

Standards, Environments, and Macros         qmail-spamthrottle(5)


NNNNAAAAMMMMEEEE
     qmail-spamthrottle - the qmail spam throttle mechanism


IIIINNNNTTTTRRRROOOODDDDUUUUCCCCTTTTIIIIOOOONNNN
     The idea of spam throttling came about after would-be  spam-
     mers were easily circumventing (classic) tarpitting.  A rea-
     sonable recipient limit in  tarpitting  must  not  adversely
     affect  acceptable  mail  usage,  so  spam clients typically
     create multiple SMTP connections, all of  which  fall  under
     this  threshold.  Other sources have similar concepts, using
     rate limiting, stuttering, et cetera to describe them.

     It was originally intended for use at ISPs to control  their
     internal clients (users) SMTP usage, although it can applied
     equally in other environments.  An ISP may  wish  to  enable
     this  mechanism for its customers to prevent them from using
     the mail servers as a convenient location from which to send
     spam.   However, in some or all other cases (other originat-
     ing IP addresses) this mechanism might be disabled to  allow
     for  legitimate  high-volume  mail  traffic  such as mailing
     lists.

     Spam throttling acts in  a  similar  manner  to  tarpitting,
     except  that  it is highly parameterized, more flexible, and
     (hopefully)  more  effective.   A  wait  is   imposed   (via
     sssslllleeeeeeeepppp(3)) following the DDDDAAAATTTTAAAA command depending on these SMTP
     parameters: remote  IP  address;  previous  SMTP  connection
     timestamp; and previous wait time.

     With the addition of teergrubing, spammers should keep their
     connections open and deliver less mail.


DDDDEEEETTTTAAAAIIIILLLLSSSS
     Two files, _w_a_i_t and _t_i_m_e, store the previous wait  time  and
     SMTP  connection  timestamp,  respectively.   Both files are
     found in ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ssssppppaaaammmm////_d_i_r.  Where _d_i_r is based on parame-
     ters  set in ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ccccoooonnnnttttrrrroooollll////ssssppppaaaammmmtttt.  If _d_i_r is empty as a
     result, then it will be automatically set to _a/_b/0/0,  where
     _a  and  _b  are the two octets (in decimal) for the remote IP
     address, _a._b._c._d.

     Similarly, if _d_i_r starts  with  a  slash  (////),  then  it  be
     automatically  set  to  the  _n-bit masked IP address (format
     [/_n]), based on the remote IP address.

     See qqqqmmmmaaaaiiiillll----ssssppppaaaammmmtttt((((5555)))) for details.

     NNNNooootttteeee:::: In case it is not yet evident, when _d_i_r is  empty  (or
     starts with a slash), as indicated above, then every dot (....)


SunOS 5.11                Last change:                          1


Standards, Environments, and Macros         qmail-spamthrottle(5)


     is interpreted as a slash (////) in  the  construction  of  the
     directory where the spam throttle state files are stored.


     If you are using libtai for your time calculations, then the
     format  for the _t_i_m_e file is a packed TAI64NA label.  If you
     have perl and the tai64nlocal program, you can use the  fol-
     lowing  perl  expression  to  convert  from a packed TAI64NA
     label to a TAI64N timestamp:

          print join("","@",unpack("H24",<>)), "0;


     Given an entry in ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ccccoooonnnnttttrrrroooollll////ssssppppaaaammmmtttt, such as

        ipblock:dir:st:stmax:flush:rcpt:tg:tg_resp:

     Message throughput is controlled via the value of  _s_t.   The
     delays  imposed  (by calling sssslllleeeeeeeepppp(3)) depend on:  the value
     of _s_t); number of recipients for the  current  SMTP  session
     (_R);  the  number  of  reasonable  recipients per connection
     (_r_c_p_t); how much time has passed (_T)  since  the  last  SMTP
     request (as determined by ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ssssppppaaaammmm////_d_i_r////ttttiiiimmmmeeee); and the
     last    imposed    delay    (_W)    (as     determined     by
     ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ssssppppaaaammmm////_d_i_r////wwwwaaaaiiiitttt).  The new delay is approximately

         (_R - _R / 2^(_R/_r_c_p_t)) * ((_W * _s_t * _R) / _T)

     when _r_c_p_t is greater than 0, and

          (_W * _s_t * _R) / _T

     otherwise.  The unit of time is milliseconds.

     If _s_t_m_a_x is defined (and is non-zero), then it is used as  a
     maximum (in milliseconds) for the delay calculated above.

     In short, _s_t is roughly the minimum  time  between  messages
     and/or  connections.  If you already know that you only want
     a throughput of N messages per  second,  then  you  can  use
     1000/N as a good starting point for _s_t.


CCCCOOOONNNNFFFFIIIIGGGGUUUURRRRAAAATTTTIIIIOOOONNNN
     For the following discussion, we assuming the matching entry
     in ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ccccoooonnnnttttrrrroooollll////ssssppppaaaammmmtttt is

        ipblock:dir:st:stmax:flush:rcpt:tg:tg_resp:

     Despite efforts to impose a waiting period on would-be spam-
     mers,  it is still possible for the client to circumvent the
     call to sssslllleeeeeeeepppp(3).  That  is,  they  may  not  wait  for  the


SunOS 5.11                Last change:                          2


Standards, Environments, and Macros         qmail-spamthrottle(5)


     response  from  the  DATA command, continuing to write their
     message, assuming success, then closing  the  socket,  again
     without  waiting for a response from the server; the message
     will be delivered at no (time) cost to them.   Adherence  to
     standards  (such  as  ignoring  the  absence  of PIPELINING)
     should not be assumed  for  clients  acting  as  agents  for
     unsolicited  bulk email.  As such, the _f_l_u_s_h variable can be
     set (non-zero) to indicate that all input  will  be  flushed
     after  calling  sssslllleeeeeeeepppp(3)  and prior to sending a response to
     the DATA command.  RFC 2920 (STD 60) prohibits  flushing  of
     the  input buffer if PIPELINING is supported.  As such, EHLO
     responses will not advertise PIPELINING while _f_l_u_s_h is set.

     Another method, teergrubing, involves  issuing  continuation
     lines  periodically  to keep the client connected while they
     wait for the go ahead from the  DATA  command.   By  setting
     (non-zero) the variable _t_g, you can specify the frequency of
     continuation lines in response to the DATA command.  If  the
     argument  to sssslllleeeeeeeepppp(3) would have been 11 (seconds) and _t_g is
     set to 2, then the response to the DATA command would result
     in  several  calls  to sleep(2) (and one sleep(1)) with each
     accompanied by a continuation  line.   A  continuation  line
     consist  of a 3-digit code, a dash, and an arbitrary string.
     The default string is "please  wait",  but  can  be  changed
     using the _t_g__r_e_s_p variable. For example,

          ...
          DATA
          354-please wait
          354-please wait
          354 go ahead
          ...


EEEENNNNVVVVIIIIRRRROOOONNNNMMMMEEEENNNNTTTT
     The environment variable, TTTTCCCCPPPPRRRREEEEMMMMOOOOTTTTEEEEIIIIPPPP, is strictly  required
     by  spam throttle.  If you are not using ttttccccppppsssseeeerrrrvvvveeeerrrr, then you
     will have to use ttttccccpppp----eeeennnnvvvv to ensure TTTTCCCCPPPPRRRREEEEMMMMOOOOTTTTEEEEIIIIPPPP is set.


CCCCAAAAVVVVEEEEAAAATTTTSSSS
     The implicit translation of an empty directory to one  based
     on  the  remote  IP address will most certainly result in an
     unwieldy spam directory structure and should be reserved for
     small  networks,  such  as  the  internal network side of an
     office or ISP (including ISP users).  It is recommended that
     the     /_n     format     be    used    in    the    default
     ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ccccoooonnnnttttrrrroooollll////ssssppppaaaammmmtttt entry (empty network block).  Then,
     for  specific  networks, a directory per IP address is still
     possible: for example, the entries


SunOS 5.11                Last change:                          3


Standards, Environments, and Macros         qmail-spamthrottle(5)


        192.168.0.0/24:/32:::::::
        :/16:1500:120000::::::

     define the default spam  throttle  directory  (assuming  the
     remote IP address is _a._b._c._d) as _a/_b/0/0.  However, when the
     remote IP address is in the  192.168.0.0/24  network  block,
     the  spam  throttle directory will be _a/_b/_c/_d, since the _d_i_r
     parameter is ////33332222.


EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
     These examples assume  that  ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ccccoooonnnnttttrrrroooollll////ssssppppaaaammmmtttthhhhrrrroooottttttttlllleeee
     contains a non-zero value.

     Here is a sample ////vvvvaaaarrrr////qqqqmmmmaaaaiiiillll////ccccoooonnnnttttrrrroooollll////ssssppppaaaammmmtttt file  for  a  home
     user:

         # network:dir:st:stmax:flush:rcpt:tg:tg_resp:
         #
         # default entry (make it all share the public directory)
         :public:1500:120000::::::
         #
         # private (trusted) network does not enforce  spamthrot-
     tle
         192.168.0.0/24::0::::::
         #
         # some external network which we would like to  throttle
     collectively
         10.0.0.0/24:collected:::::::
         #
         # an external network (semi-trusted) which is throttled
         # based on individual IP address
         # - we don't specify SPAMTHROTTLEDIR and the default
         #   behaviour of storing state files in directories
         #   based on IP address is used)
         # - we also allow relaying from this semi-trusted
         #   network
         10.1.0.0/16:/32:::::::
         .


     Here is a sample file for  a  high-volume  mail  server  (or
     servers)  for  some  arbitrary  ISP  (with  customer network
     10.0.0.0/16 and internal/ employee network 10.1.0.0/24):

         # network:dir:st:stmax:flush:rcpt:tg:tg_resp:
         #
         # by default, turn throttling off
         ::0:::::::
         #
         # customer network uses default behaviour
         # (IP-based throttle files)


SunOS 5.11                Last change:                          4


Standards, Environments, and Macros         qmail-spamthrottle(5)


         10.0.0.0/16:/32:::::::
         #
         # employee network doesn't adhere to throttling
         10.1.0.0/24::0::::::
         #
         # external trusted network which legitimately
         # provides high volume mail traffic
         10.1.1.0/24::0::::::
         #
         # a collection of addresses/networks which we
         # might have gathered from past abuse experience
         # - we allow the mail, but we're aggressive
         #   about throttling it
         10.1.2.1/32:abuse:5000::::::
         10.1.2.2/32:abuse:5000::::::
         10.1.2.3/32:abuse:5000::::::
         10.1.3.0/24:abuse:5000::::::
         .


SSSSEEEEEEEE AAAALLLLSSSSOOOO
     tcp-env(1), tcp-environ(5), qmail-spamt(5), qmail-smtpd(8)


AAAAUUUUTTTTHHHHOOOORRRR
     Dale Woolridge, James Law, and Moto Kawasaki.   Contact  the
     authors via email: <spamthrottle@qmail.ca>.


SunOS 5.11                Last change:                          5