[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] Limiting POP3/IMAP access

Subject: Re: [cobalt-users] Limiting POP3/IMAP access
From: "Jonathan Michaelson" <michaelsonjd@xxxxxxxxxxx>
Date: Thu May 29 07:09:00 2003
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

Hi Dan,

> > "poplimitd is a daemon process that will monitor your server
> > maillog file for POP3 or IMAP connections. Using configurable
> > settings it monitors the rate of logins based on user account
> > and IP address. If it finds excessive usage, it will send a
> > preconfigured email with the users information to that user
> > asking them to stop it. In the future it will also have the
> > option to block the IP address. On servers that suffer from
> > high POP3/IMAP load, this can dramatically modify user
> > behaviour and limit POP and IMAP connections and load."
> >
>
> How many times? i.e. if a user normally checks their box every 15
> minutes, but once checks it three times in 5 minutes would it send an
> email? Or, would the checking every minute or two have to be over a
> certain period of time before tripping a warning?

You can configure it to suit your needs - but it's over a period of time
that you can configure. It works using a formula based on settings that you
can make which specify the time interval to count over (interval_minutes)
and the ideal minimum you'd like them to pop every X minutes
(limit_minutes). Here is the example in the script:

# The trigger interval for the mail message is worked out by the average
# difference between $limit_minutes and $limit_minutes-1 within the
specified
# $interval_minutes. So, an $interval_minutes of 15 minutes with a
# $limit_minutes of 2 yields a trigger level of 11 POPs in 15 minutes:
# (15 - ((15 - 7)/ 2))

It doesn't just trigger if you go over 7 hits in 15 minutes in this example,
to allow for people hitting send+receive a few few times because their
sending before popping plus they check each 2 minutes. This means it always
will catch those checking once per minutes over a 15 minute period and those
that check once every 2 minutes but repeatedly hit send+receive to remind
them not to do that so often if they're checking every 2 minutes (so should
check every 3 minutes to limit the load and not get the threatening email).

We've found it to be extremely effective as a social engineering method
(since it only currently sends out an email) in relieving the load on the
POP server every customer that has receved an email has modified their
client to check less often.

We hope to develop it further in the future such that repeat offenders
(those that breach the $interval_minutes on more than a specified number of
occasions in a row) will have their IP address blocked for POP3 access
either through ipchains/iptables or hosts.deny for a given period to help
them understand further :-)

--
Regards,
Jonathan Michaelson
Commercial CGI Scripting, Web Hosting
Web-based Email, Homepage Creation and Live Help products
http://www.webumake.com

References:
- RE: [cobalt-users] Limiting POP3/IMAP access
  - From: Dan Kriwitsky

Prev by Date: Re: [cobalt-users] MAJOR BUG, Browse any directory view any file
Next by Date: Re: [cobalt-users] CRON DAEMON ERROR MESSAGE
Previous by thread: RE: [cobalt-users] Limiting POP3/IMAP access
Next by thread: [cobalt-users] phpMyAdmin 2.5.0 - http auth mode fails (RAQ550)

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index