single domain.  
Most of these are from targeted spam/DoS attacks on a single domain or perhaps 
a handful of domains launched from a small number of compromised servers 
sitting in data centers.  This connection limiting keeps a single non-BLed IP 
address which is obviously up to some anomalous activity from consuming too 
much server resource.  Most bots are on some BL, and can be efficiently ignored 
without connections limits.  IMHO, throttles/limits continue to be useful in 
large enterprise environments, especially if tuned by sender reputation.  

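As an added example (not code from any of the posters, and not taken from any MTA), here is a small simulation of the kind of connection gate the post above describes: sources on a blocklist are refused before they consume a slot, unlisted sources get a small per-IP concurrency cap, known-good senders a larger one, and an overall cap of 60 sits over everything, mirroring the overall figure John Levine quotes. It also pushes David Ross's spread-out /24 pattern through the gate, to show that a per-source cap does not catch a sweep that stays under it, while the overall cap still does. Class and method names, the sample addresses and the limits are all assumptions; the traffic is constructed.

```python
"""Per-source SMTP connection limiting with reputation-tuned caps.

Added example, not code from any of the posters or from any MTA. Names
(ConnectionGate, Reputation, accept/release) and the sample addresses are
hypothetical; the limits echo numbers quoted in the thread (an overall cap
of 60, small per-IP caps) but are otherwise arbitrary.
"""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Reputation(Enum):
    LISTED = "listed"      # on a blocklist: reject before counting
    UNKNOWN = "unknown"    # default per-IP cap applies
    TRUSTED = "trusted"    # known-good sender: larger per-IP cap


@dataclass
class ConnectionGate:
    overall_limit: int = 60
    per_ip_limit: int = 5
    trusted_multiplier: int = 4
    blocklist: set = field(default_factory=set)
    trusted: set = field(default_factory=set)
    active: Counter = field(default_factory=Counter)   # open connections per IP
    total_active: int = 0

    def reputation(self, ip: str) -> Reputation:
        if ip in self.blocklist:
            return Reputation.LISTED
        if ip in self.trusted:
            return Reputation.TRUSTED
        return Reputation.UNKNOWN

    def cap_for(self, ip: str) -> int:
        """Concurrent-connection cap for ip, tuned by its reputation."""
        rep = self.reputation(ip)
        if rep is Reputation.LISTED:
            return 0
        if rep is Reputation.TRUSTED:
            return self.per_ip_limit * self.trusted_multiplier
        return self.per_ip_limit

    def accept(self, ip: str) -> tuple[bool, str]:
        """Decide whether a new connection from ip may be admitted.
        Returns (admitted, reason); admitted connections must be released."""
        if ip in self.blocklist:
            return False, "blocklisted"    # cheap reject, no slot consumed
        if self.active[ip] >= self.cap_for(ip):
            return False, "per-ip limit"
        if self.total_active >= self.overall_limit:
            return False, "overall limit"
        self.active[ip] += 1
        self.total_active += 1
        return True, "ok"

    def release(self, ip: str) -> None:
        """Connection from ip closed; free its slot."""
        if self.active[ip] > 0:
            self.active[ip] -= 1
            self.total_active -= 1


def simulate(events, gate=None):
    """Run ("open"|"close", ip) events through a gate; return outcome tallies."""
    if gate is None:
        gate = ConnectionGate()
    outcomes = Counter()
    for action, ip in events:
        if action == "open":
            _, reason = gate.accept(ip)
            outcomes[reason] += 1
        else:
            gate.release(ip)
    return outcomes, gate


def demo():
    """Constructed traffic mix (hypothetical addresses from documentation ranges)."""
    gate = ConnectionGate(blocklist={"203.0.113.9"}, trusted={"198.51.100.1"})
    events = []
    events += [("open", "203.0.113.9")] * 12     # listed bot hammering
    events += [("open", "192.0.2.7")] * 12       # unlisted host, 12 at once
    events += [("open", "198.51.100.1")] * 12    # trusted relay, 12 at once
    # /24 sweep: 100 hosts, 3 connections each, each under the per-IP cap
    events += [("open", f"203.0.113.{n}") for n in range(100, 200) for _ in range(3)]
    return simulate(events, gate)


if __name__ == "__main__":
    tally, g = demo()
    print(dict(tally), "active:", g.total_active)
```

In the demo the listed bot is turned away 12 times without touching a slot, the unlisted host is held to 5 of its 12 attempts, the trusted relay gets all 12, and the sweep then fills the remaining 43 slots up to the overall cap of 60 with the rest refused as "overall limit": the per-IP cap never fires on the sweep, which is the pattern the later messages in this thread describe.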

-----Original Message-----
From: ietf-smtp-bounces(_at_)ietf(_dot_)org 
[mailto:ietf-smtp-bounces(_at_)ietf(_dot_)org] On Behalf Of John R Levine
Sent: Sunday, March 03, 2013 8:22 AM
To: Randall Gellens
Cc: ietf-smtp(_at_)ietf(_dot_)org
Subject: Re: [ietf-smtp] You can't hurt a computer's feelings

That matches my experience.  Whatever problem might once have been addressed by 
limiting the number of connections per source, it doesn't exist any more.

My server hits its overall limit of 60 all the time when it's getting a lot of 
spam, but it's never more than a handful of those 60 from a single IP.  


Here's the answer I got:

At 3:05 PM -0500 3/1/13, David Ross wrote:
 It would depend on how many connections you have allocated to 
regular SMTP and how many to authenticated SMTP.

 One EIMS server I have in a small business has both set to 20. 
Server has been up since Feb 23 and the max connections to date are 7 
regular and 4 authenticated at any one time. And with a limit of 20 
on the regular SMTP connections I've never seen it hit 20 for at least 5 or 
more years.

 I suspect this is not as much of an issue now that computers can 
more easily handle a lot of connections and spammers are likely 
better at not flooding any one server with connections. I suspect the 
latter also depends on the number of domains hosted.

 Most of the heavy attacks I see these days come in waves where they 
fire off from 100 or so IPs in a /24 each with a different domain as 
the sending entity. Spread over a few hours with under 5 connection attempts 
per IP.

 The office I mentioned with 2 domains and 20 people sees one or two 
of these a day.
ietf-smtp mailing list