Gary,
This is NOT like some arbitrary "DOS" attack. The sending server would only be choking on their -OWN- spam. As soon as the server admin kills all attempts to send spam from their server to my server (and others), everything goes back to normal. The tarpitting ONLY occurs as long as spam is actively being delivered from their server.
Hi William,
Yes, but while you are attacking the offending server you are also interfering with
the processing of legitimate email. This action may cause loss of customers and
result in legal action. How would you feel if I was crashing your server because
IMail had a bug (what are the odds of that :-) ) that someone had exploited and
was sending SPAM through your server? I just had someone exploit a statistic
server running on one of our machines. We received several reports of spam related
to one of our IPs. We were able to track down the problem and fix it quickly. I
realize that all providers are not so responsive. If someone had managed to crash
the machine it would have taken 100+ websites offline and punished many people
who were not at fault (not to mention it would really pizz me off :-)). All a "real"
spammer would have to do is block your IP and go back to business.
This is the same premise behind RBLs, in that if everyone used an RBL, an offensive spamming server would not be able to send mail (spam or legit) to anyone. In this case, the program simply throttles or kills the server's ability to send spam or other traffic until they have dealt with the issue and STOPPED SPAMMING.
RBLs are elective (we use them) and only affect delivery to our customers. This is a completely different thing than "attacking" someone else's server.
Also, this is a two-step process. A spamming server already has to have been blacklisted for spamming previously/recently before the daemon will be triggered. By the time it gets to that point, an admin should already know what's going on, and has had an opportunity to do something about it. As soon as they stop sending spam, the problem goes away. Seems fair enough to me. FYI, I am only considering installing this on my secondary MX, where absolutely NO legit traffic belongs in the first place. If everyone installed this program on their secondary MX, the abuse of secondaries would quickly vanish.
Believe me, I hate spam and spammers as much as anyone but I don't want to
crash legitimate servers that have been exploited. If I see a certain source of
persistent spam I have no problem with its IP being blocked (our IP blocking expires
after a time so if the problem is resolved the IP becomes useable again) or it being
reported to an RBL. But I completely understand how you feel and I used to feel the
same way before I had products like Declude (in my case) that have at least made the
problem more manageable.
Cheers,
Gary
William Van Hefner
Network Administrator
Vantek Communications, Inc.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary Brumm
> Sent: Thursday, January 27, 2005 10:31 AM
> To: [email protected]
> Subject: RE: [IMail Forum] Filanet InterJak 200
>
> At 10:02 AM 1/27/2005, you wrote:
> >Len,
> >
> >Was wondering if you had taken a look at something called SpamCannibal
> >at http://www.spamcannibal.org . It is something akin to the Anvil
> >feature you describe, but with a twist. The stated aim of the daemon on
> >its website is, "SpamCannibal's TCP/IP tarpit stops spam by telling the
> >spam server to send very small packets. SpamCannibal then causes the
> >spam server to retry sending over and over - ideally bringing the spam
> >server to a virtual halt for a long time or perhaps indefinitely."
>
> ....and if you bring down a server that was exploited through no fault of
> the owner then what? They trace the problem to software you intentionally
> installed on your server knowing it would crash other people's servers.....and
> you are reported to your upstream provider or you are sued. This is a very
> bad idea. Delete incoming SPAM, block the IP, report it to the source, or to
> SpamCop, etc., but please don't try to crash servers that may be victims of
> exploits without any more information other than "SPAM was delivered from
> this address".
>
> >I haven't tried setting up a Postfix box for this yet, but it sounds
> >like fun. :-)
> >
> >William Van Hefner
> >Network Administrator
> >Vantek Communications, Inc.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
> > > Sent: Wednesday, January 26, 2005 7:22 AM
> > > To: [email protected]
> > > Subject: Re: [IMail Forum] Filanet InterJak 200
> > >
> > > >If you're willing to get your hands dirty and learn a bit of *nix I
> > > >recommend pf on OpenBSD which is _very_ flexible and will let you
> > > >'tarpit' spammers (with spamd) if you wish. It's free and it'll
> > > >run very well on a pII 350mhz with 128m of RAM. It is a bit of a learning
> > > >curve if you're a Windows only guy but well worth it IMHO.
> > >
> > > Even easier is IMGate/postfix's "anvil" feature which will
> > > dynamically smtp-blocks/rate-limits any IP that connects to postfix
> > > more than x times in y minutes.
> > >
> > > anvilled IPs connect to port 25, postfix sends an immediate SMTP 421
> > > code, and hangs up. postfix can probably do that 200 times/second
> > > without impacting legit operation.
> > >
> > > I would say the majority of msgs to unknown users come from
> > > subscriber access networks of millions of infected PCs, each of which
> > > doesn't attack any one MX at a high rate of attempts, so rate limiting
> > > is not helpful.
> > >
> > > Len
> > >
> > > To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> > > List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> > > Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
>
> ComsecNet
> Dedicated Data Services
> Stockton, CA
> Phone:(209) 463-2809
> Fax: (209) 938-0481
> Email: [EMAIL PROTECTED]
> Web: www.comsec.net
>
> This message is intended for the use of the individual or entity to which
> it is addressed and may contain information that is privileged,
> confidential, and exempt from disclosure under applicable law. If the
> reader of this message is not the intended recipient or an employee or
> agent responsible for delivering to the intended recipient, you are hereby
> notified that any dissemination, distribution or copying of this
> communication is strictly prohibited. If you have received this
> communication in error please destroy this message and notify the sender by
> reply email.
ComsecNet
Dedicated Data Services
Stockton, CA
Phone:(209) 463-2809
Fax: (209) 938-0481
Email: [EMAIL PROTECTED]
Web: www.comsec.net
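A simplified model of the per-client connection rate limiting described in the quoted message (more than x connections in y seconds gets an SMTP 421 and a hang-up), combined with the expiring block mentioned in the reply, replayed over constructed traffic. This is an added example, not Postfix or IMGate code and not written by anyone in the thread; the class name, limits and addresses are assumptions.

```python
from collections import Counter, defaultdict, deque

NOISY = "192.0.2.10"  # constructed address (documentation range)

class ConnRateLimiter:
    """Simplified model of per-client connection rate limiting (not Postfix code)."""

    def __init__(self, max_conns, window_s, block_s):
        self.max_conns, self.window_s, self.block_s = max_conns, window_s, block_s
        self.recent = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked_until = {}            # ip -> time the block expires

    def on_connect(self, ip, now):
        """Return the SMTP reply code for a connection from ip at time now (s)."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return 421                 # still over the limit: refuse, hang up
            del self.blocked_until[ip]     # block expired, client starts clean
        seen = self.recent[ip]
        while seen and seen[0] <= now - self.window_s:
            seen.popleft()                 # forget connections older than the window
        seen.append(now)
        if len(seen) > self.max_conns:
            self.blocked_until[ip] = now + self.block_s
            seen.clear()
            return 421
        return 220

def replay():
    """Replay constructed traffic and tally reply codes per kind of client."""
    limiter = ConnRateLimiter(max_conns=10, window_s=60, block_s=300)
    events = [(t, NOISY) for t in range(0, 60, 2)]             # one relay, 30 tries
    events += [(i, f"198.51.100.{i}") for i in range(1, 51)]   # 50 hosts, 1 try each
    events.append((400, NOISY))                                # relay after block expiry
    noisy, spread = Counter(), Counter()
    for now, ip in sorted(events):
        code = limiter.on_connect(ip, now)
        (noisy if ip == NOISY else spread)[code] += 1
    return dict(noisy), dict(spread)

if __name__ == "__main__":
    print(replay())
```

The single fast relay is refused after its tenth connection and accepted again once the block expires, while the fifty hosts that connect once each are never limited, which is the limitation of rate limiting noted in the quoted message.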
