nanog mailing list archives

Re: *** MAKE SPAM () INTERRAMP COM DIE FAST!!! *** (fwd)


From: Martin Cooper <mjc () cooper org uk>
Date: Fri, 23 Aug 1996 09:23:14 +0100

Matthew Kaufman wrote:

Original message <9608221609.AA21172 () wisdom home vix com>
From: Paul A Vixie <paul () vix com>
Date: Aug 22,  9:09
Subject: Re: *** MAKE SPAM () INTERRAMP COM DIE FAST!!! *** (fwd)

Even if I wanted to do this, I don't think I could take the performance
hit running an access list that large on my incoming ports would create.

Thus the beauty of a Null0 route.  The initial SYN from their spam maker
gets through to your SMTP server, but the initial ACK goes into the hole
rather than back out to their spam maker.  It costs you a TCP PCB for a
short while on the SMTP server, but there are never enough packets to make
this expensive.  And no spam gets through.  Try it, you'll like it.
-- End of excerpt from Paul A Vixie



Our mail server regularly gets stuck with a full listen queue due to
occasional cases of one-way routing out on the net,... deliberately
introducing this would kill it. Consider, for instance, that the spammer
is probably sending mail to dozens of accounts on your system, and each
attempt will generate multiple SYN's, and each one of those wastes a slot
for several minutes. Even if you've cranked it up from the default of 5,
you'll be hosed for hours.

Of course, I suspect that any evidence that multiple providers were filtering
mail based on some agreed-upon list would land all of them in court, though
I'm not a lawyer.

I'd have thought the people likely to take you to court would be your
customers - for not letting people from particular sites send them
email (this assumes that your contract actually guarantees any
connectivity to the Internet of course, and I get the impression
many Internet service contracts read mostly like disclaimers. :) ).

Imagine, for a minute, that some spammer discovers that one of YOUR unix
boxes can be used to forward mail for them, some weekend when you're out
of town,... and your IP address gets blacklisted. How soon would you call
your lawyer to help you recover from what could be a total loss of business?

I like the application level rejection thing - tying rejections to
domain names means that you only have to worry about the "what" and "who"
not the "where from", which is handy given how easy it is to a) claim to
have a From address that is not yours, and b) bounce mail through
different mail relays with the <user%domain@relay-domain> or
<@relay-domain,@other-relay-domain:user@domain> hacks.

Unfortunately your backup MXs can still accept the mail before it
gets rejected by your mail machine, but it shouldn't be too tricky for
them to stop accepting mail for *@somedomain addressed to you with the
same app. level filtering.

MAIL FROM:<user () interramp com>
252 Sorry, we don't accept mail from Interramp due to continued "spamming"

-matthew kaufman
 matthew () scruz net

Martin
-- 
Martin Cooper <mjc () cooper org uk>
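
The application-level rejection discussed in this message, as an added sketch that is not code from the thread: it extracts every domain named in an SMTP MAIL FROM reverse-path, including the `user%domain@relay` and `<@relay,@other:user@domain>` forms mentioned above, and checks each against a blocklist. The function names, the 550/501 reply codes and the `.example` relay names are assumptions of this example.

```python
import re

# Constructed blocklist; the only entry is the domain named in the thread.
BLOCKED_DOMAINS = {"interramp.com"}

_MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def candidate_domains(path):
    """Return every domain a reverse-path mentions, lowercased."""
    domains = []
    # Source route form: @relay1,@relay2:user@domain
    if path.startswith("@") and ":" in path:
        route, path = path.split(":", 1)
        domains += [hop.lstrip("@") for hop in route.split(",")]
    if "@" in path:
        local, domain = path.rsplit("@", 1)
        domains.append(domain)
        # Percent hack: user%domain@relay, possibly nested several times
        while "%" in local:
            local, inner = local.rsplit("%", 1)
            domains.append(inner)
    return [d.strip().lower().rstrip(".") for d in domains if d.strip()]


def is_blocked(domain):
    """Match the listed domain itself or any host beneath it."""
    return any(domain == b or domain.endswith("." + b) for b in BLOCKED_DOMAINS)


def check_mail_from(line):
    """Return the (code, text) reply for one MAIL FROM command line."""
    m = _MAIL_FROM.match(line.strip())
    if not m:
        return (501, "Syntax error in MAIL FROM")
    hits = [d for d in candidate_domains(m.group(1)) if is_blocked(d)]
    if hits:
        return (550, f"Mail from {hits[0]} is not accepted here")
    # The null sender <> (bounces) has no domain and is accepted.
    return (250, "OK")


if __name__ == "__main__":
    # Constructed sample commands, not captured traffic.
    for cmd in ("MAIL FROM:<user@interramp.com>",
                "MAIL FROM:<user%interramp.com@relay.example>",
                "MAIL FROM:<@relay.example,@other.example:user@interramp.com>",
                "MAIL FROM:<user@example.org>"):
        print(cmd, "->", check_mail_from(cmd))
```

Because the decision depends only on the command text, the same function gives the same answer on a backup MX as on the primary mail machine.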

