William,

I believe that reporting to an RBL, blocking an IP, or deleting email that you classify as spam is relatively "passive"
as opposed to disabling someone's server which is a bit more of an "active" approach (IMHO).
I see that you appear to be a small provider (as am I) and are located in California. As a fellow Californian I am sure
you are aware that in this state more than just about anywhere else a lawsuit doesn't have to make sense
to be filed or even won. If you take down a server from a company with "deep pockets" they can bankrupt you
even if they don't win just by running up the cost of your defense. For the record this is one of the things that I
absolutely hate about this state but it is an unfortunate reality at this time. I would give it a great deal of thought
before doing something that could potentially damage another company's business. I hope your frustration
with the spam problem doesn't backfire on you. If you ever receive spam from one of our servers please forward
the details and we will fix it (we don't like being hijacked any more than we like receiving spam :-)).


Regards,

Gary


At 01:57 PM 1/27/2005, you wrote:
Gary,

I think that we vastly differ on what constitutes an "attack". This is not
"revenge", as you probably see it. It is pure defense, from my point of
view. Keep in mind, the spamming server can stop the tarpitting AT ANY TIME,
simply by stopping the stream of spam they are sending to me. He stops, I
stop. Period. No revenge. No vigilante party. I am purely reflecting the
attack back at them. Just as my own mail servers can be slowed down to a
crawl or stopped entirely by spammers, I am simply shifting the burden back
where it actually belongs. I am sending their spam back to them, with
postage due.

THEY are the ones launching the "attack" on MY server, not the other way
around! All I am doing is making them choke on their OWN messages. I am no
more blocking the delivery of legitimate e-mail than blacklists or RBLs are.
These people are illegally trespassing on my property. Anyone reading our
anti-spam policies knows that they are unwanted, and the vast majority of
spams are in violation of the wussy CAN-SPAM Act.

In my home, and on my servers, anyone attempting to break in is shot on
sight. Questions asked later. If other admins don't like it, all they have
to do is kill the queued spam they are sending to me and to others. It's the
incompetent admin who is responsible if their other subscribers' e-mails
don't get through, not me, just as it is for mail admins who run open
relays. No jury in the world who has ever received spam would convict me!


William Van Hefner
Network Administrator
Vantek Communications, Inc.


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gary Brumm
> Sent: Thursday, January 27, 2005 12:37 PM
> To: IMail_Forum@list.ipswitch.com
> Subject: Re: [IMail Forum] SpamCannibal (was another topic)
>
> At 11:09 AM 1/27/2005, you wrote:
> >Gary,
> >
> >This is NOT like some arbitrary "DOS" attack. The sending server would
> >only be choking on their -OWN- spam. As soon as the server admin kills
> >all attempts to send spam from their server to my server (and others),
> >everything goes back to normal. The tarpitting ONLY occurs as long as
> >spam is actively being delivered from their server.
>
> Hi William,
> Yes, but while you are attacking the offending server you are also
> interfering with the processing of legitimate email. This action may
> cause loss of customers and result in legal action. How would you feel
> if I was crashing your server because IMail had a bug (what are the odds
> of that :-) ) that someone had exploited and was sending SPAM through
> your server? I just had someone exploit a statistic server running on
> one of our machines. We received several reports of spam related to one
> of our IPs. We were able to track down the problem and fix it quickly. I
> realize that all providers are not so responsive. If someone had managed
> to crash the machine it would have taken 100+ websites offline and
> punished many people who were not at fault (not to mention it would
> really pizz me off :-)). All a "real" spammer would have to do is block
> your IP and go back to business.
>
> >This is the same premise behind RBLs, in that if everyone used an RBL,
> >an offensive spamming server would not be able to send mail (spam or
> >legit) to anyone. In this case, the program simply throttles or kills
> >the server's ability to send spam or other traffic until they have dealt
> >with the issue and STOPPED SPAMMING.
>
> RBLs are elective (we use them) and only affect delivery to our
> customers. This is a completely different thing than "attacking"
> someone else's server.
>
> >Also, this is a two-step process. A spamming server already has to have
> >been blacklisted for spamming previously/recently before the daemon
> >will be triggered. By the time it gets to that point, an admin should
> >already know what's going on, and has had an opportunity to do
> >something about it. As soon as they stop sending spam, the problem goes
> >away. Seems fair enough to me. FYI, I am only considering installing
> >this on my secondary MX, where absolutely NO legit traffic belongs in
> >the first place. If everyone installed this program on their secondary
> >MX, the abuse of secondaries would quickly vanish.
>
> Believe me, I hate spam and spammers as much as anyone but I don't want
> to crash legitimate servers that have been exploited. If I see a certain
> source of persistent spam I have no problem with its IP being blocked
> (our IP blocking expires after a time so if the problem is resolved the
> IP becomes useable again) or it being reported to an RBL. But I
> completely understand how you feel and I used to feel the same way
> before I had products like Declude (in my case) that have at least made
> the problem more manageable.
>
> Cheers,
>
> Gary
>
> >William Van Hefner
> >Network Administrator
> >Vantek Communications, Inc.
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Gary Brumm
> > > Sent: Thursday, January 27, 2005 10:31 AM
> > > To: IMail_Forum@list.ipswitch.com
> > > Subject: RE: [IMail Forum] Filanet InterJak 200
> > >
> > > At 10:02 AM 1/27/2005, you wrote:
> > > >Len,
> > > >
> > > >Was wondering if you had taken a look at something called
> > > >SpamCannibal at http://www.spamcannibal.org . It is something akin
> > > >to the Anvil feature you describe, but with a twist. The stated aim
> > > >of the daemon on its website is, "SpamCannibal's TCP/IP tarpit stops
> > > >spam by telling the spam server to send very small packets.
> > > >SpamCannibal then causes the spam server to retry sending over and
> > > >over - ideally bringing the spam server to a virtual halt for a long
> > > >time or perhaps indefinitely."
> > >
> > > ....and if you bring down a server that was exploited through no
> > > fault of the owner then what? They trace the problem to software you
> > > intentionally installed on your server knowing it would crash other
> > > people's servers.....and you are reported to your upstream provider
> > > or you are sued. This is a very bad idea. Delete incoming SPAM,
> > > block the IP, report it to the source, or to SpamCop, etc., but
> > > please don't try to crash servers that may be victims of exploits
> > > without any more information other than "SPAM was delivered from
> > > this address".
> > >
> > > >I haven't tried setting up a Postfix box for this yet, but it
> > > >sounds like fun. :-)
> > > >
> > > >William Van Hefner
> > > >Network Administrator
> > > >Vantek Communications, Inc.
> > > >
> > > > > -----Original Message-----
> > > > > From: [EMAIL PROTECTED]
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Len Conrad
> > > > > Sent: Wednesday, January 26, 2005 7:22 AM
> > > > > To: IMail_Forum@list.ipswitch.com
> > > > > Subject: Re: [IMail Forum] Filanet InterJak 200
> > > > >
> > > > > >If you're willing to get your hands dirty and learn a bit of
> > > > > >*nix I recommend pf on OpenBSD which is _very_ flexible and
> > > > > >will let you 'tarpit' spammers (with spamd) if you wish. It's
> > > > > >free and it'll run very well on a pII 350mhz with 128m of RAM.
> > > > > >It is a bit of a learning curve if you're a Windows only guy
> > > > > >but well worth it IMHO.
> > > > >
> > > > > Even easier is IMGate/postfix's "anvil" feature which will
> > > > > dynamically smtp-block/rate-limit any IP that connects to
> > > > > postfix more than x times in y minutes.
> > > > >
> > > > > Anvilled IPs connect to port 25, postfix sends an immediate
> > > > > SMTP 421 code, and hangs up. Postfix can probably do that 200
> > > > > times/second without impacting legit operation.
> > > > >
> > > > > I would say the majority of msgs to unknown users come from
> > > > > subscriber access networks of millions of infected PCs, each of
> > > > > which doesn't attack any one MX at a high rate of attempts, so
> > > > > rate limiting is not helpful.
> > > > >
> > > > > Len



ComsecNet
Dedicated Data Services
Stockton, CA
Phone: (209) 463-2809
Fax: (209) 938-0481
Email: [EMAIL PROTECTED]
Web: www.comsec.net

This message is intended for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error please destroy this message and notify the sender by reply email.





To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
