Mailing List SIMS@mail.stalker.com Message #14736
From: Lyle D. Gunderson <lyle@mac.com>
Subject: Re: SMTP Delay
Date: Mon, 23 Aug 2004 10:39:20 -0600
To: SIMS Discussions <SIMS@mail.stalker.com>
X-Mailer: Claris Emailer 2.0v3, January 22, 1998
On Sat, 21 Aug 2004 11:16:10 -0700, Warren Michelsen
<Warren@MDCCLXXVI.com> is alleged to have written:
>
>In the past, on this list, it's been suggested that having too many RBL
>entries was causing too long a delay in accepting mail.
>
>I note that an increasingly popular anti-spam tactic these days is to add
>an SMTP Delay. Some server admins report a 40% drop in spam with a
>30-second delay. So...
>
>Is this delay right at the very start, before accepting an initial SMTP
>connection? Or is it just a delay after the connection is established but
>before the mail is accepted -- like the delay introduced by the use of too
>many RBLs?

The term I've used for what you are describing is a Teergrube (in
English, tarpit):

<http://en.wikipedia.org/wiki/Tarpit_%28computing%29>

There are a variety of ways of introducing the delay, with different
levels of effectiveness and fiendishness. The link above is a nice intro.
>
>Either way, I'm wondering if I might be better off adding more RBLs to my
>SIMS server. Will less patient spammers quickly give up and go away?
>
I don't think there is a person monitoring the progress of the entry of
spam into your email system. The spammer is probably snoring away in the
U.S. while a server in Hong Kong or Hungary is hitting your server. If
there is any effect on the spam source, it would be an automated
threshold of some kind, as far as I know.

>Does SIMS in fact wait for responses from each RBL that is queried?

I believe it does, from watching logs. Otherwise, what would be the point?

>If so,
>I'm thinking that it might be possible to write a short delay daemon that
>I can run on my OS X box, whose only purpose is to respond to a RBL lookup
>with a not-blacklisted response -- after a delay of 30 seconds.

I don't know if a 30 second delay is needed or not. I've seen waits of a
few seconds discussed, which have no real effect on legitimate individual
emails but which would add up to lots of time for a spamming machine.
>
>I then add the address of this daemon to my RBL list and thereby implement
>a 30-second delay which SIMS is otherwise not capable of. (Or would
>caching of responses cause this to fail?)

When you started talking about a tarpit on this list, the approach you
are describing is what popped into my head as well. Just a DNS server
that takes 30 seconds to say "I dunno".
>
>Is there a way to add a SMTP delay to SIMS or to achieve the same effect?
>
>Will adding more RBL entries help to reduce spam (quite apart from
>additional RBL hits) by introducing a delay?

This is a good question, which applies to the whole subject of tarpits.
Obviously, if your server's behavior can cause an automated spamming
machine to go elsewhere, then it is a win for you. I don't know if that
will happen. One tarpit strategy is to detect a spamming machine (by
looking for multiple emails to nonexistent addresses, for example) and
then send a SYN/ACK response, then ignore the connection. This is like
answering a telemarketer by saying "Wow! I just happen to be in the market
for a new septic tank, but there's somebody at the door. Can you hang on
for just a sec?", and going back to watching "Austin Powers". This would
occupy a spamming machine for quite some time, magnifying any effect on
its rate of spam shovelling (or any timer it might be using in a decision
to give up on your domain).
>
I think tarpitting would have the greatest effect if it were widely used.
Even if a spamming machine was infinitely patient, and burned up 30
seconds or more on each address it tries to send to your domain(s), that
might burn up a day's worth of its time instead of a couple of minutes,
which is one less day's worth of its spam in the world.

Imagine if every SMTP server had a tarpit.

<rant>
Personally, there are so many poorly-run servers, and so many idiots that
react positively to spam by buying whatever they are selling, that we'll
see no decrease until spam laws become universally adopted, international
in scope, and consistent in enforcement.

Or until somebody goes over the edge, tracks down a few of the worst
spammers, and puts bullets in their heads.
</rant>

>Finally, will adding a delay just cause spammers to move more quickly to
>secondary MXs for my domains?

I think secondary MXs are becoming somewhat out of fashion, anyway. I'm
sure others on the list will comment.

Good luck, Mr. 1776!

--Lyle
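
Added example, not part of the original message and not SIMS code: a sketch of the "delay daemon" idea discussed above, a UDP DNS responder that waits and then answers every lookup with NXDOMAIN, which a DNSBL client reads as "not listed". The zone name `delay.example`, port 5353 and the function names are assumptions made for illustration.

```python
import socket
import struct
import threading

DELAY_SECONDS = 30   # the delay discussed in the thread
NXDOMAIN = 3         # DNSBL convention: no such name means "not listed"

# Constructed sample: A query for 2.0.0.127.delay.example (hypothetical zone)
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x012\x010\x010\x03127\x05delay\x07example\x00\x00\x01\x00\x01")

def parse_question(query: bytes):
    """Return (qname, offset just past the first question section)."""
    if len(query) < 12 or struct.unpack("!H", query[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(query):
            raise ValueError("truncated name")
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question")
        labels.append(query[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(query):          # QTYPE + QCLASS must follow the name
        raise ValueError("truncated question")
    return ".".join(labels), pos + 4

def build_not_listed(query: bytes) -> bytes:
    """Echo the question back in an NXDOMAIN reply with no records."""
    _, end = parse_question(query)
    # QR=1 (response), AA=1, opcode and RD copied from the query
    flags = bytes([0x80 | (query[2] & 0x78) | 0x04 | (query[2] & 0x01), NXDOMAIN])
    return query[:2] + flags + struct.pack("!HHHH", 1, 0, 0, 0) + query[12:end]

def serve(host="127.0.0.1", port=5353, delay=DELAY_SECONDS):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        query, client = sock.recvfrom(512)
        try:
            reply = build_not_listed(query)
        except ValueError:
            continue                  # ignore malformed packets
        # One timer per query, so a waiting answer never blocks the next lookup
        threading.Timer(delay, sock.sendto, args=(reply, client)).start()

if __name__ == "__main__":
    serve()
```

The delay the mail server actually sees is bounded by the timeout of whatever resolver sits between it and this daemon, which is often only a few seconds per attempt. The reply carries no SOA record, so it gives resolvers no negative-caching TTL to work from, which bears on the caching question raised in the thread.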