On Mon, 2004-03-08 at 17:00, Christopher D. Lewis wrote:
> I read it to mean that over the lifespan of the connection it had 
> slowly transferred 13M while the spammer had to keep a socket open, 
> re-establish connections, etc.  Sure the packets crossed your line, but 
> unless you felt it impact your service, it was basically without 
> incremental cost to you while to the spammer actions like yours, in the 
> aggregate, drive up the cost of spamming by keeping emails in his send 
> queue, wasting cycles re-establishing connections, etc.  If more 
> followed the example you follow, spamming would be a more expensive 
> proposition, costing spammers and their clients more to pull it off.

Mmmm, not necessarily.  It would take pretty much every MX host on the
Internet to make a significant impact on spammers with dedicated
equipment, such as the IronPort A60 that can maintain (it claims) 10,000
simultaneous connections.

The spammers that don't use dedicated Spam MTAs (and IronPort is by far
not the only one) are using compromised boxen on broadband, so they
don't even have to pay for the bandwidth or other resources.

This doesn't necessarily have anything to do with PF, other than there's
not a whole lot of value in tarpitting spammers nowadays and IMHO you
would be better off just dropping their SYN (at least let them time-out
rather than politely RST'ing the connection for them).

-- 
Brian Keefer, CISSP
Systems Engineer
CipherTrust Inc, www.CipherTrust.com
