
Re: Proposal: Using Conservative EHLO Response Parser Behaviour For Tarpitting

2007-06-18 16:13:29

Chris Callahan wrote:

> On Mon, 18 Jun 2007, David F. Skoll wrote:
>> That's not my experience.  We use a greet_pause of only 5 seconds, and
>> we still get quite a few:
>> We get about 1000 a day, which is negligible compared to the rest of our
>> traffic and compared to the 100,000 per day we got two years ago.
>
> Perhaps people are still pointing old bots at us or something. We use
> the Sendmail greet_pause feature with a 5 second delay, and are still
> averaging about 120K rejects per day based on that hurdle.

+1, there is no overwhelming pattern.

For us, our philosophy is to design for query dissemination and minimal session residence time. It all came down to enforcing "obvious" SMTP compliance and providing connection limits, load limits, monitoring of your connection queues, balancing, etc. based on the system's scalability needs.

IOW, rather than pulling your hair out trying to figure out the randomness of the bad guy, just set your controls and limits to handle the loading you need and it pretty much works itself out.

For example, one server may have:

Maximum Accept Load: X
Maximum Accept Connections:  X+5

This means that X sessions can be active at a given time, with 5 put into a wait queue, i.e. no greeting response until a new slot is available.

If there is a DoS, it is handled gracefully, and if the bad guys are impatient and can't wait for the SMTP standard 5 minutes, they typically drop pretty quickly. It tickles me pink to watch these randomly occurring attacks quickly peter off.

If and when the greeting is presented, we found the following observations:

- Multi-line greetings will knock out a good bit of the non-SMTP-compliant bulk spammers not expecting multi-line responses of any kind.

- Strict EHLO/HELO domain literal checking knocks out a significant amount of this type of bulk spammer.


Hector Santos, CTO
