Michael Rathbun via mailop <mailop@mailop.org> wrote:
>> This means that each delivery attempt from a trapped host typically takes
>> between 300 and 700 seconds, with a few *extreme* outliers.

> After an initial email to a "sudden death" spamtrap here, the IP is put on the
> no-connect list for 24 hours. On a second offense, it is now three days. Then
> six days, then eleven days.

What? I would expect you to go by prime numbers. 3,7,11.. :-)

Actually, I seriously wonder if there are recurrences that are important.
I observe that many traces still see North American diurnal cycles in
malicious traffic, indicating that it's still being driven by enterprise
desktop PCs that get turned off at night.

> Recently an average day will see 52 first-time offenders, and several hundred
> connection attempts from blocked IPs, often including retries from
> just-blocked sources. This morning the logs showed that on the previous day
> we had 67 connection attempts from IPs which had offended at least
> twice.

Do you consider greytrapping (1-byte window, labrea tar-pit) them all rather
than blocking? I'm trying to think of some way to encode enough state into a
TCP SEQ NUMBER or something like that in order to allow greytrapping without
maintaining state at your end.

> Two
> of those IPs belong to Google.

Someone just has to email to one of your trap addresses from gmail, right?

Your setup is one I've wanted to replicate for awhile.
I just haven't gotten around to it.

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
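
An added example, not part of the original message or of either poster's setup: a small model of the escalating no-connect list described in the quoted text (24 hours, then three, six and eleven days), replayed over constructed events. The class and function names, the sample IP and timestamps, and the choices that offenses past the fourth stay at eleven days and that the offense count survives block expiry are assumptions.

```python
from datetime import datetime, timedelta

# Block durations quoted in the thread: 24 hours, then 3, 6 and 11 days.
ESCALATION = [timedelta(days=d) for d in (1, 3, 6, 11)]

class NoConnectList:
    """Escalating per-IP block list fed by spamtrap hits (hypothetical model)."""
    def __init__(self):
        self.offenses = {}       # ip -> number of trap hits so far
        self.blocked_until = {}  # ip -> time the current block expires
        self.refused = {}        # ip -> attempts refused while blocked

    def trap_hit(self, ip, now):
        """Record mail to a trap address; return when the new block ends."""
        count = self.offenses.get(ip, 0) + 1
        self.offenses[ip] = count
        # Assumption: offenses past the fourth stay at the longest duration.
        duration = ESCALATION[min(count, len(ESCALATION)) - 1]
        self.blocked_until[ip] = now + duration
        return self.blocked_until[ip]

    def allow(self, ip, now):
        """Return True if a connection from ip is accepted at `now`."""
        until = self.blocked_until.get(ip)
        if until is not None and now < until:
            self.refused[ip] = self.refused.get(ip, 0) + 1
            return False
        # Expired: drop the timer, keep the offense count (assumption).
        self.blocked_until.pop(ip, None)
        return True

def replay(events):
    """Replay (timestamp, ip, kind) events; kind is 'connect' or 'trap'."""
    ncl, decisions = NoConnectList(), []
    for ts, ip, kind in events:
        accepted = ncl.allow(ip, ts)
        if accepted and kind == "trap":   # a blocked host never reaches the trap
            ncl.trap_hit(ip, ts)
        decisions.append((ts, ip, "accept" if accepted else "refuse"))
    return ncl, decisions

# Constructed sample events (documentation IP, invented timestamps).
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [
    (T0, "192.0.2.10", "trap"),                          # first offense: 24 h
    (T0 + timedelta(hours=1), "192.0.2.10", "connect"),  # retry while blocked
    (T0 + timedelta(days=2), "192.0.2.10", "trap"),      # second offense: 3 days
    (T0 + timedelta(days=4), "192.0.2.10", "connect"),   # still blocked
    (T0 + timedelta(days=6), "192.0.2.10", "connect"),   # block has expired
]
```
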