On Tue, 2003-03-04 at 12:30, Andrew Rose wrote:
*snip*
> 
> My understanding is that the purpose of tarpits is to cause spammers to
> use up a critical resource - namely bandwidth.  However, from where I
> stand, they don't appear to do that.  Under the proposals at
> http://www.martiansoftware.com/articles/spammerpain.html, the SMTP
> server would "throttle" spammy connections by slowing responses from
> the server to the client.  It doesn't make clear what level the
> connection would be slowed at (SMTP or TCP) but even assuming TCP
> (which appears to be the better of the two), tarpits don't actually
> cause a significant increase in the bandwidth required to transmit
> spam.
> 
> What a tarpit does do is use up another resource - elapsed time. 
> However, this is not a critical resource for a spammer.  A spammer can
> easily open several simultaneous connections to the same SMTP server. 
> If each connection is throttled 10- or 100-fold, the spammer only needs
> to create 10 or 100 connections to get the same throughput. 
> Furthermore, those 10 or 100 connections don't need to be to the same
> server (because the email addresses in their database will cover many
> servers).  In that way, the spammer avoids a tarpit modification which
> gives a total effective speed to an IP address (for example). 
> Essentially, a spam sender may as well keep creating connections up to
> the point where their bandwidth has become exhausted.
*snip*

There's a subtle but important distinction I need to make here: tarpits
aren't necessarily meant to *consume* the remote host's bandwidth, but
rather to *deny* it.  The bandwidth scarcity occurs because the tarpit
doesn't accept data at its full rate.  This minimizes victim cost - I'd
hate to have to pay my ISP more because I'm being spammed, which is what
would happen if I took measures to dramatically increase the amount of
data on the wire (as you pointed out later in your message).

A spammer can certainly open several simultaneous connections to an SMTP
server, which is easily accommodated by enabling TarProxy to limit the
number of simultaneous connections from any given address.  Of course,
the spammer can then simply spawn more connections to other machines,
but that's work, which in turn is at least a little pain.  Assuming a
large number of TarProxies out there (an optimistic assumption, I know),
this could place a large burden on their servers, increasing their cost
in hardware and time.

It's been mentioned on the list already but I think it's appropriate to
note here that open relays will NOT modify their software to increase
the number of simultaneous connections they make.  Since open relays are
most likely the bulk of the problem (I'd love to see numbers that can
substantiate or refute this), TarProxy might have significant impact.

- Marty

-- 
Marty Lamb
Martian Software
<mlamb at martiansoftware dot com>
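
The trade-off argued in this message, as an added example that is not part of the original post and is not TarProxy's code: a cap on simultaneous connections per client address, and the delivery rate one address gets from one throttled server with and without that cap. The class and function names, rates and throttle factor are all assumptions chosen for illustration.

```python
# Added illustration; not TarProxy code. Names and numbers are assumptions.
import threading
from collections import defaultdict


class PerAddressLimiter:
    """Caps simultaneous connections from one client address."""

    def __init__(self, max_per_address):
        self.max_per_address = max_per_address
        self._active = defaultdict(int)
        self._lock = threading.Lock()   # accept loops are usually threaded

    def try_acquire(self, addr):
        """Return True if a new connection from addr may be accepted."""
        with self._lock:
            if self._active[addr] >= self.max_per_address:
                return False            # address is already at its cap
            self._active[addr] += 1
            return True

    def release(self, addr):
        """Call when a connection from addr closes."""
        with self._lock:
            if self._active[addr] > 0:
                self._active[addr] -= 1
            if self._active[addr] == 0:
                del self._active[addr]  # keep no state for idle addresses


def accepted_rate(limiter, addr, attempts, full_rate, throttle_factor):
    """Messages/sec one address gets from one server when it opens
    `attempts` parallel connections, each slowed by `throttle_factor`."""
    accepted = sum(1 for _ in range(attempts) if limiter.try_acquire(addr))
    for _ in range(accepted):
        limiter.release(addr)
    return accepted * full_rate / throttle_factor


if __name__ == "__main__":
    sender = "192.0.2.10"               # constructed documentation address
    # Throttle alone: 10 connections at 1/10 speed restore the full rate.
    print(accepted_rate(PerAddressLimiter(100), sender, 10, 10.0, 10))
    # Throttle plus a cap of 2 per address: the same attempt is held down.
    print(accepted_rate(PerAddressLimiter(2), sender, 10, 10.0, 10))
```
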
