BLD stands for “blacklist daemon” and is intended to serve a blacklist. The blacklist is built by simply inserting IP addresses or by using submission rate limits based on a maximum number of submissions of the same IP address within a minimum time interval. You can build a BLD cluster by configuring the daemon to notify other similar daemon(s) every time an IP address is added to the blacklist. BLD was primarily designed to fight dictionary-based spam (by making the MTA report to BLD any host that tries to send mail to an unknown user) but can be used by any program.
As of now, it is highly recommended to USE IT IN A SAFE ENVIRONMENT: access control is based on clients' IP addresses. This is why, by default, BLD binds to localhost and should not accept requests from a machine on which non-trusted users can log in or open network connections by other means (PHP, for example).
How does it work?
BLD requests can be insertions (to add an address to the list), submissions (to add an address if its submission rate is too high), queries (to ask if an address is blacklisted) or decrements (to decrease the internal counter of submissions for an IP).
BLD uses a very simple algorithm to decide whether to add submitted IP addresses to the blacklist or not. The first time an IP address is submitted, it is added to an internal list with a timestamp, and every further submission increments a counter for this IP. As soon as the minimum time interval has elapsed (default: 30 seconds), and if the maximum number of submissions has been reached (default: 10 submissions in the 30-second interval), the IP is put in the blacklist. It then stays blacklisted for a configurable time (default: 900 seconds).
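The four request types and the counting rule above, as an added Python model written for this page (it is not BLD's own code, and BLD's wire protocol is not reproduced). Class and method names are illustrative; the defaults are the ones quoted above; the timeline in `run_scenario` uses constructed documentation-range addresses and explicit timestamps. One point the description leaves open is labelled as an assumption in the code: a window that ends below the threshold is discarded and counting starts afresh.

```python
import time
from dataclasses import dataclass

# Defaults quoted from the BLD description: 10 submissions within a
# 30 second window blacklist the address for 900 seconds.
MIN_INTERVAL = 30.0
MAX_SUBMISSIONS = 10
BLOCK_TIME = 900.0


@dataclass
class Entry:
    first_seen: float   # timestamp of the first submission in the window
    count: int          # submissions seen since first_seen


class Blacklist:
    """Toy model of one BLD instance: insert / submit / query / decrement."""

    def __init__(self, min_interval=MIN_INTERVAL, max_submissions=MAX_SUBMISSIONS,
                 block_time=BLOCK_TIME):
        self.min_interval = min_interval
        self.max_submissions = max_submissions
        self.block_time = block_time
        self.pending = {}   # ip -> Entry: addresses whose submissions are being counted
        self.blocked = {}   # ip -> expiry timestamp: the blacklist itself
        self.peers = []     # callables (ip, now) notified on every insertion (cluster mode)

    @staticmethod
    def _now(now):
        return time.time() if now is None else now

    def _expire(self, now):
        """Drop blacklist entries whose blocking time is over."""
        for ip in [ip for ip, until in self.blocked.items() if until <= now]:
            del self.blocked[ip]

    def insert(self, ip, now=None, notify=True):
        """Blacklist ip unconditionally; tell peers unless the request came from a peer."""
        now = self._now(now)
        self.blocked[ip] = now + self.block_time
        self.pending.pop(ip, None)
        if notify:
            for peer in self.peers:
                peer(ip, now)

    def _evaluate(self, ip, now):
        """Once the window has elapsed, blacklist ip if the threshold was reached."""
        entry = self.pending.get(ip)
        if entry is None or now - entry.first_seen < self.min_interval:
            return False                      # no window, or window still open
        if entry.count >= self.max_submissions:
            self.insert(ip, now)
            return True
        # Assumption (the description does not say): a window that ends below
        # the threshold is discarded and counting starts afresh.
        del self.pending[ip]
        return False

    def submit(self, ip, now=None):
        """Count one submission; return True if ip is (now) blacklisted."""
        now = self._now(now)
        self._expire(now)
        if ip in self.blocked:
            return True
        entry = self.pending.get(ip)
        if entry is None:
            self.pending[ip] = Entry(first_seen=now, count=1)
        else:
            entry.count += 1
        if self._evaluate(ip, now):
            return True
        if ip not in self.pending:            # window discarded: this submission opens a new one
            self.pending[ip] = Entry(first_seen=now, count=1)
        return False

    def query(self, ip, now=None):
        """Return True if ip is currently blacklisted."""
        now = self._now(now)
        self._expire(now)
        return ip in self.blocked or self._evaluate(ip, now)

    def decrement(self, ip):
        """Lower the submission counter (e.g. a delivery that turned out to be legitimate)."""
        entry = self.pending.get(ip)
        if entry is not None:
            entry.count -= 1
            if entry.count <= 0:
                del self.pending[ip]


def run_scenario():
    """Constructed timeline: a two-node cluster, one abusive and two benign senders."""
    primary, peer = Blacklist(), Blacklist()
    primary.peers.append(lambda ip, now: peer.insert(ip, now, notify=False))
    r = {}
    attacker, sender, guest = "192.0.2.10", "198.51.100.7", "203.0.113.4"
    for t in range(10):                                        # 10 submissions, one per second
        primary.submit(attacker, now=float(t))
    r["during_window"] = primary.query(attacker, now=9.0)      # window still open: not listed
    r["after_window"] = primary.submit(attacker, now=30.0)     # window elapsed, 11 >= 10
    r["peer_notified"] = peer.query(attacker, now=31.0)        # cluster notification arrived
    r["still_blocked"] = primary.query(attacker, now=100.0)
    r["block_expired"] = primary.query(attacker, now=930.0)    # listed at 30 s + 900 s block
    for t in range(3):                                         # 3 submissions: below threshold
        primary.submit(sender, now=float(t))
    r["sender_blocked"] = primary.submit(sender, now=31.0)
    r["sender_count"] = primary.pending[sender].count          # new window opened at t=31
    primary.submit(guest, now=0.0)
    primary.submit(guest, now=1.0)
    primary.decrement(guest)
    r["guest_count"] = primary.pending[guest].count
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points worth noting. Evaluation is driven by the next request for that address (a submission or a query), so an address that reaches the threshold inside the window is listed on the first request after the window closes, which is how the "as soon as the minimum time interval has elapsed" rule reads. Peer notification passes `notify=False`, so an insertion forwarded through the cluster is not forwarded again; without that guard two mutually configured daemons would ping-pong the same insertion.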