Hi all, first of all, a belated Merry Christmas!

As for the reason for this message: on Christmas eve one of my boxes running ASSP faced an issue; one of the users' credentials were stolen and then used to pump out junk through the server. Now, the problem is that the rate limiter was almost ineffective and, in practice, didn't kick in due to the following reasons:

* Messages were sent in relatively small batches from a number of different IPs (most probably bots)
* The message sender was "randomly" generated so there was no constant "single sender" (same for recipients, by the way)

Now, I think that a quick way to solve this issue may be changing the rate limiter to also keep track of the "auth-user" ID; this way, in case an account gets stolen and abused as above, the rate limiter may still kick in and both limit the damage and alert the admins, who may/will then remediate the issue; by the way, the current "whitelisting" (aka no-rate-limit) should still apply so that the change won't break things.

I don't know how complex it may be, but given that when ASSP acts as a regular proxy or as an SSL proxy it can see the auth phase taking place, I think it should be possible to intercept the userid and use it for such a purpose.

_______________________________________________
Assp-test mailing list
https://lists.sourceforge.net/lists/listinfo/assp-test
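The per-auth-user rate limiting proposed in the post above, as an added illustration that is not ASSP's code or the poster's: a sliding-window limiter replayed over a constructed message stream, keyed in turn on source IP, on envelope sender, and on the authenticated user, which shows that only the auth-user key trips when small batches arrive from many IPs with random senders. The 10-per-60-second limit, the field names and the exempt list are assumptions.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window, no_rate_limit=()):
        self.limit, self.window = limit, window
        self.exempt = set(no_rate_limit)  # existing "no-rate-limit" whitelist still applies
        self.hits = defaultdict(deque)    # key -> timestamps inside the window

    def allow(self, key, now):
        if key in self.exempt:
            return True
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: block (and, in ASSP, alert the admins)
        q.append(now)
        return True


def count_blocked(events, key_field, limit=10, window=60, no_rate_limit=()):
    """Replay events through a limiter keyed on one field; return how many were blocked."""
    limiter = SlidingWindowLimiter(limit, window, no_rate_limit)
    return sum(1 for e in events if not limiter.allow(e[key_field], e["t"]))


def constructed_events():
    # Constructed sample stream: 30 messages over 60 s, 10 source IPs with 3 messages
    # each, a different made-up sender per message, all authenticated as "alice".
    return [
        {"t": 2 * i,
         "ip": f"198.51.100.{i % 10}",
         "sender": f"user{i:04d}@example.org",
         "auth_user": "alice"}
        for i in range(30)
    ]


if __name__ == "__main__":
    ev = constructed_events()
    for field in ("ip", "sender", "auth_user"):
        print(f"{field:9s} blocked: {count_blocked(ev, field)}")
    print("auth_user whitelisted blocked:", count_blocked(ev, "auth_user", no_rate_limit=("alice",)))
```

Keying on IP or sender blocks nothing, since no single IP or sender exceeds the limit; keying on the auth-user blocks 20 of the 30 messages unless that user is on the exempt list.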
