Yahoo Groups archive

Milter-greylist

Re: [milter-greylist] [RFC] implementing taRgrey

2009-07-06 by Adam Katz

I've actually been eying tarpits for a while now, specifically leaders
like MailChannels (which some high-volume colleagues of mine use, plus
an award from the MIT Spam Conference).  Their product is actually
very similar to what could be added to milter-greylist with the
implementation of a tarpit command.

I wouldn't actually be surprised if tarpitting was in almost every way
better than greylisting; I'd strongly consider reconfiguring my
servers to use tarpitting over greylisting in every case (perhaps with a
10s grey-time on Windows desktop OS "servers" before the tarpit).

The sendmail configuration option "greet_pause" is a basic form of
tarpitting with astounding effect.  See the testimonial at
http://www.acme.com/mail_filtering/sendmail_config.html#greet_pause
and data at http://mailchannels.com/images/drop-off.png

One important implementation note:  if the connecting server drops the
connection but then comes back later, the tarpit clock should have
been counting from that first connection.  (Otherwise, some
noncompliant servers might never deliver mail.)

One more note on tarpitting:  the full-on implementation is actually
that of a connection throttle; traffic is let through very very
slowly.  The idea of pausing often accomplishes the same thing, but
it's easily interpreted as a lost connection.  A good tarpit
implementation would actually have variable dynamic throttle rates (or
at least several bandwidth thresholds), and no tarpit mechanism should
throttle longer than 300-500 seconds (see above linked image).
As to taRgrey, it appears to bring two concepts to the table:  the
aforementioned tarpit ability, which is awesome, and S25C, which is
some kind of botnet detector.

After reading a bit on S25C, I'm quite dubious.  No concrete data on
false-positives is presented and the whitelist is MASSIVE.  I've
implemented S25C in SpamAssassin with near-zero scores to see what
kind of impact it would have on my servers, but I doubt it will prove
useful (since SA fires after greylisting).

I suspect the "botnet" plugin for SpamAssassin is far more
comprehensive, and I've already decided not to use it thanks to the
fact that greylisting's main function is combating botnets.  The same
will probably go for S25R.

Implementing S25R within milter-greylist once the tarpitting
functionality is present should prove trivial, so I see no need to
implement a "targrey" clause.
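The two implementation notes in the message above (the tarpit clock runs from a client's first connection, and tarpitting is a capped, tiered throttle rather than a single pause) can be made concrete in a small policy model. The following is an added example written for this archive page; it is not milter-greylist code and not the post author's. The 300 s ceiling, the IP addresses and the bandwidth tiers are constructed values chosen to illustrate the mechanism.

```python
"""Tarpit policy model for an SMTP front end.

Constructed example, not code from milter-greylist or from the post's author.
It encodes two implementation points the post makes:
  * the tarpit clock starts at a client's FIRST connection, so a client that
    drops the connection and comes back later is credited for the time that
    has already passed instead of being restarted from zero;
  * tarpitting is a throttle, not one long pause: bytes are let through at a
    rate drawn from several thresholds, and no client is throttled beyond a
    fixed ceiling (300 s here, the low end of the post's 300-500 s).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_TARPIT_SECONDS = 300.0  # assumed ceiling; the post suggests 300-500 s

# (seconds since first contact, allowed bytes per second). Constructed values:
# a client that keeps coming back, as a compliant MTA would, earns more bandwidth.
THROTTLE_TIERS: List[Tuple[float, int]] = [(0.0, 8), (60.0, 32), (180.0, 128)]


def throttle_rate(elapsed: float) -> int:
    """Bytes per second allowed after `elapsed` seconds in the tarpit."""
    rate = THROTTLE_TIERS[0][1]
    for threshold, tier_rate in THROTTLE_TIERS:
        if elapsed >= threshold:
            rate = tier_rate
    return rate


@dataclass
class ClientState:
    first_seen: float      # time of the very first connection from this client
    last_seen: float       # time of the most recent connection
    attempts: int = 0      # connections seen, including drops and retries


@dataclass
class TarpitPolicy:
    max_tarpit: float = MAX_TARPIT_SECONDS
    clients: Dict[str, ClientState] = field(default_factory=dict)

    def on_connect(self, addr: str, now: float) -> dict:
        """Decide how to treat a connection from `addr` arriving at `now`.

        Returns the action ('tarpit' or 'accept'), the throttle seconds still
        owed, the current bytes/second rate and the attempt count for logging.
        """
        st = self.clients.setdefault(addr, ClientState(first_seen=now, last_seen=now))
        st.attempts += 1
        st.last_seen = now
        elapsed = now - st.first_seen            # the clock runs from first contact
        remaining = max(0.0, self.max_tarpit - elapsed)
        action = "tarpit" if remaining > 0 else "accept"
        rate = throttle_rate(elapsed) if action == "tarpit" else None
        return {"action": action, "remaining": remaining,
                "rate_bps": rate, "attempts": st.attempts}

    def pace(self, addr: str, now: float, nbytes: int) -> float:
        """Seconds over which `nbytes` of an SMTP reply should be spread.

        Zero for unknown clients or once the full tarpit time has been served;
        never stretches a reply past the ceiling, which is the overlong
        throttling the post warns against.
        """
        st = self.clients.get(addr)
        if st is None:
            return 0.0
        elapsed = now - st.first_seen
        if elapsed >= self.max_tarpit:
            return 0.0
        return min(nbytes / throttle_rate(elapsed), self.max_tarpit - elapsed)

    def expire(self, now: float, ttl: float = 3600.0) -> int:
        """Forget clients not seen for `ttl` seconds; returns how many were dropped."""
        stale = [a for a, st in self.clients.items() if now - st.last_seen > ttl]
        for a in stale:
            del self.clients[a]
        return len(stale)


def simulate_drop_and_retry(policy: TarpitPolicy, addr: str,
                            first: float, retry_after: float) -> Tuple[dict, dict]:
    """A client connects at `first`, gives up, and reconnects `retry_after`
    seconds later; the second decision shows the credit for elapsed time."""
    return policy.on_connect(addr, first), policy.on_connect(addr, first + retry_after)


if __name__ == "__main__":
    policy = TarpitPolicy()
    first, second = simulate_drop_and_retry(policy, "192.0.2.10", 1000.0, 120.0)
    print("first connection :", first)    # 300 s owed at the slowest tier
    print("retry after 120 s:", second)   # 180 s owed, faster tier, attempts=2
    print("banner pacing    :", policy.pace("192.0.2.10", 1290.0, 2048), "s")
```

The point of `pace()` is that a throttled reply is still delivered, just slowly, so a compliant sender waiting on the banner sees progress rather than a dead socket; the `remaining` value in the decision is what an operator would log to confirm that reconnecting clients are not being restarted from zero.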
