Gary,

This is NOT like some arbitrary "DOS" attack. The sending server would only
be choking on their -OWN- spam. As soon as the server admin kills all
attempts to send spam from their server to my server (and others),
everything goes back to normal. The tarpitting ONLY occurs as long as spam
is actively being delivered from their server.

This is the same premise behind RBLs, in that if everyone used an RBL, an
offensive spamming server would not be able to send mail (spam or legit) to
anyone. In this case, the program simply throttles or kills the server's
ability to send spam or other traffic until they have dealt with the issue
and STOPPED SPAMMING.

Also, this is a two-step process. A spamming server already has to have been
blacklisted for spamming previously/recently before the daemon will be
triggered. By the time it gets to that point, an admin should already know
what's going on, and has had an opportunity to do something about it. As
soon as they stop sending spam, the problem goes away. Seems fair enough to
me. FYI, I am only considering installing this on my secondary MX, where
absolutely NO legit traffic belongs in the first place. If everyone
installed this program on their secondary MX, the abuse of secondaries would
quickly vanish.


William Van Hefner
Network Administrator
Vantek Communications, Inc.



> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary Brumm
> Sent: Thursday, January 27, 2005 10:31 AM
> To: [email protected]
> Subject: RE: [IMail Forum] Filanet InterJak 200
> 
> 
> At 10:02 AM 1/27/2005, you wrote:
> >Len,
> >
> >Was wondering if you had taken a look at something called SpamCannibal
> >at http://www.spamcannibal.org . It is something akin to the Anvil
> >feature you describe, but with a twist. The stated aim of the daemon on
> >its website is, "SpamCannibal's TCP/IP tarpit stops spam by telling the
> >spam server to send very small packets. SpamCannibal then causes the
> >spam server to retry sending over and over - ideally bringing the spam
> >server to a virtual halt for a long time or perhaps indefinitely."
> 
> ....and if you bring down a server that was exploited through no fault of
> the owner then what?  They trace the problem to software you intentionally
> installed on your server knowing it would crash other people's
> servers.....and you are reported to your upstream provider or you are sued.
> This is a very bad idea.  Delete incoming SPAM, block the IP, report it to
> the source, or to SpamCop, etc., but please don't try to crash servers that
> may be victims of exploits without any more information other than "SPAM
> was delivered from this address".
> 
> 
> >I haven't tried setting up a Postfix box for this yet, but it sounds 
> >like fun. :-)
> >
> >
> >William Van Hefner
> >Network Administrator
> >Vantek Communications, Inc.
> >
> >
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
> > > Sent: Wednesday, January 26, 2005 7:22 AM
> > > To: [email protected]
> > > Subject: Re: [IMail Forum] Filanet InterJak 200
> > >
> > >
> > >
> > > >If you're willing to get your hands dirty and learn a bit of *nix I
> > > >recommend pf on OpenBSD which is _very_ flexible and will let you
> > > >'tarpit' spammers (with spamd) if you wish.  It's free and it'll
> > > >run very well on a pII 350mhz with 128m of RAM.  It is a bit of a
> > > >learning curve if you're a Windows only guy but well worth it IMHO.
> > >
> > > Even easier is IMGate/postfix's "anvil" feature which will
> > > dynamically smtp-block/rate-limit any IP that connects to postfix
> > > more than x times in y minutes.
> > >
> > > anvilled IPs connect to port 25, postfix sends an immediate SMTP 421
> > > code, and hangs up. postfix can probably do that 200 times/second
> > > without impacting legit operation.
> > >
> > > I would say the majority of msgs to unknown users come from
> > > subscriber access networks of millions of infected PCs, each of which
> > > doesn't attack any one MX at a high rate of attempts, so rate limiting
> > > is not helpful.
> > >
> > > Len
> > >
> > >
> > >
> > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > > List Archive: 
> > > http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> > >
> >
> >
> 
> ComsecNet
> Dedicated Data Services
> Stockton, CA
> Phone:(209) 463-2809
> Fax:    (209) 938-0481
> Email: [EMAIL PROTECTED]
> Web: www.comsec.net
> 
> 
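
Added example, not part of the original messages and not Postfix's own code: a small Python model of the connection-rate limiting Len describes (an IP that connects more than x times in y minutes gets an immediate 421 and a hang-up), run over constructed traffic to show his caveat that many slow sources never trip a per-IP limit. The class name, limits, addresses and reply strings are assumptions made for illustration.

```python
from collections import defaultdict, deque


class AnvilLimiter:
    """Per-client limiter: more than `limit` connections from one IP
    inside `window` seconds is answered with SMTP 421 and a hang-up."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.seen = defaultdict(deque)  # ip -> timestamps of recent connections

    def connect(self, ip, now):
        q = self.seen[ip]
        while q and now - q[0] >= self.window:  # forget connections outside the window
            q.popleft()
        q.append(now)  # in this sketch, refused attempts also count toward the rate
        if len(q) > self.limit:
            return "421 Too many connections, try again later"  # constructed reply text
        return "220 mx.example.test ESMTP"  # constructed banner


def simulate(events, limit=10, window=60):
    """events: iterable of (timestamp_seconds, ip). Returns (accepted, deferred)."""
    limiter = AnvilLimiter(limit, window)
    accepted = deferred = 0
    for now, ip in sorted(events):
        if limiter.connect(ip, now).startswith("421"):
            deferred += 1
        else:
            accepted += 1
    return accepted, deferred


# Constructed traffic: 300 connections spread over one minute in both cases.
# Case 1: a single relay connecting five times a second.
single_source = [(i * 0.2, "192.0.2.10") for i in range(300)]
# Case 2: 300 different infected PCs, each connecting exactly once.
botnet = [(i * 0.2, f"10.0.{i // 250}.{i % 250 + 1}") for i in range(300)]

if __name__ == "__main__":
    print("single source:", simulate(single_source))
    print("botnet       :", simulate(botnet))
```

The single relay is cut off after its tenth connection, while the same volume spread across 300 addresses passes untouched, which is why per-IP rate limiting alone does little against mail sent from large numbers of infected hosts.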

