Re: [Exim] SA-Exim vs. ExiScan - at an initial glance

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] SA-Exim vs. ExiScan - at an initial glance
On Thu, 27 Nov 2003, Tom Kistner wrote:

> Tor Slettnes wrote:
>
> >   o Teergrubing! [3]   This alone is probably its biggest advantage,
> >     and perhaps enough to choose this over ExiScan...
>
> You can use exim's 'delay' control statement to achieve similar effects
> with exiscan-acl. I don't know how configurable that can be made, but
> you can use the full ACL power with it :)


There's been a fair bit of discussion about this in the past, but
without any conclusive answer on exim-users as far as I could make
out. Sadly I don't have the spare Round Tuits to start a project
myself.

With exim alone, you can delay for a period of time, and then
send a response. If the other MTA times out before the response
gets sent, that's the end of the proceedings.

Normal MTAs will wait for at least 5 mins - because the RFC says so.

*Some* spamming software is inclined to give up earlier, and not try
again (nice hint: we manage to shrug off a modest number of spams that
way - by inserting a delay when the conditions look suspicious - with
nothing worse happening to false-positive'd bona fide senders than a
bit of extra delay. I say this with some reluctance, however, since
if it becomes common practice, it's only too obvious what the spammers
will do next). However, the other side of that coin is there's some
other ratware that will retry endlessly, if you cause it to time out.
But I'm digressing from the point I wanted to make here...

The full-scale "Teergrube" approach involves sending occasional
continuation response lines in the hope of keeping the spamming MTA
"on the line". In this way it's claimed that by sending a
continuation line every couple of minutes, the supposed spammer can be
held on the line for much longer than the RFC's 5-minute timeout.
However, others have disputed that this will be effective in practice.

The idea's been around for quite a number of years, but one doesn't
hear a great deal about its use in practice. Seems to me that there
would be no point in keeping it a secret weapon: if it really works,
then it'll work better and better, the more people are using it, no?
So, if it's so effective, I don't know why its users seem to be
keeping such a low profile?

It would be great to know from folks who have genuinely tried the
full-scale teergrube approach in production, whether this really
achieves what is being claimed.

I don't think exim has any possibility to do this for itself, e.g. from
an ACL? The nearest option, as I said above, is a delay, and then a
complete rejection message, but with no continuation-message activity
in between. So it was rather interesting to see it offered in
sa-exim.

thanks for any user-experience reports...?
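
An added illustration, not part of the original post and not code from Exim or SA-Exim: a network-free simulation of the two behaviours the message contrasts, a silent delay followed by one reply versus a teergrube that sends SMTP continuation lines, run against two client timer policies. The policy names (`per_read`, `per_reply`), the 451 code and the reply text are assumptions made for the sketch; the 300-second timeout and the roughly two-minute interval are the figures the message mentions.

```python
# Constructed simulation: no network I/O, all times in seconds.
RFC_TIMEOUT = 300  # the 5-minute wait the post attributes to the RFC


def teergrube_schedule(hold_for, interval=120, code=451):
    """Return [(send_time, line)] for a tarpit reply: continuation lines
    ("451-...") every `interval` seconds, then the final line ("451 ...")."""
    events = [(t, f"{code}-please hold\r\n")
              for t in range(interval, hold_for, interval)]
    events.append((hold_for, f"{code} try again later\r\n"))
    return events


def plain_delay_schedule(hold_for, code=451):
    """Delay-then-respond as the post describes for exim alone:
    silence for `hold_for` seconds, then a single final reply line."""
    return [(hold_for, f"{code} try again later\r\n")]


def client_held_for(events, policy, timeout=RFC_TIMEOUT):
    """Return (seconds the client stayed connected, saw_final_reply).

    policy "per_read":  the timer restarts whenever any line arrives (assumed).
    policy "per_reply": one deadline covers the whole reply (assumed).
    """
    if policy not in ("per_read", "per_reply"):
        raise ValueError("unknown policy")
    last_line_at = 0
    for sent_at, line in events:
        start = last_line_at if policy == "per_read" else 0
        if sent_at > start + timeout:
            return start + timeout, False   # client gave up before this line
        last_line_at = sent_at
        if line[3] == " ":                  # "NNN " (space) marks the last line
            return sent_at, True
    raise ValueError("schedule has no final reply line")


if __name__ == "__main__":
    for name, sched in (("teergrube", teergrube_schedule(1800)),
                        ("plain delay", plain_delay_schedule(1800))):
        for policy in ("per_read", "per_reply"):
            print(name, policy, client_held_for(sched, policy))
```

Only a client whose timer restarts on each received line is held past the timeout; a client with a single deadline for the whole reply drops at 300 seconds either way, which is the point on which the message says effectiveness is disputed.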