ietf-smtp
[Top] [All Lists]

Re: Proposal: Using Conservative EHLO Response Parser Behaviour For Tarpitting

2007-06-19 10:57:22

Sabahattin Gucukoglu wrote:

[...]

But putting that aside, aren't you giving these spammers quite a bit
of credit for brains and familiarity with these swish programming
ideas?

No; the average spammer is as dumb as a post.  However, there are talented
spamware authors out there who make a tidy profit selling their software,
some of which is quite high-quality.

[...]

There is no way to "make" optimized ratware clients written and used by
criminals to do anything either.

No, there isn't, but the objective is to make those who are willing to 
wait, wait (including spammers that take the bate).  Normally, clients 
that give up before the RFC-defined timeout are a problem, which is why 
greet_pause has limited usefulness.  So this is a greylisting replacement 
and/or a glorified greet_pause option.

OK, but I don't see the advantage of this over a short (<2s) greet_pause
combined with reasonable (~10 minute) greylisting.

The proposal suggests a very short tarpitting time; the objective is
to hang on to the address that's calling so that the delivery
doesn't have to be delayed any further than the initial tarpitting
time per cycle, because otherwise the mail may arrive on another
address and be delayed further.

The problem is this does not scale.  For example: We have a customer
who processes approximately 120 inbound messages per second.  If he
added five minutes to each SMTP transaction length, he'd be dead in
the water, at least with standard UNIX open-source MTAs.

So the idea is infeasible for large sites that process lots of mail.
And spammers won't particularly care/notice if small sites that don't
process lots of mail use the technique.

But so long as your mailer were sufficiently robust, it probably
wouldn't actually notice any given delivery being tarpitted briefly
and the likelihood of its being simultaneously tarpitted by enough
destination sites as to cause it ill-health is probably quite small
(and, in any event, something the client should not be trying to do
anyway).

It depends on who "you" are.  If you're an ISP delivering 100 outbound
messages/second, I would guess that a substantial portion of them are
to a few domains like hotmail.com, aol.com, gmail.com, etc.  If one
of those big sites started tarpitting, you'd *definitely* feel the pain.

Regards,

David.

<Prev in Thread] Current Thread [Next in Thread>