> > If a host receives 1,000,000 e-mails from a single host in a day, can't it
> > be flagged as suspicious activity and rerouted to a temp account or
> > dumped?
>
>Many mail servers are capable of this or some similar behavior. For
>instance, as you probably guessed by watching this thread :), our shop uses
>VOPmail (among other mail servers).
>
>VOPmail has a feature that forces the server to wait a period of time in
>between each message over a certain number of legitimate or illegitimate
>messages from a single source.

This is called tarpitting, where the sender/spammer is held "on line"
while the attacked server twiddles its thumbs for x seconds or
minutes, tying up an SMTP sending process in the attacker's
machine.  (Yahoo has been doing this to EVERYBODY recently, but not as a
spam defense; Yahoo's seem just to be overwhelmed.)

Tarpitting can also be triggered by x number of SMTP protocol errors
in a session, with exponentially increasing response delays by
the attacked per error, i.e., the more errors the attacker makes, the
longer he has to wait to get a response from the attacked.

Another tactic is to limit the number of RCPT TO: in a single SMTP session.

Another tactic is to block SMTP command pipelining (the sender sends
many commands without waiting for a response, a classic spam tactic).

>Although this is a nice feature for decreasing the amount of mail that
>accumulates through a dictionary attack, this is not good relay protection
>because it only takes one piece to get through and get reported to the ORBS
>database.

NO relaying unless some kind of AUTH succeeds, a totally different 
situation from dictionary attack or mail bomb.

Len


http://BIND8NT.MEIway.com: ISC BIND 8.2.2 p5 & 8.2.3 T6B for NT4 & W2K
http://IMGate.MEIway.com:  Build free, hi-perf, anti-spam mail gateways
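
The per-session controls described in this message (a tarpit triggered by protocol errors with exponentially growing delays, a cap on RCPT TO:, and refusing pipelined commands), as an added example that is not part of the original post and not VOPmail's or IMGate's code. The thresholds, reply texts and the `early` flag are assumptions, and the server is assumed not to advertise PIPELINING.

```python
from dataclasses import dataclass

# Constructed reply texts for commands this sketch accepts without further checks.
REPLIES = {"HELO": "250 Ok", "EHLO": "250 Ok", "MAIL": "250 2.1.0 Ok",
           "DATA": "354 End data with <CR><LF>.<CR><LF>", "QUIT": "221 2.0.0 Bye"}

@dataclass
class SessionPolicy:
    """Per-session SMTP abuse controls (all thresholds are assumed values)."""
    max_rcpt: int = 20          # RCPT TO: accepted per session
    error_threshold: int = 3    # errors needed before the tarpit engages
    base_delay: float = 1.0     # seconds; delay at the threshold
    max_delay: float = 300.0    # cap, so the server's own process is freed eventually
    errors: int = 0
    rcpts: int = 0

    def tarpit_delay(self) -> float:
        """Delay doubles for every error past the threshold, up to max_delay."""
        over = self.errors - self.error_threshold
        return 0.0 if over < 0 else min(self.base_delay * 2 ** over, self.max_delay)

    def handle(self, line: str, early: bool = False):
        """Return (delay_seconds, reply) for one client command.

        early=True means the bytes arrived before the previous reply was
        sent, i.e. the client pipelined instead of waiting for a response.
        """
        verb = line.strip().upper()
        if early:
            self.errors += 1
            reply = "503 5.5.0 Pipelining not allowed"
        elif verb.startswith("RCPT TO:"):
            if self.rcpts >= self.max_rcpt:
                self.errors += 1
                reply = "452 4.5.3 Too many recipients"
            else:
                self.rcpts += 1
                reply = "250 2.1.5 Ok"
        elif verb.split(" ")[0] in REPLIES:
            reply = REPLIES[verb.split(" ")[0]]
        else:
            self.errors += 1
            reply = "500 5.5.2 Command unrecognized"
        # Once tarpitted, every later reply in the session is delayed too.
        return self.tarpit_delay(), reply

def run_session(lines, policy=None):
    """Feed constructed (line, early) pairs through the policy; no real sleeping."""
    policy = SessionPolicy() if policy is None else policy
    return [policy.handle(line, early) for line, early in lines]
```

A real listener would sleep for the returned delay before writing the reply, which is what holds the sending process open on the client side.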
