Rate Limiting on the KIT Mail Servers

Motivation

Compromised KIT accounts are regularly misused for mass sending of SPAM or phishing emails. In these cases, the mail servers of the KIT are temporarily flagged on so-called blacklists as known senders of SPAM. As a result, external mail providers that use these lists may decline to accept mail from the blacklisted KIT servers. Past examples of such external providers include Yahoo, Gmail and Hotmail.

Implemented Countermeasures

To alleviate this problem, rate limiting has been activated on the outgoing mail servers of the KIT. The rate limiting ensures that a sender can only send a certain number of emails in a given time slot. If this threshold is exceeded, the outgoing mail servers will still accept the remaining emails from the sender, but they will be delivered with a delay.

In the past, the rate limit was very low. It had to be adjusted in response to an increasing number of necessary exceptions. The limit for each sender has therefore been increased to 3000 mails per 5 minutes.

Furthermore, the number of bounces generated by non-deliverable emails is now closely monitored. With these limits the SCC is able to detect and block SPAM waves originating from compromised KIT accounts. This prevents the outgoing mail servers of the KIT from being listed on blacklists, which increases the availability and functionality of the mail service of the KIT.
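
The following sketch is an added example, not the SCC's configuration or code. It models a per-sender limit of 3000 mails per 5 minutes in which over-limit mail is accepted and relayed later, and it lists senders that deserve an operator's attention. The sliding-window method, the class and method names, and the bounce alert ratio are assumptions; the page gives only the limit itself.

```python
from collections import defaultdict, deque

LIMIT = 3000            # mails per sender per window (figure from the page)
WINDOW = 5 * 60         # window length in seconds (figure from the page)
BOUNCE_ALERT = 0.30     # assumed alert ratio; the page states no bounce threshold


class OutboundLimiter:
    """Per-sender sliding window that delays over-limit mail instead of rejecting it."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.releases = defaultdict(deque)   # sender -> scheduled relay times, ascending
        self.sent = defaultdict(int)
        self.delayed = defaultdict(int)
        self.bounced = defaultdict(int)

    def submit(self, sender, now):
        """Accept one mail at time `now` (seconds); return when it may be relayed."""
        q = self.releases[sender]
        while q and q[0] <= now - self.window:   # forget relays outside the window
            q.popleft()
        # Below the limit: relay at once. Otherwise wait until the relay that is
        # `limit` places back has aged out of the window.
        release = now if len(q) < self.limit else q[-self.limit] + self.window
        q.append(release)
        self.sent[sender] += 1
        self.delayed[sender] += release > now
        return release

    def record_bounce(self, sender):
        self.bounced[sender] += 1

    def review_candidates(self):
        """Senders an operator should look at: delayed mail or a high bounce ratio."""
        out = {}
        for s, n in self.sent.items():
            ratio = self.bounced[s] / n
            if self.delayed[s] or ratio >= BOUNCE_ALERT:
                out[s] = {"sent": n, "delayed": self.delayed[s], "bounce_ratio": round(ratio, 2)}
        return out


if __name__ == "__main__":
    lim = OutboundLimiter()
    for _ in range(3005):                        # constructed burst from one sender
        lim.submit("constructed-sender@example.org", now=0)
    print(lim.review_candidates())
```

A sender that shows up here with delayed mail but a low bounce ratio is the kind of case the whitelist for mass email senders exists for; delayed mail combined with many bounces points to a compromised account.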

The mail servers are closely monitored to adjust the rate limits if necessary or to determine whether a sender should be added to the SCC whitelist for mass email senders. Further information is available from the mail-host team at mailhost-team∂scc.kit.edu.