On Sat, 21 Aug 2004 11:16:10 -0700, Warren Michelsen <[EMAIL PROTECTED]> is alleged to have written:
>
>In the past, on this list, it's been suggested that having too many RBL
>entries was causing too long a delay in accepting mail.
>
>I note that an increasingly popular anti-spam tactic these days is to add
>an SMTP Delay. Some server admins report a 40% drop in spam with a
>30-second delay. So...
>
>Is this delay right at the very start, before accepting an initial SMTP
>connection? Or is it just a delay after the connection is established but
>before the mail is accepted -- like the delay introduced by the use of too
>many RBLs?

The term I've used for what you are describing is a Teergrube (in English, tarpit):

<http://en.wikipedia.org/wiki/Tarpit_%28computing%29>

There are a variety of ways of introducing the delay, with different levels of effectiveness and fiendishness. The link above is a nice intro.

>
>Either way, I'm wondering if I might be better off adding more RBLs to my
>SIMS server. Will less patient spammers quickly give up and go away?
>

I don't think there is a person monitoring the progress of the entry of spam into your email system. The spammer is probably snoring away in the U.S. while a server in Hong Kong or Hungary is hitting your server. If there is any effect on the spam source, it would be an automated threshold of some kind, as far as I know.

>Does SIMS in fact wait for responses from each RBL that is queried?

I believe it does, from watching logs. Otherwise, what would be the point?

>If so,
>I'm thinking that it might be possible to write a short delay daemon that
>I can run on my OS X box, whose only purpose is to respond to a RBL lookup
>with a not-blacklisted response -- after a delay of 30 seconds.

I don't know if a 30 second delay is needed or not. I've seen waits of a few seconds discussed, which have no real effect on legitimate individual emails but which would add up to lots of time for a spamming machine.

>
>I then add the address of this daemon to my RBL list and thereby implement
>a 30-second delay which SIMS is otherwise not capable of. (Or would
>caching of responses cause this to fail?)

When you started talking about a tarpit on this list, the approach you are describing is what popped into my head as well. Just a DNS server that takes 30 seconds to say "I dunno".

>
>Is there a way to add a SMTP delay to SIMS or to achieve the same effect?
>
>Will adding more RBL entries help to reduce spam (quite apart from
>additional RBL hits) by introducing a delay?

This is a good question, which applies to the whole subject of tarpits.
Obviously, if your server's behavior can cause an automated spamming machine to go elsewhere, then it is a win for you. I don't know if that will happen.

One tarpit strategy is to detect a spamming machine (by looking for multiple emails to nonexistent addresses, for example) and then send a SYN/ACK response, then ignore the connection. This is like answering a telemarketer by saying "Wow! I just happen to be in the market for a new septic tank, but there's somebody at the door. Can you hang on for just a sec?", and going back to watching "Austin Powers". This would occupy a spamming machine for quite some time, magnifying any effect on its rate of spam shovelling (or any timer it might be using in a decision to give up on your domain).

>

I think tarpitting would have the greatest effect if it were widely used. Even if a spamming machine was infinitely patient, and burned up 30 seconds or more on each address it tries to send to your domain(s), that might burn up a day's worth of its time instead of a couple of minutes, which is one less day's worth of its spam in the world. Imagine if every SMTP server had a tarpit.

<rant>
Personally, there are so many poorly-run servers, and so many idiots that react positively to spam by buying whatever they are selling, that we'll see no decrease until spam laws become universally adopted, international in scope, and consistent in enforcement. Or until somebody goes over the edge, tracks down a few of the worst spammers, and puts bullets in their heads.
</rant>

>Finally, will adding a delay just cause spammers to move more quickly to
>secondary MXs for my domains?

I think secondary MXs are becoming somewhat out of fashion, anyway. I'm sure others on the list will comment.

Good luck, Mr. 1776!

--Lyle
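
The delay daemon discussed in the message above, sketched as an added example (not code from the thread or from SIMS): a UDP DNS responder that answers every RBL-style lookup with NXDOMAIN, i.e. "not listed", after a fixed delay. The listen address, port, delay constant and the `delay.example` zone are assumptions made for illustration.

```python
import socket
import struct
import threading

DELAY_SECONDS = 30                 # assumption: the delay figure from the thread
LISTEN_ADDR = ("127.0.0.1", 5353)  # assumption: unprivileged local test port

# Constructed sample: A query for 2.0.0.127.delay.example (hypothetical zone),
# id 0x1234, recursion-desired flag set.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    + b"".join(bytes([len(p)]) + p for p in b"2.0.0.127.delay.example".split(b"."))
    + b"\x00\x00\x01\x00\x01"
)

def build_nxdomain(query):
    """Build a "not listed" (NXDOMAIN) reply, or None for a malformed packet."""
    if len(query) < 12:
        return None
    qid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:   # drop responses and odd question counts
        return None
    pos = 12
    while pos < len(query) and query[pos] != 0:   # walk the QNAME labels
        if query[pos] > 63:              # compression pointer or invalid label
            return None
        pos += 1 + query[pos]
    pos += 5                             # root label + QTYPE + QCLASS
    if pos > len(query):
        return None
    # QR=1, AA=1, echo opcode and RD, RCODE=3 (NXDOMAIN); no answer records.
    rflags = 0x8000 | 0x0400 | (flags & 0x7900) | 0x0003
    return struct.pack("!HHHHHH", qid, rflags, 1, 0, 0, 0) + query[12:pos]

def serve(addr=LISTEN_ADDR, delay=DELAY_SECONDS):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)
    while True:
        query, peer = sock.recvfrom(512)
        reply = build_nxdomain(query)
        if reply is not None:
            # One timer per query, so a slow answer never blocks other lookups.
            threading.Timer(delay, sock.sendto, args=(reply, peer)).start()

if __name__ == "__main__":
    serve()
```

The reply carries no SOA record, so under RFC 2308 resolvers should not cache it, which bears on the caching question raised in the thread. The delay actually achieved is capped by the querying mail server's own DNS timeout.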
