From: Michel B. <mi...@bo...> - 2005-05-17 05:49:08
Hi there,

I've seen these last days a growing number of spam attacks that use dictionaries or a high number of random addresses.

This results in the connect table building several dozens of entries from the same IP address, with a lot of different RCPTS, and also different sender_name and sender_domain (even though there are generally more recipient addresses than sender addresses).

This behaviour is very significative of spambots, and I was thinking that a feature such as the following would be helpful in avoiding polluting the connect table:

1/ When a new entry should be added to the connect table;
2/ BUT there are already more than "n" (a configurable number, default 10?) entries in connect from the same SRC (messages that were not yet correctly resent);
3/ THEN do NOT add the new entry to connect, but instead reject with "450 Incoming rate too high, try again later".

With this, new messages will be accepted from this source only when messages already waiting to be re-presented have been ; if they are not, no new entry will be accepted from this source, and it will not uselessly pollute the connect table.

Such a system would also probably minimize the risk of seeing random attacks succeed in the end.

Comments?

--
Michel Bouissou <mi...@bo...> OpenPGP ID 0xDDE8AC6E
Call of 200 IT professionals for a NO to the European Constitutional Treaty:
http://www.200informaticiens.ras.eu.org
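
The per-source limit proposed in the message above, sketched as an added example that is not part of the original post and is not the project's own code. The table schema, the `check` and `pending` helpers, the 300-second greylisting delay, the "DUNNO" verdict and the "Greylisted" reply text are assumptions; only the connect table, its SRC/sender/recipient fields, the limit "n" and the "Incoming rate too high" reply come from the message.

```python
import sqlite3

GREYLISTED = "450 Greylisted, try again later"                # assumed wording
RATE_LIMITED = "450 Incoming rate too high, try again later"  # from the proposal
ACCEPT = "DUNNO"                                              # assumed "no objection" verdict
WHERE = "src = ? AND sender_name = ? AND sender_domain = ? AND rcpt = ?"

def open_db():
    """In-memory stand-in for the connect table (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE connect (
        src TEXT, sender_name TEXT, sender_domain TEXT, rcpt TEXT,
        first_seen INTEGER,
        PRIMARY KEY (src, sender_name, sender_domain, rcpt))""")
    return db

def pending(db, src):
    """Number of entries from src still waiting to be re-presented."""
    return db.execute("SELECT COUNT(*) FROM connect WHERE src = ?",
                      (src,)).fetchone()[0]

def check(db, src, sender, rcpt, now, limit=10, delay=300):
    """Verdict for one RCPT; limit is the proposal's "n", delay is assumed."""
    name, _, domain = sender.rpartition("@")
    key = (src, name, domain, rcpt)
    row = db.execute(f"SELECT first_seen FROM connect WHERE {WHERE}",
                     key).fetchone()
    if row is not None:
        # Known tuple: retries are always evaluated, even when src is over limit.
        if now - row[0] < delay:
            return GREYLISTED
        # Correctly resent: the entry leaves connect and frees a slot for src.
        db.execute(f"DELETE FROM connect WHERE {WHERE}", key)
        return ACCEPT
    # Steps 1-3 of the proposal: new tuple, src already has more than n pending.
    if pending(db, src) > limit:
        return RATE_LIMITED  # nothing is inserted, so connect does not grow
    db.execute("INSERT INTO connect VALUES (?, ?, ?, ?, ?)", key + (now,))
    return GREYLISTED

if __name__ == "__main__":
    db = open_db()
    bot = "192.0.2.10"  # constructed sample source (documentation address range)
    for i in range(15):  # constructed dictionary-style run: new sender and rcpt each time
        print(i, check(db, bot, f"x{i}@example.com", f"u{i}@example.org", now=i))
    print("pending for", bot, "=", pending(db, bot))
```

Because the lookup of an existing tuple happens before the limit test, a legitimate server that is over the limit can still complete its pending retries and regain capacity, which is the behaviour the message describes.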