Re: Abort data transfer?

John R Levine wrote:
> [...]  The infamous Ron Guilmette had an amazing tarpit 
> MTA about a decade ago that used that technique to keep 4000 
> simultaneous connections open, running on a 486.  But since the rise of 
> botnets, tarpitting lost whatever effectiveness it might have had, so I 
> don't know of anyone still doing it.
Courier-MTA does it, for one. I cannot think of another method for 
handling dictionary attacks, targeting either user/passwd or rcpt. 
It's obviously not enough against a botnet, but I think it's a good 
practice. In such scenario, it is normal to have some SMTP daemons 
loitering about with their tarpits; IME they usually arrive to a 
regular disconnection. However, in case the maximum number of daemons 
is reached, one should force some of those connections to abort. I 
think that can happen by chance, not necessarily implying a deliberate 
DoS attack.
Forcefully aborting connections, as well as disallowing further access 
from those IPs, is better dealt with at the system's firewall level: 
If knowledge about bad behavior is encapsulated within the SMTP 
software, different daemons have to duplicate both the functionality 
and the data, resulting in an overall weaker system. BTW, I reckon 
4000 IPs can be handled with a ~400K .db file keyed on the IP number, 
and would need ~400G to map the whole IPv4 address space that way.