This is a discussion on qmail spam filter question within the alt.comp.mail.qmail forums, part of the Mail Servers and Related category.
Hi,

I am having a lot of problems from spammers that try to send faked emails with Mail From: invalid_user@existingdomain.com and a fake Return-Path to a valid user where they want to send spam. In /var/log/qmail/current I cannot see their IPs.

1. I would like to put a system that will overhead their servers by just dropping the TCP connection without FIN or CLOSE when I see that the intended delivery recipient is not valid.

2. Or better, to keep their connection blocked and send a keepalive or ACK every 30 sec without getting real traffic - just to take out one thread, memory and buffers from their server.

I think if a system like the above is installed on most mail servers, spammers will have their servers crashed by having all connections blocked without sending much traffic; what do you think, can this be a solution? How can it be done?

Thank you,

Chris
Zorba@nonexistent.com <nospam@nonexistent.com> wrote:

> Hi,
>
> I am having a lot of problems from spammers that try to send faked
> emails with Mail From: invalid_user@existingdomain.com and a fake
> Return-Path to a valid user where they want to send spam. In
> /var/log/qmail/current I cannot see their IPs.
>
> 1. I would like to put a system that will overhead their servers by
> just dropping the TCP connection without FIN or CLOSE when I see that
> the intended delivery recipient is not valid.
>
> 2. Or better, to keep their connection blocked and send a keepalive or
> ACK every 30 sec without getting real traffic - just to take out one
> thread, memory and buffers from their server.
>
> I think if a system like the above is installed on most mail
> servers, spammers will have their servers crashed by having all
> connections blocked without sending much traffic; what do you think,
> can this be a solution? How can it be done?
>
> Thank you,
>
> Chris

Not that hard. There are already patches for a nice badrcptto/badmailfrom filtering, for additional logging and for tarpitting (if the rcpts are too many). -> combine it :-)

Hm... if you drop the connection, the sender will try again and so he will still use your mailslots/available smtp connections. But you could tarpit a sender with some <code> please wait a little bit.... message - the smtp session will therefore persist until some maximum transmission timeout takes place. You could slow down the transmission itself as well but this would be more difficult to implement I guess; it would be easier to slow things down after the sender sent "DATA" and before your mail server sends its "ok - go ahead".

If many servers are set up like this, the spammers will get themselves better machines and simply flood your server with connections - I don't think this would help very much. I prefer a message like "I don't like you - go away!"; a sender might be on your black list by accident - with simply tarpitting the connection he/she will not find out what went wrong.

Best regards
Thomas.
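The receiving-side policy discussed in the reply above (answer unknown recipients with an explicit rejection, and delay replies only once a session has sent many RCPT commands), sketched as an added example that is not part of the thread and not taken from any qmail patch. The addresses, thresholds and function names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample data and assumed settings, not values from the thread.
VALID_RCPTS = {"chris@example.org", "sales@example.org"}
TARPIT_COUNT = 3   # RCPT commands answered at full speed
TARPIT_DELAY = 5   # seconds added to each reply after that
MAX_HOLD = 30      # cap on total delay per session


@dataclass
class Reply:
    delay: int  # seconds to wait before sending the reply
    code: int   # SMTP reply code
    text: str


def rcpt_replies(rcpts):
    """Return the reply to each RCPT TO of one SMTP session, in order."""
    replies, held = [], 0
    for n, rcpt in enumerate(rcpts, start=1):
        delay = 0
        if n > TARPIT_COUNT:
            # A delayed session also occupies one of our own SMTP slots,
            # so the total time we hold it is bounded by MAX_HOLD.
            delay = min(TARPIT_DELAY, MAX_HOLD - held)
        held += delay
        if rcpt.lower() in VALID_RCPTS:
            replies.append(Reply(delay, 250, "ok"))
        else:
            # Explicit permanent rejection: a legitimate sender who hits
            # this by mistake can see what went wrong.
            replies.append(Reply(delay, 550, f"no mailbox {rcpt} here"))
    return replies


def total_hold(replies):
    """Seconds this session was kept waiting by the tarpit."""
    return sum(r.delay for r in replies)


if __name__ == "__main__":
    # Constructed session: ten guessed recipients in a row.
    session = [f"guess{i}@example.org" for i in range(10)]
    for r in rcpt_replies(session):
        print(f"wait {r.delay:2d}s  {r.code} {r.text}")
```

A normal sender with one or two recipients is never delayed; only sessions that keep issuing RCPT commands are slowed, and the cap limits how long each one can tie up a local connection slot.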
My server is protected, I will not accept more than 200 concurrent connections from any IP.

I searched more and I found this patch:

http://spamthrottle.qmail.ca/man/qma...hrottle.5.html

I will try to see if I can integrate with other patches.

Thank you,

Chris

"Thomas Krug" <dont-even-think-of-sending-me-spam@siw.de> wrote in message news:c1p7fi$ail$02$1@news.t-online.com...

> Zorba@nonexistent.com <nospam@nonexistent.com> wrote:
>
> > Hi,
> >
> > I am having a lot of problems from spammers that try to send faked
> > emails with Mail From: invalid_user@existingdomain.com and a fake
> > Return-Path to a valid user where they want to send spam. In
> > /var/log/qmail/current I cannot see their IPs.
> >
> > 1. I would like to put a system that will overhead their servers by
> > just dropping the TCP connection without FIN or CLOSE when I see that
> > the intended delivery recipient is not valid.
> >
> > 2. Or better, to keep their connection blocked and send a keepalive or
> > ACK every 30 sec without getting real traffic - just to take out one
> > thread, memory and buffers from their server.
> >
> > I think if a system like the above is installed on most mail
> > servers, spammers will have their servers crashed by having all
> > connections blocked without sending much traffic; what do you think,
> > can this be a solution? How can it be done?
> >
> > Thank you,
> >
> > Chris
>
> Not that hard. There are already patches for a nice badrcptto/badmailfrom filtering, for additional logging and for tarpitting (if the rcpts are too many). -> combine it :-)
>
> Hm... if you drop the connection, the sender will try again and so he will still use your mailslots/available smtp connections. But you could tarpit a sender with some <code> please wait a little bit.... message - the smtp session will therefore persist until some maximum transmission timeout takes place. You could slow down the transmission itself as well but this would be more difficult to implement I guess; it would be easier to slow things down after the sender sent "DATA" and before your mail server sends its "ok - go ahead".
>
> If many servers are set up like this, the spammers will get themselves better machines and simply flood your server with connections - I don't think this would help very much. I prefer a message like "I don't like you - go away!"; a sender might be on your black list by accident - with simply tarpitting the connection he/she will not find out what went wrong.
>
> Best regards
> Thomas.