Thanks everyone for the modified check_spamhelo. I've implemented it and tweaked it already to fit my system (have two HELO blocklists and I record failed attempts in the database).

And now... for what it's worth..

I'm posting this here because I know a lot of people have the same trouble I do with Perl taking up system resources, but don't have the time or energy or desire (yet) to install one of the server optimizers. (And even then, this can help those *with* said optimizers.)

What I had done so far was to create a database of machines that made it past DNS filters but failed my own tests, weighed them according to their trespasses, and incorporated that list into my tcpserver deny rules.

Well, I found something to put in front of tcpserver. There's a project called packetbl (http://www.duskglow.com/software.html) that judges and accepts/drops SYN packets using DNSBLs. I've been using it for a while now on our production servers (and as a test on some of our border routers) and it eliminates the time each machine wastes with systems I'm going to eventually block anyway.

For those who don't have an issue with *completely* ignoring/firewalling blacklisted machines, it's superb at freeing up resources. I've made my database back-end visible via DNS now, so that helps out too. I'm also thinking of using it to protect my web pages from being visited by mail harvesting robots. :)

The idea is to use the user-space iptables QUEUE to compare packets before they are processed. Although this guy's program is written in C (and seems to be very stable.. running several weeks on my system without fail), I wrote a proof-of-concept version in Perl. My Perl version croaks after a few hours, probably because I cache all lookups in a hash. :P Still a project at work.

Matt gets the credit for the next stage of my plan. With a daemon watching the queue for bad IPs, it could append a new rule to the chain telling that packet (and subsequent connections) to talk to a different SMTP server--one that simply passed out 550's "Sorry, you're blocked. See myurl.com/yourbadip..." Or, for those who wanted to tarpit the offending machines, you could build a tarpitting SMTP server, or send the packet to the iptables tarpit queue. Fun stuff! :)

Definitely not a qpsmtpd-only project, but one that would (IMHO) benefit the users.

-- Bryan
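The core of what a packetbl-style queue daemon decides per SYN, as an added example that is not Bryan's code or packetbl's: build the reversed-octet DNSBL name, check for a 127.0.0.x listing, and keep the lookup cache bounded by size and TTL so it does not grow without limit the way an unbounded Perl hash would. The resolver and the zone name are constructed stand-ins; a real daemon would swap in a DNS library call.

```python
import ipaddress
import time
from collections import OrderedDict

# Constructed DNSBL answers standing in for real DNS (offline demo only).
FAKE_DNS = {
    "4.3.2.1.bl.example.invalid": "127.0.0.2",   # listed
    "8.7.6.5.bl.example.invalid": None,          # NXDOMAIN, not listed
}

def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def fake_resolver(name):
    """Stand-in for a real A-record lookup; returns the answer or None."""
    return FAKE_DNS.get(name)

class BoundedCache:
    """LRU cache with a TTL, so memory stays flat over weeks of uptime."""
    def __init__(self, max_entries=10000, ttl=3600):
        self.max_entries, self.ttl, self.data = max_entries, ttl, OrderedDict()

    def get(self, key, now):
        hit = self.data.get(key)
        if hit is None or hit[1] < now:      # missing or expired
            self.data.pop(key, None)
            return None
        self.data.move_to_end(key)
        return hit[0]

    def put(self, key, value, now):
        self.data[key] = (value, now + self.ttl)
        self.data.move_to_end(key)
        while len(self.data) > self.max_entries:
            self.data.popitem(last=False)    # evict least recently used

def verdict(ip, zones, cache, resolver=fake_resolver, now=None):
    """'DROP' if any zone answers 127.0.0.x for ip, else 'ACCEPT'.
    Unlisted or unresolvable names fail open: DNS trouble never blocks mail."""
    now = time.time() if now is None else now
    cached = cache.get(ip, now)
    if cached is not None:
        return cached
    result = "ACCEPT"
    for zone in zones:
        answer = resolver(dnsbl_name(ip, zone))
        if answer is not None and answer.startswith("127.0.0."):
            result = "DROP"
            break
    cache.put(ip, result, now)
    return result
```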