
Re: blacklists





--On Friday, December 10, 2004 22:48 +1100 Craig Sanders <cas@taz.net.au> wrote:

> On Thu, Dec 09, 2004 at 11:18:16PM -0700, Michael Loftis wrote:
> > --On Friday, December 10, 2004 16:43 +1100 Craig Sanders
> > <cas@taz.net.au> wrote:
> >
> > > DoS is a huge exaggeration. a few smtpd processes waiting to timeout
> > > does not constitute a DoS. neither does a few dozen.
> >
> > I had about 800 waiting around in just a few minutes on the one server
> > I began testing it on, but this is a large installation. And this
> > isn't peak time...It's holding at around 1000 blocked hosts, most of
> > them for blacklist infractions.
>
> i certainly wouldn't recommend running it on a large installation. i'm
> surprised you even tried.

Well, we're very anti-spam, and willing to try anything to help...I had to disable it after we got around ~8K rules in the tables on that box, that ended up causing the system CPU time to go through the roof. Though it was very effective. :)

> i run it on my home system at the moment. i wouldn't run it at work.

I've made a few modifications already, including making everything persistent and making it purge SEEN entries after not seeing a host for 24hrs (this also effectively caps any block time to being 24hrs). I might just set it so that it only watches our MailScanner and blocks the IPs it reports as sending virii. That would probably help to shrink the number of reports a lot, and help with my virus load. That'd be a good site-wide table to share (we use central mysql maps a lot).


> i experiment with lots of things on my home system that i wouldn't even
> think of doing at work. some of them, very few, actually turn out to be
> worthwhile and safe enough to use at work.

Same here.

> try dropping only SYN smtp packets if you still want to experiment with
> it, adding "--syn" to the end of the iptables args in the scripts. that
> should stop the hanging processes.

Yeah. Last night when I wrote back my brain was a bit mushy, couldn't think of the right option so I just said it should probably be changed :)

> unfortunately, my domain seems to attract a lot of junk. i've had my
> domain for over 10 years, and kept the same email address all along.
> and i've been joe-jobbed many times over the last decade by spammers
> who don't like me (or my anti-spam methods, or the fact that i share
> them openly), and i've had thousands of bogus, non-existant addresses in
> my domain added to spam lists also by spammers who don't like me. the
> current crop of spammers probably don't even notice or care, but in the
> early days of spam it was different. spammers got very offended and took
> it personally...which, of course, was excellent incentive to keep on
> blocking them :)

I'm glad you share them. Spammers are criminals, pure and simple, they're stealing our time, resources, and our users' time and resources and money. They have no place in the world. Heck, I'm all for capitol (or is it al? I can't remember) punishment for spammers. (see short disclaimer.h at the bottom of this message)

> i pissed off quite a few in the very early days, when spammers didn't
> hide their identities and hadn't yet learned not to use their own
> address. one of the things i wrote was a script which i could bounce
> spam to. it would then parse the sender addresses and add it to a
> database of spammers....and sent copies of each spam to a random subset
> of the database. that infuriated them and amused me no end. my intention
> was to annoy them at least as much as their MMF or green card or
> whatever spam had annoyed me. unfortunately that stopped being a viable
> tactic fairly quickly, and it certainly wouldn't scale to anything like
> the spam load of today (back then 1 or 2 spams every few days was a lot.
> now i wouldn't even notice it).

Now that's a heck of a tactic LOL :) too bad I didn't think of it back then...although I had a firewall setup for the longest time at home that automatically did counter-recon of offenders, and if it determined common open holes would get in and attempt to shut the system off. It was always satisfying to watch a zombie get halfway through a portscan, then just disappear.
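The two changes discussed in this thread, the 24-hour purge of SEEN entries and blocking with "--syn" so only new connection attempts are dropped and existing smtpd sessions are not left hanging, as an added shell example that is not part of either poster's scripts. It assumes a "seen" file of "IP LAST_SEEN_EPOCH" lines and takes the current time as an argument so the run is reproducible; the sample data and timestamps are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Expire hosts not seen for 24h and emit
# iptables rules that drop only SMTP SYN packets from the rest, so packets of
# already-established sessions still pass and smtpd does not sit waiting
# for a timeout.
# Assumed input format: one "IP LAST_SEEN_EPOCH" line per host.

EXPIRE_SECS=86400   # drop a host from the table after 24h without sightings

# purge_seen FILE NOW -> prints the surviving "IP EPOCH" lines
purge_seen() {
    awk -v now="$2" -v ttl="$EXPIRE_SECS" 'now - $2 < ttl { print $1, $2 }' "$1"
}

# block_rule IP -> a rule matching only new connection attempts (--syn);
# without --syn every packet of an open session would be dropped as well.
block_rule() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 25 --syn -j DROP\n' "$1"
}

# gen_block_rules FILE NOW -> one DROP rule per unexpired host
gen_block_rules() {
    purge_seen "$1" "$2" | while read -r ip _; do
        block_rule "$ip"
    done
}

# Constructed sample data: two hosts seen within the last day, one stale.
SEEN_FILE=$(mktemp)
cat > "$SEEN_FILE" <<'EOF'
192.0.2.10 1102680000
198.51.100.7 1102600000
203.0.113.99 1102690000
EOF
NOW=1102700000   # constructed "current" epoch; a live script would use $(date +%s)

gen_block_rules "$SEEN_FILE" "$NOW"
```

Only the two recently seen hosts get rules; 198.51.100.7 is older than 24h and is purged.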
