Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???

Author: Ian A B Eiloart
Date:  
To: exim-users
Subject: Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???

--On Thursday, May 13, 2004 10:43 am +0100 Matthew Byng-Maddick
<exim@???> wrote:

> On Thu, May 13, 2004 at 10:27:23AM +0100, Ian A B Eiloart wrote:
>> Wouldn't you have to be prescient to delay *before* detecting the spam?
>
> I delay on the basis of errors, such as recipients who are non-deliverable
> but have a high spam count. Bad HELO names, an unverifiable MAIL FROM, being
> on an RBL, or looking like a dialup incur other penalties.
>
> But after the final dot a delay is either useless (as a connection drop has
> to be treated as a timeout, and hence the message will be delivered anyway,
> if it was going to be; if it wasn't, you weren't going to deliver it
> anyway, so you might as well just reject) or will cause a duplicate
> delivery. The delay is useless, because it doesn't stop your spammer
> giving up before he's tried to deliver the message - he's already
> delivered it.
>


True, the delay doesn't help with the current message, but it could modify
the future behaviour of the sending host.

My guess is that the rationale is this. They aren't going to reject the
message, since it could be a false positive. However, they strongly believe
that the message is spam, since false positives are rare.

The choices now are to just accept the spam, or to try to impose a small
penalty on the sender. The penalty is small for a sender of legitimate
email, but large for a host trying to send lots of spam (indeed,
proportionate to the amount of spam). In the best case, the delay could
stem the flow of a heavy dictionary attack.


--
Ian Eiloart
Servers Team
Sussex University ITS
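The recipient-stage penalty Matthew describes above (slow down, and eventually drop, a session that keeps guessing non-existent local users) can be expressed in an Exim 4 ACL. This is an added, constructed fragment, not configuration from either poster or from the Exim project; it assumes the standard `local_domains` and `relay_from_hosts` host lists from the default configure file and the `$rcpt_fail_count` variable (the number of RCPT commands already rejected in the current message).

```exim
# Constructed example of a dictionary-attack (Rumplestiltskin) penalty.
# Timings and thresholds below are illustrative assumptions.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail from our own relay clients is accepted without any penalty.
  accept  hosts         = +relay_from_hosts

  # A session that has already had many unknown recipients rejected is
  # almost certainly a dictionary run: drop the connection outright.
  drop    domains       = +local_domains
          message       = too many unknown recipients in this session
          condition     = ${if >{$rcpt_fail_count}{10}}

  # Local recipients that verify are accepted promptly.
  accept  domains       = +local_domains
          verify        = recipient

  # Unknown local recipient: reject it, but sleep first, for longer with
  # each further failure in the same session. A legitimate sender who
  # mistypes one address pays a few seconds; a host guessing hundreds of
  # names pays a cost proportional to the number of guesses.
  deny    domains       = +local_domains
          delay         = ${eval:($rcpt_fail_count + 1) * 5}s
          message       = unknown user

  # Anything else is an attempt to relay.
  deny    message       = relay not permitted
```

Because the delay is applied before the 550 is sent, a client that gives up mid-session still lost the time, and the drop rule bounds how long one connection can tie up a process.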