On Thu, 2005-11-17 at 11:55, Christian Recktenwald wrote: > On Thu, Nov 17, 2005 at 11:42:44AM -0800, John Woolsey wrote: > > It would be an interesting addition to a honeypot. Make the mail server > > just hang up and not respond to tie up connections on the spammer. > > There's a cool piece of software holding tcp connections > alive as long as possible called "labrea". > But be careful: it saturated the NAT table of my firewall after > some hours by holding hundreds of "connections" alive. ;-)
The problem with LaBrea for tarpitting SMTP connections is it does not send the SMTP server greeting before tarpitting the connection, so the client will only be trapped for the duration of its own wait-for-greeting timeout. I tried to talk Tom into adding a port-number/response-string option to LaBrea to more effectively trap such protocols, but I haven't looked at it lately to see if anything along these lines has been done. -- John Hardin Development and Technology group (Seattle) CRS Retail Systems, Inc. 3400 188th Street SW, Suite 185 Lynnwood, WA 98037 voice: (425) 672-1304 fax: (425) 672-0192 email: [EMAIL PROTECTED] web: http://www.crsretail.com ----------------------------------------------------------------------- If you smash a computer to bits with a mallet, that appears to count as encryption in the state of Nevada. - CRYPTO-GRAM 12/2001 -----------------------------------------------------------------------
