Alligate for example, and I am sure most other gateways should level this out for you anyway, and I don't think tarpitting would make a whole lot of difference. When we are forwarding to IMail, we set the forwarding threads fairly conservatively, and send mail only at the speed that IMail can handle it. It is spooled and send at a constant rate. I have seen the queue get backed up during heavy periods, and then clear up when the load lightens. We crashed IMail (sent processor load to 100%) a couple of times during testing by sending it too much mail and it simply stopped responding.
Tarpitting is more to discourage spammers from sending to your server (hopefully) and to reduce their output. We have seen a lot of them time out after 30 seconds. Some of these are home made spam blaster programs that are single threaded, do their own MX resolution, and can only send out messages one at a time. It really puts the hurt on them when it takes 5-10 minutes to send one message, so they tend to put timeouts in them and disconnect. Brian On 06/18/03 1:08pm you wrote... >Rick, > >Makes me wonder if spammers cause traffic surges/spikes that slow our >servers down and if this would also smooth those spikes down. Suppose a >given sending server had 100 copies of a particular message, running only 5 >sessions (speculation) at a time, could the sessions be dragged into off >peak hours. If the firewall (or Alligator) could be configured to open the >flood gates between midnight and 5am, the cues would be empty by the next >morning. > >Dan > > >On Wednesday, June 18, 2003 12:39, Rick Davidson <[EMAIL PROTECTED]> >wrote: >>I find the idea intriguing as well but if you start to slow down >connections >>wouldnt that just hold TCP connections open longer possibly making fewer >>connections available on the server? >> >>One of the methods of thwarting file sharing sites is to trickle download >>many files so that others cannot make connections, would this not have the >>same affect as tar pitting spammers? Especially since the pro spammers send >>the same spam run through many different servers. >> >>Just thinking outloud. >> >>Rick Davidson >>Buckeye Internet Inc >>www.buckeyeweb.com >>440-953-1900 ext: 222 >> >>----- Original Message ----- >>From: "Dan Patnode" <[EMAIL PROTECTED]> >>To: <[EMAIL PROTECTED]> >>Sent: Wednesday, June 18, 2003 3:16 PM >>Subject: Re: [Declude.JunkMail] Tar Pitting >> >> >>I'm intrigued by this idea. During a given minute of time I may get 1000 >>messages. 1/4 of them are slown down (occupying more SMTP/Declude >>sessions), but the burdon is spread out. >> >>Can this be applied to increase server capacity? If I throttle, at the >>firewall, the IPs of spammers, will the load on my server be >>less? >> >>Has anyone tried this on a maxed out server? >> >>Dan >> >> >>On Sunday, June 15, 2003 16:01, Rifat Levis <[EMAIL PROTECTED]> wrote: >>> >>>People intersted in tarpitting and Declude firewall integration can read >>>this. >>> >>> >>> >>>I just finished the tarpitting protection for my IMAIL server >>>I am sending logs to the kiwi syslog server and forwarding it to SQL to >>>analyse data >>> >>>When in a 2 min period a single ip send mail to more than 5 unknown >account >>>I am blocking the ip address on my netscreen firewall for 1 >>>hour. >>> >>> >>>The next step of this is to integrate Declude to the firewall >>> >>>I have 3 weight >>>weight 10 warn >>>weight 15 warn >>>weight 20 delete >>> >>>Instead of deleting weight 20 i will forward it to an account to send data >>>to SQL analyse it and then block it for 1 hour . >>> >>>NOTE : I am sure that KAMI will be interested :) >>> >>>Best Regards >>>Rifat Levis >>> >>>--- >>>[This E-mail was scanned for viruses by Declude Virus >>>(http://www.declude.com)] >>> >>>--- >>>This E-mail came from the Declude.JunkMail mailing list. To >>>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >>>type "unsubscribe Declude.JunkMail". The archives can be found >>>at http://www.mail-archive.com. >>> >> >>--- >>[This E-mail was scanned for viruses by Declude Virus >>(http://www.declude.com)] >> >>--- >>This E-mail came from the Declude.JunkMail mailing list. To >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >>type "unsubscribe Declude.JunkMail". The archives can be found >>at http://www.mail-archive.com. >> >> >>--- >>[This E-mail was scanned for viruses by Declude Virus >>(http://www.declude.com)] >> >>--- >>This E-mail came from the Declude.JunkMail mailing list. To >>unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >>type "unsubscribe Declude.JunkMail". The archives can be found >>at http://www.mail-archive.com. >> > >--- >[This E-mail was scanned for viruses by Declude Virus >(http://www.declude.com)] > >--- >This E-mail came from the Declude.JunkMail mailing list. To >unsubscribe, just send an E-mail to [EMAIL PROTECTED], and >type "unsubscribe Declude.JunkMail". The archives can be found >at http://www.mail-archive.com. > --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
