[51014] in North American Network Operators' Group
Re: Echo
daemon@ATHENA.MIT.EDU (Brad Knowles)
Sun Aug 18 15:09:31 2002
In-Reply-To: <a05111b1ab98470990872@[10.0.1.60]>
Date: Sun, 18 Aug 2002 21:05:04 +0200
To: Brad Knowles <brad.knowles@skynet.be>,
"Karsten W. Rohrbach" <karsten@rohrbach.de>
From: Brad Knowles <brad.knowles@skynet.be>
Cc: Martin Hannigan <hannigan@fugawi.net>, nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
At 11:36 PM +0200 2002/08/17, Brad Knowles wrote:
> You mean, the IP address of the machine contacting you, or the IP
> address of the originating machine? If the former, keep in mind
> that many providers host a large number of customers, and you could
> deny service to a lot of innocent people. If the latter, then you
> would be vulnerable to forging.
I've been thinking about this a bit more. I think the best way
to implement protection mechanisms for something like this is using a
"milter" plug-in for sendmail. It would get called after the message
has been transmitted by the sending relay, but before your mail
server returns "250 Okay".
This milter would do whatever you programmed it to do, but would
be able to check databases, compare times of previous messages from
the same IP address or network, etc.... Once a message passes all
the checks, the milter plug-in would return a code that tells the
sendmail program to accept the message, where the actual work is
performed by another program.
The advantage of milter is that it is inherently multi-threaded,
asynchronous, and capable of using an arbitrary number of off-system
back-end milter servers.
--
Brad Knowles, <brad.knowles@skynet.be>
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-Benjamin Franklin, Historical Review of Pennsylvania.
GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
