Re: [Declude.JunkMail] Tar Pitting
I'm intrigued by this idea. During a given minute of time I may get 1000 messages. 1/4 of them are slowed down (occupying more SMTP/Declude sessions), but the burden is spread out.

Can this be applied to increase server capacity? If I throttle, at the firewall, the IPs of spammers, will the load on my server be less?

Has anyone tried this on a maxed out server?

Dan

On Sunday, June 15, 2003 16:01, Rifat Levis [EMAIL PROTECTED] wrote:

> People interested in tarpitting and Declude firewall integration can read this.
>
> I just finished the tarpitting protection for my IMAIL server. I am sending logs to the Kiwi syslog server and forwarding it to SQL to analyse data.
>
> When in a 2 min period a single IP sends mail to more than 5 unknown accounts, I am blocking the IP address on my Netscreen firewall for 1 hour.
>
> The next step of this is to integrate Declude to the firewall.
>
> I have 3 weights:
> weight 10 warn
> weight 15 warn
> weight 20 delete
>
> Instead of deleting weight 20 I will forward it to an account to send data to SQL, analyse it and then block it for 1 hour.
>
> NOTE: I am sure that KAMI will be interested :)
>
> Best Regards
> Rifat Levis

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
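The rule quoted in the message above (one IP mailing more than 5 unknown accounts within 2 minutes earns a 1-hour block) can be sketched as a sliding-window detector; this is an added example, not part of the original thread and not Rifat Levis's actual syslog/SQL setup. The log line layout, the use of a 550 reply to mean "unknown account", counting distinct recipients, and the names `parse`, `UnknownRcptDetector` and `run` are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)    # "in a 2 min period"
THRESHOLD = 5                    # "more than 5 unknown accounts"
BLOCK_FOR = timedelta(hours=1)   # "for 1 hour"

# Constructed sample lines (assumed layout: date time ip verb recipient reply-code).
# This is not IMail's real log format.
SAMPLE_LOG = """\
2003-06-15 16:00:00 192.0.2.10 RCPT a1@example.test 550
2003-06-15 16:00:08 192.0.2.10 RCPT a2@example.test 550
2003-06-15 16:00:15 198.51.100.7 RCPT sales@example.test 250
2003-06-15 16:00:20 192.0.2.10 RCPT a3@example.test 550
2003-06-15 16:00:30 198.51.100.7 RCPT b1@example.test 550
2003-06-15 16:00:31 192.0.2.10 RCPT a4@example.test 550
2003-06-15 16:00:40 192.0.2.10 RCPT a5@example.test 550
2003-06-15 16:00:52 192.0.2.10 RCPT a6@example.test 550
2003-06-15 16:01:00 192.0.2.10 RCPT a7@example.test 550
2003-06-15 16:02:00 203.0.113.5 RCPT c1@example.test 550
2003-06-15 16:02:10 203.0.113.5 RCPT c1@example.test 550
2003-06-15 16:02:20 203.0.113.5 RCPT c1@example.test 550
2003-06-15 16:02:30 203.0.113.5 RCPT c1@example.test 550
2003-06-15 16:02:40 203.0.113.5 RCPT c1@example.test 550
2003-06-15 16:02:50 203.0.113.5 RCPT c1@example.test 550
2003-06-15 16:03:00 198.51.100.7 RCPT b2@example.test 550
2003-06-15 16:06:00 198.51.100.7 RCPT b3@example.test 550
2003-06-15 16:09:00 198.51.100.7 RCPT b4@example.test 550
2003-06-15 16:12:00 198.51.100.7 RCPT b5@example.test 550
2003-06-15 16:15:00 198.51.100.7 RCPT b6@example.test 550
2003-06-15 17:00:53 192.0.2.10 RCPT a8@example.test 550
"""


def parse(line):
    """Return (timestamp, ip, recipient) for a rejected RCPT line, else None."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "RCPT" or parts[5] != "550":
        return None  # accepted recipients and unrelated lines are ignored
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    return ts, parts[2], parts[4].lower()


class UnknownRcptDetector:
    """Per-IP sliding window over rejected recipients; input must be time-ordered."""

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> deque of (timestamp, recipient)
        self.blocked_until = {}            # ip -> block expiry

    def is_blocked(self, ip, ts):
        until = self.blocked_until.get(ip)
        return until is not None and ts < until

    def observe(self, ts, ip, rcpt):
        """Record one rejection; return the block expiry if it triggers a new block."""
        if self.is_blocked(ip, ts):
            return None  # the firewall would already be dropping this source
        window = self.recent[ip]
        window.append((ts, rcpt))
        while window and ts - window[0][0] >= WINDOW:
            window.popleft()  # forget rejections older than the 2-minute window
        # Distinct accounts, so one sender retrying a single typo'd address is not blocked.
        if len({r for _, r in window}) > THRESHOLD:
            until = ts + BLOCK_FOR
            self.blocked_until[ip] = until
            window.clear()
            return until
        return None


def run(log_text):
    """Feed a log through the detector; return (detector, [(ip, start, until), ...])."""
    detector = UnknownRcptDetector()
    blocks = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        until = detector.observe(*event)
        if until is not None:
            blocks.append((event[1], event[0], until))
    return detector, blocks


if __name__ == "__main__":
    for ip, start, until in run(SAMPLE_LOG)[1]:
        print(f"block {ip} from {start} until {until}")
```

In the constructed sample only 192.0.2.10 is blocked; the slow sender and the host retrying a single bad address stay under the threshold, which is the false-positive case a rule like this has to tolerate.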
Re: [Declude.JunkMail] Tar Pitting
> I'm intrigued by this idea. During a given minute of time I may get 1000 messages. 1/4 of them are slowed down (occupying more SMTP/Declude sessions), but the burden is spread out.

Actually, with true tarpitting, there would be slightly fewer SMTP32.exe and Declude.exe processes (they would only get started after the E-mail was received). The number of SMTPD connections (live TCP/IP connections) would increase, but IMail can technically handle 1,000+ simultaneous SMTPD connections.

> Can this be applied to increase server capacity? If I throttle, at the firewall, the IPs of spammers, will the load on my server be less?

It would be less, assuming that IMail can handle it (and that your firewall can do the tarpitting). I'm not aware of any firewalls that can do true SMTP tarpitting (which requires sending short bits of data occasionally to prevent timeouts), but you could simulate it with throttling.

-Scott

---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you have been missing: Ask for a free 30-day evaluation.
Re: [Declude.JunkMail] Tar Pitting
Alligate does it :) (The gateway version anyway)

On 06/18/03 3:25pm you wrote...

> It would be less, assuming that IMail can handle it (and that your firewall can do the tarpitting). I'm not aware of any firewalls that can do true SMTP tarpitting (which requires sending short bits of data occasionally to prevent timeouts), but you could simulate it with throttling.
>
> -Scott
Re: [Declude.JunkMail] Tar Pitting
I find the idea intriguing as well, but if you start to slow down connections wouldn't that just hold TCP connections open longer, possibly making fewer connections available on the server? One of the methods of thwarting file sharing sites is to trickle download many files so that others cannot make connections; would this not have the same effect as tar pitting spammers? Especially since the pro spammers send the same spam run through many different servers.

Just thinking out loud.

Rick Davidson
Buckeye Internet Inc
www.buckeyeweb.com
440-953-1900 ext: 222

----- Original Message -----
From: Dan Patnode [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 18, 2003 3:16 PM
Subject: Re: [Declude.JunkMail] Tar Pitting

> I'm intrigued by this idea. During a given minute of time I may get 1000 messages. 1/4 of them are slowed down (occupying more SMTP/Declude sessions), but the burden is spread out.
>
> Can this be applied to increase server capacity? If I throttle, at the firewall, the IPs of spammers, will the load on my server be less?
>
> Has anyone tried this on a maxed out server?
>
> Dan
Re: [Declude.JunkMail] Tar Pitting
Interesting Scott,

I'm not sure I want to do true tarpitting, I want the spam to get through eventually (just in case it's not), just way after the legitimate stuff. I use Netscreen firewalls and their technical info says throttling to less than 10kbps risks dropping the connection. The idea would be to slow it down enough to:

1) Give priority to non spam
2) Push spam back in time to moment of low server load
3) Make spammers' sending less efficient

Would throttling to 15kbps be slow enough to still make a difference?

Brian,

Alligate looks like a good complement to Declude. Given that it includes features provided by Declude's decode option, do you know if it takes a smaller CPU hit? Does running DECODE OFF and Alligate on take less, more, or about the same load on a server?

Thanks!

Dan

On Wednesday, June 18, 2003 12:25, R. Scott Perry [EMAIL PROTECTED] wrote:

> > I'm intrigued by this idea. During a given minute of time I may get 1000 messages. 1/4 of them are slowed down (occupying more SMTP/Declude sessions), but the burden is spread out.
>
> Actually, with true tarpitting, there would be slightly fewer SMTP32.exe and Declude.exe processes (they would only get started after the E-mail was received). The number of SMTPD connections (live TCP/IP connections) would increase, but IMail can technically handle 1,000+ simultaneous SMTPD connections.
>
> > Can this be applied to increase server capacity? If I throttle, at the firewall, the IPs of spammers, will the load on my server be less?
>
> It would be less, assuming that IMail can handle it (and that your firewall can do the tarpitting). I'm not aware of any firewalls that can do true SMTP tarpitting (which requires sending short bits of data occasionally to prevent timeouts), but you could simulate it with throttling.
>
> -Scott
Re: [Declude.JunkMail] Tar Pitting
I had one customer that told me that he had over 5000 simultaneous open connections with no problems and a large number of these were being tarpitted. I have seen postings in newsgroups that claim to have had 7000 open connections on Win2k Pro. I have not yet been able to determine a hard number for this and don't have enough machines here to create that many connections. We have been able to get up to about 1200 or so.

Brian

On 06/18/03 3:39pm you wrote...

> I find the idea intriguing as well, but if you start to slow down connections wouldn't that just hold TCP connections open longer, possibly making fewer connections available on the server? One of the methods of thwarting file sharing sites is to trickle download many files so that others cannot make connections; would this not have the same effect as tar pitting spammers? Especially since the pro spammers send the same spam run through many different servers.
>
> Just thinking out loud.
>
> Rick Davidson
Re: [Declude.JunkMail] Tar Pitting
Rick,

Makes me wonder if spammers cause traffic surges/spikes that slow our servers down and if this would also smooth those spikes down. Suppose a given sending server had 100 copies of a particular message, running only 5 sessions (speculation) at a time, could the sessions be dragged into off peak hours? If the firewall (or Alligator) could be configured to open the flood gates between midnight and 5am, the queues would be empty by the next morning.

Dan

On Wednesday, June 18, 2003 12:39, Rick Davidson [EMAIL PROTECTED] wrote:

> I find the idea intriguing as well, but if you start to slow down connections wouldn't that just hold TCP connections open longer, possibly making fewer connections available on the server? One of the methods of thwarting file sharing sites is to trickle download many files so that others cannot make connections; would this not have the same effect as tar pitting spammers? Especially since the pro spammers send the same spam run through many different servers.
>
> Just thinking out loud.
>
> Rick Davidson
Re: [Declude.JunkMail] Tar Pitting
> I'm not sure I want to do true tarpitting, I want the spam to get through eventually (just in case it's not), just way after the legitimate stuff.

True tarpitting will allow the E-mail through. The idea is that it will have to wait a long, long time -- something that a legitimate mailserver will do, but most spammers will not. If you're looking at under a minute per SMTP command, non-traditional tarpitting (simple delays) will work. But after about 30 seconds or so, some legitimate mailservers will disconnect. For hours/days, traditional tarpitting would be required.

> I use Netscreen firewalls and their technical info says throttling to less than 10kbps risks dropping the connection. The idea would be to slow it down enough to:

Hmmm... 10kbps is just slightly less fast than a 14.4Kbps modem. At 10kbps, a 1400 byte packet (close to the maximum packet size usually seen) would take about a second and a half to transfer. That isn't going to cause any timeouts in SMTP. On the other hand, that isn't going to cause any real delays, either. A short text spam could be transferred in less than 5 seconds at 10kbps. I don't think that short of a delay would cause the spammer any problems, and I doubt it would provide you with any benefit.

> 1) Give priority to non spam
> 2) Push spam back in time to moment of low server load
> 3) Make spammers' sending less efficient
>
> Would throttling to 15kbps be slow enough to still make a difference?

Unfortunately, I think that it would have to go down to about 1kbps to start to make a difference (at that rate, it would take perhaps 30 seconds to transfer a short spam, or 10+ minutes for a large HTML spam). Even at a minute or so, you really aren't tying up much of the spammer's resources.

The original idea behind tarpitting was that, if a lot of people were doing tarpitting, it would tie up enough of the resources on the sending server (probably an open relay, when the idea came about) to significantly slow down the spam for others. For example, if an IMail server was used to send spam, and it hit 30 servers running tarpitting, it would almost entirely block the outgoing spam.

-Scott
Re: [Declude.JunkMail] Tar Pitting
> and send mail only at the speed that IMail can handle

I'm curious, what rate did you find IMail capable of handling before it stopped responding?

Bill

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Wed, 18 Jun 2003 13:36:44 -0700
Subject: Re: [Declude.JunkMail] Tar Pitting

> Alligate for example, and I am sure most other gateways should level this out for you anyway, and I don't think tarpitting would make a whole lot of difference. When we are forwarding to IMail, we set the forwarding threads fairly conservatively, and send mail only at the speed that IMail can handle it. It is spooled and sent at a constant rate. I have seen the queue get backed up during heavy periods, and then clear up when the load lightens. We crashed IMail (sent processor load to 100%) a couple of times during testing by sending it too much mail and it simply stopped responding.
>
> Tarpitting is more to discourage spammers from sending to your server (hopefully) and to reduce their output. We have seen a lot of them time out after 30 seconds. Some of these are home made spam blaster programs that are single threaded, do their own MX resolution, and can only send out messages one at a time. It really puts the hurt on them when it takes 5-10 minutes to send one message, so they tend to put timeouts in them and disconnect.
>
> Brian
Re: [Declude.JunkMail] Tar Pitting
Hi Bill,

We were testing Alligate at a sustained rate of 8 messages per second, relaying to 4 servers, all with different email server software. We ran this test for 4 hours. One was running IMail with Declude, SpamManager, and Declude Virus. Each server was receiving 2 messages per second, or 7200 per hour.

The IMail server (as configured) was the second slowest. It was ~3000 messages behind after the first hour, and had to reboot 2 or 3 times as I recall during the test. It took about 3 hours to recover after we stopped sending mail for Alligate to deliver the balance to the IMail server. The only one that could handle the load was a Postfix server, and it even fell behind about 200-300 messages.

The messages we were sending were made up of 25% ~2k, 25% ~10k, 25% ~25k and 25% had a 100k EXE attachment.

Because IMail was the only one running virus checking and secondary spam scanning, it is probably not a fair comparison; however, we weren't really trying to benchmark the servers, only our product. We were able to deliver all messages successfully to the IMail server despite the reboots and problems, and that was more the point of the test.

Brian

On 06/18/03 3:37pm you wrote...

> > and send mail only at the speed that IMail can handle
>
> I'm curious, what rate did you find IMail capable of handling before it stopped responding?
>
> Bill