
    What is smtpguard...

    smtpguard is a tool which controls the flow of email traversing an MTA (Mail Transfer Agent). It is designed to be used on an SMTP server for incoming mail, and currently supports postfix.

    smtpguard was originally created to meet the needs of Internet Service Providers (ISPs). ISP's typically receive tremendous amounts of email from their local (user) network. Within a wide variety of users, some are spammers, many unknowingly have virus infected PC's; each of these can send large quantities of mail through the ISP's SMTP (Simple Mail Transfer Protocol) servers. This is especially a problem for ISP's who are connected to their users via high speed lines such as fiber or ADSL. smtpguard was developed to prevent SMTP servers from being overwhelmed by unexpected spikes in usage from specific (often malicious) users.


    Patterns of problems

                                Unique IP addresses    Quantity of email
    SPAM from local network     a few                  lots
    SPAM from infected PC       lots                   not much
    SPAM from internet          a few                  not too much

    To control throughput properly without inconveniencing legitimate users, consider the questions below:

  • Average load: how many msgs/s per user?
  • When SPAM'ed: how many msgs/s?
  • How many msgs/s can your system sustain?

    The diagram below illustrates the basic premise of smtpguard.


    For a large ISP the problem is not only overloaded incoming SMTP servers. SPAM will also be queued on the outgoing server (perhaps the same machine) for delivery to the Internet. Because the mail is SPAM it will likely bounce, and then double bounce, putting extreme load on the outgoing server and its queue. smtpguard is designed to prevent this kind of extreme load by stopping floods of mail at the gate (the incoming server).

    smtpguard is point based. Each time a client connects to the SMTP server, smtpguard scores the session: it uses information acquired during the SMTP dialogue, adds points according to the rules file, and finally takes actions based on its settings. For example, the following information is used:

  • Remote IP Address
  • Character string provided by MAIL FROM command
  • Character string provided by RCPT TO command

    The following actions can be taken:

  • ok: white list
  • wait: delay processing
  • reject: reject messages
  • mail: send alert email to administrator
  • log: output message to log
  • delete: delete record in database

    Example configuration file:

    MAILFROM="postmaster@example.com"
    SENDMAIL="/usr/sbin/sendmail"
    EXPIRE=900

    # If IP address source is 172.16.3.*, add 1 point.
    A: IP=172.16.3.          : add(1)

    # If MAIL FROM does not end with example.com, add 1 point.
    A: F!~=example.com       : add(1)

    # For every RCPT TO, add 1 point.
    A:                       : add(1)

    # If RCPT TO does not end with example.com, add 1 point.
    A: T!~=example.com       : add(1)

    # If the number of RCPT TO's in a session exceeds 100, add 100 points temporarily.
    R: TC>100                : addlocal(100)

    # If the point total exceeds 100,
    #       - Return wait(5) to smtpd
    #       - Log output
    R: P>100                 : wait(5),
        log("inserting a small sleep in a SMTP session from " , IP)

    # If the point total exceeds 1,000,
    #       - Send a warning message to "admin@example.com"
    #       - Extend the data expiration time by 900 seconds
    #       - Log output
    #       - Return the reject message to the client via smtpd
    R: P>1,000               : mail("admin@example.com"),
        extendexpire(900),
        reject("411 mail server temporally rejected message"),
        log("rejecting a SMTP session from ", IP)

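    The following is an added Python model of how the point rules above score a session; it is not smtpguard's own code. It assumes (the page does not say) that the point database is keyed by remote IP, that "A" rules add to that persistent record, that every matching "R" rule fires once per session on P = persistent points + addlocal() points, and that a record past its EXPIRE time is reset; PointDB and score_session are names chosen here.

```python
# Added example, not smtpguard's code. Assumptions (not on the page): points are
# stored per remote IP, all matching R rules fire once per session, and
# P = persistent points + addlocal() points for the current session only.

EXPIRE = 900  # seconds, as in the example configuration


class PointDB:
    """Per-IP point records with an expiry time (EXPIRE / extendexpire)."""

    def __init__(self):
        self.records = {}  # ip -> [points, expires_at]

    def add(self, ip, points, now):
        rec = self.records.get(ip)
        if rec is None or rec[1] <= now:       # missing or expired: start over
            rec = self.records[ip] = [0, now + EXPIRE]
        rec[0] += points
        return rec[0]

    def extend(self, ip, seconds):
        self.records[ip][1] += seconds


def score_session(db, ip, mail_from, rcpt_tos, now):
    """Apply the example rules to one SMTP session; return (P, actions)."""
    persistent = 0
    if ip.startswith("172.16.3."):              # A: IP=172.16.3.
        persistent += 1
    if not mail_from.endswith("example.com"):   # A: F!~=example.com
        persistent += 1
    for rcpt in rcpt_tos:
        persistent += 1                         # A: (every RCPT TO)
        if not rcpt.endswith("example.com"):    # A: T!~=example.com
            persistent += 1
    total = db.add(ip, persistent, now)
    local = 100 if len(rcpt_tos) > 100 else 0   # R: TC>100 : addlocal(100)
    p = total + local                           # addlocal() is per-session only
    actions = []
    if p > 100:                                 # R: P>100
        actions += ["wait(5)", "log"]
    if p > 1000:                                # R: P>1,000
        db.extend(ip, 900)
        actions += ["mail", "extendexpire(900)", "reject", "log"]
    return p, actions
```

    With the constructed input of a 172.16.3.x host sending 120 external recipients per session, the first session scores 342 (wait), the fourth within the EXPIRE window passes 1,000 (reject), and a single-recipient local session scores 1.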

    Last Updated: Wed Nov 9 03:09:13 PST 2005 by Alexander Reeder
    Created by Alexander Reeder
    Copyright (c) 2005 VA Linux Systems Japan, K.K. All Rights Reserved.