>> We are also thinking of writing a program to detect a spam attack
>> and automatically hold E-mail once more than X E-mails comes through from
>> the same IP address within Y minutes.
> If they think they are getting through, they will pump as many messages
> into the system as the data line will permit.
Actually, almost all spammers that hijack mail servers are using dialup
lines to send their spam, limiting them to 33.6K (since 56K modems are
really only 56K one way).
The majority of the resources used in relaying a message are for sending it,
where DNS lookups and spooling and retries are needed. That would get
avoided if the messages were quietly tucked away.
> This reduces system performance for the other users.
Certainly, the only way to ensure peak performance is to stop the spammer
cold. Not allowing relaying will prevent this mess in the first place.
But, if that isn't an option, I like the idea of just sucking up all the
spam -- as it cuts into the spammer's profits while doing minimal damage to
you (in my opinion, at least). And, quite a bit less damage is done to the
victim this way.
> I've seen the multi-connections slow SMTP connection response for everyone
> (I use a tarpit setting
> of 150 mSec, which may be part of the overall slowdown).
I'm going to see if I can get some testing done on this. It would be
interesting to know what the threshold is for incoming messages before
performance starts decreasing.
Just an interesting sidenote about tarpitting: Technically, what IMail does
(letting you delay a certain amount of time between recipients) and what
some mail servers such as MailShield do (delaying each SMTP response)
technically aren't tarpitting, according to the original design.
The "true" tarpitting involves huge delays -- often hours or days -- to
deliver a message from an untrusted source. It uses multi-line SMTP
responses to accomplish this (with large delays in between), so that
timeouts don't get reached. When this is done, legitimate mail from
blacklisted servers will go through, just very slowly. But, a spammer (or
open relay that a spammer used) trying to send 100,000's of mails will find
that slowly his connections start getting eaten up, and that he can't send
out as much mail as he could before. As soon as one of the outgoing spams
is sent to someone on a server using tarpitting, that connection is held for
hours at a time. If you were to, say, get dozens to hundreds of such
connections made, it would effectively block outgoing E-mail. If this
happened on a legitimate open relay, then it would minimize the amount of
spam going out before the situation was noticed and could be fixed.
The idea of tarpitting could work very well if it was widely implemented.
Our program doesn't support it, because it needs to be done at a lower level
than the interface that IMail offers. But, the concept has a lot of
potential if used on a widespread basis.
-Scott
Declude: Anti-spam and Anti-virus solutions for IMail.
http://www.declude.com
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
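The "hold mail once more than X messages arrive from the same IP within Y minutes" scheme discussed at the top of the thread, as an added example that is not code from the list post, Declude or IMail. The log lines, IP addresses and the X=3 / Y=10 thresholds are constructed for the demonstration; the detector keeps a sliding window of timestamps per source IP and marks a message "hold" once the window holds more than X entries.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample relay log (not from the post): "<timestamp> <source ip> <sender>"
SAMPLE_LOG = """\
2001-03-05T10:00:00 192.0.2.10 a@example.org
2001-03-05T10:00:20 192.0.2.10 b@example.org
2001-03-05T10:00:40 198.51.100.7 c@example.net
2001-03-05T10:01:00 192.0.2.10 d@example.org
2001-03-05T10:01:30 192.0.2.10 e@example.org
2001-03-05T10:12:00 192.0.2.10 f@example.org
"""


class RelayFloodDetector:
    """Sliding-window counter per source IP (hypothetical class name).

    A message is held once more than max_msgs messages from the same IP
    fall inside the last window_minutes; older timestamps are expired so a
    source that goes quiet is accepted again.
    """

    def __init__(self, max_msgs, window_minutes):
        self.max_msgs = max_msgs
        self.window = timedelta(minutes=window_minutes)
        self.seen = defaultdict(deque)  # ip -> timestamps still inside the window

    def decide(self, ip, ts):
        q = self.seen[ip]
        q.append(ts)
        # Drop entries older than the window, oldest first.
        while q and ts - q[0] > self.window:
            q.popleft()
        return "hold" if len(q) > self.max_msgs else "accept"


def run(log=SAMPLE_LOG, max_msgs=3, window_minutes=10):
    """Replay the log through the detector; returns (ip, sender, decision) tuples."""
    det = RelayFloodDetector(max_msgs, window_minutes)
    results = []
    for line in log.splitlines():
        ts_text, ip, sender = line.split()
        results.append((ip, sender, det.decide(ip, datetime.fromisoformat(ts_text))))
    return results


if __name__ == "__main__":
    for ip, sender, decision in run():
        print(f"{ip:14} {sender:16} {decision}")
```

With the constructed log, the fifth message (fourth from 192.0.2.10 inside ten minutes) is held, while the sixth, arriving after the earlier ones have aged out of the window, is accepted again.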