Re: email address probes

From: Axel Beckert - ecos gmbh (beckertat_private)
Date: Thu Feb 06 2003 - 09:30:15 PST


    About tarpits and teergrubes:
    On Wed, Feb 05, 2003 at 06:04:44PM -0500, Greg A. Woods wrote:
    > If the connections come fast and furious from the same remote server
    > then you can introduce a delay before you send your reject reply status
    > code, or even send a "550-User unknown" line, then pause for up to a
    > minute or two, and finally a "550 Thanks for trying!" line.  Some people
    > call this scheme a "tar pit" -- it slows down a rabid sender because it
    > forces it to wait for the last line of the multi-line 550 message.
    That's right. But this also has some side effects: The connection
    state for each held connection must be stored somewhere in memory. If
    you have a lot of such connections, you may run out of memory in the
    TCP stack or so...
    On Wed, Feb 05, 2003 at 09:01:26PM -0500, Kee Hinckley wrote:
    > The only solution I know of is to tarpit the server based on number
    > of bounces.  The more it bounces, the more slowly you get around to
    > handling responses from it.  I don't know of any off-the-shelf
    > solutions that do that though.
    There is a very fine teergrubing (from the German word for tarpit:
    Teergrube) FAQ from Lutz Donnerhacke at or
    There is also the answer to Kee's indirect question:
      Q: Are there any ready to use teergrubes available?
      A: especially Axel
         Zinser's patch at Systems
         unable to receive e-mail can be supplied with a special Perl script
         from Boston Business Computing.
         I developed a general purpose wrapper to use in front of your
    Another question/answer pair is also very interesting:
      Q: Does anyone have any experience with teergrubing?
      A: Axel was able to hold a spammer online for more than two days. I
         have similar records.
         In there is a daily statistics posting from a real
    But the following thread (German only, sorry) shows that this tarpit
    doesn't run anymore because of too much administrative work needed:
                Kind regards, Axel Beckert
    Axel Beckert       ecos electronic communication services gmbh
    IT security solutions * dynamic web applications * consulting
    Post:       Tulpenstrasse 5          D-55276 Dienheim b. Mainz
    E-Mail:     beckertat_private          Voice:   +49 6133 939-220
    WWW:      Fax:     +49 6133 939-333
    |                                                            |
    |   Visit us at CeBIT from 12. to 19. March 2003             |
    |   Messe Hannover * Halle 11 * Stand D42/18                 |
    |                                     |
    |                                                            |

    This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 13:43:08 PST
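
The following is an added example, not part of the original message and not code from any of the teergrube implementations it mentions. It sketches a delay policy that combines the three points raised in the thread: the multi-line 550 reply, a stall that grows with the number of rejects from one peer, and a cap on simultaneously held connections so the tarpit cannot exhaust its own memory. The class name, parameters and default values are assumptions.

```python
from collections import defaultdict

class TarpitPolicy:
    """Picks the stall before the final 550 line for an unknown recipient."""

    def __init__(self, base_delay=2.0, max_delay=120.0, max_held=100, window=3600.0):
        self.base_delay = base_delay  # assumed: seconds of stall at the second reject
        self.max_delay = max_delay    # "a minute or two" upper bound from the thread
        self.max_held = max_held      # assumed cap on connections stalled at once
        self.window = window          # assumed: how long a reject counts against a peer
        self.rejects = defaultdict(list)  # peer address -> timestamps of recent rejects
        self.held = 0                     # connections currently being stalled

    def _count_reject(self, peer, now):
        recent = [t for t in self.rejects[peer] if now - t <= self.window]
        recent.append(now)
        self.rejects[peer] = recent
        return len(recent)

    def reply_plan(self, peer, now):
        """Return [(seconds to wait before sending, reply line), ...]."""
        count = self._count_reject(peer, now)
        # First reject in the window (likely a typo) or no room to hold more
        # sockets: answer at once so stalled connections cannot exhaust memory.
        if count < 2 or self.held >= self.max_held:
            return [(0.0, "550 User unknown")]
        delay = min(self.max_delay, self.base_delay * 2 ** (count - 2))
        self.held += 1
        # "550-" marks a continuation line; the sender must wait for "550 ".
        return [(0.0, "550-User unknown"), (delay, "550 Thanks for trying!")]

    def release(self):
        """Call when a stalled connection has been answered or dropped."""
        self.held = max(0, self.held - 1)

if __name__ == "__main__":
    policy = TarpitPolicy(max_held=2)
    for second in range(5):  # constructed input: one peer, five bad RCPTs
        print(policy.reply_plan("192.0.2.1", float(second)))
```

The server loop that owns the sockets would send each line after its wait and call `release()` when the connection closes.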