Hi! About tarpits and teergrubes: Am Wed, Feb 05, 2003 at 06:04:44PM -0500, Greg A. Woods schrieb: > If the connections come fast and furious from the same remote server > then you can introduce a delay before you send your reject reply status > code, or even send a "550-User unknown" line, then pause for up to a > minute or two, and finally a "550 Thanks for trying!" line. Some people > call this scheme a "tar pit" -- it slows down a rabid sender because it > forces it to wait for the last line of the multi-line 550 message. That's right. But this also has some side effects: The connection state for each hold connection must be stored somewhere in memory. If you have a lot of such connection, you may run out of memory in the tcp stack or so... Am Wed, Feb 05, 2003 at 09:01:26PM -0500, Kee Hinckley schrieb: > The only solution I know of is to tarpit the server based on number > of bounces. The more it bounces, the more slowly you get around to > handling responses from it. I don't know of any off-the-shelf > solutions that to do that though. There is a very fine teergrubing (from the German word for tarpit: Teergrube) FAQ from Lutz Donnerhacke at http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html or http://www.faqs.org/faqs/net-abuse-faq/teergrube-faq/ There is also the answer to Kee's indirect question: Q: Are there any ready to use teergrubes available? A: http://www.de.spam.abuse.net/webland/spam/ especially Axel Zinser's patch at ftp://ftp.hiss.han.de/pub/sendmail/. Systems unable to receive e-mail can supplied with a special perl script from Boston Business Computing. I developed a general purpose wrapper to use in front of your MTA. Another question/answer pair is also very interesting: Q: Does anyone have any experience with teergrubing? A: Axel was able to hold a spammer online for more than two days. I have similar records. In thur.net.admin there is a daily statistics posting from a real teergrube. But the following thread (German only, sorry) shows that this tarpit doesn't run anymore because of too much administrative work needed: http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&threadm=2j0kb9.j97.ln%40news.lorenzmatthias.de&rnum=1&prev=/groups%3Fhl%3Dde%26lr%3D%26ie%3DISO-8859-1%26q%3Dteergrube%26btnG%3DGoogle-Suche%26meta%3Dgroup%253Dthur.net.admin Kind regards, Axel Beckert -- -------------------------------------------------------------- Axel Beckert ecos electronic communication services gmbh IT-Securitylösungen * dynamische Webapplikationen * Consulting Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz E-Mail: beckertat_private Voice: +49 6133 939-220 WWW: http://www.ecos.de/ Fax: +49 6133 939-333 -------------------------------------------------------------- | | | Visit us at CeBIT from 12. to 19. March 2003 | | Messe Hannover * Halle 11 * Stand D42/18 | | http://www.cebit.de/ | | | -------------------------------------------------------------- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 13:43:08 PST