Re: relaydb and tarpit

2006-04-13 Thread mouss

Michael Monnerie wrote:
> On Thursday, 13 April 2006 18:15 mouss wrote:
> > pfff. just reading the two first paragraphs is enough to look
> > elsewhere. some people seem to redefine what a false positive is.
>
> I didn't mean that, I meant the tarpitting approach. Of course you have
> to set some (much) harder policy on which systems to put on your
> tarpit-blackhole list.
>
> But *if* you have such a "tarpit decider without FP" (not sure how to do
> that...), couldn't this be a very good countermeasure to spam?

The issue is that:
- to tarpit, you need to devote some process or thread to that. and this 
is not unix specific. however you do, you'll need something to handle 
it. even with a packet filter, this still means many unnecessary states.

- the best you can do (at user level) is have an asynchronous process 
(which can handle many connections) to do so. now, either it is the 
listener, but then it needs to pass "good" connections to "good" 
listeners (which ones support this?) or the opposite (which ones support 
this?). of course, you can tune this to the point that you'd write a 
spam-OS. just to discover that spammers found other ways to get to you.

- the most severe problem is to find a criterion to decide who is bad. 
This is what we're all trying to do! If I knew which clients are used by 
spammers, I would need no tarpit nor DNSBL nor SA nor bayes. I would just 
block these.

- sometimes, some ideas seem fine. but they don't resist serious 
analysis. you want to protect yourself, but that's just part of your 
goal. you want to do so at a limited cost and under some (non-explicit 
but real) conditions (killing all the non-white people will 
statistically reduce terrorism, but would you do that?).

I have already seen systems that get idle when I connect to them. These 
systems just make me use my resources in vain, which is not a good 
practice. And I tend to believe these systems are driven by nuts, so are 
easily attacked (I never do that, for both personal and professional 
reasons). The best way to deal with them is to ignore them. route add, 
transport_maps, ... are enough to build one's own internet:)
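The asynchronous front end mouss sketches, as an added example that is neither from this thread nor from relaydb: one coroutine per connection, a caller-supplied decider (an assumption; the thread's point is that a good one is the hard part), and a counter for the state each tarpitted client costs the server. The banner hostname and all timings are constructed.

```python
import asyncio, time

# Constructed values: the banner hostname and the decider callable are not from the thread or relaydb.
BANNER = b"220 mx.example.invalid ESMTP\r\n"

class TarpitFrontend:   # one coroutine per connection, no thread or process per client
    def __init__(self, is_bad, byte_delay=0.02):
        self.is_bad = is_bad        # peer (ip, port) -> bool: the decision the thread calls the hard part
        self.byte_delay = byte_delay
        self.held = self.peak_held = 0   # tarpitted connections now / at worst: the state it costs us
    async def handle(self, reader, writer):
        try:
            if self.is_bad(writer.get_extra_info("peername")):
                await self.tarpit(writer)
            else:
                writer.write(BANNER)
                await writer.drain()
            await reader.read(1024)   # a real front end would hand the session to the MTA here
        except ConnectionError:
            pass                      # client gave up; tarpit()'s finally already released its slot
        finally:
            writer.close()
    async def tarpit(self, writer):
        self.held += 1
        self.peak_held = max(self.peak_held, self.held)
        try:
            for byte in BANNER:       # dribble the banner; the client cannot speak until it ends
                writer.write(bytes([byte]))
                await writer.drain()
                await asyncio.sleep(self.byte_delay)
        finally:
            self.held -= 1

async def demo(n_clients, byte_delay, everyone_bad):
    # n_clients connect at once; returns (peak held connections, slowest banner wait, all banners intact)
    front = TarpitFrontend(lambda peer: everyone_bad, byte_delay)
    server = await asyncio.start_server(front.handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    async def client():
        start = time.monotonic()
        reader, writer = await asyncio.open_connection("127.0.0.1", port)
        banner = await reader.readline()
        writer.close()
        return banner == BANNER, time.monotonic() - start
    async with server:
        results = await asyncio.gather(*(client() for _ in range(n_clients)))
    return front.peak_held, max(t for _, t in results), all(ok for ok, _ in results)

def run_demo(n_clients=3, byte_delay=0.02, everyone_bad=True):
    return asyncio.run(demo(n_clients, byte_delay, everyone_bad))
```

`run_demo()` holds three flagged clients at once for the whole dribbled banner, while `run_demo(everyone_bad=False)` lets the same clients straight through with nothing held.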




Re: relaydb and tarpit

2006-04-13 Thread Michael Monnerie
On Thursday, 13 April 2006 18:15 mouss wrote:
> pfff. just reading the two first paragraphs is enough to look
> elsewhere. some people seem to redefine what a false positive is.

I didn't mean that, I meant the tarpitting approach. Of course you have 
to set some (much) harder policy on which systems to put on your 
tarpit-blackhole list.

But *if* you have such a "tarpit decider without FP" (not sure how to do 
that...), couldn't this be a very good countermeasure to spam?

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   "lynx -source http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Re: relaydb and tarpit

2006-04-13 Thread mouss

Michael Monnerie wrote:
> Sorry for x-posting, but that's a program useful to postfix and/or SA
> users.
>
> http://www.benzedrine.cx/relaydb.html
>
> Does anybody use or know about this program with tarpitting? It sounds
> very interesting, and for the author it seems to work, but I'd like to
> know if others have had good or bad experiences with it. After all, we're
> all fighting spammers, and if there are solutions really working, I'm
> ready to implement it on our servers.

pfff. just reading the first two paragraphs is enough to look elsewhere.

some people seem to redefine what a false positive is. they think that 
just because they reject mail or because the client/sender/... 
misbehaves, then it's not a false positive. This is just silly. a false 
positive is when a classifier considers a legitimate mail as spam, be 
that by rejection, by discarding, by delivering to a junk folder, ... etc.


just say no...


relaydb and tarpit

2006-04-13 Thread Michael Monnerie
Sorry for x-posting, but that's a program useful to postfix and/or SA 
users.

http://www.benzedrine.cx/relaydb.html

Does anybody use or know about this program with tarpitting? It sounds 
very interesting, and for the author it seems to work, but I'd like to 
know if others have had good or bad experiences with it. After all, we're 
all fighting spammers, and if there are solutions really working, I'm 
ready to implement it on our servers.

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   "lynx -source http://zmi.at/zmi3.asc | gpg --import"
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE

