Viktor Dukhovni:
> On Sat, Oct 05, 2013 at 09:59:23AM -0400, Wietse Venema wrote:
>
> > It should be easy enough to count per "login name" instead of per
> > "SMTP client" (after all, those labels are just simple strings that
> > select a hash-table entry).
> >
> > However it should not be too easy to exhaust server memory.
> >
> > In particular, Postfix must not try to maintain huge numbers of
> > counters when some spammer tries a huge number of different login
> > names in a short time.
>
> Which requires a large number of concurrently compromised accounts.
> In most cases a spammer will have compromised a modest number of

No. Think "brute force account guessing attack". For example, a
spammer tries (a long list of usernames) x (a long list of passwords)
distributed over multiple compromised clients.

Regardless of whether this is a common mode of operation, Postfix
must not run out of memory when it happens.

> > Either the use of per "login name" counters
> > should be restricted to "known" logins,
>
> This is for free, there is no such thing as an "unknown login".

Not true when "per login name" counters are updated regardless of
whether the login exists, for example as part of a defense against
brute-force account guessing attacks such as described above.

In the general case of counters per sender address, recipient
address, or some other information that the client provides, Postfix
does not necessarily have ground truth of what is "known" (for
example Postfix has no knowledge of all "known" email addresses on
the Internet). Yet it could be useful to throttle down traffic that
is obviously out of kilter.

Did you have more ideas about shared-memory counter in memcache?

Wietse
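
The memory constraint discussed in this message, as an added example that is not part of the thread and is not Postfix code: a per-key counter table with a hard cap on the number of keys, so a flood of distinct login names cannot grow it without bound. The class name, the cap, the window and the sample traffic are all assumptions made for the illustration.

```python
from collections import OrderedDict


class BoundedRateTable:
    """Per-key event counters over a fixed time window, with a hard cap on
    the number of keys held in memory (hypothetical helper, not Postfix code)."""

    def __init__(self, max_entries, window):
        self.max_entries = max_entries
        self.window = window            # seconds a counter stays valid
        self.table = OrderedDict()      # key -> [window_start, count], LRU order
        self.evicted = 0                # live entries dropped to honour the cap

    def _purge_expired(self, now):
        # Collect stale keys first, then delete, to avoid mutating mid-iteration.
        stale = [k for k, (start, _) in self.table.items()
                 if now - start >= self.window]
        for k in stale:
            del self.table[k]

    def hit(self, key, now):
        """Record one event for key at time now; return its count in the window."""
        entry = self.table.get(key)
        if entry is not None and now - entry[0] < self.window:
            entry[1] += 1
            self.table.move_to_end(key)     # most recently used goes last
            return entry[1]
        if entry is None and len(self.table) >= self.max_entries:
            self._purge_expired(now)        # reclaim expired slots first
            while len(self.table) >= self.max_entries:
                self.table.popitem(last=False)   # then drop least recently used
                self.evicted += 1
        self.table[key] = [now, 1]          # new key, or expired window restarts
        self.table.move_to_end(key)
        return 1


def simulate():
    """Constructed traffic: one login retried 20 times, then 10,000 distinct names."""
    t = BoundedRateTable(max_entries=1000, window=60)
    repeated = 0
    for i in range(20):
        repeated = t.hit("alice", now=i)
    for i in range(10_000):
        t.hit(f"guess{i}", now=20 + i * 0.001)
    return repeated, len(t.table), t.evicted
```

Eviction trades accuracy for the memory bound: when many distinct names arrive inside one window, counters for less recently seen keys restart early, so the `evicted` total is worth logging as a signal in its own right.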