I've gone ahead and implemented the auto-response rate limiting algorithm discussed below. I have a few questions I'd like some feedback on before I check it in.
1) Should this feature be turned on or off by default? I think on. Better to be safe than sorry.

2) The pertinent configuration variable is called ``MAX_AUTORESPONSES_PER_DAY'' which is pretty self-explanatory. What is a good default value? Remember that this is a last-resort measure to stop a broken auto-responder, so it should be high enough where no legitimate cases trigger it. Also remember this limit is per-sender, not total. How about 50/day? Too high? Too low?

> For reference, see
> http://mla.libertine.org/tmda-users/200205/msg00388.html
>
> I think it's wise to add some autoresponse rate limiting to guard
> against mail loops between TMDA and broken, non-rfc compliant
> autoresponders.
>
> Matt, indeed your sender-based pending queue would prevent this, but
> at this point that's too radical a departure I think. I'm still not
> sure I'm philosophically comfortable with the idea anyway.
>
> I'm envisioning a configurable per-recipient message count and time
> interval. So, TMDA would not send out more than count messages per
> interval to the same recipient. Sound right?
>
> So, let's brainstorm. Any thoughts on how to implement this?
>
> I've looked at how Bruce Guenter's qmail-autoresponder[1] does this,
> and it seems like a pretty sound algorithm. From
> qmail-autoresponder(1):
>
>     qmail-autoresponder limits the rate at which it sends responses to
>     each recipient to prevent mail flooding or denial-of-service
>     attacks. For each response it sends, it creates a file in
>     DIRECTORY. The name of that file consists of the process ID of
>     qmail-autoresponder, a period, the current UNIX time number, and
>     the envelope sender address (with any / characters replaced with :
>     to prevent creation of files outside of DIRECTORY). When it
>     receives a message, it scans DIRECTORY. Any files that are older
>     than the time interval (see below) are deleted and ignored. If
>     the number of remaining files with the same sender address is
>     greater than or equal to the maximum number of replies, no
>     response is generated.
>
> The next question is whether it's acceptable for TMDA to just drop the
> auto-reply when the rate limit is exceeded. This will leave the
> sender no way to confirm that message (if indeed the message is
> legitimate, and not just part of a mail loop). Although perhaps if
> the rate limit is high enough, no legitimate case will get caught by
> this? What's a reasonable threshold?
>
> Footnotes:
> 1. http://untroubled.org/qmail-autoresponder/

_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
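The file-per-response algorithm quoted from qmail-autoresponder(1) in the message above, as an added Python sketch that is not code from this post, from TMDA, or from qmail-autoresponder. The function names and the `directory`, `max_replies` and `interval` parameters are assumptions made for illustration, and it assumes one process per delivery so that PID plus timestamp is unique.

```python
import os
import time


def record_name(sender, now, pid=None):
    """Build '<pid>.<unix time>.<sender>' with '/' mapped to ':'."""
    pid = os.getpid() if pid is None else pid
    return "%d.%d.%s" % (pid, int(now), sender.replace("/", ":"))


def should_respond(directory, sender, max_replies, interval, now=None):
    """Return True and record the response if sender is under the limit.

    directory, max_replies and interval (seconds) are names chosen for
    this sketch; they are not TMDA or qmail-autoresponder settings.
    """
    now = time.time() if now is None else now
    safe_sender = sender.replace("/", ":")
    count = 0
    for name in os.listdir(directory):
        parts = name.split(".", 2)      # the sender part itself contains dots
        if len(parts) != 3 or not parts[1].isdigit():
            continue                    # not one of our record files
        if now - int(parts[1]) > interval:
            # Older than the interval: delete it and do not count it.
            os.unlink(os.path.join(directory, name))
            continue
        if parts[2] == safe_sender:
            count += 1
    if count >= max_replies:
        return False                    # limit reached: send no response
    # O_CREAT | O_EXCL fails instead of following or overwriting an
    # existing path, so a planted symlink cannot redirect the write.
    path = os.path.join(directory, record_name(sender, now))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    return True
```

The count is per sender, so one looping autoresponder reaching the limit does not suppress responses to anyone else, and expired records are cleaned up as a side effect of every scan.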
