Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???

Author: Tor Slettnes
Date:  
To: Matt Bernstein
CC: Matthew Byng-Maddick, exim-users
Subject: Re: [Exim] FW: Defending Against Rumplestiltskin Attacks???
On May 13, 2004, at 06:24, Matt Bernstein wrote:
> Hmm.. I may have misled myself here. I take your point, and looking at
> chunks of mail logs does show some not to have completed. This seems
> to be because they were completed in the next log, or in the bit after
> head truncated the file.
>
> Oops.


Hmm, I was also under the impression that Exim would not deliver a
message if connection from the client was dropped, even after the final
".".

Well, if that's not the case, then MBM is right.. mostly. I can still
see the following benefits from tarpitting the sender after DATA:

- Delay them from moving on to the next victim. If 65535 recipient
hosts were doing this simultaneously, out of a total of 5 million
recipients^H^H^H^H^H^Hvictims, it would essentially increase the cost
of doing spam. Unfortunately, from my days of using SA-Exim, I
noticed that most ratware would not wait to suffer through its
punishment - the only peers I succeeded in tarpitting were "legitimate"
MTAs such as Comcast, SBC, Hotmail, &al.

- Use it for greylisting purposes - i.e. clients that disconnect
before a final status code will be blacklisted.

-tor
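
Added example, not part of the original message and not Exim code: the second benefit above (listing clients that disconnect before the final status code) expressed in Python over constructed session events. The event names, the record format and the one-hour listing period are assumptions made for illustration; they are not Exim log output or Exim settings.

```python
# Constructed records: "<unix-time> <client-ip> <event>". Hypothetical format.
SAMPLE_EVENTS = """\
1000 192.0.2.10 DATA_END
1030 192.0.2.10 REPLY_SENT
1031 192.0.2.10 DISCONNECT
1005 198.51.100.7 DATA_END
1009 198.51.100.7 DISCONNECT
1010 203.0.113.5 CONNECT
1012 203.0.113.5 DISCONNECT
"""

LIST_TTL = 3600  # assumed: seconds a dropped client stays listed


def early_droppers(events_text):
    """Return {ip: drop_time} for clients that closed the connection after
    the final "." but before the server sent its status reply."""
    records = []
    for line in events_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        records.append((int(parts[0]), parts[1], parts[2]))
    records.sort(key=lambda r: r[0])  # process in time order

    awaiting = {}  # ip -> time of DATA_END while the reply is still delayed
    dropped = {}
    for ts, ip, event in records:
        if event == "DATA_END":
            awaiting[ip] = ts
        elif event == "REPLY_SENT":
            awaiting.pop(ip, None)  # client sat through the delay
        elif event == "DISCONNECT" and ip in awaiting:
            del awaiting[ip]
            dropped[ip] = ts  # left during the post-DATA delay
    return dropped


def is_listed(ip, now, dropped, ttl=LIST_TTL):
    """True while a client that dropped early is still inside the TTL."""
    ts = dropped.get(ip)
    return ts is not None and now - ts < ttl


if __name__ == "__main__":
    print(early_droppers(SAMPLE_EVENTS))
```

A disconnect that happens before any DATA_END (203.0.113.5 in the sample) is not listed, since the test here is only about clients that leave during the post-DATA delay.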