[Dshield] Blocking Country Access

Tony Earnshaw
Fri Feb 23 00:01:23 GMT 2007

Valdis.Kletnieks at vt.edu wrote, on 22. feb 2007 14:24:

>> May I ask about your message load?  How many mail users and how
>> many messages per day or per some other period of time?
> I'm not Tony, but I'll just comment that most performance curves for this
> sort of thing are usually not smooth curves - it may work fine for 70 users,
> and require no additional hardware for 700, or 7,000, but it totally falls over
> if you try to put 70,000 people on it.  Doing RBL lookups for 4,000 messages
> a day is trivial - trying to do RBLs for 4 million msgs/day without getting
> totally killed by the additional latency is a major challenge.  And I can't
> tell you where the curve bends, because it's highly site dependent (on things
> like network topology, the RBLs in use, and even what order you check the RBLs
> in...)
> Actually, this would be *trivial* to do, except we have users that want the
> million or so *legitimate* messages we handle a day to be delivered in a timely
> fashion as well.  Damned users - always being the monkey wrench in the design. ;)

I agree entirely. I constantly try to envisage projection of our own 
low-volume site configuration to that of a high-volume site and take as 
examples of mailadmins those (on the Postfix ML) dealing with hundreds 
of thousands of subscribers/recipients - and have already based some of 
my own filters on theirs. This doesn't only apply to RBLs, but also to 
header and message-body filtering, Sender/Recipient Address 
verification, all forms of DNS lookup verification and - of course - the 
luxury of being able to check refused client site SMTP conversations.


Tony Earnshaw
Email: tonni at hetnet dot nl

