vthrottle: SMTP virus throttle
license: 3-clause BSD.
vthrottle is an implementation of m. williamson's rate throttling mechanism for mail-borne worms and viruses. the software keeps track of which hosts and which senders have been sending mail. if a host, or a sender address, attempts to send mail more than once in a specified interval, it is backed off with a temporary failure. well behaved hosts are expected to not trip this detection/throttle ...
vthrottle works by evaluating mail transactions at three points: the connection, the HELO (or EHLO) statement, and the stated source address of the mail. for each of these, a list is traversed and the observed time interval between observations of the same entry is compared to the policy interval. if the observed interval is shorter than the policy interval, the message is not accepted. this is done by sending a temporary failure reply code (4xx) to the SMTP client, which causes a well behaved MTA to queue the message and retry later rather than lose it.
a whitelist may be used to create exceptions to the default interval. this whitelist can specify hostnames or mail addresses and gives the expected interval for each entry. the tool vmeasure, included in the vthrottle distribution, can be used to generate this whitelist from observations on your network.
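the following is an added example of the interval check described above (the per-checkpoint observation table and the whitelist override), written for this page and not taken from the vthrottle sources. the default interval of 60 seconds, the table size, the key names and the whitelist entries are assumptions; the log message format follows the throttling line shown further down the page.

```c
/* added example: per-key interval throttle in the spirit of vthrottle.
 * not the project's code; intervals, table size and whitelist are constructed. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define VT_DEFAULT_INTERVAL 60   /* assumed default policy interval, in seconds */
#define VT_MAX_ENTRIES      64   /* assumed size of the observation table */
#define VT_KEYLEN           256

enum vt_stage   { VT_HOST, VT_HELO, VT_FROM };        /* the three checkpoints */
enum vt_verdict { VT_ACCEPT = 0, VT_TEMPFAIL = 1 };   /* TEMPFAIL -> 4xx reply */

struct vt_entry { char key[VT_KEYLEN]; time_t last; };
struct vt_table { struct vt_entry e[VT_MAX_ENTRIES]; int n; };

/* constructed whitelist: name -> expected interval in seconds */
static const struct { const char *name; int interval; } vt_whitelist[] = {
    { "relay.example.com", 1 },   /* a legitimate busy relay */
    { "bulk@example.com",  5 },   /* a legitimate list sender */
};

/* policy interval for a name: the whitelist entry if there is one, else the default */
static int vt_policy_interval(const char *name)
{
    size_t i, n = sizeof(vt_whitelist) / sizeof(vt_whitelist[0]);
    for (i = 0; i < n; i++)
        if (strcmp(vt_whitelist[i].name, name) == 0)
            return vt_whitelist[i].interval;
    return VT_DEFAULT_INTERVAL;
}

static const char *vt_stage_name(enum vt_stage s)
{
    return s == VT_HOST ? "host" : s == VT_HELO ? "helo" : "sender";
}

/* evaluate one observation of `name` at checkpoint `stage` at time `now`.
 * returns VT_TEMPFAIL when the interval since the previous observation of the
 * same key is shorter than the policy interval for that name. the timestamp is
 * refreshed on every observation, so a client that keeps retrying stays
 * throttled until it waits out the full interval. */
int vt_check(struct vt_table *t, enum vt_stage stage, const char *name, time_t now)
{
    char key[VT_KEYLEN];
    int i, oldest = 0, expected = vt_policy_interval(name);

    /* the three checkpoints are tracked separately: "host:x" and "helo:x" differ */
    snprintf(key, sizeof key, "%s:%s", vt_stage_name(stage), name);

    for (i = 0; i < t->n; i++) {
        if (strcmp(t->e[i].key, key) == 0) {
            long observed = (long)(now - t->e[i].last);
            t->e[i].last = now;
            if (observed < expected) {
                fprintf(stderr, "vthrottle: throttling %s %s: observed interval: %ld, expected: %d\n",
                        vt_stage_name(stage), name, observed, expected);
                return VT_TEMPFAIL;
            }
            return VT_ACCEPT;
        }
        if (t->e[i].last < t->e[oldest].last)
            oldest = i;
    }
    /* first sighting: record it, evicting the stalest entry if the table is full */
    i = (t->n < VT_MAX_ENTRIES) ? t->n++ : oldest;
    snprintf(t->e[i].key, sizeof t->e[i].key, "%s", key);
    t->e[i].last = now;
    return VT_ACCEPT;
}

int main(void)
{
    struct vt_table t;
    memset(&t, 0, sizeof t);
    /* constructed sequence: a host blasting mail every 10 seconds vs. a whitelisted relay */
    printf("%d\n", vt_check(&t, VT_HOST, "localhost", 1000));          /* 0: first sighting */
    printf("%d\n", vt_check(&t, VT_HOST, "localhost", 1010));          /* 1: 10 < 60 */
    printf("%d\n", vt_check(&t, VT_HOST, "relay.example.com", 1000));  /* 0: first sighting */
    printf("%d\n", vt_check(&t, VT_HOST, "relay.example.com", 1001));  /* 0: whitelisted, 1 >= 1 */
    return 0;
}
```

in a real milter the three calls would sit in the xxfi_connect, xxfi_helo and xxfi_envfrom callbacks, and VT_TEMPFAIL would be mapped to SMFIS_TEMPFAIL so the client gets a 4xx and queues the message. refreshing the timestamp on a throttled observation is a design choice of this example: it keeps a retrying worm throttled, while a normal MTA's retry schedule (minutes to hours) comfortably clears the default interval.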
the threat model for this tool calls for a generic solution. a host infected with a worm which spreads by mail will attempt to send as much mail as possible in order to spread rapidly. to keep the throttle itself from being overwhelmed by that load, only the connection, HELO and sender information is recorded and acted upon; message bodies are never inspected.
when a host is throttled, entries like this will appear in the system logfiles:
Jan 25 00:20:42 gibbs vthrottle: throttling host localhost: observed interval: 10, expected: 60
a big hearty thank you to matt williamson and the HP management team for being ok with an independent implementation being developed and released. their technique and implementations are patent pending; this is only an approximation of their methods. two papers relevant to this tool are:
because vthrottle uses libmilter, it works only with sendmail, not with other MTAs.
vthrottle currently depends on a few BSD-specific functions, including strsep(), openlog_r() and syslog_r(). porting vthrottle to other platforms is being worked on.
add lines similar to the following to your sendmail .mc file to enable vthrottle's use:
INPUT_MAIL_FILTER(`filter1', `S=unix:/var/run/milter/vthrottle.sock, F=R')
define(`confINPUT_MAIL_FILTERS', `filter1')
regenerate your config and install it, then restart sendmail to use that configuration file. you can also use an IPv4 or IPv6 socket for the filter; see the sendmail and milter docs for how to do this.
version 0.55: march 8, 2004 (beta release for testing) vthrottle-0.55.tar.gz
version 0.54: june 3, 2004
vthrottle and this site are copyright © 2003-2004 jose nazario, all rights reserved.