On 16/04/2021 13:44, micah via mailop wrote:
> 
> It seems to be a fun pastime for some people to mailbomb users (10k
> emails in minutes), to blow up a person's mailbox so they are over
> quota, or to make them miss an important email. 
> 
> I'm curious what others have settled on for reasonable rate limits for
> incoming mail for individual accounts? The danger is that the rate
> limits can still cause a denial of service for that user, unless the
> rate-limits are done properly. 
> 
> Unfortunately, I have yet to find a free software solution that will do
> the right thing, but I'm interested to hear others' implementations.
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
> 

I can only tell you about Rspamd, as I have implemented and designed its
ratelimiting logic.

Rspamd keeps track of the reputation of each ratelimit bucket, allowing
you to send fewer messages at the beginning and more if your messages are
'fine' in terms of spam/malware score: your limit then grows slightly
towards some upper limit. And, on the contrary, if your messages are
'bad', then your limit shrinks to some lower bound.
This is represented in the following graph:
https://rspamd.com/doc/modules/ratelimit.html#principles-of-work
Your limits start from point 0, and the rate can move up and down
depending on the limit bucket's reputation.

I have also made it quite configurable: you can set rate limits on
literally everything, and you can even set different limits for different
days of the week if needed. Originally, Rspamd used triplets like
to_from_ip (lower rate) + to_from (higher rate) + to (even higher rate),
but now you can combine these buckets freely, depending on the exact
demands and the direction of the email traffic.
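An added sketch, not part of the original message and not Rspamd's code: a toy leaky-bucket limiter with the to_from_ip / to_from / to triplet and a reputation multiplier that grows on clean mail and shrinks on spam. The class and function names, the 1.01/0.99 factors, the 0.5x to 2x bounds and the limits in LIMITS are all assumed values chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    rate: float         # messages drained per second at multiplier 1.0
    burst: float        # capacity at multiplier 1.0
    last: float         # time of the previous update
    level: float = 0.0  # current fill
    mult: float = 1.0   # reputation multiplier; 1.0 is the starting point

class ReputationLimiter:
    """Toy model only; factors and bounds are assumed values, not Rspamd defaults."""

    def __init__(self, limits, ham=1.01, spam=0.99, lo=0.5, hi=2.0):
        self.limits = limits  # selector name -> (rate per second, burst)
        self.ham, self.spam, self.lo, self.hi = ham, spam, lo, hi
        self.buckets = {}

    def check(self, now, rcpt, sender, ip, is_spam):
        """Return True to accept, False to defer with a temporary failure."""
        keys = {"to_from_ip": (rcpt, sender, ip), "to_from": (rcpt, sender), "to": (rcpt,)}
        passed = []
        for name, (rate, burst) in self.limits.items():
            b = self.buckets.setdefault((name, keys[name]), Bucket(rate, burst, now))
            # Drain at the reputation-scaled rate since the last update.
            b.level = max(0.0, b.level - (now - b.last) * b.rate * b.mult)
            b.last = now
            if b.level + 1 > b.burst * b.mult:
                return False
            passed.append(b)
        # Simplification: the verdict is passed in; a real filter knows it only after scanning.
        factor = self.spam if is_spam else self.ham
        for b in passed:
            b.level += 1
            b.mult = min(self.hi, max(self.lo, b.mult * factor))
        return True

def simulate(limiter, n, interval, rcpt, is_spam, distinct_senders):
    """Feed n constructed messages at a fixed interval; return how many were accepted."""
    accepted = 0
    for i in range(n):
        sender = f"s{i}@example.net" if distinct_senders else "peer@example.org"
        ip = f"192.0.2.{i % 250}" if distinct_senders else "198.51.100.7"
        accepted += limiter.check(i * interval, rcpt, sender, ip, is_spam)
    return accepted

# Constructed limits: tighter for the specific triplet, looser for the recipient alone.
LIMITS = {"to_from_ip": (0.2, 20), "to_from": (0.5, 50), "to": (1.0, 100)}
```

With every message coming from a new sender, the to_from_ip and to_from buckets never fill, so only the recipient-wide "to" bucket slows a 10k-message burst; mail deferred by that bucket includes legitimate mail for the same recipient.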