CleanMail - Automatic SMTP Traffic Limiting
Directory Harvesting Protection
Directory harvesting attacks are used by spammers to find valid mail addresses in your domain. The attacker, for example, goes through a list of common first names and combines them with your domain name to issue SMTP RCPT TO commands, like this:
RCPT TO:<firstname.lastname@example.org>
If your mail server accepts this address, the spammer takes this as an indication that the address is valid.
CleanMail counts the number of failed RCPT TO commands in an SMTP session. As soon as this counter exceeds a configurable limit, the remote host is disconnected. The counter is reset whenever a RCPT TO command is successful.
Offending remote hosts are blocked for some time from making new connections.
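The counting rule described above, sketched as an added example (this is not CleanMail's own code). The class name, the limit of 3, the 600-second block and the treatment of every non-2xx reply as a failure are assumptions made for illustration; the sessions are constructed sample data.

```python
import time

class HarvestGuard:
    """Per-session failed-RCPT counter plus a temporary host block list."""

    def __init__(self, max_failed=3, block_seconds=600, clock=time.monotonic):
        self.max_failed = max_failed        # constructed limit, not a CleanMail default
        self.block_seconds = block_seconds  # constructed block duration
        self.clock = clock
        self.blocked_until = {}             # host IP -> time the block expires

    def accept_connection(self, host):
        """Refuse new connections from a host whose block has not yet expired."""
        until = self.blocked_until.get(host)
        if until is not None and self.clock() < until:
            return False
        self.blocked_until.pop(host, None)
        return True

    def run_session(self, host, rcpt_replies):
        """Replay the reply codes given to each RCPT TO of one SMTP session."""
        if not self.accept_connection(host):
            return "refused"
        failed = 0
        for code in rcpt_replies:
            if 200 <= code < 300:
                failed = 0                  # a successful RCPT TO resets the counter
                continue
            failed += 1                     # assumption: any non-2xx reply is a failure
            if failed > self.max_failed:    # counter exceeds the limit: disconnect
                self.blocked_until[host] = self.clock() + self.block_seconds
                return "disconnected"
        return "completed"

if __name__ == "__main__":
    guard = HarvestGuard()
    # Constructed sessions: (remote host, reply codes returned to its RCPT TO commands)
    sessions = [
        ("192.0.2.10", [550, 550, 250, 550, 550, 550]),
        ("198.51.100.7", [550, 550, 550, 550, 250]),
        ("198.51.100.7", [250]),
    ]
    for host, replies in sessions:
        print(host, guard.run_session(host, replies))
```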
Mail Flooding Protection
CleanMail's traffic limiting options are also useful to protect yourself against the impact of mail flooding.
The most common kind of mail flooding is an excessive amount of non-delivery reports. This happens after a spammer or a virus has used one of your email addresses as the 'From' address, and you get thousands of non-delivery reports from all around the world. Typically, you will find a pattern: only a few badly configured mail hosts are the source of these mails.
Mail servers try to deliver mail as fast as possible, and so they open more than one connection to your mail server. If a server has thousands of non-delivery reports queued for you, that server alone can easily push your server to its limit with spam filtering and anti-virus checking for several hours. During this time, your legitimate incoming mail traffic can be slowed down to a trickle.
Sometimes it might help to send the admin of these sites a mail to inform them of the errors of their ways (they could have rejected the mail outright, instead of accepting it and sending a non-delivery report to the wrong person afterwards), but this is rarely successful.
CleanMail provides the means to reduce the impact of this problem. You can put the offending mail host on a reject list, or you can limit the number of simultaneous connections accepted from the same host. This traffic limiting can be done either by host IP address (the IP address of the MTA that connects to CleanMail), or by the name the MTA supplies with the SMTP HELO/EHLO command.
Open Relay Protection
If you want to limit the recipients CleanMail accepts, you can configure the valid recipient domains or recipient addresses using CleanMail's Open Relay Protection. Mail to other addresses is rejected. You can use the wildcard characters ? (any character) and * (any number of any character). Normally, you will want to accept mail for recipients in your domain only, as in *@byteplant.com. Multiple address patterns can be separated by blanks.
On the Windows platform, the list of recipients can be populated from Active Directory.