Discussion:
TARPIT ACL - for Spam Control
Marc Perkel
2003-05-05 15:33:43 UTC
I'd like to propose a new feature to be added to Exim as part of ACLs.
In addition to ACCEPT and DENY I'd like to see TARPIT which is to accept
- but to do so at a very slow rate. And - there would have to be other
commands to define what a slow rate means.

The reason I think this would be worthwhile is to help control spam. Not
only to protect the server from overload - but to be able to slow down
spammers to the point where they are delivering far less spam. I don't
know if this will work - but I think it's worth finding out. And - if
it's as easy (easy is very important) as using TARPIT instead of ACCEPT
that a lot of people will try it.

Example:

TARPIT dnslists = blackholes.mail-abuse.org

I believe this would be effective in that hard core spammers are running
at 100% of their capacity. Once they deliver their list they start over
and resend it. If they were slowed by 50% then they could send 50% less
spam.

OTOH, often legitimate email is blocked by accidentally being on a
blacklist and free speech is often infringed accidentally by wrongly
blocking hosts. I've done it myself and it is embarrassing when it
happens. If a legitimate newsletter were wrongly tarpitted - which will
happen to someone - it's no big deal. The newsletter will get delivered
- just more slowly. Since the newsletter isn't trying to saturate its
capacity with spam - a slowdown isn't something that will even be that
noticeable. So - it's my theory that it's something that will hurt
spammers only.

So - I'm proposing that TARPIT be added to Exim and let's try it out.



--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
Mark Boyd
2003-05-05 17:30:52 UTC
Rather than re-inventing this you should check out sa-exim, it works in
conjunction with exim and spamassassin and among other things does what
you're asking for.

- Mark

Philip Hazel
2003-05-06 09:00:35 UTC
Post by Marc Perkel
TARPIT dnslists = blackholes.mail-abuse.org
A simple implementation of this is

  accept dnslists = blackholes.mail-abuse.org
         delay = 4m

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Marc Perkel
2003-05-06 12:38:10 UTC
Is this in the documentation anywhere? I was trying to look it up and
can't find it.
Post by Philip Hazel
Post by Marc Perkel
TARPIT dnslists = blackholes.mail-abuse.org
A simple implementation of this is
accept dnslists = blackholes.mail-abuse.org
delay = 4m


Philip Hazel
2003-05-06 13:17:32 UTC
Post by Marc Perkel
Is this in the documentation anywhere? I was trying to look it up and
can't find it.
In doc/NewStuff currently; will be in manual for 4.20.


--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Andreas Metzler
2003-05-06 15:35:40 UTC
[Quoting fixed - please don't produce fullquotes!]
Post by Marc Perkel
Post by Philip Hazel
Post by Marc Perkel
TARPIT dnslists = blackholes.mail-abuse.org
A simple implementation of this is
accept dnslists = blackholes.mail-abuse.org
delay = 4m
Is this in the documentation anywhere? I was trying to look it up and
can't find it.
In the file named NewStuff
cu andreas

Nico van der Dussen
2003-05-06 12:53:18 UTC
Post by Philip Hazel
A simple implementation of this is
accept dnslists = blackholes.mail-abuse.org
delay = 4m
Seems as if a new verb like "deny-delay" would be appreciated.

But I'm sure there are already ways of achieving this :-)

Regards

Nico


William Thompson
2003-05-06 13:03:16 UTC
Post by Nico van der Dussen
Post by Philip Hazel
A simple implementation of this is
accept dnslists = blackholes.mail-abuse.org
delay = 4m
Seems as if a new verb like "deny-delay" would be appreciated.
But I'm sure there are already ways of achieving this :-)
IIRC, that would be:
  deny dnslists = blackholes.mail-abuse.org
       delay = 4m

Now something like a control = tarpit would be more interesting. If set, it
would make the connection slow. Only read so many bytes a second (say
512/sec) and when sending, only send one line of text or one response within
a time.

Dean Brooks
2003-05-06 13:06:58 UTC
Post by Nico van der Dussen
Post by Philip Hazel
A simple implementation of this is
accept dnslists = blackholes.mail-abuse.org
delay = 4m
Seems as if a new verb like "deny-delay" would be appreciated.
But I'm sure there are already ways of achieving this :-)
Does anyone with a large email site actually implement
tarpit/teergrubbing?

What do you do when a spammer opens 10 channels to you every 20
seconds and you keep them open for a while? Your box would basically
become filled with idle connections, and since Exim uses a forking
model, it would potentially slow the process table runs due to the
number of processes. Depends on power of box, obviously, but still
would seem to be a potential problem.

Since the majority of the world's spam is headed towards larger ISPs
(who may not be implementing this) does all this talk of delaying
spammer connections really do anything significant, or does it just
make the owner of the victim SMTP server feel good about themselves?

I'm sort of playing devil's advocate here, but I just don't see this
as being any significant deterrent to spammers unless the AOLs,
Hotmails, MSNs of the world are implementing this. After all, that's
where the majority of spammers want to go to reach the largest part
of their audience.

--
Dean Brooks
***@iglou.com

Giuliano Gavazzi
2003-05-06 17:57:27 UTC
Post by Dean Brooks
Does anyone with a large email site actually implement
tarpit/teergrubbing?
What do you do when a spammer opens 10 channels to you every 20
seconds and you keep them open for a while? Your box would basically
become filled with idle connections, and since Exim uses a forking
model, it would potentially slow the process table runs due to the
number of processes. Depends on power of box, obviously, but still
would seem to be a potential problem.
Since the majority of the world's spam is headed towards larger ISPs
(who may not be implementing this) does all this talk of delaying
spammer connections really do anything significant, or does it just
make the owner of the victim SMTP server feel good about themselves?
I'm sort of playing devil's advocate here, but I just don't see this
as being any significant deterrent to spammers unless the AOLs,
Hotmails, MSNs of the world are implementing this. After all, that's
where the majority of spammers want to go to reach the largest part
of their audience.
I personally find tarpitting/teergrubing not an incredibly effective idea.
If machine resources (and partly network bandwidth) are unlimited,
you will receive exactly the same amount of spam, as soon as the
system reaches equilibrium again.
Of course machine resources are not unlimited, but spammers use a
large amount of machines (not their own), and one could also reach
his own resource limits before the spammers do.

Giuliano
--
H U M P H
|| |||
software

Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
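
An added example, not part of any post in this thread: a small Python model of the load Dean Brooks describes (10 connections every 20 seconds) held by the `delay = 4m` tarpit, with and without the per-IP connection limit mentioned elsewhere in the thread. The one-process-per-connection accounting, the one-hour window and the cap of 5 are assumptions of the model.

```python
"""Constructed model: one sending host versus a tarpitting, forking SMTP server.

Assumptions (not from the thread): every accepted connection holds exactly
one server process for the full delay and then delivers one message; a
connection over the per-host cap is refused at once and is not retried.
"""
import heapq


def simulate_tarpit(burst_size, burst_interval_s, delay_s, duration_s,
                    per_host_cap=None):
    """Replay connection bursts from one host and report server-side cost."""
    held = []            # min-heap of release times of tarpitted connections
    peak = accepted = refused = 0
    for now in range(0, duration_s, burst_interval_s):
        # Connections whose delay has expired give their process back.
        while held and held[0] <= now:
            heapq.heappop(held)
        for _ in range(burst_size):
            if per_host_cap is not None and len(held) >= per_host_cap:
                refused += 1
            else:
                heapq.heappush(held, now + delay_s)
                accepted += 1
        peak = max(peak, len(held))
    return {"peak_held": peak, "accepted": accepted, "refused": refused}


def steady_state_held(burst_size, burst_interval_s, delay_s):
    """Little's law: held connections = arrival rate x time each is held."""
    return burst_size / burst_interval_s * delay_s


# Figures from the thread: 10 connections every 20 s, delay = 4m (240 s).
BURST, INTERVAL, DELAY, HOUR = 10, 20, 240, 3600

if __name__ == "__main__":
    uncapped = simulate_tarpit(BURST, INTERVAL, DELAY, HOUR)
    capped = simulate_tarpit(BURST, INTERVAL, DELAY, HOUR, per_host_cap=5)
    print("no cap :", uncapped)
    print("cap = 5:", capped)
    print("steady state:", steady_state_held(BURST, INTERVAL, DELAY))
```

Without a cap the host still gets all 1800 connections accepted in the hour while the server carries 120 sleeping processes; with the cap of 5 the server holds 5 processes and accepts 75.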

Alexey Promokhov
2003-05-06 22:01:53 UTC
6 May 2003, Giuliano Gavazzi wrote:

GG> I personally find tarpitting/teergrubing not an incredibly effective idea.
GG> If machine resources (and partly network bandwidth) are unlimited,
GG> you will receive exactly the same amount of spam, as soon as the
GG> system reaches equilibrium again.

What about exponential backoff algorithm? Each new message from same
host is delayed to increasing time. Administrator will have a time to
check logs and take measures against spammer (block the host, for
example), or release all these messages if they are legitimate.

Delay can also be accomplished by returning 4xx code to sending host, or
by leaving messages in queue for specified time.

BTW, many spam runs aren't coming from MTAs. So, if spam message is
temporarily rejected, there are chances that it will not appear again in
future.

--
Alexey Y. Promokhov, system administrator
Joint Stock Venture "GP Telecom", Moscow, Russia


Greg A. Woods
2003-05-07 16:53:39 UTC
[ On Tuesday, May 6, 2003 at 18:57:27 (+0100), Giuliano Gavazzi wrote: ]
Subject: Re: [Exim] TARPIT ACL - for Spam Control
If machine resources (and partly network bandwidth) are unlimited,
you will receive exactly the same amount of spam, as soon as the
system reaches equilibrium again.
The quantity of resources needed to hold a connection open but quiescent
while waiting for a timeout before sending another line of a response is
really quite low.
Of course machine resources are not unlimited, but spammers use a
large amount of machines (not their own), and one could also reach
his own resource limits before the spammers do.
Yes, but spammers will always have fewer machines doing their end of the
job than the number of machines they're targeting. It only takes a few
more on the receiving end to do good response rate limiting and we can
slow down the spammers enough that they can't help but notice.

--
Greg A. Woods

+1 416 218-0098; <***@ieee.org>; <***@robohack.ca>
Planix, Inc. <***@planix.com>; VE3TCP; Secrets of the Weird <***@weird.com>

Tony Earnshaw
2003-05-06 14:30:05 UTC
Post by Philip Hazel
Post by Marc Perkel
TARPIT dnslists = blackholes.mail-abuse.org
A simple implementation of this is
accept dnslists = blackholes.mail-abuse.org
delay = 4m
Maybe I've misunderstood things, but isn't tarpitting already supported
fully - in 4.14 ACLs, at least? I use it against dictionary attacks and
as far as I can see, there's no reason for not being able to use the same
technique in all ACLs.

Tony

--
Tony Earnshaw

Do not come to visit me with both arms the same length.

e-post: ***@billy.demon.nl
www: http://www.billy.demon.nl

Tony Earnshaw



Don Walker
2003-05-06 16:46:58 UTC
How can you use this to delay the spam server and then reject the message?
Post by Marc Perkel
TARPIT dnslists = blackholes.mail-abuse.org
A simple implementation of this is

accept dnslists = blackholes.mail-abuse.org
delay = 4m

William Thompson
2003-05-06 17:01:10 UTC
Post by Don Walker
How can you use this to delay the spam server and then reject the message?
Replace accept with warn then deny later. Just remember, any message =
lines will show up in the message as a header.
Post by Don Walker
Post by Marc Perkel
TARPIT dnslists = blackholes.mail-abuse.org
A simple implementation of this is
accept dnslists = blackholes.mail-abuse.org
delay = 4m

Philip Hazel
2003-05-07 09:36:37 UTC
Post by Don Walker
How can you use this to delay the spam server and then reject the message?
  deny dnslists = whatever
       delay = 4m

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Marc Perkel
2003-05-11 16:17:12 UTC
Yes - the idea would be to make it slow and expensive for spammers to
connect to our servers. So expensive perhaps that they create a
blacklist to avoid us! I would love to be on that blacklist.
Now I had a different idea based on the fact that sending spam is
cheaper than handling the mail for the receiver.
Delaying/tarpitting makes sending a bit more expensive. But it being
just an open connection means it doesn't help a lot. But it can limit
the amount of mail getting into your system if you set a limit on
simultaneous connections per IP.
Now, if we would send a lot of continuation lines in the response, for
every RCPT, the session would use real resources for the spammer. The
current situation is perhaps 60 bytes per recipient. We could raise
that to 1200 bytes.
A dial-up spammer would drop from sending 100 mails per second to 5
mails per second.
Of course it is pretty inelegant. But it could be a suitable response
for hosts on a dynamic IP list if you do not want to totally block
them, and think delaying alone is not effective enough. Just because
it raises the effort for non legitimate mail more than it is for real
mail.
And it only helps in cases where the spammer bandwidth is limited, and
the victim has some bandwidth to spare. That means it would work for
large ISPs.
BTW while setting up tarpitting I've noticed that using message = in a
deny statement does not give anything back in the SMTP session. Any
way around that? It would at least be nice to send some indication why
our mail server seems so slow.
Thomas

Thomas Tonino
2003-05-11 21:52:56 UTC
Post by Marc Perkel
Yes - the idea would be to make it slow and expensive for spammers to
connect to our servers. So expensive perhaps that they create a
blacklist to avoid us! I would love to be on that blacklist.
BTW while setting up tarpitting I've noticed that using message = in a
deny statement does not give anything back in the SMTP session.
Oops... I meant to say 'message in an accept statement'. Any way to tell the
connected host some information while I am tarpitting it while accepting the
mail? Message = in a deny works fine.

I'd see it as a 'soft block' for hosts on a dynhost DNS list for example, and it
would be nice if someone who was running a legitimate mailing list from such a
connection could understand what was going on.


Thomas



Philip Hazel
2003-05-12 16:13:23 UTC
Post by Thomas Tonino
BTW while setting up tarpitting I've noticed that using message = in a
deny statement does not give anything back in the SMTP session.
Oops... I meant to say 'message in an accept statement'. Any way to tell the
connected host some information while I am tarpitting it while accepting the
mail? Message = in a deny works fine.
The only place a message in an "accept" response is going to end up is
the sending host's log, *if* it cares to log such text (Exim does). What
Exim actually sends is the message id of the accepted message, so that
it can be logged in case of a later query. Nothing gets back to the
sending user, of course. That's why "message" does nothing on an
"accept" statement. (It is documented that it only has an effect if
access is denied.)


--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Alan J. Flavell
2003-05-12 17:57:35 UTC
Post by Philip Hazel
The only place a message in an "accept" response is going to end up is
the sending host's log, *if* it cares to log such text (Exim does).
What you _could_ do in an ACL is a "warn" followed by an "accept",
with similar conditions specified on both. Then the message from the
"warn" will turn up in the full headers, if the recipient ever cares
to look.

Of course, it depends what one is trying to achieve. ;-)
I doubt it was the solution that was wanted on this thread, but
YMMV...

Thomas Tonino
2003-05-12 20:06:51 UTC
Post by Philip Hazel
The only place a message in an "accept" response is going to end up is
the sending host's log, *if* it cares to log such text (Exim does). What
Exim actually sends is the message id of the accepted message, so that
it can be logged in case of a later query. Nothing gets back to the
sending user, of course. That's why "message" does nothing on an
"accept" statement. (It is documented that it only has an effect if
access is denied.)
I see two uses for being able to send something when a message is accepted:

- one is to warn someone troubleshooting. They connect by hand from their mail
server to ours, and see something like '250 you are being throttled because your
host is on the DUL list, see http://www.someblacklist.org/'

- the other is the less friendly plan to send (relatively) a lot of data back
per recipient. This would slow down spammers on slow lines a lot. Again, I'd
personally use this for you you didn't want to block but that you would not
expect to send a lot of mail to you. DUL hosts again.

Sending back a lot more data per recipient may be one way to make mass mailing
more expensive, but it won't be effective against spam I suppose.

It is not a bug, but having the possibility to add text to accept messages could
be nice.

BTW I just did a dual language bounce message. If a bounce gets addressed to a
.nl domain a Dutch text is used. The nice flexibility of Exim shows.

I also send a small part of the message body back in the bounce, but the minimum
of 8K that exim wants to send is too big for me. I want bounces to be unusable
for sending spam. Thus I use $message_body to echo part of the message. It
containing spaces instead of newlines is not really a problem (keeps it compact
on screen), though it would be nice if it could be word wrapped.

Then again, the MUA will probably take care of that.


Thomas


Philip Hazel
2003-05-13 09:22:33 UTC
I have added an item to the Wish List.

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Leonardo Boselli
2003-05-12 17:47:58 UTC
Is it possible to both accept and deny?
That is, after getting the full message delivery as if accepted, but
reply a 551 code?
Post by Philip Hazel
The only place a message in an "accept" response is going to end up is
the sending host's log, *if* it cares to log such text (Exim does).
What Exim actually sends is the message id of the accepted message, so
that it can be logged in case of a later query. Nothing gets back to
the sending user, of course. That's why "message" does nothing on an
"accept" statement. (It is documented that it only has an effect if
access is denied.)

Philip Hazel
2003-05-13 09:17:50 UTC
Post by Leonardo Boselli
Is it possible to both accept and deny?
That is, after getting the full message delivery as if accepted, but
reply a 551 code?
No.

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Leonardo Boselli
2003-05-13 13:06:26 UTC
Post by Leonardo Boselli
Is it possible to both accept and deny?
No.
Is that a program limit or a protocol limit or just a netiquette problem?
You could accept the message, except that after having received the data
(and sent to deliver) you could reply with a 5xx error saying that you no
longer accept message from that address.
If the same message comes in again it will get the 554 immediately after
rcpt-to phase.



Philip Hazel
2003-05-13 13:27:05 UTC
Post by Leonardo Boselli
You could accept the message, except that after having received the data
(and sent to deliver) you could reply with a 5xx error saying that you no
longer accept message from that address.
Well, obviously you could. But Exim doesn't have the ability to do this.
That's what I meant by "no".

--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Alexander Sabourenkov
2003-05-13 14:31:59 UTC
Post by Leonardo Boselli
Is that a program limit or a protocol limit or just a netiquette problem?
You could accept the message, except that after having received the data
(and sent to deliver) you could reply with a 5xx error saying that you no
longer accept message from that address.
This is not what 550 after DATA means according to RFC. Thus it is a violation
of the RFC.
Post by Leonardo Boselli
If the same message comes in again it will get the 554 immediately after
rcpt-to phase.
How would you know if this is the same message at the rcpt stage?

--

./lxnt



Leonardo Boselli
2003-05-13 15:03:41 UTC
Post by Alexander Sabourenkov
Post by Leonardo Boselli
If the same message comes in again it will get the 554 immediately after
rcpt-to phase.
How would you know if this is the same message at the rcpt stage?
true ... you could just throw after data, this way the addressee won't
see a duplicate. And if it is a real spam, that try to send again, it
would be a real tarpit !

--
Leonardo Boselli
Nucleo informatico e Telematico
Dipartimento Ingegneria Civile
Universita` di Firenze
Via Santa Marta 3
I-50139 Firenze
+39 055-4796-431
+39 348-8605-348
fax 055-495-333

Marc MERLIN
2003-05-31 22:01:27 UTC
Post by Leonardo Boselli
Is it possible to both accept and deny?
That is, after getting the full message delivery as if accepted, but
reply a 551 code?
No.
Actually, you can with sa-exim, but that's 3rd party
(for that matter, you could write any small local_scan program to send a
reject, and accept the mail anyway. Note that by 'accept', I mean do
something with it, sa-exim stores it on disk in a maildir folder, but
also re-pipe it to exim while the listening exim does reject the said
mail)

Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger ***@merlins.org for PGP key

Thomas Tonino
2003-05-11 09:00:40 UTC
Post by Marc Perkel
I'd like to propose a new feature to be added to Exim as part of ACLs.
In addition to ACCEPT and DENY I'd like to see TARPIT which is to accept
- but to do so at a very slow rate. And - there would have to be other
commands to define what a slow rate means.
So.. that's easy enough with delay = these days.

Now I had a different idea based on the fact that sending spam is cheaper than
handling the mail for the receiver.

Delaying/tarpitting makes sending a bit more expensive. But it being just an
open connection means it doesn't help a lot. But it can limit the amount of mail
getting into your system if you set a limit on simultaneous connections per IP.

Now, if we would send a lot of continuation lines in the response, for every
RCPT, the session would use real resources for the spammer. The current
situation is perhaps 60 bytes per recipient. We could raise that to 1200 bytes.

A dial-up spammer would drop from sending 100 mails per second to 5 mails per
second.

Of course it is pretty inelegant. But it could be a suitable response for hosts
on a dynamic IP list if you do not want to totally block them, and think
delaying alone is not effective enough. Just because it raises the effort for
non legitimate mail more than it is for real mail.

And it only helps in cases where the spammer bandwidth is limited, and the
victim has some bandwidth to spare. That means it would work for large ISPs.

BTW while setting up tarpitting I've noticed that using message = in a deny
statement does not give anything back in the SMTP session. Any way around that?
It would at least be nice to send some indication why our mail server seems so slow.



Thomas


Philip Hazel
2003-05-12 09:07:29 UTC
Post by Thomas Tonino
BTW while setting up tarpitting I've noticed that using message = in a deny
statement does not give anything back in the SMTP session. Any way around that?
It would at least be nice to send some indication why our mail server seems so slow.
Use of "delay" shouldn't affect the use of "message". If you can send a
real example that I can reproduce, I will investigate (but not
immediately).


--
Philip Hazel University of Cambridge Computing Service,
***@cus.cam.ac.uk Cambridge, England. Phone: +44 1223 334714.


Thomas Tonino
2003-05-12 09:40:43 UTC
Post by Philip Hazel
Use of "delay" shouldn't affect the use of "message". If you can send a
real example that I can reproduce, I will investigate (but not
immediately).
I'm sorry, I made a mistake in my post: what I meant to say was that "message"
doesn't seem to produce anything when used in an "accept" (in combination with a
delay, but that should not matter). In any case it does not message back to the
SMTP session.

I'd like to use this to warn a sender why they see a slow response: they are on
a DUL list.


Thomas


Giuliano Gavazzi
2003-05-12 11:32:46 UTC
Post by Thomas Tonino
Post by Philip Hazel
Use of "delay" shouldn't affect the use of "message". If you can send a
real example that I can reproduce, I will investigate (but not
immediately).
I'm sorry, I made a mistake in my post: what I meant to say was that "message"
doesn't seem to produce anything when used in an "accept" (in combination with a
delay, but that should not matter). In any case it does not message back to the
SMTP session.
I'd like to use this to warn a sender why they see a slow response: they are on
a DUL list.
the sender is not a human (at this level). If you accept it means
that the message will be delivered. So it cannot generate a temporary
or permanent failure, the only way to have an error message generated
and sent back to the sender. And note that under temporary error
conditions the error message is only generated after the delivery
attempt has failed for a certain amount of time.

Giuliano

Tony Earnshaw
2003-05-12 16:05:04 UTC
Post by Giuliano Gavazzi
Post by Thomas Tonino
I'd like to use this to warn a sender why they see a slow response: they are on
a DUL list.
the sender is not a human (at this level). If you accept it means
that the message will be delivered. So it cannot generate a temporary
or permanent failure, the only way to have an error message generated
and sent back to the sender. And note that under temporary error
conditions the error message is only generated after the delivery
attempt has failed for a certain amount of time.
Then why would a seasoned mailadmin like Marc Merlin both have built
just this facility into SA-Exim and take great pleasure in exploiting
it? (http://marc.merlins.org/linux/exim/sa.html) His version tarpits and
taunts with an exhortation per line of data.

I use SA-Exim with huge profit, but don't use this method personally,
since I agree with you that there is a machine on the other end.
However, the MTA submitting the spam would definitely have this in its
logs - if the spammer is bright enough to know about logs.

Personally, I don't give an eff about tarpitting or spam, as long as I
never receive the latter, which is what I use SA-Exim and SpamAssassin
for.

Best,

Tony

--
Tony Earnshaw

There's none so daft as them as will not learn.

http://www.billy.demon.nl
Mail: ***@billy.demon.nl


Giuliano Gavazzi
2003-05-12 16:34:53 UTC
Post by Tony Earnshaw
Post by Giuliano Gavazzi
Post by Thomas Tonino
I'd like to use this to warn a sender why they see a slow response: they are on
a DUL list.
the sender is not a human (at this level). If you accept it means
that the message will be delivered. So it cannot generate a temporary
or permanent failure, the only way to have an error message generated
and sent back to the sender. And note that under temporary error
conditions the error message is only generated after the delivery
attempt has failed for a certain amount of time.
Then why would a seasoned mailadmin like Marc Merlin both have built
just this facility into SA-Exim and take great pleasure in exploiting
it? (http://marc.merlins.org/linux/exim/sa.html) His version tarpits and
taunts with an exhortation per line of data.
My fault, I should have made a distinction between message (as
message returned to the peer server as a line of text prepended by
some code) and message (as email message, in this case generated by
the peer server as a result of a temporary/permanent error code being
received).
Post by Tony Earnshaw
I use SA-Exim with huge profit, but don't use this method personally,
since I agree with you that there is a machine on the other end.
However, the MTA submitting the spam would definitely have this in its
logs - if the spammer is bright enough to know about logs.
logs? Do you say that spammers keep logs?
Post by Tony Earnshaw
Personally, I don't give an eff about tarpitting or spam, as long as I
never receive the latter, which is what I use SA-Exim and SpamAssassin
for.
and I'd rather not even have my logs littered by what amounts to
(roughly) 95% of spam, as spam tends to generate more log lines...

another day, another spam defeated


g
--
H U M P H
|| |||
software

Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
http://www.humph.com/
