
Old 02-28-2004
Thomas Krug
 
Re: qmail spam filter question

Zorba@nonexistent.com <nospam@nonexistent.com> wrote:
> Hi,
>
> I am having a lot of problems from spammers that try to send faked
> emails with Mail From: invalid_user@existingdomain.com and a fake
> Return-Path to a valid user where they want to send spam. In
> /var/log/qmail/current I cannot see their IPs.
>
> 1. I would like to put a system that will overhead their servers by
> just dropping the TCP connection without FIN or CLOSE when I saw that
> the intended delivery recipient is not valid.
>
> 2. Or better to keep their connection blocked and send a keepalive or
> ACK every 30 sec without getting real traffic - just to take out one
> thread, memory and buffers from their server.
>
>
> I think if a system like the above is installed on most mail
> servers, spammers will have their servers crashed by having all
> connections blocked without sending much traffic; what do you think,
> can this be a solution? How can it be done?
>
>
> Thank you,
>
> Chris




Not that hard. There are already patches for a nice badrcptto/ badmailfrom
filtering,
for additional logging and for tarpitting (if the rcpts are too many).
-> combine it :-)

Hm... if you drop the connection, the sender will try again and so he will
still use your mailslots/ available smtp connections.
But you could tarpit a sender with some
<code> please wait a little bit....
message - the smtp session will therefore persist until some maximum
transmission timeout takes place.

You could slow down the transmission itself as well but this would be more
difficult to implement I guess; it would be easier to slow things down after
the sender sent "DATA" and before your mail server sends its "ok - go
ahead".

If many servers are set up like this, the spammers will get themselves
better machines and simply flood your server with connections - I don't
think this would help very much. I prefer a message like "I don't like you -
go away!"; a sender might be on your black list by accident - with simply
tarpitting the connection he/she will not find out what went wrong.

Best regards
Thomas.



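The combination Thomas sketches (a badmailfrom/badrcptto lookup, per-session logging of the client IP, tarpitting once a sender has tried too many unknown recipients, and finally an explicit rejection rather than a silent stall) can be modelled as a small RCPT-stage policy. The code below is an added illustration written for this page; it is not qmail code nor one of the patches mentioned in the thread. The recipient and sender lists, the client addresses, the thresholds and the delay are all constructed values; the reply texts only borrow qmail's wording style. The sleep function is injectable so the tarpit can be exercised without actually waiting.

```python
"""Toy SMTP envelope policy: badmailfrom, badrcptto, tarpit, explicit 5xx.

Added example for this thread, not qmail's own code. All addresses,
lists and thresholds below are constructed for illustration.
"""
import time
from dataclasses import dataclass, field

# Constructed data: mailboxes this server accepts (hypothetical domain).
VALID_RECIPIENTS = {"alice@example.test", "bob@example.test"}
# Constructed badmailfrom list: envelope senders refused outright.
BAD_MAIL_FROM = {"spammer@bad.example.test"}

TARPIT_AFTER = 3      # start stalling replies after this many unknown rcpts
TARPIT_DELAY = 5.0    # seconds each stalled reply is delayed (constructed)
MAX_BAD_RCPT = 6      # give up on the session with an explicit 554 here


@dataclass
class Session:
    """State for one SMTP connection; `log` mimics lines written to a log."""
    client_ip: str
    mail_from: str = ""
    bad_rcpt: int = 0
    accepted: list = field(default_factory=list)
    log: list = field(default_factory=list)


def handle_mail_from(sess, addr):
    """MAIL FROM: refuse listed senders with a message they can act on."""
    if addr.lower() in BAD_MAIL_FROM:
        sess.log.append(f"{sess.client_ip} badmailfrom <{addr}>")
        return "553 sorry, your envelope sender is in my badmailfrom list (#5.7.1)"
    sess.mail_from = addr
    return "250 ok"


def handle_rcpt_to(sess, addr, sleep=time.sleep):
    """RCPT TO: accept known mailboxes; log, tarpit and finally reject unknown ones.

    The client IP is written with every bad recipient so the operator can
    see who is probing, which the plain delivery log does not show.
    """
    if addr.lower() in VALID_RECIPIENTS:
        sess.accepted.append(addr)
        return "250 ok"
    sess.bad_rcpt += 1
    sess.log.append(
        f"{sess.client_ip} badrcptto <{addr}> from <{sess.mail_from}> "
        f"count={sess.bad_rcpt}"
    )
    if sess.bad_rcpt >= MAX_BAD_RCPT:
        # Explicit reason rather than a silent stall: a legitimate but
        # misconfigured sender can read this in its bounce/log.
        return "554 too many invalid recipients, closing connection (#5.7.1)"
    if sess.bad_rcpt >= TARPIT_AFTER:
        sleep(TARPIT_DELAY)  # tarpit: keep the session open but answer slowly
    return "550 sorry, no mailbox here by that name (#5.1.1)"


def run_session(client_ip, mail_from, rcpts, sleep=time.sleep):
    """Drive one envelope through the policy; stop after a 553 or 554."""
    sess = Session(client_ip)
    responses = [handle_mail_from(sess, mail_from)]
    if not responses[-1].startswith("250"):
        return sess, responses
    for addr in rcpts:
        resp = handle_rcpt_to(sess, addr, sleep)
        responses.append(resp)
        if resp.startswith("554"):
            break
    return sess, responses


if __name__ == "__main__":
    # Constructed probe: one real mailbox, then a run of guessed names.
    probe = ["alice@example.test"] + [f"user{i}@example.test" for i in range(1, 8)]
    sess, resps = run_session("192.0.2.10", "someone@else.test", probe, sleep=lambda s: None)
    for line in sess.log:
        print(line)
    print(resps[-1])
```

Note the two thresholds: below TARPIT_AFTER every unknown recipient is simply refused with a 550, between TARPIT_AFTER and MAX_BAD_RCPT each refusal is delayed, and at MAX_BAD_RCPT the session ends with a 554 that states why. The last step is the point Thomas makes at the end of his reply: a tarpit alone leaves an accidentally blacklisted sender with no idea what went wrong.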