I heard of a similar idea a while back.  The nice thing about it is that
it avoided all possible legal problems.  It also consumed some resources
on your MTA but it is surely doable.  The trick was that as soon as you've
identified that the message is spam during your MTA's conversation, slow
the conversation down to a crawl.  Make each part of the conversation take
as long as technically allowed.  Keep this up until the remote MTA either
quits or until the last command (QUIT) is received and then return an
error code like 421. :)  The idea of giving non-fatal error codes came up
too.  That way the remote MTA will keep trying until the MTA eventually
times out the message.  The point is that this is supposed to consume
large amounts of resources on the spammer's MTA if he hits enough sites
doing this.  I like the idea but I'm not sure how to implement it. :)

Justin

On Fri, 11 Oct 2002, Carl E. Mankinen wrote:

> With all this talk of SA stalling, I decided to go ahead and post an idea
> that a friend of mine posed to me a couple days ago. I don't think he is
> interested in posting to the list, but he hates spam as much as I do.
> 
> The idea is to do something like the "CodeRed" tarpit (labrea, heh) did for
> infected IIS servers, but instead use the technique to slow down MTAs that
> are being used to deliver spam.
> 
> It would be trivial to modify spamassassin on a high score spam email, to
> hand off the address of the offender to a tarpit daemon.
> 
> So if your MTA receives some spam, start sending half open tcp session
> requests to the spam source/openrelay and slow it down. If a spammer hits
> enough tarpits, then it would have the effect of totally DoS'ing the relay
> he is using. I know that some of you will say this is a big legal risk, but
> I wonder...
> 
> What if you changed your 220 line to say "By connecting you agree to legal
> terms at http://blahblah"?
> Would that be sufficient to prevent legal issues? (I am sure some company
> will get pissed their mail server stopped working, and rather hire attorneys
> instead of geeks to fix the problem.)
> 
> Has anyone done anything like this yet? or has the idea been shot down?
> 
> I didn't hear a lot of noise from people that had issues with the CodeRed
> tarpit. I see no difference between an unpatched IIS server that is being
> used to firehose out a worm and a "misconfigured" open relay MTA that is
> being used to firehose out a bunch of UCE.
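
Added example, not part of either message and not SpamAssassin code: a sketch of the slow-reply approach from the reply at the top, run on the receiving side only, assuming the MTA hands a connection its filter has already flagged to a hypothetical `tarpit_session` handler. The function names, reply texts, per-byte delay and session cap are all assumptions.

```python
import asyncio

MAX_HELD = 50  # assumed cap on held sessions; pass asyncio.Semaphore(MAX_HELD) as `slots`
SLOW = ["Please wait", "Still working", "Try again later"]  # constructed reply text

def multiline_reply(code, texts):
    """One SMTP multi-line reply: 'code-' on continuation lines, 'code ' on the last."""
    last = len(texts) - 1
    return b"".join(f"{code}{' ' if i == last else '-'}{t}\r\n".encode("ascii")
                    for i, t in enumerate(texts))

async def stutter(writer, data, delay):
    """Send data one byte at a time, pausing `delay` seconds after each byte."""
    for i in range(len(data)):
        writer.write(data[i:i + 1])
        await writer.drain()
        await asyncio.sleep(delay)

async def tarpit_session(reader, writer, slots, delay=1.0):
    """Hold an already-flagged client: slow 451 replies, then 421 once it sends QUIT."""
    bye = multiline_reply(421, ["Service not available"])
    if slots.locked():  # all slots busy: refuse quickly rather than queue more work
        writer.write(bye)
        await writer.drain()
        writer.close()
        return "rejected"
    async with slots:
        try:
            while True:
                line = await reader.readline()
                if not line:                      # remote MTA gave up first
                    return "client-hung-up"
                if line.strip().upper() == b"QUIT":
                    await stutter(writer, bye, delay)
                    return "quit-421"
                # Any other command gets a non-fatal (4xx) reply, dripped out slowly.
                await stutter(writer, multiline_reply(451, SLOW), delay)
        except ConnectionError:                   # reset while we were still stuttering
            return "client-hung-up"
        finally:
            writer.close()
```

The slot cap is what keeps the cost on the local MTA bounded: once it is reached, new flagged clients get an immediate 421 instead of another held socket.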



_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
