I am trying to explain what I did in a simple way. In fact, on my firewall I am not really blocking but reducing the bandwidth for the specified IP address to 33.6 Kb/sec, like a dial-up connection speed. So my server spends more CPU time on real users than on spammers.
This is tarpitting. I have also made a more complex setup, but it is useless to say it here. In the future I will also reduce the bandwidth for those who have weights over 10 and 15. I think that an IDS (intrusion detection system) type approach is a good start to protect the server. Declude is the key to deciding what to do with the firewall.

Rifat

----- Original Message -----
From: "Jason Newland" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 16, 2003 4:04 PM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration

Sorry to burst your bubble, but that's not a tarpit. You have a dynamic IP blocker. Tarpitting doesn't block, it slows the attack down, consuming more of their resources, and making their connection seem like it is stuck in a pit of tar (hence the name).

Jason

----- Original Message -----
From: "Rifat Levis" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, June 16, 2003 7:51 AM
Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration integration

> Hi Bill,
>
> I wrote a small VB program.
> ----------------------------------
> Here are more details about the system.
>
> I am using the KIWI syslog server software to send the logs to the SQL.
> You can specify the syslog server IP address in IMAIL. (If you run KIWI on the
> same machine, you have to stop the IMAIL syslog.)
>
> I have written a small Visual Basic program which scans the SQL database for
> "ERR .... INVALID USER" lines every 2 min.
>
> And my little program opens a telnet connection to the firewall and adds the IP
> address to block.
> Then the program removes the IP address after 1 hour.
>
> On my firewall I wrote a global policy group to deny access to port 25.
> So the software adds the IP address and specifies that it belongs to that group
> lls.
>
> I decided also to integrate DECLUDE JUNKMAIL with my firewall.
> For weight over 20 I will block for 1 hour.
> For weight over 30 I will block for 2 hours.
> And so on.
>
> Rifat
>
> ----- Original Message -----
> From: "Bill B." <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, June 16, 2003 3:11 PM
> Subject: Re: [Declude.JunkMail] DSN:Tarpitting and declude firewall
> integration integration
>
> Rifat,
>
> What software are you using to do the tarpitting? Are you running it on the
> same server as IMail, or on a separate box?
>
> Bill
>
> -----Original Message-----
> From: "Rifat Levis"
> Sent: Mon, 16 Jun 2003 02:01:45 +0300
> Subject: [Declude.JunkMail] DSN:Tarpitting and declude firewall integration
>
> People interested in tarpitting and Declude firewall integration can read
> this.
>
> I just finished the tarpitting protection for my IMAIL server.
> I am sending logs to the kiwi syslog server and forwarding them to SQL to
> analyse the data.
>
> When in a 2 min period a single IP sends mail to more than 5 unknown accounts,
> I am blocking the IP address on my netscreen firewall for 1 hour.
>
> The next step of this is to integrate Declude with the firewall.
>
> I have 3 weights:
> weight 10 warn
> weight 15 warn
> weight 20 delete
>
> Instead of deleting weight 20 I will forward it to an account to send data
> to SQL, analyse it and then block it for 1 hour.
>
> NOTE: I am sure that KAMI will be interested :)
>
> Best Regards
> Rifat Levis
>
> ---
> [This E-mail was scanned for viruses by Declude Virus
> (http://www.declude.com)]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be found
> at http://www.mail-archive.com.
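
The detection rule described in the oldest message of this thread (one IP hitting more than 5 unknown accounts within 2 minutes, then a firewall entry that is removed after 1 hour), as an added example that is not part of the original e-mails and is not the Visual Basic program mentioned there. The log line layout, the function names and the choice to count distinct recipients are assumptions; the firewall action itself (deny or bandwidth limit) is left out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)    # scan period given in the thread
MAX_UNKNOWN = 5                  # "more than 5 unknown accounts"
PENALTY = timedelta(hours=1)     # firewall entry is removed after 1 hour

# Assumed (constructed) layout: "<ISO time> <client ip> ERR <rcpt> INVALID USER"
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) ERR (\S+) INVALID USER$")

def find_offenders(lines):
    """Return {ip: (penalty_start, penalty_end)} for IPs that hit more than
    MAX_UNKNOWN distinct unknown recipients inside WINDOW (per-IP time order)."""
    recent = defaultdict(deque)          # ip -> deque of (time, recipient)
    penalties = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # not an invalid-user error line
        ts, ip, rcpt = datetime.fromisoformat(m[1]), m[2], m[3].lower()
        if ip in penalties and ts < penalties[ip][1]:
            continue                     # penalty still running, nothing to add
        q = recent[ip]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()                  # drop events older than the window
        if len({r for _, r in q}) > MAX_UNKNOWN:
            penalties[ip] = (ts, ts + PENALTY)
            q.clear()
    return penalties

def active(penalties, now):
    """IPs whose penalty has not yet expired at `now`."""
    return sorted(ip for ip, (_, end) in penalties.items() if now < end)

# Constructed sample log (documentation address ranges, not real traffic)
SAMPLE = [f"2003-06-16T10:00:{s:02d} 192.0.2.10 ERR user{s}@example.com INVALID USER"
          for s in range(0, 60, 10)]     # 6 unknown recipients in 50 seconds
SAMPLE += [f"2003-06-16T10:{m:02d}:00 198.51.100.7 ERR typo{m}@example.com INVALID USER"
           for m in range(0, 18, 3)]     # 6 misses spread over 15 minutes
SAMPLE.append("2003-06-16T10:01:00 203.0.113.5 OK delivered")  # ignored line

if __name__ == "__main__":
    found = find_offenders(SAMPLE)
    print(found)
    print(active(found, datetime(2003, 6, 16, 10, 30)))
```

The second address sends the same number of bad recipients as the first but never more than one per 2-minute window, so only the burst is penalised.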