Alessandro Vesely wrote:
> And what about filtering blacklisted IPs at the firewall level, i.e.
> blocking (reject, drop, or tarpit) their syn requests? Is it better than
> letting spammers consume our mailer daemon resources?

I have identified 957286 IP addresses infested with (just) Cutwail[+] in
the past week sending an average of 5.7 emails apiece (last (approx) 30
hours).

Secondly, some bot operators know about banner delays and tarpitting,
and have relatively short timeouts to avoid damage from them. Banner
delays, while not as effective as they once were, are still working
quite well.

The same reason that makes banner delays work (short timeout bots give
up), makes tarpitting work less well (short timeout bots give up).

Just how much trouble do you think tarpitting causes spammers like that?
Not much.

It may help in some unusual cases with extremely stupid spammers. Like
Linhardt sending email to Comcast <evil grin>

Except in a few cases (very specialized MTAs or low email volumes)
tarpitting usually causes much more trouble to the receiver than the sender.

Dropping 'em at the router is difficult, because routers (at present)
can't be configured to hold all the IPs you'd like them to, and can only
be used very selectively.

[+] and 669576 infested with Srizbi, with an average of 9.23/apiece
(currently 13.62% of all spam). Etc.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg