Security Incidents mailing list archives

Re: email address probes


From: Axel Beckert - ecos gmbh <beckert () ecos de>
Date: Thu, 6 Feb 2003 18:30:15 +0100

Hi!

About tarpits and teergrubes:

On Wed, Feb 05, 2003 at 06:04:44PM -0500, Greg A. Woods wrote:
> If the connections come fast and furious from the same remote server
> then you can introduce a delay before you send your reject reply status
> code, or even send a "550-User unknown" line, then pause for up to a
> minute or two, and finally a "550 Thanks for trying!" line.  Some people
> call this scheme a "tar pit" -- it slows down a rabid sender because it
> forces it to wait for the last line of the multi-line 550 message.

That's right. But this also has some side effects: The connection
state for each held connection must be stored somewhere in memory. If
you have a lot of such connections, you may run out of memory in the
TCP stack or so...

On Wed, Feb 05, 2003 at 09:01:26PM -0500, Kee Hinckley wrote:
> The only solution I know of is to tarpit the server based on number
> of bounces.  The more it bounces, the more slowly you get around to
> handling responses from it.  I don't know of any off-the-shelf
> solutions that do that though.

There is a very fine teergrubing (from the German word for tarpit:
Teergrube) FAQ from Lutz Donnerhacke at
http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html or
http://www.faqs.org/faqs/net-abuse-faq/teergrube-faq/

There is also the answer to Kee's indirect question:

  Q: Are there any ready to use teergrubes available?

  A: http://www.de.spam.abuse.net/webland/spam/ especially Axel
     Zinser's patch at ftp://ftp.hiss.han.de/pub/sendmail/. Systems
     unable to receive e-mail can be supplied with a special perl script
     from Boston Business Computing.

     I developed a general purpose wrapper to use in front of your
     MTA.

Another question/answer pair is also very interesting:

  Q: Does anyone have any experience with teergrubing?

  A: Axel was able to hold a spammer online for more than two days. I
     have similar records.

     In thur.net.admin there is a daily statistics posting from a real
     teergrube.

But the following thread (German only, sorry) shows that this tarpit
doesn't run anymore because of too much administrative work needed:

http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&threadm=2j0kb9.j97.ln%40news.lorenzmatthias.de&rnum=1&prev=/groups%3Fhl%3Dde%26lr%3D%26ie%3DISO-8859-1%26q%3Dteergrube%26btnG%3DGoogle-Suche%26meta%3Dgroup%253Dthur.net.admin

            Kind regards, Axel Beckert
-- 
--------------------------------------------------------------
Axel Beckert       ecos electronic communication services gmbh
IT security solutions * dynamic web applications * Consulting

Post:       Tulpenstrasse 5          D-55276 Dienheim b. Mainz
E-Mail:     beckert () ecos de          Voice:   +49 6133 939-220
WWW:        http://www.ecos.de/      Fax:     +49 6133 939-333
--------------------------------------------------------------
|                                                            |
|   Visit us at CeBIT from 12 to 19 March 2003                |
|   Messe Hannover * Hall 11 * Booth D42/18                  |
|   http://www.cebit.de/                                     |
|                                                            |
--------------------------------------------------------------
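The multi-line 550 reply Greg describes, with the bounce-count escalation Kee asks about and a bound on held connections for the memory side effect Axel mentions, as an added example written for this archive (not code from the thread, from any MTA, or from the Teergrube FAQ). KNOWN_USERS, the delay constants and the max_held limit are constructed assumptions.

```python
import time
from collections import defaultdict

# Constructed example: tarpit policy for RCPT TO on an unknown recipient.
# The remote host gets a "550-" continuation line, is made to wait, and
# only then receives the final "550 " line it needs before it can proceed.

KNOWN_USERS = {"alice", "bob"}  # constructed local mailbox list (assumption)


class Tarpit:
    """Per-remote-host escalating delay, capped, and bounded in held sockets."""

    def __init__(self, base_delay=5.0, max_delay=120.0, max_held=50):
        self.base_delay = base_delay    # seconds after the second bounce
        self.max_delay = max_delay      # cap, in the "minute or two" range
        self.max_held = max_held        # how many paused connections we afford
        self.bounces = defaultdict(int) # remote IP -> rejected recipients so far
        self.held = 0                   # connections currently paused

    def delay_for(self, ip):
        """Zero for a first offender, then doubling per bounce up to the cap."""
        n = self.bounces[ip]
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def rcpt_reply(self, ip, user):
        """Reply lines for RCPT TO:<user> from ip, as (line, pause_seconds)."""
        if user in KNOWN_USERS:
            return [("250 OK", 0.0)]
        delay = self.delay_for(ip)
        self.bounces[ip] += 1
        if delay == 0.0 or self.held >= self.max_held:
            # No delay earned yet, or no memory budget left to hold the socket.
            return [("550 User unknown", 0.0)]
        return [("550-User unknown", delay), ("550 Thanks for trying!", 0.0)]

    def serve(self, ip, user, send, sleep=time.sleep):
        """Emit the reply through send(), pausing between lines as required."""
        lines = self.rcpt_reply(ip, user)
        held = len(lines) > 1           # only a multi-line reply ties up a socket
        self.held += held
        try:
            for line, pause in lines:
                send(line)
                if pause:
                    sleep(pause)
        finally:
            self.held -= held
        return lines
```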

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

