
Re: Proposal: Using Conservative EHLO Response Parser Behaviour For Tarpitting

2007-06-18 05:59:03

Sabahattin Gucukoglu wrote:

Greylisting would be a neat trick but for 
one essential problem that is overlooked too often: it makes the 
assumption that all mail transactions, having been issued at least once, 
are always issued again and again until the delivery is successful from 
the same host that made the initial attempt.

Not necessarily.  Our greylisting implementation only considers the
first three octets of the IP address.  So while it's true that many
organizations have a pool of sending machines, it's also true that they're
almost all within a class-C network (or a handful of class-C's, which means
maybe a couple more attempts before they break through greylisting.)

My idea is to replace greylisting with a connection-delaying technique 
that will make the SMTP client wait until we're certain it is genuine.

This is a very bad idea on a number of levels:

1) Tarpitting occupies server resources, making it easier to DoS the

2) Tarpitting is useless against an attacker with essentially infinite
CPU and bandwidth resources --- and that's the kind of attacker a serious
spammer is.

3) Relying on "genuine" clients to adhere strictly to RFC-defined timeouts
is dangerous.

4) It is perfectly possible to delay the client before EHLO.  That's what
Sendmail's greet_pause feature does.  However, it's *not* designed to be
a tarpitting mechanism.  Rather, it's designed to detect SMTP clients
that send everything in one burst without waiting for the initial greeting
(and also to detect clients that use broken proxy servers.)
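The /24-keyed greylisting described in the reply, as an added example that is not part of the original message or of any particular MTA's code. It keys the greylist triplet on the first three octets of the client address instead of the full IP, so a pool of senders inside one class-C passes after a single deferred attempt, while a retry from a different /24 is treated as a new triplet. The 300-second delay, the 4-hour pending window, the `Greylist` class and the documentation-range IPs in the demo are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Greylist keyed on (client /24, envelope sender, recipient).

    Assumed parameters (not from the original message):
      delay   - seconds a new triplet must wait before a retry is accepted
      window  - seconds a pending triplet stays valid before it is forgotten
      prefix  - IPv4 prefix length used to normalise the client address;
                24 means "first three octets", as in the reply
    """
    delay: int = 300
    window: int = 4 * 3600
    prefix: int = 24
    _pending: dict = field(default_factory=dict)   # key -> time first seen
    _passed: dict = field(default_factory=dict)    # key -> time accepted

    def _key(self, ip: str, sender: str, rcpt: str):
        # Collapse the client address to its /24 so sibling hosts in the
        # same pool share one greylist entry.
        net = ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        """Return 'accept' or 'defer' for one delivery attempt at time `now`."""
        key = self._key(ip, sender, rcpt)
        if key in self._passed:
            return "accept"
        first = self._pending.get(key)
        if first is None:
            self._pending[key] = now          # never seen: temp-fail it
            return "defer"
        if now - first > self.window:
            self._pending[key] = now          # stale entry: start over
            return "defer"
        if now - first < self.delay:
            return "defer"                    # retried too soon
        del self._pending[key]
        self._passed[key] = now               # genuine retry: whitelist triplet
        return "accept"


def demo() -> list:
    """Constructed scenario: a sending pool in 192.0.2.0/24 plus one host
    in a different /24 (198.51.100.0/24), all carrying the same message."""
    gl = Greylist()
    sender, rcpt = "list@example.org", "user@example.net"
    attempts = [
        ("192.0.2.10", 0),      # first attempt: deferred
        ("192.0.2.11", 120),    # sibling retries within delay: still deferred
        ("192.0.2.12", 400),    # sibling retries after delay: accepted
        ("192.0.2.13", 401),    # rest of the pool now passes
        ("198.51.100.5", 402),  # other class-C: new triplet, deferred once
        ("198.51.100.6", 800),  # its sibling retries after delay: accepted
    ]
    return [gl.check(ip, sender, rcpt, t) for ip, t in attempts]


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one in the reply: an organisation with several outbound hosts in one class-C costs itself one extra retry, a second class-C one more, and nothing beyond that; a full-IP key would instead defer every distinct host in the pool separately.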


