>> On Tue, 1 Jan 2008, mouss wrote:
>>
>> > John D. Hardin wrote:
>> > > On Mon, 31 Dec 2007, Mike Cisar wrote:
>> > >
>> > >> Even tried yanking the IP address off of the server over the
>> > >> holidays in the hope that whatever it was would just give up. No
>> > >> such luck, within a minute of reactivating the IP to the server
>> > >> this morning the traffic was back to full flow.
>> > >
>> > > Tarpit 'em.
>> > >
>> > > http://sourceforge.net/projects/labrea
>> >
>> > Tarpitting may not be the right answer, because "they" have a lot
>> > more resources than us
>>
>> I may have misunderstood what Mike was saying in his original post - I
>> thought that the traffic was originating from a single IP and that was
>> what he had firewalled. Later messages indicate he's being flooded by
>> a botnet and he'd firewalled his local IP, so tarpitting is obviously
>> a less attractive solution - but, consider: if a few thousand bots get
>> snared in his tarpit, are they blocked from spamming others for as
>> long as they are snared? A tarpit is as much a community defense as it
>> is a personal defense.

I would guess that spambots would work sequentially (or probably a fixed number of processes sending sequentially) so that they - and others they want to send to - benefit from tarpitting.

However, labrea may be great software ... but it is certainly not the software one wants to compete with a live machine for incoming connections. If the target mailserver offers unlimited connections, sleeping a while might help (but consume process resources). If it has a maximum incoming connections setting, tarpitting would cause the server to block itself.

Wolfgang Hamann
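
Added example, not part of the original message: a small discrete-event model of the two cases in the reply above, a mail listener with a connection cap versus one without, when every bot connection is held open by a tarpit delay. All figures (10 bot connections per second, a 30 second hold, a cap of 100, one legitimate connection every 5 seconds, bots arriving first within each second) are constructed assumptions, and `simulate` is a hypothetical helper.

```python
import heapq

def simulate(max_conns, tarpit_delay, bot_rate=10, legit_every=5,
             duration=300, service_time=1):
    """Model a listener that tarpits bot connections on the live server.

    Each bot connection occupies a slot for tarpit_delay seconds; each
    legitimate connection occupies one for service_time seconds. Anything
    arriving while max_conns slots are busy is refused (None = no cap).
    Returns (legit_refused, legit_total, peak_open, bots_snared).
    """
    releases = []  # min-heap of the times at which busy slots free up
    legit_refused = legit_total = peak = bots_snared = 0
    for t in range(duration):
        # Free every slot whose hold time has expired.
        while releases and releases[0] <= t:
            heapq.heappop(releases)
        # Assumption: within each second the bots connect before the
        # legitimate client does (worst case for the legitimate client).
        arrivals = [("bot", tarpit_delay)] * bot_rate
        if t % legit_every == 0:
            arrivals.append(("legit", service_time))
        for kind, hold in arrivals:
            if kind == "legit":
                legit_total += 1
            if max_conns is not None and len(releases) >= max_conns:
                if kind == "legit":
                    legit_refused += 1
                continue  # refused: no slot is consumed
            heapq.heappush(releases, t + hold)
            if kind == "bot":
                bots_snared += 1
        peak = max(peak, len(releases))
    return legit_refused, legit_total, peak, bots_snared

if __name__ == "__main__":
    cases = (("cap 100, 30s tarpit", 100, 30),
             ("no cap, 30s tarpit", None, 30),
             ("cap 100, 1s drop", 100, 1))
    for label, cap, delay in cases:
        refused, total, peak, snared = simulate(cap, delay)
        print(f"{label}: legit refused {refused}/{total}, "
              f"peak open {peak}, bots held {snared}")
```

Steady-state occupancy is roughly arrival rate times hold time (10 x 30 = 300 here), so any cap below that is filled by tarpitted bots and legitimate mail is refused, while the uncapped case admits everything at the cost of about 300 simultaneously held connections.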