Rate Limiting on the KIT Mail Servers

Motivation

Compromised KIT accounts are regularly misused for mass sending of SPAM or phishing emails. In these cases, the mail servers of the KIT are temporally flagged on so-called blacklists as known senders of SPAM. This may result that external mail providers using these lists will decline to accept mails from the black-listed KIT servers. Some examples in the past for such external providers have been Yahoo, Gmail and Hotmail.

Implemented Countermeasures

To alleviate this problem, rate limiting has been activated on the outgoing mail servers of the KIT. The rate limiting ensures that a sender can only send a certain amount of emails in a given time slot. If this threshold is exceeded, the outgoing mail servers will handle mails from this sender with a certain delay.

By log analysis and whitelisting of functional mail addresses known to us for regularly sending large volumes of emails, the following limits had been implemented:

• 60 mails per sender address within 30 seconds to external recipients
• 150 mails per sender address within 30 minutes to external recipients

Furthermore the number of bounces generated by non-deliverable emails are now closely monitored. With these limits the SCC is able to detect and block SPAM waves originating from compromised KIT accounts. This prevents that the outgoing mail servers of the KIT get listed on blacklists, which increases the availability and functionality of the mail service of the KIT.

The mail servers are closely monitored to adjust the rate limits if necessary or to determine if a sender should be added to the SCC-whitelist for mass email sender. Further information is available from the mail-host team mailhost-team∂scc.kit.edu.