What is smtpguard...

SMTPGuard is a tool that controls the flow of email traversing an MTA (Mail Transfer Agent). It is designed to run on an SMTP server for incoming mail, and currently supports Postfix.

SMTPGuard was originally created to meet the needs of Internet Service Providers (ISPs). ISPs typically receive tremendous amounts of email from their local (user) network. Among a wide variety of users, some are spammers and many unknowingly have virus-infected PCs; each of these can send large quantities of mail through the ISP's SMTP (Simple Mail Transfer Protocol) servers. This is especially a problem for ISPs that are connected to their users via high-speed lines such as fiber or ADSL. SMTPGuard was developed to prevent SMTP servers from being overwhelmed by unexpected spikes in usage from specific (often malicious) users.


Pattern of problem          Unique IP addresses   Quantity of e-mail
SPAM from local network     a few                 lots
SPAM from infected PCs      lots                  not much
SPAM from the Internet      a few                 not too much

In order to control throughput properly without inconveniencing users, think about the questions below:

The diagram below illustrates the basic premise of SMTPGuard.

For a large ISP, overloaded incoming SMTP servers are not the only problem. SPAM will also be queued on the outgoing server (perhaps the same server) for delivery to the Internet. Because the mail is SPAM it will likely bounce, then double-bounce, putting extreme load on the outgoing server and its queue. SMTPGuard is designed to prevent this kind of extreme load by stopping floods of mail at the gate (the incoming server).

SMTPGuard is point based. Each time a client connects to the SMTP server, SMTPGuard evaluates the information acquired during the SMTP session against the rules file, adds points accordingly, and finally takes actions based on its settings. For example, the following information is used:

The following actions can be taken:

ok      white list
wait    delay processing
reject  reject the message
mail    send an alert email to the administrator
log     output a message to the log
delete  delete the record in the database

Examples from the configuration file

# If IP address is 172.16.3.*, add 1 point.
A:IP=172.16.3.     : add(1)

# If MAIL FROM does not end with example.com, add 1 point.
A:F!  ?=example.com     :add(1)

# Every RCPT TO, add 1 point
A:              :add(1)

# If RCPT TO does not end with example.com, add 1 point.
A: T!  ?=example.com            :add(1)

# If the number of RCPT TO exceeds 100, add 100 points temporarily.
R:TC>100        :addlocal(100)

# If the points exceed 100,
#        Return "wait(5)" to smtpd
#        Log output
R:P>100 :wait(5),
        log("inserting a small sleep in a SMTP session from" , IP)

# If the points exceed 1,000,
#        Send a warning message to "admin@example.com"
#        Extend the data expiration time by 900 seconds
#        Log output
#        Return "MESSAGE" to the client from smtpd
R:P>1,000               : mail("admin@example.com"),
        reject("411 mail server temporally rejected message"),
        log("rejecting a SMTP session from", IP)
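The point-based evaluation described above, as an added example that is not SMTPGuard's own code: a small Python scorer that applies the rules from the configuration examples, keeps per-IP points across sessions and session-local points separately, and returns the action taken. The threshold values, the in-memory dictionary standing in for SMTPGuard's database, and the sample session data are assumptions.

```python
# Added example: a minimal point-based scorer in the style SMTPGuard describes.
# Not SMTPGuard's own code; the rule set mirrors the configuration examples on
# this page, and the in-memory dict stands in for SMTPGuard's database (assumed).
from dataclasses import dataclass, field

WAIT_THRESHOLD = 100      # R:P>100   -> wait(5)
REJECT_THRESHOLD = 1000   # R:P>1,000 -> mail + reject + log

@dataclass
class Verdict:
    action: str            # "ok", "wait" or "reject"
    points: int            # total used for the decision (stored + session-local)
    log: list = field(default_factory=list)

def score_session(db: dict, ip: str, mail_from: str, rcpts: list) -> Verdict:
    """Apply the page's rules to one SMTP session from client `ip`.

    `db` maps client IP -> accumulated points and persists across sessions;
    addlocal() points apply to this session only and are not stored.
    """
    add = 0        # add(): persistent points
    local = 0      # addlocal(): temporary points for this session
    if ip.startswith("172.16.3."):                 # A:IP=172.16.3.
        add += 1
    if not mail_from.endswith("example.com"):      # MAIL FROM not ending with example.com
        add += 1
    add += len(rcpts)                              # every RCPT TO
    add += sum(1 for r in rcpts if not r.endswith("example.com"))  # external RCPT TO
    if len(rcpts) > 100:                           # R:TC>100
        local += 100
    db[ip] = db.get(ip, 0) + add
    points = db[ip] + local
    v = Verdict("ok", points)
    if points > REJECT_THRESHOLD:
        v.action = "reject"
        v.log.append(f"mail(admin@example.com); rejecting a SMTP session from {ip}")
    elif points > WAIT_THRESHOLD:
        v.action = "wait"
        v.log.append(f"wait(5); inserting a small sleep in a SMTP session from {ip}")
    return v

if __name__ == "__main__":
    db = {}
    flood = ["u%d@other.test" % i for i in range(150)]   # constructed sample recipients
    for _ in range(3):                                    # same client, three sessions
        print(score_session(db, "10.0.0.7", "bot@other.test", flood))
```

Running the sample shows the stored points climbing from one session to the next, so a client sending repeated floods moves from wait(5) to reject even though each session alone stays under the reject threshold.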

Last Updated: 2014-03-12 Yoshiaki Yanagihara
© 2005-2011 VA Linux Systems Japan, K.K.
© 2012- SCSK K.K.