Repeating 5xx codes..
A host connects to me by SMTP, and does

MAIL FROM: <something that fails verify>
RCPT TO: <either a valid or invalid recipient>

And gets a 5xx for the failing sender verify. It then proceeds to do
this again, on the SAME connection, with a new recipient, but with the
same sender. Repeat ad nauseam. exim4's rate-limiting doesn't seem to
slow this down, and I'm not sure if the max_rcpt settings will or not,
but while I'd like to allow a fairly high number of _accepted_ RCPTS,
I'd prefer not to allow a high number of failed ones.

Is there a way to control this that I am missing?

If there isn't, then perhaps a cut-off on the max number of 5xx errors
before no more commands of any type are accepted (with the possible
exception of DATA, if there had previously been at least one acceptable
RCPT TO), but anything else (including a new MAIL FROM after the
completion of a DATA command), would get a 5xx...

Perhaps another cut off, which could be set higher, the maximum
number of 5xx codes in a row before just dropping the connection..


Separately from the above, I am thinking of setting up some sort of
script, which would watch the rejectlog, and keep track of the IP
addresses I am issuing rejections to, and if a particular host gets more
than a certain threshold of rejections within a period of time (or more
likely, within a certain number of log lines), then temporarily add that
host's IP to a file to be used by host_reject_connection. (it would have
an expire time or something that the script would watch for and remove
the entry appropriately)

Anyone have any thoughts on this?
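
The log-watching script proposed above could look like the following sketch. It is an added example, not code from the thread or from Exim; the log line shape, the `RejectTracker` class and the sample addresses are assumptions constructed for illustration, and the real rejectlog format should be checked before relying on the pattern.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumed line shape (constructed for this example): timestamp, the peer IP in
# [brackets], then " rejected ". A bracket right after "(" is the client-supplied
# HELO and is skipped, so a forged HELO literal cannot get another host blocked.
REJECT_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?(?<!\()\[([0-9a-fA-F.:]+)\].*? rejected ")

class RejectTracker:
    def __init__(self, threshold=5, window_lines=100, ban=timedelta(hours=1)):
        self.threshold, self.ban = threshold, ban
        self.recent = deque(maxlen=window_lines)  # IPs of the last N reject lines
        self.counts = Counter()                   # rejections per IP inside the window
        self.blocked = {}                         # ip -> expiry time

    def feed(self, line):
        m = REJECT_RE.match(line)
        if not m:
            return
        now = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if len(self.recent) == self.recent.maxlen:
            self.counts[self.recent[0]] -= 1      # oldest line leaves the window
        self.recent.append(ip)
        self.counts[ip] += 1
        if self.counts[ip] >= self.threshold:
            self.blocked[ip] = now + self.ban     # block, or extend an existing block

    def active(self, now):
        """Drop expired entries and return the IPs still blocked at `now`."""
        self.blocked = {ip: t for ip, t in self.blocked.items() if t > now}
        return sorted(self.blocked)

    def render(self, now):
        """One IP per line: the file content the host list would read."""
        return "".join(ip + "\n" for ip in self.active(now))

# Constructed sample: one host rejected six times, one list server rejected once.
SAMPLE = [f"2002-06-11 10:00:{i:02d} H=([203.0.113.9]) [192.0.2.10] F=<x@bad.example> "
          f"rejected RCPT <user{i}@example.org>: Sender verify failed" for i in range(6)]
SAMPLE.insert(2, "2002-06-11 10:00:02 H=list.example [198.51.100.7] "
                 "F=<list@list.example> rejected RCPT <gone@example.org>: Unknown user")

def run_sample(at):
    tracker = RejectTracker(threshold=5, window_lines=50)
    for line in SAMPLE:
        tracker.feed(line)
    return tracker.render(datetime.strptime(at, "%Y-%m-%d %H:%M:%S"))
```

Counting over the last N reject lines rather than over wall-clock time matches the "within a certain number of log lines" variant; a host that keeps being rejected has its expiry pushed forward on every further line.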
Re: Repeating 5xx codes..
On Tue, 11 Jun 2002, Dave C. wrote:

> A host connects to me by SMTP, and does
>
> MAIL FROM: <something that fails verify>
> RCPT TO: <either a valid or invalid recipient>
>
> And gets a 5xx for the failing sender verify. It then proceeds to do
> this again, on the SAME connection, with a new recipient, but with the
> same sender. Repeat ad nauseam. exim4's rate-limiting doesn't seem to
> slow this down,

That, I think, can be classed as a bug. It appears not to be counting
MAIL commands, but to be counting incoming messages, which isn't quite
the same thing. I've noted that. A fix seems like a good idea.

> but while I'd like to allow a fairly high number of _accepted_ RCPTS,
> I'd prefer not to allow a high number of failed ones.

The problem with this is that rejecting MAIL doesn't always have any
effect; the client just tries again (often with the same sender). So you
are no better off.

> If there isn't, then perhaps a cut-off on the max number of 5xx errors
> before no more commands of any type are accepted (with the possible
> exception of DATA, if there had previously been at least one acceptable
> RCPT TO), but anything else (including a new MAIL FROM after the
> completion of a DATA command), would get a 5xx...

If you set the threshold too low you would be in danger of blocking
legitimate mail. Consider a busy mailing list with several users in your
domain, one of which goes away. You are down for several hours. When you
come back, the list server sends 100 messages to you, all in one
connection. You'll see 100 5xx codes on this connection... I think my
feeling is that a crude control like this wouldn't be very useful.

--
Philip Hazel University of Cambridge Computing Service,
ph10@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.
Re: Repeating 5xx codes..
On Wed, 12 Jun 2002, Philip Hazel wrote:

> On Tue, 11 Jun 2002, Dave C. wrote:
>
> > A host connects to me by SMTP, and does
> >
> > MAIL FROM: <something that fails verify>
> > RCPT TO: <either a valid or invalid recipient>
> >
> > And gets a 5xx for the failing sender verify. It then proceeds to do
> > this again, on the SAME connection, with a new recipient, but with the
> > same sender. Repeat ad nauseam. exim4's rate-limiting doesn't seem to
> > slow this down,
>
> That, I think, can be classed as a bug. It appears not to be counting
> MAIL commands, but to be counting incoming messages, which isn't quite
> the same thing. I've noted that. A fix seems like a good idea.
>
> > but while I'd like to allow a fairly high number of _accepted_ RCPTS,
> > I'd prefer not to allow a high number of failed ones.
>
> The problem with this is that rejecting MAIL doesn't always have any
> effect; the client just tries again (often with the same sender). So you
> are no better off.

I don't need to reject the MAIL, rejecting the RCPT is fine. The fix
above should help.

>
> > If there isn't, then perhaps a cut-off on the max number of 5xx errors
> > before no more commands of any type are accepted (with the possible
> > exception of DATA, if there had previously been at least one acceptable
> > RCPT TO), but anything else (including a new MAIL FROM after the
> > completion of a DATA command), would get a 5xx...
>
> If you set the threshold too low you would be in danger of blocking
> legitimate mail. Consider a busy mailing list with several users in your
> domain, one of which goes away. You are down for several hours. When you
> come back, the list server sends 100 messages to you, all in one
> connection. You'll see 100 5xx codes on this connection... I think my
> feeling is that a crude control like this wouldn't be very useful.

Perhaps the max number of 5xx errors, with no intervening successful
transactions. The object is to stop an extended session of nothing but
rejections.

My desire would be to set a fairly high fail-safe threshold. What would
the right way be to force the sender-host to terminate this SMTP
session, and begin another if it had more mail? A 4xx code?

Perhaps a threshold after which, after any current transaction is
completed, exim says 4xx, and closes the connection..
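
The policy discussed in this thread (count 5xx replies with no intervening successful transaction, let a transaction that already has accepted recipients finish, then answer 4xx and close) can be modelled as a small per-connection state machine. This is an added simulation, not Exim code or configuration; the `RejectionGuard` class, the choice of 421 as the closing reply and both sample sessions are assumptions made for the example.

```python
class RejectionGuard:
    """Counts 5xx replies on one connection since the last accepted message."""

    def __init__(self, limit):
        self.limit = limit
        self.streak = 0          # 5xx replies with no completed transaction between
        self.accepted_rcpts = 0  # recipients accepted in the transaction in progress
        self.tripped = False

    def reply(self, command, verdict):
        """verdict is what the normal checks decided ('ok' or 'reject');
        the return value is the reply code the guard lets the server send."""
        pending = command != "MAIL" and self.accepted_rcpts > 0
        if self.tripped and not pending:
            return 421                       # nothing left to finish: close
        if command == "MAIL":
            self.accepted_rcpts = 0
        if verdict == "reject":
            self.streak += 1
            self.tripped = self.tripped or self.streak >= self.limit
            return 550
        if command == "RCPT":
            self.accepted_rcpts += 1
        elif command == "DATA":              # stands for the whole DATA phase
            self.accepted_rcpts = 0
            if not self.tripped:
                self.streak = 0              # a delivered message resets the count
        return 250

def run_session(commands, limit):
    """Replay (command, verdict) pairs; stop when the guard closes the connection."""
    guard, replies = RejectionGuard(limit), []
    for command, verdict in commands:
        replies.append(guard.reply(command, verdict))
        if replies[-1] == 421:
            break
    return replies

# Constructed sessions. ABUSIVE: the pattern from the first post, same failing
# sender and a new recipient each time. LIST_SERVER: one reading of the backlog
# scenario, 100 messages to three local users, one of whom no longer exists.
ABUSIVE = [("MAIL", "ok"), ("RCPT", "reject")] * 50
LIST_SERVER = [("MAIL", "ok"), ("RCPT", "ok"), ("RCPT", "reject"),
               ("RCPT", "ok"), ("DATA", "ok")] * 100
```

With a limit of 20, the abusive session is cut off with 421 after its twentieth rejection, while the list-server session collects 100 rejections on one connection without ever reaching the limit, because each delivered message resets the count.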