On Sat, 26 Jun 2004 15:50:06 +0100, Tim Meadowcroft wrote:
> I use qpsmtpd (http://smtpd.develooper.com/) at home and it has a
> plugin module that specifically looks for this behaviour (it sleeps
> for a second on connection, and then checks to see if the other end
> has been sending data already).
Yes...Exim essentially has this check built in.
I thought maybe the problem was my identd lookup -- if the host at the other
end was blackholing packets to the identd port, it would take 30 seconds to
time out. I disabled it, and this solved the problem with another site, but
AOL's servers are still sending data before they get the 220 banner. The
*only* delay they see now should be the wait for the reverse DNS lookup to
complete.
> I haven't checked my logs, but I know plenty of qpsmtpd users find
> this to be one of the single most successful spam/virus filters.
It's amazingly effective, especially if coupled with a longer delay for hosts
that are on a spam blacklist. I delay hosts that are on a few dynamic IP and
spam blacklists, or that have no reverse DNS, for 40 seconds before the 220
greeting. Any RFC-compliant mailer will have no problem with this, but a lot
of spam software starts blissfully sending away before the delay is up. Those
connections are sent a 5xx response and dropped.
Delaying 60 seconds after each bad RCPT TO: command also seems to help with
"dictionary attack" spammers. Often they give up after a couple rounds; if
not, at least it bogs them down.
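The pre-greeting gate the thread describes, written out as an added example; this is not code from the posts, from qpsmtpd or from Exim. The 40 second hold for blacklisted or no-reverse-DNS hosts and the one second probe come from the posts; the function names, the banner hostname and the 554 reply text are assumptions.

```python
import select
import socket
from typing import Optional

# Policy stated in the thread: hosts on a dynamic-IP/spam blacklist, or with no
# reverse DNS, wait 40 s for the 220 banner; everyone else gets the 1 s probe
# that the qpsmtpd plugin uses.
LISTED_DELAY = 40.0
DEFAULT_DELAY = 1.0


def greet_delay(reverse_dns: Optional[str], blacklisted: bool) -> float:
    """Seconds to hold the 220 greeting for this client."""
    if blacklisted or not reverse_dns:
        return LISTED_DELAY
    return DEFAULT_DELAY


def gate_connection(conn: socket.socket, delay: float,
                    banner: str = "220 mx.example.test ESMTP") -> str:
    """Hold the banner for `delay` seconds before sending it.

    An RFC-compliant client says nothing until it has seen the 220 line.  A
    client that talks first ("early talker") gets a 5xx reply and is dropped,
    exactly as the reply in the thread describes.  Returns a short outcome
    string so the caller can log it: 'accepted', 'rejected' or 'disconnected'.
    """
    readable, _, _ = select.select([conn], [], [], delay)
    if readable:
        early = conn.recv(1024)       # whatever arrived before our greeting
        if early == b"":              # peer simply hung up during the wait
            conn.close()
            return "disconnected"
        try:
            conn.sendall(b"554 5.7.1 Protocol violation: data sent before greeting\r\n")
        except OSError:
            pass                      # peer already gone; nothing more to say
        conn.close()
        return "rejected"
    conn.sendall((banner + "\r\n").encode("ascii"))
    return "accepted"
```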