Peter Eisch wrote:

I think there's a disconnect between the spammer and the MTA trying to
deliver the spam to me.  I would gamble that most of the spam getting
dropped off to me is done via some unrelated third party's MTA.
Tarpitting that unsuspecting, dimwitted, ignoramus's MTA seems harsh as it
doesn't draw the attention to their real issue.

In this case, the poor, dimwitted MTAs are trojan proxies installed on cable modem and DSL users' Windows machines. From the behavior I've seen, it doesn't look like they're running real MTAs that receive, queue/spool, retransmit. These machines attempt delivery; if it fails, they retry again on some other machine almost instantly.

Granted, that's not all of them; I have seen a bunch of virus traffic come from ISP mail servers that aren't protected. But then, I'm not tarpitting "correctly configured" mail servers. My current tarpit implementation only triggers on IPs with no revDNS and on cable/DSL modem users.

Never send back a decline, only send back soft failures so it sits in their
queue until it expires.  Sure they keep trying to deliver it to me.

I've seen some of these open multiple connections, one right after the other, regardless of the failure type. However, by stalling them for a few seconds, it seems to be reducing the amount of connections opened every few seconds (i.e. instead of 5-10 per second, now only one or two, back to normal). If it's working the way I think it is, it keeps my machine from spawning 10 perl processes within that 5 second period, and spreads them out over a much nicer time frame.

Perhaps fire a squadron of 2M (some significant size that won't be
auto-dropped) emails back at the MTA trying to slough off spam as legit junk
and fill up their spool.  Address each of those emails to a tarpitable email
address on my server and I'll let those sessions time out and never deliver
to me.  It's like sending in a missile that doesn't explode until it's
well inside the walls.

My $0.02.

I *do* like that one. :) It would be just as fun to figure out how to use the trojan against itself, sort of like the cartoonish bending of the end of a rifle back into the shooter's face.
If I can stall a few of these long enough.. perhaps the real server
behind the proxies will give up sooner (and possibly drop the email
address from its list?)...
-- Bryan
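The tarpit policy Bryan describes above (trigger only on connections with no reverse DNS or from cable/DSL pools, stall them for a few seconds, answer with a soft failure so the sender keeps the message queued rather than moving on) written out as a small decision function. This is an added example, not Bryan's perl implementation; the PTR table, the residential-hostname patterns and the delay constants are constructed stand-ins, and the in-memory lookup replaces a real resolver call so the block runs offline.

```python
"""Tarpit decision logic for an SMTP front end (added example, not the
poster's code). Decides per connection whether to stall and temp-fail."""
import re
import time
from collections import defaultdict, deque

# Constructed stand-in for reverse DNS (PTR) lookups so this runs offline.
# A real deployment would call socket.gethostbyaddr() or a resolver library.
FAKE_PTR = {
    "192.0.2.10": "mail.example.org",                    # a normal MX
    "198.51.100.7": "cpe-198-51-100-7.dsl.example.net",  # residential DSL pool
    "203.0.113.99": None,                                # no reverse DNS at all
}

# Heuristic (assumed, not exhaustive) hostname fragments typical of
# residential cable/DSL address pools.
RESIDENTIAL_RE = re.compile(
    r"(\bdsl\b|\bcable\b|\bppp\b|\bdyn(amic)?\b|\bcpe-|\bpool-)", re.I)


def reverse_dns(ip, table=FAKE_PTR):
    """Return the PTR name for ip, or None when there is none."""
    return table.get(ip)


def classify(ip, table=FAKE_PTR):
    """Classify a peer as 'no-rdns', 'residential' or 'ok'."""
    name = reverse_dns(ip, table)
    if not name:
        return "no-rdns"
    if RESIDENTIAL_RE.search(name):
        return "residential"
    return "ok"


class Tarpit:
    """Per-IP connection tracking with an escalating stall."""

    def __init__(self, window=5.0, base_delay=2.0, max_delay=30.0):
        self.window = window          # seconds over which connections are counted
        self.base_delay = base_delay  # stall per connection seen in the window
        self.max_delay = max_delay    # cap so a flood cannot pin a worker forever
        self.recent = defaultdict(deque)  # ip -> timestamps of recent connections

    def decide(self, ip, now=None, table=FAKE_PTR):
        """Return a dict: tarpit?, how long to stall, and the SMTP reply to send."""
        now = time.monotonic() if now is None else now
        cls = classify(ip, table)
        if cls == "ok":
            # Correctly configured mail servers are never tarpitted.
            return {"tarpit": False, "delay": 0.0, "reply": None, "reason": cls}
        q = self.recent[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        # Escalate with the number of connections in the window, so a proxy
        # opening 5-10 connections a second gets stretched out over time.
        delay = min(self.base_delay * len(q), self.max_delay)
        # Soft failure (4xx), never a 5xx: the sender keeps the message in its
        # queue and retries later instead of immediately trying another host.
        reply = "450 4.7.1 Service temporarily unavailable, try again later"
        return {"tarpit": True, "delay": delay, "reply": reply, "reason": cls}

    def stall(self, decision):
        """Apply the stall before the greeting banner; returns the reply to send."""
        if decision["tarpit"]:
            time.sleep(decision["delay"])
        return decision["reply"]


if __name__ == "__main__":
    pit = Tarpit()
    for peer in ("192.0.2.10", "203.0.113.99", "203.0.113.99", "198.51.100.7"):
        d = pit.decide(peer)
        print(peer, d["reason"], "stall", d["delay"], "s ->", d["reply"])
```

The stall is applied before the banner so the client pays the cost before it can even send HELO; the 4xx reply is what keeps the message in a real MTA's queue, while the proxies Bryan describes simply burn time on each attempt.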