On Tue, Aug 14, 2001 at 06:16:45PM +0800, Miguel A.L. Paraz wrote (wyy sez):
> On Tue, Aug 14, 2001 at 04:28:29PM +0800, Gino LV.Ledesma wrote:
> >     I asked some people around (some from the postfix mailing list) 
> > whether it was possible to simply reject mail outright but was told that 
> > postfix has first to get it, then check, then accept/reject it.
> 
> Sorry, that is the only way - your MTA has to do body checks because
> there's nothing in the MAIL FROM: or RCPT TO: that indicates it's Sircam.
>
this is the root of the problem. we do have postfix running with body
checks. however, our system gets "DOS"ed because of the HUGE log files
that are generated by the SirCam mail.info logs. the current system is
configured to log to /dev/null all the mail.info logs to prevent another 
downtime due to this type of problem. right now all the logs are written
also to /dev/tty12 so that we can see the SirCam action. 

the strange thing is that these SirCam attempts come from only single
sources and i think that some of them might be failed bounce attempts
since postfix bounces the email. this could even be a bounce chain.
isn't postfix supposed to quit after a given number of bounce failures?
anyway, this is just a suspicion and with no scientific basis.

i wrote a patch for the latest snapshot of postfix. (have not had the
time to test it yet though. but, i built the RPMS already.) the patch
basically adds a feature called DROP. DROP is like REJECT but with two
major differences. it does not log the failed attempt and it sets the
email status to BOUNCE2 and thus postfix's qmqrd will treat it
as a failed bounce message and should theoretically write an error and
drop the email. the packages can be downloaded from
http://sysads.ateneo.net/wyu/

> Perhaps Linux has - or someone (from PLUG?) would code - a way to intercept
> and drop packets based on content.  Dropping the TCP packet containing
> "Hi.." whatever and sending a RST should kill it, no?  Any iptables hackers?
> 
this is not a very simple task since a single packet might not be able
to contain the entire string that you would like to drop. an email could
be divided into multiple packets such that your regular expression string
would not match any single packet.

another problem is that this will be really CPU intensive since the data
of all the packets must now be checked. these packets are a lot.

next problem is that the packets may not come in the proper order thus
making it very difficult to complete a string.

my $0.02

--------------------------------------
William Emmanuel S. Yu
Ateneo Cervini-Eliazo Networks (ACENT)
email  :  [EMAIL PROTECTED]
web    :  http://cersa.admu.edu.ph
phone  :  63(2)4266001-5925/5904
GPG    :  http://sysads.ateneo.net/wyu/wyy.pgp
 
Of all forms of caution, caution in love is the most fatal.
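
An added example, not part of the original message: a Python sketch of the three objections above (a string split across packets, the cost of scanning every byte, out-of-order arrival), comparing a per-packet regex with a matcher that reorders by sequence number. The marker, sample body, sequence numbers and all function names are constructed for illustration; retransmissions, overlaps and sequence wrap are assumed not to occur.

```python
import re

# Constructed marker standing in for the "Hi.." body line quoted above.
PATTERN = re.compile(rb"Hi! How are you\?")
MARKER_LEN = 16
# Constructed sample message, not a captured mail.
BODY = b"Subject: doc\r\n\r\nHi! How are you?\r\n(constructed sample body)\r\n"

def segment(data, isn, sizes):
    """Split data into TCP-like (seq, payload) segments of the given sizes."""
    segs, off = [], 0
    for size in sizes:
        segs.append((isn + off, data[off:off + size]))
        off += size
    if off < len(data):
        segs.append((isn + off, data[off:]))
    return segs

def per_packet_match(segs):
    """Naive filter: inspect each payload on its own, in arrival order."""
    return any(PATTERN.search(payload) for _, payload in segs)

class StreamMatcher:
    """Buffers out-of-order segments and carries a tail of already scanned
    bytes forward, so a marker spanning segment boundaries is still seen."""
    def __init__(self, isn, marker_len):
        self.next_seq = isn
        self.pending = {}             # seq -> payload not yet in order
        self.tail = b""               # last marker_len - 1 bytes scanned
        self.keep = marker_len - 1
        self.bytes_scanned = 0        # rough measure of the CPU cost

    def feed(self, seq, payload):
        self.pending[seq] = payload
        hit = False
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.next_seq += len(chunk)
            window = self.tail + chunk
            self.bytes_scanned += len(window)
            hit = hit or bool(PATTERN.search(window))
            self.tail = window[-self.keep:]
        return hit

def scan_stream(segs, isn):
    """Feed segments in arrival order; return (matched, bytes_scanned)."""
    matcher, hit = StreamMatcher(isn, MARKER_LEN), False
    for seq, payload in segs:
        hit = matcher.feed(seq, payload) or hit
    return hit, matcher.bytes_scanned
```

With the body cut after 20 and 30 bytes and the last segment delivered first, `per_packet_match` misses the marker while `scan_stream` finds it, at the price of buffering per connection and scanning more bytes than the message contains.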
 
