tarpitting spammers

dnadog (Verified User; joined Apr 13, 2005; 8 messages)
Hi,

I have just installed spamcannibal on my server and it is the mutt's nuts!

It has two things that are great.

1. It checks the mail before any data is sent, therefore reducing traffic.
2. If it's a spam IP that is connecting to the server, it holds onto it by making it send small packets, so making the spam server keep retrying the packet. If enough people did this the spam servers would soon die. It also works the same for anyone trying a DoS attack.

Download it and try it out. http://www.spamcannibal.org

It can be a bit of a pain to install as it needs quite a few Perl bits and bobs, but it is worth it.

I have also written a script to trawl the rejectlog every five minutes and add any spam IP addresses to the spamcannibal database so that they will never connect again.

Oh yeah, you can also block by country code; adding CN and RU really reduces spam attempts.

email me at [email protected] if you need any help.
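The rejectlog trawl described above, as an added example rather than the poster's own script: it reads Exim rejectlog lines, pulls the connecting client's bracketed address, counts rejections per address and returns the ones not already blocked. The sample log lines are constructed for the example, the never-block ranges and the `min_hits` threshold are my own choices, and feeding the result into SpamCannibal's database is left to whatever tool you use for that. The one check worth copying is the skip list: a script that blindly adds every bracketed address will eventually add your own loopback or LAN relay when a local sender-verify fails.

```python
#!/usr/bin/env python3
"""Pick out rejected client IPs from an Exim rejectlog.

Added example (not the poster's script). Constructed sample lines are
embedded so it runs offline; point it at the real rejectlog to use it.
"""
import ipaddress
import re
from collections import Counter

# Exim writes the connecting client's address in square brackets,
# e.g. "H=mail.example.com [198.51.100.7]" or "rejected from [203.0.113.9]".
BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f.:]+)\]")

# Address ranges that must never end up in the blocklist, whatever the
# log says: loopback, RFC 1918 / ULA space and link-local.  (Chosen here
# for the example; extend it with your own relays and monitoring hosts.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample rejectlog lines (not from any real server).
SAMPLE_REJECTLOG = """\
2005-04-13 09:12:01 H=(win-xp-box) [192.0.2.45] F=<bob@example.net> rejected RCPT <sales@example.org>: relay not permitted
2005-04-13 09:14:33 H=mail.example.com [198.51.100.7] F=<news@example.com> rejected RCPT <nobody@example.org>: Unrouteable address
2005-04-13 09:15:02 H=(win-xp-box) [192.0.2.45] rejected EHLO or HELO win-xp-box: HELO/EHLO name is not a FQDN
2005-04-13 09:16:40 rejected from [203.0.113.9]: too many unrecognised commands
2005-04-13 09:17:10 H=localhost [127.0.0.1] F=<root@localhost> rejected RCPT <x@example.org>: sender verify fail
2005-04-13 09:18:05 H=[2001:db8::1] F=<a@example.net> rejected RCPT <b@example.org>: relay not permitted
2005-04-13 09:19:00 H=(box) [999.1.1.1] rejected RCPT <c@example.org>: mangled line
"""


def client_ip(line):
    """Return the client's address from one rejectlog line as a normalised
    string, or None if the line has no address we are willing to block."""
    m = BRACKETED_IP.search(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:  # "[999.1.1.1]" or a garbled line: ignore it
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None  # never lock out your own hosts
    return str(addr)


def new_offenders(lines, already_blocked=frozenset(), min_hits=1):
    """Count rejections per client address and return a sorted list of
    (ip, hits) pairs that reach min_hits and are not yet blocked."""
    hits = Counter()
    for line in lines:
        if " rejected " not in line:  # rejectlog should only hold these, but be safe
            continue
        ip = client_ip(line)
        if ip:
            hits[ip] += 1
    return sorted((ip, n) for ip, n in hits.items()
                  if n >= min_hits and ip not in already_blocked)


if __name__ == "__main__":
    # Run against the embedded sample; a cron job would instead read the
    # real rejectlog and pass the database's current contents as already_blocked.
    for ip, n in new_offenders(SAMPLE_REJECTLOG.splitlines()):
        print(f"{ip}\t{n} rejection(s)")
```

Run it every five minutes from cron with the set of addresses already in the database passed as `already_blocked`, so each run only hands over what is new; raising `min_hits` trades a little delay for fewer one-off false positives.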
 
Well, on my server I get a lot of spam messages a day/hour, so if SpamCannibal lets these servers resend packages all the time, my load will go up and my bandwidth too.

Better is just to discard the message and give the ability to block the host in iptables instead of letting him resend packages :P
 
Two statements from the web site. There was one about the amount of traffic but I can't find it; it was something like half a byte per connection per hour or something, but don't quote me on that.


SpamCannibal's TCP/IP tarpit stops spam by telling the spam server to send very small packets. SpamCannibal then causes the spam server to retry sending over and over - ideally bringing the spam server to a virtual halt for a long time or perhaps indefinitely. SpamCannibal blocks spam at the source by preventing the spam server from delivering the messages from its currently running MTA process. This effectively eliminates the network traffic to your site because the spam never leaves the origination server.

It sets the packet data and packet window size parameters to very low values which slows the transmission rate to a trickle. Then it never acknowledges packets, so transmission will be retried over and over, ideally bringing the transmitting program (the spam server, scanning tool or worm) to a virtual halt for several hours or perhaps indefinitely.
 
Also, if you use iptables you will soon have a deny_hosts file that is too big to manage; I currently have about 36000 hosts in the database.
 
I don't know about it for sure. You can decrease the packet window, but you still have enough handshaking traffic. To bring one spam server down, you'll need more than one an hour.
 
dnadog said:
Also, if you use iptables you will soon have a deny_hosts file that is too big to manage; I currently have about 36000 hosts in the database.

I'd rather have them in my deny host than have my server keep sending/receiving packages from it.
 
 
After the initial handshake it does not acknowledge any more.

But it's a matter of choice I suppose.

I used to use deny_hosts but it's no good for very large amounts.

At the moment my spamcannibal is using 260 bytes of traffic, a lot less than when exim was handling it.
 
As with all things it's a matter of choice.

I don't really care if anyone uses it; I like it.
 
The best way to eliminate data transit to your server from spammers is to refuse to accept email from them.

And one way to do it is to use SpamBlocker.

SpamBlocker is built into DA and I wonder if everyone who keeps looking for other solutions has ever tried it.

It's not turned on by default but you can easily turn it on; instructions are in the comments at the top of the /etc/exim.conf file.

Yes, it refuses email. Which is really a good idea because (a) it eliminates an awful lot of traffic, and (b) because anyone who gets caught by a false positive gets an email from their server telling them how to unblock themselves.

Jeff
 