
Tarpit SPAM trap

Hello All

A professional spammer is using a forged "From:" header line 
which quotes a non-existent address at one of our domains.  Every 
spam he sends to a bad address gets bounced to us.  We are 
running qmail, which, by default, accepts these bounces then 
handles them as "double bounces".

To give you an idea of the scope of the problem we have received 
about eleven thousand bounces with the same forged address over 
the last month.  All of the Spam was launched from AOL, and relayed 
using a whole list of open relays - many in Eastern Europe and the 
Far East.

We send copies of this spam to abuse@aol.com on a daily basis. 
The only response I have ever had from AOL is from an 
autoresponder.  Sometimes we send copies to the relay machine 
admins, usually "abuse@<domain>" bounces and sometimes 
"postmaster@<domain>" bounces too.  I have never had a response 
from any of them.

The problem is an irritation to me and obviously to all of the people 
who are getting the spam.  My plan is to convert the qmail to exim 
(this is part of a larger project, which is why I have not done anything 
yet) then let exim refuse the bounce messages with a 500 error 
before they are accepted.

Then this was posted on debian-isp@lists.debian.org

On 1 Mar 00, at 20:38, Michael Koehne wrote:

>   Last (if you're really desperate) install a "Teergrube". The so called
>   tar pit is abusing the dash ("-") feature SMTP uses to keep alive, to
>   hold an IP connection open for ever, if it comes from a host on the
>   rbl list. This will cause the spamming host to go down, as any operating
>   system has a limit on open sockets.
> 
>   Try to surf around with the keywords "Teergrube" or "Tarpit" and "SMTP"
>   to get some patches for sendmail.

Ouch!  This sounds pretty drastic and it is not normally my style.  
However it may be appropriate in this case.

All of those bounce messages come from open relays, while they 
are actively sending spam.  If I could run an effective DOS on them, 
then the spammer who is sending the spam would find his 
productivity gets hit quite hard.  Maybe he will notice and then 
choose to forge somebody else's address... which will make my 
problem go away.  The DOS should only be invoked on servers 
sending bounce messages to the non-existent address.

Does anybody know of "Teergrube" patches for qmail or exim?  
Has anybody tried this before?  What resources do I have to have 
available on my end to sink the other server without sinking my own?

Can anybody help?  I got another 35 bounces in the time it took to 
write this!

Thanks

Ian


---------------------------------------------------------------------
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388  Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
---------------------------------------------------------------------
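The cleaner fix Ian describes (refuse the bounce during the SMTP envelope, before the message is ever accepted and turned into a double bounce) is easy to model. The following is an added example, not code from Ian's post or from qmail or exim: a small simulated SMTP envelope state machine in Python. The domain, user list, client addresses and the listed network are all constructed placeholders. It refuses RCPT TO for unknown local users with a 550 (the permanent-failure code for an unknown mailbox), so a bounce to a forged, non-existent sender never gets past the envelope, and it shows the gentler form of a Teergrube as a configurable per-reply delay for clients on a local blocklist rather than an open-ended stall.

```python
import ipaddress
import time
from dataclasses import dataclass

# Constructed local mail configuration (hypothetical domain and mailboxes).
LOCAL_DOMAINS = {"example.com"}
LOCAL_USERS = {"example.com": {"ian", "postmaster", "abuse"}}
# Constructed blocklist standing in for a real RBL lookup.
LISTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
TARPIT_DELAY = 30.0  # seconds to stall each RCPT reply for listed clients


@dataclass
class Decision:
    code: int          # SMTP reply code
    text: str
    delay: float = 0.0 # tarpit delay applied before replying


def is_bounce(mail_from: str) -> bool:
    """The null reverse-path (<>) marks a bounce / delivery status notification."""
    return mail_from.strip() in ("<>", "")


def is_listed(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LISTED_NETWORKS)


def rcpt_policy(client_ip: str, mail_from: str, rcpt_to: str) -> Decision:
    """Decide at RCPT TO time; a 550 here means no message body is ever stored."""
    local, _, domain = rcpt_to.strip().strip("<>").rpartition("@")
    domain = domain.lower()
    delay = TARPIT_DELAY if is_listed(client_ip) else 0.0
    if domain not in LOCAL_DOMAINS:
        return Decision(550, "relay not permitted", delay)
    if local.lower() not in LOCAL_USERS[domain]:
        if is_bounce(mail_from):
            return Decision(550, "no such user; bounce to forged sender refused", delay)
        return Decision(550, "no such user", delay)
    return Decision(250, "recipient ok", delay)


class SmtpSession:
    """Minimal envelope-phase state machine; refused mail never reaches DATA."""

    def __init__(self, client_ip: str, sleep=time.sleep):
        self.client_ip = client_ip
        self.mail_from = None
        self.accepted = []
        self._sleep = sleep  # injectable so tests do not actually wait

    def command(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.mail_from = None
            return "250 mail.example.com"
        if verb == "MAIL":
            # "MAIL FROM:<addr>" -> keep the part after the first colon
            self.mail_from = arg.split(":", 1)[1].strip() if ":" in arg else arg
            return "250 sender ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 need MAIL first"
            rcpt = arg.split(":", 1)[1].strip() if ":" in arg else arg
            d = rcpt_policy(self.client_ip, self.mail_from, rcpt)
            if d.delay:
                self._sleep(d.delay)  # Teergrube-style throttling, bounded
            if d.code == 250:
                self.accepted.append(rcpt)
            return f"{d.code} {d.text}"
        if verb == "RSET":
            self.mail_from = None
            self.accepted = []
            return "250 ok"
        if verb == "QUIT":
            return "221 bye"
        return "502 command not implemented"


def replay(client_ip: str, lines, sleep=lambda s: None):
    """Run a scripted client dialogue and return the server's replies."""
    session = SmtpSession(client_ip, sleep)
    return [session.command(line) for line in lines]


# Constructed transcript of an open relay bouncing spam to a forged address.
FORGED_BOUNCE = [
    "HELO relay.example.net",
    "MAIL FROM:<>",
    "RCPT TO:<nobody42@example.com>",
    "QUIT",
]

if __name__ == "__main__":
    for reply in replay("203.0.113.5", FORGED_BOUNCE):
        print(reply)
```

The important design point is where the decision is made: qmail's default of accepting the bounce and double-bouncing it later costs disk, queue time and a second outbound message per spam, whereas a 550 at RCPT costs one TCP exchange and leaves the relay holding the problem. The delay is kept as a bounded, configurable value so a listed client is slowed without tying up the receiving side's own sockets indefinitely.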
