Security Incidents mailing list archives
Re: email address probes
From: Axel Beckert - ecos gmbh <beckert () ecos de>
Date: Thu, 6 Feb 2003 18:30:15 +0100
Hi! About tarpits and teergrubes: Am Wed, Feb 05, 2003 at 06:04:44PM -0500, Greg A. Woods schrieb:
If the connections come fast and furious from the same remote server then you can introduce a delay before you send your reject reply status code, or even send a "550-User unknown" line, then pause for up to a minute or two, and finally a "550 Thanks for trying!" line. Some people call this scheme a "tar pit" -- it slows down a rabid sender because it forces it to wait for the last line of the multi-line 550 message.
That's right. But this also has some side effects: The connection state for each hold connection must be stored somewhere in memory. If you have a lot of such connection, you may run out of memory in the tcp stack or so... Am Wed, Feb 05, 2003 at 09:01:26PM -0500, Kee Hinckley schrieb:
The only solution I know of is to tarpit the server based on number of bounces. The more it bounces, the more slowly you get around to handling responses from it. I don't know of any off-the-shelf solutions that to do that though.
There is a very fine teergrubing (from the German word for tarpit: Teergrube) FAQ from Lutz Donnerhacke at http://www.iks-jena.de/mitarb/lutz/usenet/teergrube.en.html or http://www.faqs.org/faqs/net-abuse-faq/teergrube-faq/ There is also the answer to Kee's indirect question: Q: Are there any ready to use teergrubes available? A: http://www.de.spam.abuse.net/webland/spam/ especially Axel Zinser's patch at ftp://ftp.hiss.han.de/pub/sendmail/. Systems unable to receive e-mail can supplied with a special perl script from Boston Business Computing. I developed a general purpose wrapper to use in front of your MTA. Another question/answer pair is also very interesting: Q: Does anyone have any experience with teergrubing? A: Axel was able to hold a spammer online for more than two days. I have similar records. In thur.net.admin there is a daily statistics posting from a real teergrube. But the following thread (German only, sorry) shows that this tarpit doesn't run anymore because of too much administrative work needed: http://groups.google.de/groups?hl=de&lr=&ie=UTF-8&threadm=2j0kb9.j97.ln%40news.lorenzmatthias.de&rnum=1&prev=/groups%3Fhl%3Dde%26lr%3D%26ie%3DISO-8859-1%26q%3Dteergrube%26btnG%3DGoogle-Suche%26meta%3Dgroup%253Dthur.net.admin Kind regards, Axel Beckert -- -------------------------------------------------------------- Axel Beckert ecos electronic communication services gmbh IT-Securitylösungen * dynamische Webapplikationen * Consulting Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz E-Mail: beckert () ecos de Voice: +49 6133 939-220 WWW: http://www.ecos.de/ Fax: +49 6133 939-333 -------------------------------------------------------------- | | | Visit us at CeBIT from 12. to 19. March 2003 | | Messe Hannover * Halle 11 * Stand D42/18 | | http://www.cebit.de/ | | | -------------------------------------------------------------- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- email address probes Andy Bastien (Feb 05)
- Re: email address probes Kee Hinckley (Feb 06)
- Re: email address probes Brad Arlt (Feb 06)
- Re: email address probes james (Feb 06)
- Re: email address probes Brad Arlt (Feb 07)
- Re: email address probes Greg A. Woods (Feb 06)
- Re: email address probes Axel Beckert - ecos gmbh (Feb 06)
- RE: email address probes Rob Shein (Feb 07)
- Re: email address probes Axel Beckert - ecos gmbh (Feb 06)
- Re: email address probes Dave Laird (Feb 06)
- Re: email address probes Ned Fleming (Feb 06)
- Re: email address probes Andy Bastien (Feb 07)
- <Possible follow-ups>
- RE: email address probes Johann Kruse (Feb 06)