serv/mox
1
0
Fork 0
mirror of https://github.com/mjl-/mox.git synced 2024-12-26 16:33:47 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

slow down connections for spammy deliveries, and too many failed authentications, and sleep for 15 seconds before delivering messages by first-time senders

Browse source 
similar to greylisting, but not quite the same: with greylisting you would
always reject the first delivery attempt with a temporary failure. with the
hope that spammers won't retry their deliveries. the spams i've been receiving
seem to be quite consistent though. and we would keep rejecting them anyway.

we slow down the spammy connections to waste some of the resources of a
spammer. this may slow their campaigns down a bit, leaving a bit more time to
take measures.

we do the same with connections that have their 3rd authentication failure,
typically password guess attempts.

when we accept a message by a first-time sender, we sleep for 15 seconds before
actually delivering them. known-good senders don't have to wait. if the message
turns out to be a spammer, at least we've consumed one of their connections,
and they cannot deliver at too high a rate to us because of the max open
connection limit.
This commit is contained in:
Mechiel Lukkien 2023-02-08 21:45:32 +01:00
parent 6623cb435a
commit 9419ee15dd
No known key found for this signature in database
5 changed files with 166 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
README.md
View file

@ -16,9 +16,9 @@ Mox features:
- Reputation tracking, learning (per user) host- and domain-based reputation from
(Non-)Junk/Non-Junk email.
- Bayesian spam filtering that learns (per user) from (Non-)Junk email.
- Greylisting of servers with no/low reputation and questionable email content.
Temporarily refused emails are available over IMAP in a special mailbox for a
short period, helping with misclassified legimate synchronous
- Slowing down senders with no/low reputation or questionable email content
(similar to greylisting). Rejected emails are stored in a mailbox called Rejects
for a short period, helping with misclassified legimate synchronous
signup/login/transactional emails.
- Internationalized email, with unicode names in domains and usernames
("localparts").

94
imapserver/server.go
View file

@ -130,6 +130,10 @@ func limitersInit() {
}
}
// Delay before reads and after 1-byte writes for probably spammers. Tests set this
// to zero.
var badClientDelay = time.Second
// Capabilities (extensions) the server supports. Connections will add a few more, e.g. STARTTLS, LOGINDISABLED, AUTH=PLAIN.
// ENABLE: ../rfc/5161
// LITERAL+: ../rfc/7888
@ -163,6 +167,7 @@ type conn struct {
bw *bufio.Writer // To remote, with TLS added in case of TLS.
tr *moxio.TraceReader // Kept to change trace level when reading/writing cmd/auth/data.
tw *moxio.TraceWriter
slow bool // If set, reads are done with a 1 second sleep, and writes are done 1 byte at a time, to keep spammers busy.
lastlog time.Time // For printing time since previous log line.
tlsConfig *tls.Config // TLS config to use for handshake.
remoteIP net.IP
@ -182,9 +187,10 @@ type conn struct {
searchResult []store.UID
// Only when authenticated.
username string // Full username as used during login.
account *store.Account
comm *store.Comm // For sending/receiving changes on mailboxes in account, e.g. from messages incoming on smtp, or another imap client.
authFailed int // Number of failed auth attempts. For slowing down remote with many failures.
username string // Full username as used during login.
account *store.Account
comm *store.Comm // For sending/receiving changes on mailboxes in account, e.g. from messages incoming on smtp, or another imap client.
mailboxID int64 // Only for StateSelected.
readonly bool // If opened mailbox is readonly.
@ -376,18 +382,40 @@ func (c *conn) unselect() {
c.uids = nil
}
func (c *conn) setSlow(on bool) {
if on && !c.slow {
c.log.Debug("connection changed to slow")
} else if !on && c.slow {
c.log.Debug("connection restored to regular pace")
}
c.slow = on
}
// Write makes a connection an io.Writer. It panics for i/o errors. These errors
// are handled in the connection command loop.
func (c *conn) Write(buf []byte) (int, error) {
if err := c.conn.SetWriteDeadline(time.Now().Add(30 * time.Second)); err != nil {
c.log.Errorx("setting write deadline", err)
chunk := len(buf)
if c.slow {
chunk = 1
}
n, err := c.conn.Write(buf)
if err != nil {
panic(fmt.Errorf("write: %s (%w)", err, errIO))
var n int
for len(buf) > 0 {
if err := c.conn.SetWriteDeadline(time.Now().Add(30 * time.Second)); err != nil {
c.log.Errorx("setting write deadline", err)
}
nn, err := c.conn.Write(buf[:chunk])
if err != nil {
panic(fmt.Errorf("write: %s (%w)", err, errIO))
}
n += nn
buf = buf[chunk:]
if len(buf) > 0 && badClientDelay > 0 {
mox.Sleep(mox.Context, badClientDelay)
}
}
return n, err
return n, nil
}
func (c *conn) xtrace(level mlog.Level) func() {
@ -406,6 +434,10 @@ var bufpool = moxio.NewBufpool(8, 16*1024)
// read line from connection, not going through line channel.
func (c *conn) readline0() (string, error) {
if c.slow && badClientDelay > 0 {
mox.Sleep(mox.Context, badClientDelay)
}
d := 30 * time.Minute
if c.state == stateNotAuthenticated {
d = 30 * time.Second
@ -1367,6 +1399,19 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
// Command: ../rfc/9051:1403 ../rfc/3501:1519
// Examples: ../rfc/9051:1520 ../rfc/3501:1631
// For many failed auth attempts, slow down verification attempts.
if c.authFailed > 3 {
mox.Sleep(mox.Context, time.Duration(c.authFailed-3)*time.Second)
}
c.authFailed++ // Compensated on success.
defer func() {
// On the 3rd failed authentication, start responding slowly. Successful auth will
// cause fast responses again.
if c.authFailed >= 3 {
c.setSlow(true)
}
}()
var authVariant string
authResult := "error"
defer func() {
@ -1442,6 +1487,11 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
authz := string(plain[0])
authc := string(plain[1])
password := string(plain[2])
if authz != "" && authz != authc {
xusercodeErrorf("AUTHORIZATIONFAILED", "cannot assume role")
}
acc, err := store.OpenEmailAuth(authc, password)
if err != nil {
if errors.Is(err, store.ErrUnknownCredentials) {
@ -1450,13 +1500,8 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
}
xusercodeErrorf("", "error")
}
if authz != "" && authz != authc {
acc.Close()
xusercodeErrorf("AUTHORIZATIONFAILED", "cannot assume role")
}
c.account = acc
c.username = authc
authResult = "ok"
case "CRAM-MD5":
authVariant = strings.ToLower(authType)
@ -1521,7 +1566,6 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
c.account = acc
acc = nil // Cancel cleanup.
c.username = addr
authResult = "ok"
case "SCRAM-SHA-1", "SCRAM-SHA-256":
// todo: improve handling of errors during scram. e.g. invalid parameters. should we abort the imap command, or continue until the end and respond with a scram-level error?
@ -1601,11 +1645,14 @@ func (c *conn) cmdAuthenticate(tag, cmd string, p *parser) {
c.account = acc
acc = nil // Cancel cleanup.
c.username = ss.Authentication
authResult = "ok"
default:
xuserErrorf("method not supported")
}
c.setSlow(false)
authResult = "ok"
c.authFailed = 0
c.comm = store.RegisterComm(c.account)
c.state = stateAuthenticated
c.writeresultf("%s OK [CAPABILITY %s] authenticate done", tag, c.capabilities())
@ -1636,6 +1683,19 @@ func (c *conn) cmdLogin(tag, cmd string, p *parser) {
xusercodeErrorf("PRIVACYREQUIRED", "tls required for login")
}
// For many failed auth attempts, slow down verification attempts.
if c.authFailed > 3 {
mox.Sleep(mox.Context, time.Duration(c.authFailed-3)*time.Second)
}
c.authFailed++ // Compensated on success.
defer func() {
// On the 3rd failed authentication, start responding slowly. Successful auth will
// cause fast responses again.
if c.authFailed >= 3 {
c.setSlow(true)
}
}()
acc, err := store.OpenEmailAuth(userid, password)
if err != nil {
authResult = "badcreds"
@ -1647,6 +1707,8 @@ func (c *conn) cmdLogin(tag, cmd string, p *parser) {
}
c.account = acc
c.username = userid
c.authFailed = 0
c.setSlow(false)
c.comm = store.RegisterComm(acc)
c.state = stateAuthenticated
authResult = "ok"

3
imapserver/server_test.go
View file

@ -23,6 +23,9 @@ import (
func init() {
sanityChecks = true
// Don't slow down tests.
badClientDelay = 0
}
func tocrlf(s string) string {

92
smtpserver/server.go
View file

@ -93,6 +93,14 @@ func limitersInit() {
}
}
var (
// Delay before reads and after 1-byte writes for probably spammers. Zero during tests.
badClientDelay = time.Second
// Delay before accepting message from sender without reputation. Zero during tests.
reputationlessSenderDeliveryDelay = 15 * time.Second
)
type codes struct {
code int
secode string // Enhanced code, but without the leading major int from code.
@ -241,6 +249,7 @@ type conn struct {
w *bufio.Writer
tr *moxio.TraceReader // Kept for changing trace level during cmd/auth/data.
tw *moxio.TraceWriter
slow bool // If set, reads are done with a 1 second sleep, and writes are done 1 byte at a time, to keep spammers busy.
lastlog time.Time // Used for printing the delta time since the previous logging for this connection.
submission bool // ../rfc/6409:19 applies
tlsConfig *tls.Config
@ -341,28 +350,57 @@ func (c *conn) xtrace(level mlog.Level) func() {
}
}
// setSlow marks the connection slow (or now), so reads are done with 3 second
// delay for each read, and writes are done at 1 byte per second, to try to slow
// down spammers.
func (c *conn) setSlow(on bool) {
if on && !c.slow {
c.log.Debug("connection changed to slow")
} else if !on && c.slow {
c.log.Debug("connection restored to regular pace")
}
c.slow = on
}
// Write writes to the connection. It panics on i/o errors, which is handled by the
// connection command loop.
func (c *conn) Write(buf []byte) (int, error) {
// We set a single deadline for Write and Read. This may be a TLS connection.
// SetDeadline works on the underlying connection. If we wouldn't touch the read
// deadline, and only set the write deadline and do a bunch of writes, the TLS
// library would still have to do reads on the underlying connection, and may reach
// a read deadline that was set for some earlier read.
if err := c.conn.SetDeadline(c.earliestDeadline(30 * time.Second)); err != nil {
c.log.Errorx("setting deadline for write", err)
chunk := len(buf)
if c.slow {
chunk = 1
}
n, err := c.conn.Write(buf)
if err != nil {
panic(fmt.Errorf("write: %s (%w)", err, errIO))
var n int
for len(buf) > 0 {
// We set a single deadline for Write and Read. This may be a TLS connection.
// SetDeadline works on the underlying connection. If we wouldn't touch the read
// deadline, and only set the write deadline and do a bunch of writes, the TLS
// library would still have to do reads on the underlying connection, and may reach
// a read deadline that was set for some earlier read.
if err := c.conn.SetDeadline(c.earliestDeadline(30 * time.Second)); err != nil {
c.log.Errorx("setting deadline for write", err)
}
nn, err := c.conn.Write(buf[:chunk])
if err != nil {
panic(fmt.Errorf("write: %s (%w)", err, errIO))
}
n += nn
buf = buf[chunk:]
if len(buf) > 0 && badClientDelay > 0 {
mox.Sleep(mox.Context, badClientDelay)
}
}
return n, err
return n, nil
}
// Read reads from the connection. It panics on i/o errors, which is handled by the
// connection command loop.
func (c *conn) Read(buf []byte) (int, error) {
if c.slow && badClientDelay > 0 {
mox.Sleep(mox.Context, badClientDelay)
}
// todo future: make deadline configurable for callers, and through config file? ../rfc/5321:3610 ../rfc/6409:492
// See comment about Deadline instead of individual read/write deadlines at Write.
if err := c.conn.SetDeadline(c.earliestDeadline(30 * time.Second)); err != nil {
@ -819,6 +857,13 @@ func (c *conn) cmdAuth(p *parser) {
mox.Sleep(mox.Context, time.Duration(c.authFailed-3)*time.Second)
}
c.authFailed++ // Compensated on success.
defer func() {
// On the 3rd failed authentication, start responding slowly. Successful auth will
// cause fast responses again.
if c.authFailed >= 3 {
c.setSlow(true)
}
}()
var authVariant string
authResult := "error"
@ -903,6 +948,12 @@ func (c *conn) cmdAuth(p *parser) {
authz := string(plain[0])
authc := string(plain[1])
password := string(plain[2])
if authz != "" && authz != authc {
authResult = "badcreds"
xsmtpUserErrorf(smtp.C535AuthBadCreds, smtp.SePol7AuthBadCreds8, "cannot assume other role")
}
acc, err := store.OpenEmailAuth(authc, password)
if err != nil && errors.Is(err, store.ErrUnknownCredentials) {
// ../rfc/4954:274
@ -910,13 +961,10 @@ func (c *conn) cmdAuth(p *parser) {
xsmtpUserErrorf(smtp.C535AuthBadCreds, smtp.SePol7AuthBadCreds8, "bad user/pass")
}
xcheckf(err, "verifying credentials")
if authz != "" && authz != authc {
authResult = "badcreds"
xsmtpUserErrorf(smtp.C535AuthBadCreds, smtp.SePol7AuthBadCreds8, "cannot assume other role")
}
authResult = "ok"
c.authFailed = 0
c.setSlow(false)
c.account = acc
c.username = authc
// ../rfc/4954:276
@ -985,6 +1033,7 @@ func (c *conn) cmdAuth(p *parser) {
authResult = "ok"
c.authFailed = 0
c.setSlow(false)
c.account = acc
acc = nil // Cancel cleanup.
c.username = addr
@ -1068,6 +1117,7 @@ func (c *conn) cmdAuth(p *parser) {
authResult = "ok"
c.authFailed = 0
c.setSlow(false)
c.account = acc
acc = nil // Cancel cleanup.
c.username = ss.Authentication
@ -1733,7 +1783,7 @@ func (c *conn) deliver(ctx context.Context, recvHdrFor func(string) string, msgW
// Crude attempt to slow down someone trying to guess names. Would work better
// with connection rate limiter.
mox.Sleep(ctx, 1*time.Second)
mox.Sleep(ctx, 5*time.Second)
// todo future: if remote does not look like a properly configured mail system, respond with generic 451 error? to prevent any random internet system from discovering accounts. we could give proper response if spf for ehlo or mailfrom passes.
xsmtpUserErrorf(smtp.C550MailboxUnavail, smtp.SeAddr1UnknownDestMailbox1, "no such user(s)")
@ -2048,6 +2098,7 @@ func (c *conn) deliver(ctx context.Context, recvHdrFor func(string) string, msgW
} else if err != nil {
log.Debugx("refusing due to high delivery rate", err)
metricDelivery.WithLabelValues("highrate", "").Inc()
c.setSlow(true)
addError(rcptAcc, smtp.C452StorageFull, smtp.SeMailbox2Full2, true, err.Error())
continue
}
@ -2122,6 +2173,7 @@ func (c *conn) deliver(ctx context.Context, recvHdrFor func(string) string, msgW
log.Info("incoming message rejected", mlog.Field("reason", a.reason))
metricDelivery.WithLabelValues("reject", a.reason).Inc()
c.setSlow(true)
addError(rcptAcc, a.code, a.secode, a.userError, a.errmsg)
continue
}
@ -2145,6 +2197,14 @@ func (c *conn) deliver(ctx context.Context, recvHdrFor func(string) string, msgW
}
}
// If not dmarc or tls report (Seen set above), and this is a first-time sender,
// wait before actually delivering. If this turns out to be a spammer, we've kept
// one of their connections busy.
if !m.Flags.Seen && a.reason == reasonNoBadSignals && reputationlessSenderDeliveryDelay > 0 {
log.Debug("delaying before delivering from sender without reputation", mlog.Field("delay", reputationlessSenderDeliveryDelay))
mox.Sleep(mox.Context, reputationlessSenderDeliveryDelay)
}
acc.WithWLock(func() {
// Gather the message-id before we deliver and the file may be consumed.
if !parsedMessageID {

6
smtpserver/server_test.go
View file

@ -38,6 +38,12 @@ import (
"github.com/mjl-/mox/tlsrptdb"
)
func init() {
// Don't make tests slow.
badClientDelay = 0
reputationlessSenderDeliveryDelay = 0
}
func tcheck(t *testing.T, err error, msg string) {
if err != nil {
t.Helper()