[Asrg] Tarpitting
Alessandro Vesely
vesely at tana.it
Thu Aug 7 00:40:25 PDT 2008
Chris Lewis wrote:
> Alessandro Vesely wrote:
>
>> And what about filtering blacklisted IPs at the firewall level, i.e.
>> blocking (reject, drop, or tarpit) their syn requests? Is it better
>> than letting spammers consume our mailer daemon resources?
>
> I have identified 957286 IP addresses infested with (just) Cutwail[+] in
> the past week sending an average of 5.7 emails apiece (last (approx) 30
> hours).

[OT] May I ask if you publish them on a DNSBL?

> Secondly, some bot operators know about banner delays and tarpitting,
> and have relatively short timeouts to avoid damage from them. Banner
> delays, while not as effective as they once were, are still working
> quite well.
>
> The same reason that makes banner delays work (short timeout bots give
> up), makes tarpitting work less well (short timeout bots give up).
>
> Just how much trouble do you think tarpitting causes spammers like that?
>
> Not much.

Thus, you are suggesting that drop, which can be considered a poor
man's tarpit, wrt reject can be more effective. Or is the reason
(short timeout bots give up) rooted in the fact that tarpitting exists?

> It may help in some unusual cases with extremely stupid spammers. Like
> Linhardt sending email to Comcast <evil grin>
>
> Except in a few cases (very specialized MTAs or low email volumes)
> tarpitting usually causes much more trouble to the receiver than the
> sender.
>
> Dropping 'em at the router is difficult, because routers (at present)
> can't be configured to hold all the IPs you'd like it to, and can only
> be used very selectively.

(Using a Linux box may overcome that limit)

> [+] and 669576 infested with Srizbi, with an average of 9.23/apiece
> (currently 13.62% of all spam). Etc.

Thanks for the insight
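
The trade-off argued in this exchange (short-timeout bots cap what a tarpit can cost them, while the receiver pays for every stalled socket), as an added back-of-envelope model that is not part of the original posts. It assumes the quoted Cutwail figures all arrive at one receiver with one SMTP connection per message; the delay and timeout values are hypothetical.

```python
from dataclasses import dataclass

# Cutwail figures quoted in the post; treating them as one receiver's
# inbound load, one SMTP connection per message, is an assumption.
BOTS = 957_286
MSGS_PER_BOT = 5.7
WINDOW_S = 30 * 3600  # "last (approx) 30 hours"


@dataclass
class Outcome:
    bot_gave_up: bool        # bot hung up before the receiver finished stalling
    hold_s: float            # seconds each connection stays open
    receiver_sockets: float  # average sockets the receiver keeps open
    bot_seconds_lost: float  # socket-seconds one bot spends over the window


def simulate(delay_s: float, bot_timeout_s: float) -> Outcome:
    """Receiver stalls every connection for delay_s; the bot drops it at bot_timeout_s."""
    hold = min(delay_s, bot_timeout_s)
    rate = BOTS * MSGS_PER_BOT / WINDOW_S  # connections per second
    return Outcome(
        bot_gave_up=bot_timeout_s < delay_s,
        hold_s=hold,
        receiver_sockets=rate * hold,  # Little's law: L = lambda * W
        bot_seconds_lost=MSGS_PER_BOT * hold,
    )


if __name__ == "__main__":
    # Delay and timeout values below are hypothetical, chosen for illustration.
    cases = [
        ("20 s banner delay, 10 s bot timeout", 20, 10),
        ("300 s tarpit, 10 s bot timeout", 300, 10),
        ("300 s tarpit, 600 s bot timeout", 300, 600),
    ]
    for label, delay, timeout in cases:
        o = simulate(delay, timeout)
        print(f"{label}: gave_up={o.bot_gave_up} "
              f"receiver_sockets={o.receiver_sockets:.0f} "
              f"bot_seconds_lost={o.bot_seconds_lost:.0f}")
```

Against a short-timeout bot the 300 s tarpit holds each connection no longer than the 20 s banner delay does; only a patient bot is slowed, and then the receiver carries thousands of open sockets to do it.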