[Mimedefang] Spammers who won't take no for an answer

Jonas Eckerman jonas_lists at frukt.org
Fri Oct 24 09:10:29 EDT 2003


On Thu, 23 Oct 2003 09:22:21 -0400 (EDT), David F. Skoll wrote:

Thoughts off the top of my head following (meaning, I haven't applied 
all the necessary critical processing to them):

> if a given host retries a rejected message with the same SHA1 hash
> more than n times, where n is around 3-5, we could firewall off
> that host for a few hours or days.

Only problem I see with this is that the spammer might start 
pestering secondary MX servers instead.

For some people, that won't be a problem at all, but lots of people 
simply rely on friends being nice and providing backup servers. As 
this habit has the potential to create severe loads on servers, it'd 
be kind of rude to hand the problem over to those friends.

It could also be a problem when you use a slow cheap machine as mail 
backup.

Another thought:

Instead of firewalling, what about routing (through a NAT or 
something?) to another machine with a rather stupid mail server 
acting like this:

* listen
< connect
* sleep 30 seconds
> host.domain SMTP bla bla server; date
< helo stupid.spammer.host
* sleep 30 seconds
> 554 I'm as stupid as you are.
* disconnect

This server would of course use a small SMTP daemon that actually 
can't do anything but reject, so it shouldn't need much CPU or memory. 

I guess that if lots of spammers start behaving like this, the "sleep 
30 seconds" would have to be removed though.

If they actually send all the data before receiving the replies 
(like when using CONNECT or POST through HTTP proxies), we'd also 
have to remove the sleep.

This has other problems of course. It will put a higher demand on the 
machine doing the routing for example, and it will have to 
somehow communicate with it in case the routing is done by a separate 
machine (which I guess it is in most setups, using another machine as 
firewall/router/NAT). But it won't affect secondary mail servers more 
than all spam-based rejecting does.

Of course, just adding the hosts to sendmail's access database is 
probably still the easiest way to handle this, and as long as the 
amount of traffic of this kind isn't too big it'd work just fine.

Regards
/Jonas
-- 
Jonas Eckerman, jonas_lists at frukt.org
http://www.fsdb.org/
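Added example (not from the post's author or the MIMEDefang project): a reject-only tarpit written with Python's asyncio that follows the exchange sketched in the message above (silence, greeting, read the HELO, silence, 554, disconnect). One refinement on the sketch: each "sleep 30 seconds" is a bounded wait for input rather than a fixed pause, so a client that sends its whole transaction before reading any reply (the CONNECT/POST-through-proxy case raised above) is greeted, rejected and dropped immediately instead of holding a slot for a minute, and a peer that hangs up during the pause is simply closed. The host name, port, delays, reply text and the simulate() harness with its constructed client traffic are all assumptions made for this example.

```python
"""Reject-only tarpit SMTP daemon: added example, not MIMEDefang/sendmail code.
Implements the exchange from the post (silence, 220, read HELO, silence, 554,
hang up), with each "sleep" a bounded wait for input rather than a blind sleep,
so a client that blasts its whole transaction without reading replies (the
HTTP-proxy case the post raises) is answered and dropped at once.  Host name,
port, delays and reply text are assumptions made for this example."""
import asyncio
import sys

HOSTNAME = "tarpit.example.invalid"   # assumption: banner host name
BANNER_DELAY = 30.0                   # seconds of silence before the 220
REPLY_DELAY = 30.0                    # seconds of silence before the 554
MAX_LINE = 1024                       # longest line we are willing to buffer
GREETING = f"220 {HOSTNAME} ESMTP reject-only\r\n".encode()
REJECTION = f"554 {HOSTNAME} I'm as stupid as you are\r\n".encode()


async def _read_line(reader, timeout):
    """A line; b'' if the peer hung up or exceeded MAX_LINE; None on timeout."""
    try:
        return await asyncio.wait_for(reader.readline(), timeout)
    except asyncio.TimeoutError:
        return None
    except ValueError:                 # StreamReader's "line too long"
        return b""


async def handle(reader, writer, banner_delay=BANNER_DELAY, reply_delay=REPLY_DELAY):
    """Serve one connection and return a small log dict (handy for tests)."""
    log = {"early_talker": False, "helo": None, "replies": []}

    async def say(line):
        writer.write(line)
        await writer.drain()
        log["replies"].append(line)

    first = await _read_line(reader, banner_delay)
    if first is None:
        # A real MTA waits silently for the greeting, then says HELO/EHLO.
        # Take that line, then make it wait again before the rejection.
        await say(GREETING)
        helo = await _read_line(reader, reply_delay)
        log["helo"] = helo.strip() if helo else None
        if helo:
            await asyncio.sleep(reply_delay)
        await say(REJECTION)
    elif first:
        # Bytes before we said anything: the peer pipelines blindly, so the
        # pauses would only cost us.  Greet, reject, close; parse nothing.
        log["early_talker"], log["helo"] = True, first.strip()
        await say(GREETING)
        await say(REJECTION)
    # first == b'': the peer gave up during the first pause; nothing to say.
    writer.close()
    return log


class _MemoryWriter:
    """Stand-in for asyncio.StreamWriter so handle() can run offline."""

    def __init__(self, reader, deliver_after_greeting=None):
        self.reader, self.pending = reader, deliver_after_greeting
        self.sent, self.closed = bytearray(), False

    def write(self, data):
        self.sent += data
        if self.pending is not None:   # simulated client reacts to the 220
            self.reader.feed_data(self.pending)
            self.reader.feed_eof()
            self.pending = None

    async def drain(self):
        pass

    def close(self):
        self.closed = True


def simulate(client_bytes, early_talker=False, banner_delay=0.05, reply_delay=0.05):
    """Run handle() on constructed client traffic, delivered at connect time
    (early_talker=True) or only after our greeting (the polite case)."""
    async def run():
        reader = asyncio.StreamReader(limit=MAX_LINE)
        if early_talker:
            reader.feed_data(client_bytes)
            reader.feed_eof()
        writer = _MemoryWriter(reader, None if early_talker else client_bytes)
        log = await handle(reader, writer, banner_delay, reply_delay)
        log["closed"], log["wire"] = writer.closed, bytes(writer.sent)
        return log
    return asyncio.run(run())


if __name__ == "__main__":            # usage: python tarpit.py [port]
    async def serve(port):
        server = await asyncio.start_server(handle, "0.0.0.0", port, limit=MAX_LINE)
        async with server:
            await server.serve_forever()
    asyncio.run(serve(int(sys.argv[1]) if len(sys.argv) > 1 else 2525))
```

Run it as "python tarpit.py 2525" and point the NAT or routing rule at that port; simulate() exercises the same handler offline with in-memory streams and constructed client input. The limit= passed to start_server caps how much a peer can make the daemon buffer per line, which matters on a box that is meant to be cheap, and the bounded waits mean the only cost a pipelining client can impose is one short connection.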
