[Top] [All Lists]

Re: Proposal: Using Conservative EHLO Response Parser Behaviour For Tarpitting

2007-06-18 16:15:18

Hi Arnt,

On 18 Jun 2007 at 9:59, Arnt Gulbrandsen <arnt(_at_)oryx(_dot_)com> said:

This reminds me of a technique some people are using: Delay responses by x
seconds, where x is a constant. x=46 and x=90 have been mentioned as good
numbers; apparently quite a few spambots drop off at 45 seconds or less,
while hardly any proper smtp clients do.

This is fine providing that the client can't pipeline.  If the client 
tries to, it should be shot.  The danger is, as David mentioned, in 
assuming that timeouts will be honoured by anyone.  That's why I propose 
my alternative.

By the way, just in case someone needs a rationale for killing off clients 
that talk prematurely: the idea is that a lot of broken spambots don't 
actually know what a continuation line is.  They will go on issuing 
commands under the assumption that they have a complete, one-line response 
when it becomes available.  It therefore makes sense to try to convince 
the client to give us a reason for terminating its connection by making it 
wait while it is being issued continuation lines.  My only fear is that 
some other, non-spam implementation will turn out to do the same. :-(

I see no reason why your variation should have less success, and would be
very interested in seeing a comparison if you're able to carry one out.

As I said in my previous message, not just yet.  I'm just floating an idea 
for the moment.  When I have some more time ...


Sabahattin Gucukoglu <mail<at>sabahattin<dash>gucukoglu<dot>com>
Address harvesters, snag this: feedme(_at_)yamta(_dot_)org
Phone: +44 20 88008915
Mobile: +44 7986 053399