Tarpitting Spam With Traffic Control

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Oct 16, 2006.

  1. Filtering spam doesn't really cause spammers any pain. The way to cause them
    pain is to take action while they're still in the process of sending the
    spam to you. This article
    <http://www.martiansoftware.com/articles/spammerpain.html> from a few years
    ago describes a way of doing just that, by performing spam filtering
    incrementally, while the message is still being received. If the message
    turns out to be spam, then you "tarpit" the connection--slow down the rate
    at which you receive data, without actually disconnecting--which means
    tying up the spammer's resources and reducing their ability to send out
    spam.

    This article
    <http://www.onlamp.com/pub/a/onlamp/2006/10/12/asynchronous_events.html>
    describes a higher-performance implementation of the same idea, allowing
    for thousands of incoming SMTP connections at once without chewing up huge
    amounts of resources.
     
    Lawrence D'Oliveiro, Oct 16, 2006
    #1

  2. Lawrence D'Oliveiro

    thingy Guest

    Lawrence D'Oliveiro wrote:
    > Filtering spam doesn't really cause spammers any pain. The way to cause them
    > pain is to take action while they're still in the process of sending the
    > spam to you. This article
    > <http://www.martiansoftware.com/articles/spammerpain.html> from a few years
    > ago describes a way of doing just that, by performing spam filtering
    > incrementally, while the message is still being received. If the message
    > turns out to be spam, then you "tarpit" the connection--slow down the rate
    > at which you receive data, without actually disconnecting--which means
    > tying up the spammer's resources and reducing their ability to send out
    > spam.
    >
    > This article
    > <http://www.onlamp.com/pub/a/onlamp/2006/10/12/asynchronous_events.html>
    > describes a higher-performance implementation of the same idea, allowing
    > for thousands of incoming SMTP connections at once without chewing up huge
    > amounts of resources.


    The issue is DoSing your own servers, spammers' servers are set to
    connect fast and dump and disconnect; our load goes from 0.2 to 48 in
    about 2 minutes........seems to have been a huge issue for them....

    This complexity? but why? greylisting still works and is dead
    simple....plus of course it is freely downloadable. I have cut my spam
    to about 1 a week....while Clear manages to spam me at 10~30 a
    day...ditto work despite our expensive solution we still look at 30 odd
    spam a day....

    regards

    Thing
     
    thingy, Oct 16, 2006
    #2

  3. In message <>, thingy wrote:

    > This complexity? but why? greylisting still works and is dead
    > simple....


    May be true, but remember if you rely too much on any single technique, then
    you run the risk of the spammers finding workarounds for that technique.
    Whereas if you hit them with more than one countermeasure at once (e.g.
    greylisting + tarpitting + filtering + blacklists), then it makes it much
    harder for them to fight back.
     
    Lawrence D'Oliveiro, Oct 17, 2006
    #3
  4. Lawrence D'Oliveiro

    thingy Guest

    Lawrence D'Oliveiro wrote:
    > In message <>, thingy wrote:
    >
    >> This complexity? but why? greylisting still works and is dead
    >> simple....

    >
    > May be true, but remember if you rely too much on any single technique, then
    > you run the risk of the spammers finding workarounds for that technique.
    > Whereas if you hit them with more than one countermeasure at once (e.g.
    > greylisting + tarpitting + filtering + blacklists), then it makes it much
    > harder for them to fight back.


    It also makes it harder to manage and control, KISS, Keep It Simple and
    Stupid....Spammers would have to abandon their botnets and send through
    those hacked machines' ISPs, which leaves them open to being
    dis-connected. While yes it is possible, I don't see that happening
    myself anytime soon.

    regards

    Thing
     
    thingy, Oct 17, 2006
    #4
  5. Lawrence D'Oliveiro

    steve Guest

    Lawrence D'Oliveiro wrote:

    > If the message
    > turns out to be spam, then you "tarpit" the connection--slow down the rate
    > at which you receive data, without actually disconnecting--which means
    > tying up the spammer's resources and reducing their ability to send out
    > spam.


    A lot of spam is barely 2k in size......

    Even at a slow speed, it would almost certainly have to have been received
    by the time you throttled it. :)
     
    steve, Oct 17, 2006
    #5
  6. In message <>, thingy wrote:

    > Lawrence D'Oliveiro wrote:
    >> In message <>, thingy wrote:
    >>
    >>> This complexity? but why? greylisting still works and is dead
    >>> simple....

    >>
    >> May be true, but remember if you rely too much on any single technique,
    >> then you run the risk of the spammers finding workarounds for that
    >> technique. Whereas if you hit them with more than one countermeasure at
    >> once (e.g. greylisting + tarpitting + filtering + blacklists), then it
    >> makes it much harder for them to fight back.

    >
    > It also makes it harder to manage and control, KISS, Keep It Simple and
    > Stupid....


    Unfortunately, that's not how it works in an arms race.
     
    Lawrence D'Oliveiro, Oct 17, 2006
    #6
  7. Lawrence D'Oliveiro

    Alan Guest

    "thingy" <> wrote in message
    news:...
    >
    > This complexity? but why? greylisting still works and is dead
    > simple....plus of course it is freely downloadable. I have cut my
    > spam to about 1 a week....while Clear manages to spam me at 10~30 a
    > day...ditto work despite our expensive solution we still look at 30
    > odd spam a day....
    >


    Hi Thing,

    I haven't really played around much with Greylisting, just for the
    address below in fact via Sneakemail which, I believe, Greylists with
    a one hour pause (if I understand it correctly).

    Do you use Greylisting on your own mail server?

    If so, have you experimented with shorter pauses?

    The reason I ask is that, I believe Greylisting would be the single
    most effective filter method (if I was to apply only one) for stopping
    spam but allowing through legitimate email.

    However, a 60 minute delay is a bit too long for what I would want to
    do, but perhaps 10 mins would be viable. However, would 10 mins be
    enough to make the Greylisting effective still I wonder?

    Thanks,

    Alan.
    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb
     
    Alan, Oct 17, 2006
    #7
  8. Lawrence D'Oliveiro

    Zipper Guest

    steve wrote:
    > Lawrence D'Oliveiro wrote:
    >
    >> If the message
    >> turns out to be spam, then you "tarpit" the connection--slow down the rate
    >> at which you receive data, without actually disconnecting--which means
    >> tying up the spammer's resources and reducing their ability to send out
    >> spam.

    >
    > A lot of spam is barely 2k in size......
    >
    > Even at a slow speed, it would almost certainly have to have been received
    > by the time you throttled it. :)


    You throttle the command states not the data.
    Tying up a channel for a minute on each rcpt etc
     
    Zipper, Oct 17, 2006
    #8
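
Added example, not from any poster or the linked articles: a sketch of stalling replies in the SMTP command phase, as the post above describes, using asyncio timers so held connections cost little, plus a cap on simultaneously stalled replies so the tarpit cannot starve the server itself. The class, the `is_suspect` hook, the host name, the delay and the cap are assumptions; only envelope commands are handled.

```python
import asyncio

REPLIES = {"HELO": "250 mx.example", "EHLO": "250 mx.example",
           "MAIL": "250 2.1.0 Ok", "RCPT": "250 2.1.5 Ok", "QUIT": "221 2.0.0 Bye"}

class CommandTarpit:
    """Stall envelope replies for suspect peers, capped to protect our own server."""

    def __init__(self, is_suspect, delay=60.0, max_held=200):
        self.is_suspect = is_suspect  # hypothetical hook: callable(peer_ip) -> bool
        self.delay = delay            # seconds to sit on each MAIL/RCPT reply
        self.max_held = max_held      # assumed ceiling on simultaneously stalled replies
        self.held = 0                 # replies being stalled right now
        self.stalls = 0               # completed stalls, for monitoring

    async def reply(self, peer_ip, line):
        """Return the SMTP reply for one command line, delaying it if warranted."""
        words = line.split(None, 1)
        verb = words[0].upper() if words else ""
        if verb in ("MAIL", "RCPT") and self.is_suspect(peer_ip):
            if self.held >= self.max_held:
                # Shed load rather than let stalled sessions starve real mail.
                return "421 4.3.2 Service busy, closing channel"
            self.held += 1
            try:
                await asyncio.sleep(self.delay)  # a timer, not a blocked thread
            finally:
                self.held -= 1
            self.stalls += 1
        return REPLIES.get(verb, "502 5.5.1 Command not implemented")

    async def serve(self, reader, writer):
        """Connection callback for asyncio.start_server()."""
        peer_ip = writer.get_extra_info("peername")[0]
        writer.write(b"220 mx.example ESMTP\r\n")
        while line := await reader.readline():
            out = await self.reply(peer_ip, line.decode("ascii", "replace"))
            writer.write(out.encode("ascii") + b"\r\n")
            await writer.drain()
            if out[:3] in ("221", "421"):
                break
        writer.close()

def replay(tarpit, peer_ip, commands):
    """Run constructed command lines through reply() without opening a socket."""
    async def run():
        return [await tarpit.reply(peer_ip, c) for c in commands]
    return asyncio.run(run())
```
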
  9. Lawrence D'Oliveiro

    Zipper Guest

    Alan wrote:
    > "thingy" <> wrote in message
    > news:...
    >> This complexity? but why? greylisting still works and is dead
    >> simple....plus of course it is freely downloadable. I have cut my
    >> spam to about 1 a week....while Clear manages to spam me at 10~30 a
    >> day...ditto work despite our expensive solution we still look at 30
    >> odd spam a day....
    >>

    >
    > Hi Thing,
    >
    > I haven't really played around much with Greylisting, just for the
    > address below in fact via Sneakemail which, I believe, Greylists with
    > a one hour pause (if I understand it correctly).
    >
    > Do you use Greylisting on your own mail server?
    >
    > If so, have you experimented with shorter pauses?
    >
    > The reason I ask is that, I believe Greylisting would be the single
    > most effective filter method (if I was to apply only one) for stopping
    > spam but allowing through legitimate email.
    >
    > However, a 60 minute delay is a bit too long for what I would want to
    > do, but perhaps 10 mins would be viable. However, would 10 mins be
    > enough to make the Greylisting effective still I wonder?


    Yes, spammers supposedly don't resend, so any 400 error should be
    enough. Remember that greylisting slows down mail acceptance from
    legitimate people sending to you also and busy servers might only retry
    sending mail every 4 hours etc. So what used to be a near instant
    mail delivery system is now delayed by hours, just something to keep in
    mind as many users get upset that their mail can be delayed because of
    such measures, so whitelisting certain domains can be an idea,
    especially if they have been validated (spf/domain keys etc)

    Greylisting is effective but it certainly won't eliminate all spam, not
    even close. As someone else pointed out, you can't just rely on one method.


    >
    > Thanks,
    >
    > Alan.
     
    Zipper, Oct 17, 2006
    #9
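
Added example, not from any poster: a small greylisting policy that makes the trade-off discussed above measurable, showing when a message is finally accepted for a given minimum delay and sender retry schedule. Keying on the client's /24 network, the retry window, the reply texts and all addresses are assumptions; the whitelist assumes the sender domain was already validated upstream.

```python
import ipaddress

DEFER = "451 4.7.1 Greylisted, try again later"

class Greylist:
    """Defer the first attempt for a triplet; accept a retry after min_delay."""

    def __init__(self, min_delay=600, retry_window=86400, whitelist=()):
        self.min_delay = min_delay        # seconds a sender must wait before retrying
        self.retry_window = retry_window  # assumed lifetime of a pending triplet
        self.whitelist = {d.lower() for d in whitelist}
        self.first_seen = {}              # triplet -> time of first attempt
        self.passed = set()               # triplets that have already retried properly

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply to RCPT for this attempt at time `now` (seconds)."""
        if sender.rpartition("@")[2].lower() in self.whitelist:
            return "250 2.1.5 Ok (whitelisted)"
        # Assumption: key on the IPv4 /24 so retries from a sending pool still match.
        net = ipaddress.ip_network(f"{client_ip}/24", strict=False)
        key = (str(net.network_address), sender.lower(), recipient.lower())
        if key in self.passed:
            return "250 2.1.5 Ok"
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now    # new or expired triplet: start the clock
            return DEFER
        if now - first < self.min_delay:
            return DEFER                  # retried too soon, clock keeps running
        self.passed.add(key)
        return "250 2.1.5 Ok"

def accepted_at(greylist, attempts, client_ip="192.0.2.10",
                sender="alice@example.org", recipient="bob@example.net"):
    """Time of the first accepted attempt in a constructed retry schedule, or None."""
    for t in attempts:
        if greylist.check(client_ip, sender, recipient, t).startswith("250"):
            return t
    return None

if __name__ == "__main__":
    minutes = [0, 300, 900, 2100, 4500]   # constructed retry schedule, in seconds
    print("10 min delay:", accepted_at(Greylist(600), minutes))
    print("60 min delay:", accepted_at(Greylist(3600), minutes))
    print("4 h retries :", accepted_at(Greylist(600), [0, 14400]))
    print("no retry    :", accepted_at(Greylist(600), [0]))
```
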
  10. Lawrence D'Oliveiro

    Anony Mouse Guest

    Lawrence D'Oliveiro wrote:
    > Filtering spam doesn't really cause spammers any pain. The way to cause them
    > pain is to take action while they're still in the process of sending the
    > spam to you. This article
    > <http://www.martiansoftware.com/articles/spammerpain.html> from a few years
    > ago describes a way of doing just that, by performing spam filtering
    > incrementally, while the message is still being received. If the message
    > turns out to be spam, then you "tarpit" the connection--slow down the rate
    > at which you receive data, without actually disconnecting--which means
    > tying up the spammer's resources and reducing their ability to send out
    > spam.
    >
    > This article
    > <http://www.onlamp.com/pub/a/onlamp/2006/10/12/asynchronous_events.html>
    > describes a higher-performance implementation of the same idea, allowing
    > for thousands of incoming SMTP connections at once without chewing up huge
    > amounts of resources.

    Putting higher fences up does not keep burglars out.
    Arresting and locking them up is the only deterrent.

    Would you be happy living in a society that says put higher fences up?

    Seems that way to me.

    FUSSP bullshit as usual.

    Anony Mouse
     
    Anony Mouse, Oct 17, 2006
    #10
  11. In message <eh1rtk$oo3$>, Anony Mouse wrote:

    > Putting higher fences up does not keep burglars out.
    > Arresting and locking them up is the only deterrent.
    >
    > Would you be happy living in a society that says put higher fences up?


    You're talking about "gated communities". Yes, they exist.

    Though what this has to do with the discussion at hand, I'm waiting for you
    to explain...
     
    Lawrence D'Oliveiro, Oct 17, 2006
    #11
  12. Lawrence D'Oliveiro

    Craig Shore Guest

    On Tue, 17 Oct 2006 19:04:25 +1300, Anony Mouse <> wrote:

    >Lawrence D'Oliveiro wrote:
    >> Filtering spam doesn't really cause spammers any pain. The way to cause them
    >> pain is to take action while they're still in the process of sending the
    >> spam to you. This article
    >> <http://www.martiansoftware.com/articles/spammerpain.html> from a few years
    >> ago describes a way of doing just that, by performing spam filtering
    >> incrementally, while the message is still being received. If the message
    >> turns out to be spam, then you "tarpit" the connection--slow down the rate
    >> at which you receive data, without actually disconnecting--which means
    >> tying up the spammer's resources and reducing their ability to send out
    >> spam.
    >>
    >> This article
    >> <http://www.onlamp.com/pub/a/onlamp/2006/10/12/asynchronous_events.html>
    >> describes a higher-performance implementation of the same idea, allowing
    >> for thousands of incoming SMTP connections at once without chewing up huge
    >> amounts of resources.

    >Putting higher fences up does not keep burglars out.
    >Arresting and locking them up is the only deterrent.
    >
    >Would you be happy living in a society that says put higher fences up?
    >
    >Seems that way to me.
    >
    >FUSSP bullshit as usual.
    >
    >Anony Mouse


    You said yourself that it's the Russian Mafia behind some of it. How do you
    propose to arrest and lock them up?
     
    Craig Shore, Oct 17, 2006
    #12
  13. T'was the Tue, 17 Oct 2006 19:04:25 +1300 when I remembered Anony
    Mouse <> saying something like this:

    >Putting higher fences up does not keep burglars out.
    >Arresting and locking them up is the only deterrent.
    >
    >Would you be happy living in a society that says put higher fences up?


    An interesting note, when I was in the Philippines, their fences were
    super high (2m+) with broken glass set into the top. I really did
    think they kept burglars out.

    I think I read someone in my journeys on the internet that around 78%
    of all email sent these days is spam. That's a lot. Whoever solves
    this problem is going to be rich! I'm surprised the spammers don't
    work on solving the issue.
    --
    Cheers,

    Waylon Kenning.
     
    Waylon Kenning, Oct 17, 2006
    #13
  14. Lawrence D'Oliveiro

    thingy Guest

    Lawrence D'Oliveiro wrote:
    > In message <>, thingy wrote:
    >
    >> Lawrence D'Oliveiro wrote:
    >>> In message <>, thingy wrote:
    >>>
    >>>> This complexity? but why? greylisting still works and is dead
    >>>> simple....
    >>> May be true, but remember if you rely too much on any single technique,
    >>> then you run the risk of the spammers finding workarounds for that
    >>> technique. Whereas if you hit them with more than one countermeasure at
    >>> once (e.g. greylisting + tarpitting + filtering + blacklists), then it
    >>> makes it much harder for them to fight back.

    >> It also makes it harder to manage and control, KISS, Keep It Simple and
    >> Stupid....

    >
    > Unfortunately, that's not how it works in an arms race.


    Not necessarily....

    Grey-listing is highly effective, if everyone in the world went to
    grey-listing yes there would have to be a change, but look on the bright
    side.

    Spammers would be forced to use the hacked hosts ISP. The ISP would then
    be forced to do something about it as their servers would get
    blacklisted....also the ISP's smtp servers would follow correct smtp
    protocol and not fire and forget, this would mean a huge decrease in the
    short term available bandwidth (ie the 5~15mins a spammer relies on to
    send his billion emails).

    At the moment we have no one taking responsibility for the problem, an
    ISP is not going to ring up the end user to fix his PC, but would ring
    up and say you have to dis-connect right now and fix your machine, if it
    is not fixed in x days, we terminate your contract....then the user has
    to pay to clean it up...or find another ISP.

    regards

    Thing
     
    thingy, Oct 18, 2006
    #14
