> On 5/28/05, Matt Fretwell <[EMAIL PROTECTED]> wrote:
> G.W. Haywood wrote:
>
> > > We added a sort of tarpitting solution to our sendmail...
> > > clamav-milter seems to be suffering. What happens is that the
> > > maximum number of children is reached in a 2-4 hour period
> > >
> > People with far more experience than I tell me that this isn't the
> > way.
>
> And the above is the exact reason why they say it isn't the correct way
> to do it. Adding this 'delay' to SMTP negotiations can literally lead to
> you DoS'ing (or whichever phraseology you prefer) yourself :)
> On 5/29/05, Joe Maimon <[EMAIL PROTECTED]> wrote:
> To DoS your box, all I have to do is open a few hundred connections to
> it and try to send email to a few dozen fake users. If that does not do
> it, I can simply open a few hundred more.
>
> Cheap for me, expensive for you.
>
> I would recommend a different approach, using this patch
> [snip]

Thank you all for your responses. Let me note two things:

a) This tarpitting solution is not implemented in clamd, clamav-milter or sendmail, but in the authentication layer. Sendmail seems to behave well with it; clamav-milter is the one "suffering" because of memory issues.

b) Along with this tarpitting, a "firewall-centred" solution is also in place, preventing a single MTA from making too many concurrent connections, in order to avoid being DoS-ed by too many active connections.

However, under normal circumstances, clamav-milter hits its max. memory limit, so I'll agree with you that I'm exposed to a DoS (it's now turned off... so don't bother to try :-)).

If this is not your preferred solution, how do you suggest stopping those scumbags searching my user database? Remember, I'm not stopping spammers, I'm stopping user-db harvesters (probably future spammers).

One proposed solution was to run another SMTP box, redirect SMTP traffic to it, and stop those attempts there, either with tarpitting, or by directly terminating connections that reach a certain ratio of bad rcpts (as Joe Maimon suggested with a provided patch). This seems OK, but introduces another single point of failure, as it only works if I disable SMTP directly to my real box (no secondary MX record allowed).

The other thing with this is: if I terminate the connection when a threshold is reached, what prevents this client from reconnecting and continuing with its mission? The whole point of tarpitting is that it does not stop them, it just makes it more expensive.

Regards.

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
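One way to combine the two ideas discussed in this thread, dropping a session once its bad-recipient ratio crosses a threshold and still charging a client that reconnects, as an added example that is not code from the original post, from sendmail, from clamav-milter or from Joe Maimon's patch. The policy class below is hypothetical: it is keyed on client IP, keeps a small record per client that outlives the SMTP session, and assumes the MTA calls on_rcpt() for every RCPT TO and sleeps for the returned delay before answering. The thresholds, the harvester probe sequence and the IP address are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass
class ClientState:
    """Per-client record; survives across sessions so reconnects are remembered."""
    session_good: int = 0   # existing recipients in the current session
    session_bad: int = 0    # unknown recipients in the current session
    drops: int = 0          # sessions already terminated for this client
    last_seen: float = 0.0  # monotonic timestamp of the last RCPT


class RcptPolicy:
    """Decide, per RCPT TO, whether to accept, tarpit, or drop the session.

    Hypothetical policy engine (not sendmail's or clamav-milter's code):
    the MTA is assumed to sleep for the returned delay before answering.
    """

    def __init__(self, bad_ratio=0.5, min_rcpts=4, base_delay=2.0,
                 max_delay=120.0, forget_after=3600.0):
        self.bad_ratio = bad_ratio        # drop once bad/total reaches this
        self.min_rcpts = min_rcpts        # but only after this many RCPTs
        self.base_delay = base_delay      # seconds per bad RCPT, first session
        self.max_delay = max_delay        # cap so one child is never held forever
        self.forget_after = forget_after  # quiet period after which a client is forgiven
        self.clients = {}                 # ip -> ClientState

    def _state(self, ip, now):
        st = self.clients.get(ip)
        if st is None or now - st.last_seen > self.forget_after:
            st = ClientState()            # new client, or old one forgiven
            self.clients[ip] = st
        st.last_seen = now
        return st

    def new_session(self, ip, now):
        """Reset the per-session counters; the drop count is deliberately kept."""
        st = self._state(ip, now)
        st.session_good = st.session_bad = 0

    def on_rcpt(self, ip, rcpt_exists, now):
        """Return (verdict, delay_seconds) for one RCPT TO."""
        st = self._state(ip, now)
        if rcpt_exists:
            st.session_good += 1
            return "accept", 0.0
        st.session_bad += 1
        total = st.session_good + st.session_bad
        if total >= self.min_rcpts and st.session_bad / total >= self.bad_ratio:
            st.drops += 1                 # remembered for the next connection
            return "drop", 0.0
        # Tarpit: linear in bad RCPTs this session, doubled for every earlier drop,
        # so a harvester that reconnects pays more each time rather than starting over.
        delay = self.base_delay * st.session_bad * (2 ** st.drops)
        return "tarpit", min(delay, self.max_delay)


def simulate(policy, sessions, start=0.0):
    """Replay constructed sessions: list of (ip, [rcpt_exists, ...]).

    Returns one (verdicts, total_delay) pair per session. The simulated client
    waits out each tarpit before sending the next RCPT.
    """
    now = start
    results = []
    for ip, probes in sessions:
        policy.new_session(ip, now)
        verdicts, total_delay = [], 0.0
        for exists in probes:
            verdict, delay = policy.on_rcpt(ip, exists, now)
            verdicts.append(verdict)
            total_delay += delay
            now += delay + 0.1
            if verdict == "drop":
                break
        results.append((verdicts, total_delay))
    return results


# Constructed input: a harvester probing six unknown users per connection,
# reconnecting twice after being dropped. Address is a documentation-range IP.
HARVESTER = [("198.51.100.7", [False] * 6)] * 3

# Constructed input: a legitimate sender with one typo among five recipients.
LEGIT = [("203.0.113.9", [True, True, False, True, True])]

if __name__ == "__main__":
    for verdicts, delay in simulate(RcptPolicy(), HARVESTER):
        print(verdicts, f"{delay:.0f}s waited")
    for verdicts, delay in simulate(RcptPolicy(), LEGIT):
        print(verdicts, f"{delay:.0f}s waited")
```

The harvester gets four probes per connection before the drop, and the time it has to wait grows from 12 to 24 to 48 seconds across the three reconnects, while the sender with a single typo is delayed once for two seconds and never dropped. The delay is still served by an SMTP child for its whole duration, which is exactly the cost Matt Fretwell and Joe Maimon warn about; the ratio-based drop bounds how long any one session can hold a child, and the forget_after window keeps the client table from growing without limit.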