Re: Moron ratware

2004-09-14 Thread Kenneth Porter
--On Friday, September 10, 2004 9:35 PM -0700 Kenneth Porter <[EMAIL PROTECTED]> wrote: I've been getting the same bad RCPT TO from 200.232.195.50 for the last 13 hours. I've now got 3 hosts connected to me submitting the same bad address over and over. The address is the bogus one I use in the

Re: Moron ratware

2004-09-13 Thread Kenneth Porter
--On Monday, September 13, 2004 1:42 PM -0700 John Hardin <[EMAIL PROTECTED]> wrote: The way the SMTP protocol is constructed, the client opens a connection and waits for a welcome banner before sending data. If the connection is tarpitted immediately, then the client never receives the welcome b

Re: Moron ratware

2004-09-13 Thread John Hardin
On Sat, 2004-09-11 at 12:21, Kenneth Porter wrote: > --On Saturday, September 11, 2004 12:10 PM -0700 John Hardin > <[EMAIL PROTECTED]> wrote: > > > Unfortunately, unless the tarpit responds to the first packet with a > > SMTP welcome banner, the connection won't be tarpitted for longer than > >

Re: Moron ratware

2004-09-11 Thread Kenneth Porter
--On Saturday, September 11, 2004 12:10 PM -0700 John Hardin <[EMAIL PROTECTED]> wrote: Unfortunately, unless the tarpit responds to the first packet with a SMTP welcome banner, the connection won't be tarpitted for longer than the "wait for SMTP welcome" timeout in the client. You need to convin

Re: Moron ratware

2004-09-11 Thread John Hardin
On Sat, 2004-09-11 at 00:09, Kenneth Porter wrote: > --On Friday, September 10, 2004 10:05 PM -0700 Jeff Chan <[EMAIL PROTECTED]> > wrote: > > > Sounds like a good application for a tarpit, i.e.: > > > > http://www.spamcannibal.org/ > > Good idea. Alas, the FC2 kernel lacks the netfilter tarpi

Re: Moron ratware

2004-09-11 Thread Kenneth Porter
--On Friday, September 10, 2004 10:05 PM -0700 Jeff Chan <[EMAIL PROTECTED]> wrote: Sounds like a good application for a tarpit, i.e.: http://www.spamcannibal.org/ Good idea. Alas, the FC2 kernel lacks the netfilter tarpit module. Otherwise I could say something like "iptables -s nasty-spammer

Re: Moron ratware

2004-09-11 Thread Jeff Chan
On Friday, September 10, 2004, 9:35:26 PM, Kenneth Porter wrote: > I've been getting the same bad RCPT TO from 200.232.195.50 for the last 13 > hours. I can see the same sendmail process in /var/log/maillog for that > amount of time, with "last message repeated xxx times" a lot. I tcpdump'd > th

Moron ratware

2004-09-11 Thread Kenneth Porter
I've been getting the same bad RCPT TO from 200.232.195.50 for the last 13 hours. I can see the same sendmail process in /var/log/maillog for that amount of time, with "last message repeated xxx times" a lot. I tcpdump'd the connection and see the RCPT TO and rejection over and over. (System is