
Re: [Asrg] Tarpitting

2008-08-07 00:41:36
Chris Lewis wrote:
Alessandro Vesely wrote:

And what about filtering blacklisted IPs at the firewall level, i.e. blocking (reject, drop, or tarpit) their syn requests? Is it better than letting spammers consume our mailer daemon resources?

I have identified 957286 IP addresses infested with (just) Cutwail[+] in the past week sending an average of 5.7 emails apiece (last (approx) 30 hours).

[OT] May I ask if you publish them on a DNSBL?

Secondly, some bot operators know about banner delays and tarpitting, and have relatively short timeouts to avoid damage from them. Banner delays, while not as effective as they once were, are still working quite well.

The same reason that makes banner delays work (short timeout bots give up), makes tarpitting work less well (short timeout bots give up).

Just how much trouble do you think tarpitting causes spammers like that?

Not much.

Thus, you are suggesting that drop, which can be considered a poor man's tarpit, wrt reject can be more effective. Or is the reason (short timeout bots give up) rooted in the fact that tarpitting exists?

It may help in some unusual cases with extremely stupid spammers. Like Linhardt sending email to Comcast <evil grin>

Except in a few cases (very specialized MTAs or low email volumes) tarpitting usually causes much more trouble to the receiver than the sender.

Dropping 'em at the router is difficult, because routers (at present) can't be configured to hold all the IPs you'd like it to, and can only be used very selectively.

(Using a Linux box may overcome that limit)

[+] and 669576 infested with Srizbi, with an average of 9.23/apiece (currently 13.62% of all spam). Etc.

Thanks for the insight
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
