Honeypots mailing list archives

RE: Honeypot/net IDS System


From: "Michael" <michael () insulin-pumpers org>
Date: Fri, 27 Feb 2004 11:47:33 -0800

The tarpit in question is not an smtp dummy, but a true TCP/IP tarpit 
that slams the transmission window shut and hangs on to the server 
until it gives up or times out. This is sometimes days... and... it 
is a single thread for all trapped messages.

This is a very cool idea... Guys, anyone have good pointers about how
to do this with postfix?


This is MTA independent. The tarpit runs at the kernel level and is 
integrated into the firewall code. It will run with any MTA or even 
with an MTA that is on another host behind the firewall. Basically 
all you are doing is screening traffic that is incoming on port 25. 
The message is not received until after the transmitting host has 
presented its IP address in the first TCP/IP packet that carries the 
SYN flag. If it's a bad guy, he's told to proceed but with a very 
small transmission window. If he responds, the window is set to zero 
and he's told to continue :-)    very effective.

The only downside at the moment is that since it uses IPTABLES, it 
can only be deployed on Linux --- that is a lot of hosts, 
fortunately.

Michael
Michael () Insulin-Pumpers org
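The window trick Michael describes (accept the SYN, offer a tiny window, then shut it to zero and just hold the peer) can be approximated from user space on a normal TCP stack: give the listening socket a tiny receive buffer and never read from accepted connections, so the kernel advertises a small window in the SYN/ACK and a zero window once that buffer fills. The following is an added example written for this page, not Michael's kernel/iptables tarpit and not code from the thread; it decides "bad guy" after the handshake on the accepted peer address rather than on the SYN as the firewall version does, and the names `BAD_SOURCES`, `TARPIT_RCVBUF`, `make_listener`, `handle_one`, `flood` and `demo` are all hypothetical. It plays both sides on loopback so it can run offline: the "spammer" side floods the tarpit and reports how little data was accepted before its sends stalled.

```python
import select
import socket
import threading
import time

# Constructed for this example: the source addresses we treat as "bad guys".
# The real tarpit makes this decision in the firewall on the SYN's source
# address; here it is made after accept() on the peer address.
BAD_SOURCES = {"127.0.0.1"}

# Hypothetical knob: the receive buffer we request. Linux clamps and doubles
# the value, but it stays tiny, so the window offered in the SYN/ACK is tiny.
TARPIT_RCVBUF = 1024


def make_listener(host="127.0.0.1", port=0):
    """Listening socket whose accepted connections inherit a tiny receive buffer."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Must be set before listen(): accepted sockets copy it from the listener,
    # and it fixes the initial window advertised during the handshake.
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, TARPIT_RCVBUF)
    srv.bind((host, port))
    srv.listen(8)
    return srv


def handle_one(srv, release):
    """Accept one connection; tarpit it if the peer is on the bad list."""
    conn, (peer_ip, _) = srv.accept()
    try:
        if peer_ip not in BAD_SOURCES:
            return "pass"  # a real deployment would hand this to the MTA
        # Tarpit: never read. The small buffer fills after a few segments, the
        # kernel then advertises a zero window, and the peer is left sending
        # window probes until we let go (a real tarpit holds for hours/days;
        # here we hold until the caller sets `release`).
        release.wait()
        return "tarpit"
    finally:
        conn.close()


def flood(port, chunk=4096, probe_timeout=1.0, overall_timeout=10.0):
    """Play the spammer: push data as fast as possible into the tarpit.

    Returns (bytes_accepted, stalled). `stalled` becomes True once a send
    would block and the socket does not become writable within
    probe_timeout, i.e. the receiver's window is shut and stays shut.
    """
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Small local send queue so the stall shows after a few KB instead of MB.
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 4096)
    cli.connect(("127.0.0.1", port))
    cli.setblocking(False)
    sent, stalled = 0, False
    deadline = time.monotonic() + overall_timeout
    try:
        while time.monotonic() < deadline:
            try:
                sent += cli.send(b"x" * chunk)
            except BlockingIOError:
                # Send queue full: does the peer ever open its window again?
                _, writable, _ = select.select([], [cli], [], probe_timeout)
                if not writable:
                    stalled = True
                    break
    finally:
        cli.close()
    return sent, stalled


def demo():
    """Run tarpit and spammer on loopback; return (bytes_accepted, stalled, outcome)."""
    srv = make_listener()
    release = threading.Event()
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(outcome=handle_one(srv, release)))
    worker.start()
    try:
        sent, stalled = flood(srv.getsockname()[1])
    finally:
        release.set()
        worker.join()
        srv.close()
    return sent, stalled, result["outcome"]


if __name__ == "__main__":
    accepted, stuck, outcome = demo()
    print(f"peer handled as: {outcome}")
    print(f"bytes the tarpit accepted before the window shut: {accepted}")
    print(f"sender stalled on a zero window: {stuck}")
```

Run it as a script on Linux to watch the sender stall after a few kilobytes. Note what this does not reproduce: the firewall version never completes a normal accept, holds the peer for the whole TCP retransmission timeout (days, as the post says) and does so in a single kernel context, whereas this user-space version costs a thread or socket per trapped connection and only lasts as long as the process keeps the socket open.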
