And spammers have gotten smart; if they notice a teergrube (what this used to be called), they route their attempt through a different proxy, rotating them as they slow down. So it's only marginally effective against good ones (who are savvy enough to harvest in the manner you are observing).

> -----Original Message-----
> From: Axel Beckert - ecos gmbh [mailto:beckertat_private]
> Sent: Thursday, February 06, 2003 12:30 PM
> To: Andy Bastien
> Cc: incidentsat_private
> Subject: Re: email address probes
>
> Hi!
>
> About tarpits and teergrubes:
>
> On Wed, Feb 05, 2003 at 06:04:44PM -0500, Greg A. Woods wrote:
> > If the connections come fast and furious from the same remote server
> > then you can introduce a delay before you send your reject reply
> > status code, or even send a "550-User unknown" line, then pause for up
> > to a minute or two, and finally a "550 Thanks for trying!" line. Some
> > people call this scheme a "tar pit" -- it slows down a rabid sender
> > because it forces it to wait for the last line of the multi-line 550
> > message.
>
> That's right. But this also has some side effects: The
> connection state for each held connection must be stored
> somewhere in memory. If you have a lot of such connections,
> you may run out of memory in the tcp stack or so...
>
> On Wed, Feb 05, 2003 at 09:01:26PM -0500, Kee Hinckley wrote:
> > The only solution I know of is to tarpit the server based on number of
> > bounces. The more it bounces, the more slowly you get around to
> > handling responses from it. I don't know of any off-the-shelf
> > solutions that do that though.
>
> There is a very fine teergrubing (from the German word for tarpit:
> Teergrube) FAQ from Lutz Donnerhacke at
> http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html
> or http://www.faqs.org/faqs/net-abuse-faq/teergrube-faq/
>
> There is also the answer to Kee's indirect question:
>
>   Q: Are there any ready to use teergrubes available?
>
>   A: http://www.de.spam.abuse.net/webland/spam/ especially Axel
>      Zinser's patch at ftp://ftp.hiss.han.de/pub/sendmail/. Systems
>      unable to receive e-mail can be supplied with a special perl script
>      from Boston Business Computing.
>
>      I developed a general purpose wrapper to use in front of your
>      MTA.
>
> Another question/answer pair is also very interesting:
>
>   Q: Does anyone have any experience with teergrubing?
>
>   A: Axel was able to hold a spammer online for more than two days. I
>      have similar records.
>
>      In thur.net.admin there is a daily statistics posting from a real
>      teergrube.
>
> But the following thread (German only, sorry) shows that this
> tarpit doesn't run anymore because of too much administrative
> work needed:
> http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&threadm=2j0kb9.j97.ln%40news.lorenzmatthias.de&rnum=1&prev=/groups%3Fhl%3Dde%26lr%3D%26ie%3DISO-8859-1%26q%3Dteergrube%26btnG%3DGoogle-Suche%26meta%3Dgroup%253Dthur.net.admin
>
> Kind regards, Axel Beckert
> --
> Axel Beckert
> ecos electronic communication services gmbh
> IT security solutions * dynamic web applications * Consulting
>
> Post: Tulpenstrasse 5, D-55276 Dienheim b. Mainz
> E-Mail: beckertat_private    Voice: +49 6133 939-220
> WWW: http://www.ecos.de/     Fax: +49 6133 939-333
>
> Visit us at CeBIT from 12. to 19. March 2003
> Messe Hannover * Hall 11 * Stand D42/18
> http://www.cebit.de/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
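
The schemes discussed in this thread, combined into one policy sketch (an added example, not code from any poster or from the teergrube FAQ): the delay before the final line of the multi-line 550 grows with the number of rejects from a remote, and the number of stalled connections is capped because each one holds state in memory. The class name, the thresholds and the 192.0.2.x address are assumptions chosen for illustration.

```python
"""Tarpit policy sketch: delay grows with rejects, stalled connections are capped."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class TarpitPolicy:
    base_delay: float = 2.0    # first delay in seconds (assumed value)
    max_delay: float = 120.0   # ceiling, "a minute or two" as in the thread
    free_rejects: int = 3      # rejects tolerated before any delay (assumed)
    max_held: int = 200        # stalled connections allowed at once (assumed)
    rejects: dict = field(default_factory=lambda: defaultdict(int))
    held: int = 0

    def delay_for(self, remote: str) -> float:
        """Double the delay for every reject past the free allowance, capped."""
        over = self.rejects[remote] - self.free_rejects
        if over <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (over - 1), self.max_delay)

    def reject(self, remote: str):
        """Record one unknown-recipient reject from `remote` and return the
        reply plan as a list of (seconds_to_wait_before_sending, smtp_line)."""
        self.rejects[remote] += 1
        delay = self.delay_for(remote)
        # Each stalled connection keeps socket and process state alive, so
        # once the cap is reached the reply is sent at once instead.
        if delay == 0.0 or self.held >= self.max_held:
            return [(0.0, "550 User unknown")]
        self.held += 1
        return [(0.0, "550-User unknown"), (delay, "550 Thanks for trying!")]

    def release(self) -> None:
        """Call when a stalled connection has been answered or has dropped."""
        self.held = max(0, self.held - 1)


if __name__ == "__main__":
    policy = TarpitPolicy()
    for attempt in range(1, 11):          # constructed probe run from one host
        plan = policy.reject("192.0.2.10")
        print(attempt, plan)
        if len(plan) > 1:                 # a real server would sleep, then send
            policy.release()
```

The counter is keyed on the remote address, so a sender that rotates proxies, as described at the top of this message, starts each new address at zero.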
This archive was generated by hypermail 2b30 : Fri Feb 07 2003 - 10:57:33 PST