On 2012-01-11 2:05 PM, huret deffgok wrote:
> On Wed, Jan 11, 2012 at 7:04 PM, Charles Marcus wrote:
>> On 2012-01-11 1:00 PM, huret deffgok wrote:
>>> This post is slightly OT, I hope no one will take offense. I was
>>> following the wiki on using dovecot LDA with postfix and
>>> implemented, for our future mail server, the address extensions
>>> mechanism: an email sent to
>>> "validUser+foldername@mydomain.com"
>>> will have dovecot-lda automagically create and subscribe the
>>> "foldername" folder. With some basic scripting I was able to
>>> create hundreds of folders in a few seconds. So my question is
>>> how do you implement this great feature in a secure way so that
>>> funny random people out there can't flood your mailbox with
>>> gigatons of folders.
>>
>> Don't have it autocreate the folder...
>> Seriously, there is no way to provide that functionality and have the
>> system determine when it is *you* doing it or someone else...
>> But I think it is a non-problem... how often do you receive plus-addressed
>> spam??
>
> None from now. But I was thinking about something like malice rather than
> spamming. For me it's an open door to DOS the service.
> What about a functionality that would throttle the rate of creation of
> folders from one IP address, with a ban in case of abuse? Or maybe I should
> look at the file system level.

Again - and no offense - but I think you are tilting at windmills...
If you get hit by this, you will not only have thousands or millions of
folders, you'll have one email for each folder. So, the question is, how
do you prevent being flooded with spam... and the answer is, decent
anti-spam measures.
I prefer ASSP, but I just wish you could use it as an after queue
content filter (for its most excellent content filtering and more
importantly quarantine management/block reporting
features/functionality). That said, postfix, with sane anti-spam
measures, along with the most excellent new postscreen (available in
2.8+ I believe) is good enough to stop most anything like this that you
may be worried about.
Like I said, set up postfix (or your smtp server) right, and this is a
non-issue.
--
Best regards,
Charles
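
The per-client view of folder creation discussed in this thread can at least be measured from the mail log. The following is an added example, not part of the original messages and not Dovecot or Postfix code: it correlates Postfix `client=` and `to=` log lines by queue ID and counts distinct `+` extensions per client IP and mailbox, which with autocreate enabled approximates folders created. The function names, the threshold, and the simplified sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Postfix logs the client on the smtpd line and the recipient on the delivery
# line; the queue ID is what ties the two together.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=[^\[]*\[([^\]]+)\]")
RCPT_RE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-Za-z]+): to=<([^+@>]+)\+([^@>]+)@([^>]+)>")

def extensions_by_client(log_text):
    """Map (client IP, mailbox) -> set of distinct +extensions delivered."""
    client_of = {}            # queue ID -> client IP
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_of[m.group(1)] = m.group(2)
            continue
        m = RCPT_RE.search(line)
        if m:
            qid, user, ext, domain = m.groups()
            ip = client_of.get(qid, "unknown")
            seen[(ip, f"{user}@{domain}".lower())].add(ext)
    return seen

def flag_abusers(log_text, max_new_folders=3):
    """Return (ip, mailbox, count) where one client hit too many extensions."""
    return sorted(
        (ip, box, len(exts))
        for (ip, box), exts in extensions_by_client(log_text).items()
        if len(exts) > max_new_folders  # threshold is an assumed policy value
    )

def _msg(qid, ip, rcpt):
    # Constructed, simplified log lines in Postfix syslog layout.
    return (f"Jan 11 13:00:01 mx postfix/smtpd[2101]: {qid}: client=unknown[{ip}]\n"
            f"Jan 11 13:00:01 mx postfix/pipe[2105]: {qid}: to=<{rcpt}>, "
            "relay=dovecot, dsn=2.0.0, status=sent (delivered via dovecot service)\n")

# Constructed sample: one client touches five extensions, another reuses one.
SAMPLE_LOG = "".join(
    [_msg(f"3F2A1B0C4{i}", "203.0.113.7", f"validUser+folder{i}@mydomain.com") for i in range(5)]
    + [_msg(f"7C9D0E1F2{i}", "198.51.100.20", "validUser+lists@mydomain.com") for i in range(2)]
)

if __name__ == "__main__":
    for ip, box, count in flag_abusers(SAMPLE_LOG):
        print(f"{ip} delivered to {count} distinct extensions of {box}")
```
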