Hi,

Three days ago I sent the following suggestions to the ASSP-ML.

Maybe there are some interesting points for you:


------------------------- snip ----------------------------------------------

I've just considered the cases we have to handle:

1st ASSP:

ASSP needs a traffic shaper (is this possible in Perl without causing high 
load? Otherwise we have to implement an interface to one included in the system).

For recognition of spammers we should implement two mechanisms:

1.) Check if a remote SMTP tries to contact a lot of addresses which do not exist.
2.) Set up random addresses with common usernames for the domains. That 
way we get honeypots to analyze spam mails. From those we can create md5sums 
for Razor and Vipul, which we can use to filter mails from trusted 
remote SMTPs (e.g. big providers).

Behaviour:

1.) Trusted hosts, which means white-listed ones or hosts providing a fixed IP, 
SPF (and in the future DNSSEC), should not have any restrictions.

2.) Unknown hosts, and hosts from 1.) which deliver more than 25% spam mail, 
should be throttled to a speed which is still usable for email but slows 
things down.

3.) Verified spammers (RBL, honeypots, ...) should be throttled to 500 
bytes/sec and tar-pitted for 72 hours (by tuning SMTP headers).



2nd Honeypot client:

The honeypot client should run on workstations as a daemon and emulate an open 
SMTP relay. As workstations usually have dynamic IPs, the spammers cannot 
blacklist them ;-) Hahaha! So they strike themselves (if you fight an enemy, 
never waste your own resources, but use his!).

It should throttle any incoming connection on port 25 to 500 bytes/second and 
tar-pit it as described for ASSP. But as spammers test the open relays, the 
single mails, let's say 20 per 180 seconds from a remote host, should not be 
restricted but sent and hashed with md5sum for Vipul and Razor.

And when the big spamming starts from a remote SMTP host, it gets tar-pitted 
for 72 hours! :-)

Additionally there could be an option to pre-warn an ASSP host when a 
spam attack is starting.

The client should be in Java so it runs on every machine. This also allows 
users to inspect the source code and prove that we do not distribute trojan 
horses ;-)

-------------------------------- snap ----------------------------------------


Regards
Rene
----
: The tarproxy-list mailing list is archived at
:   http://www.mail-archive.com/tarproxy-list%40martiansoftware.com/
:
: To unsubscribe from this list, follow the instructions at
:   http://www.martiansoftware.com/contact.html
:
: TarProxy's project page can be found at
:   http://www.martiansoftware.com/tarproxy
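The per-host policy sketched in the mail above (let the first 20 messages in 180 seconds through at full speed and hash them, then pin the host to 500 bytes/second for 72 hours) as an added worked example. This is illustration code written for this page, not part of the original post, TarProxy or ASSP. The sliding-window counter, the two states ACCEPT/TARPIT, the injectable clock and the chunked pacing loop are assumptions of the example; only the numbers come from the post. MD5 is used here purely as a content fingerprint for Razor-style reporting, as the post proposes, not as a security primitive.

```python
"""Honeypot-relay throttling policy (added example, not project code)."""
import hashlib
import time
from collections import defaultdict, deque

# Numbers taken from the post; everything around them is assumed.
FREE_MESSAGES = 20           # test mails accepted at full speed ...
FREE_WINDOW = 180.0          # ... per this many seconds, per remote host
THROTTLE_BPS = 500           # bytes/second once a host is tar-pitted
TARPIT_SECONDS = 72 * 3600   # how long an offending host stays tar-pitted
CHUNK = 64                   # bytes written per pacing step (assumed)


class RelayPolicy:
    """Decides, per remote host, whether a message goes at full speed or is tar-pitted."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable so tests can move time
        self.recent = defaultdict(deque)     # ip -> timestamps inside FREE_WINDOW
        self.tarpit_until = {}               # ip -> clock value when tarpit ends
        self.digests = defaultdict(int)      # md5 hex -> times seen (Razor feed)

    def _prune(self, ip, now):
        # Drop timestamps that have fallen out of the sliding window.
        q = self.recent[ip]
        while q and now - q[0] > FREE_WINDOW:
            q.popleft()

    def on_message(self, ip, body):
        """Record one delivered message and return 'ACCEPT' or 'TARPIT'."""
        now = self.clock()
        # Hash every message, tar-pitted ones included: harvesting what the
        # spammer sends is the whole point of the honeypot.
        self.digests[hashlib.md5(body).hexdigest()] += 1
        if self.tarpit_until.get(ip, 0.0) > now:
            return "TARPIT"
        self._prune(ip, now)
        self.recent[ip].append(now)
        if len(self.recent[ip]) > FREE_MESSAGES:
            # The "big spamming" has started: pin this host for 72 hours.
            self.tarpit_until[ip] = now + TARPIT_SECONDS
            return "TARPIT"
        return "ACCEPT"

    def is_tarpitted(self, ip):
        return self.tarpit_until.get(ip, 0.0) > self.clock()

    def frequent_digests(self, min_count):
        """Digests seen at least min_count times: candidates to report."""
        return sorted(d for d, n in self.digests.items() if n >= min_count)


def pacing_schedule(nbytes, bps=THROTTLE_BPS, chunk=CHUNK):
    """Return (chunk_len, sleep_seconds) pairs that deliver nbytes at about bps."""
    schedule = []
    remaining = nbytes
    while remaining > 0:
        n = min(chunk, remaining)
        schedule.append((n, n / bps))
        remaining -= n
    return schedule


def send_paced(sock, data, bps=THROTTLE_BPS, sleep=time.sleep):
    """Write data to a socket-like object at the tarpit rate; returns bytes sent."""
    offset = 0
    for n, delay in pacing_schedule(len(data), bps):
        sock.sendall(data[offset:offset + n])
        offset += n
        sleep(delay)   # sleeping after each chunk is what makes it a tarpit
    return offset
```

A real daemon would call `on_message` once per DATA transaction and wrap every write to a tar-pitted peer in `send_paced`; the same pacing applies to SMTP reply lines, which is what keeps the spammer's connection (and sending slot) occupied instead of ours.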
