Once upon a time, Simon Hobson <[email protected]> said:
> Chris Adams <[email protected]> wrote:
>
> > We have multiple SMTP servers and multiple policyd servers (all VMs).
> > We had a compromised user sending a high volume of spam this morning
> > from a bunch of different IPs (standard spammer behavior). The user
> > falls under our default policy of 50 messages per 30 minutes, but they
> > were able to send thousands of messages this morning without hitting the
> > limit.
> >
> > The problem appears to be that cbpolicyd didn't properly track the
> > quota. I see messages in the log that show the quota being incremented
> > and then jumping back to 1 rapidly (all in a second or two).
>
> So I guess you have an instance of Postfix plus an instance of PolicyD per
> server. How are they sharing a database ? Is the database also distributed,
> or do they access one shared instance ?
> And how many servers are involved ?

There are 4 VMs for outbound postfix, and 4 separate VMs for policyd
(each are load-balanced). There's a separate dedicated MySQL server
that everything talks to.

I've been looking at my logs, and I see other instances of the quota
being reset to 1, not just under this spam flood, although under
moderate rates. For example, one user had the quota go from 1 to 38
between 03:10:03 and 03:11:02, and then at 03:11:03 it went back to 1.
That user's limit is 50 messages per 30 minutes; the "reset to 1"
behavior is not consistent; a little later that user hit their 50 and
got rejects.

I do see the entries in the session_tracking table. I don't know why
the Quotas module didn't see them.

-- 
Chris Adams <[email protected]>
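
One way to hunt for the "reset to 1" symptom described above across a larger set of logs, as an added example that is not part of the original message and not cbpolicyd code. It assumes a fixed-window quota (a counter may only fall once the 30-minute period has elapsed since that window began) and uses a constructed "date time key counter" input format, not cbpolicyd's log format; the dates and key names are made up, and user-a's times mirror the ones quoted in the message.

```python
from datetime import datetime, timedelta

# Constructed sample observations (NOT cbpolicyd's log format):
# "<date> <time> <tracking key> <counter value after this message>"
SAMPLE = """\
2024-01-01 03:10:03 user-a 1
2024-01-01 03:10:30 user-a 17
2024-01-01 03:11:02 user-a 38
2024-01-01 03:11:03 user-a 1
2024-01-01 03:20:00 user-a 25
2024-01-01 03:45:00 user-a 1
2024-01-01 03:10:05 user-b 1
2024-01-01 03:12:00 user-b 2
"""

def parse(text):
    """Yield (timestamp, key, counter) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, key, counter = line.split()
        yield datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), key, int(counter)

def find_premature_resets(records, period=timedelta(minutes=30)):
    """Flag counters that drop before the quota period has elapsed.

    Assumption: fixed window. Once a key starts counting, its counter may
    only fall after `period` has passed since that window began.
    Returns (key, time, previous counter, new counter, seconds into window).
    """
    state = {}      # key -> (window_start, last_counter)
    findings = []
    for ts, key, counter in sorted(records):
        if key not in state:
            state[key] = (ts, counter)
            continue
        start, last = state[key]
        if counter < last:
            elapsed = ts - start
            if elapsed < period:
                findings.append((key, ts, last, counter, int(elapsed.total_seconds())))
            start = ts  # the tracker began a new window, expected or not
        state[key] = (start, counter)
    return findings
```

Run over the sample, it reports only the drop from 38 to 1 one minute into the window; the later drop at 03:45:00 is past the 30-minute period and is treated as a normal rollover.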
