Re: [Sqlgrey-users] Feature suggestion: kind of tarpitting

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Klaus Alexander Seistrup wrote the following on 17.05.2005 09:29 :

>On 17/05/05, Michel Bouissou <mi...@bo...> wrote:
>
>  
>
>>>Then a culprit will be able to prevent legitimate email originating from
>>>the same IP address, won't he?
>>>      
>>>
>>This won't happen if the considered IP only hosts one machine which is a
>>"normal" mailserver which retries all the messages that it has in queue.
>>
>>This could possibly happen if this IP has a NATted LAN behind it, hosting
>>both a legitimate mailserver and spam/virus sources, in which case it is
>>this network's admin job to make sure that his network doesn't pollute the
>>whole earth with junk. Even in this situation, already known "good"
>>addresses that have already made it to from_awl or domain_awl wouldn't be
>>blocked, only new connections.
>>    
>>
>
>It could happen if the Good Sender and the Evil Sender are both using
>the mail gateway of the same ISP.  And if Good Sender is not already
>in *_awl his mail could be blocked by Evil Sender's DoS'ing.
>
>I would like to be able to disable the feature in SQLgrey's config file.
>
>  
>
I see another problem with this:
when an ISP with which you have a lot of traffic will change a
mailserver IP address, your local MTA will get a lot of new connections
coming in. Having a ceiling for the number of connect entries with the
same src will more or less control the rate of new senders/IP address.
The problem is that you can't reliably detect which IP are legit MTAs
and which are Windows zombies based on this rate alone.
Any thoughts?

Lionel

Lionel.