4.40.5: IPBlock 451 versus 550
David Lee
t.d.lee at DURHAM.AC.UK
Wed Mar 16 17:41:25 GMT 2005
On Wed, 16 Mar 2005, Julian Field wrote:
> Jeff A. Earickson wrote:
>
>> Just curious as to why you changed IPBlock from fatal rejections
>> to tmpfail. I've had a couple of spammers pounding on my system
>> with crap that would have ordinarily been booted by IPBlock for
>> good. Now they just keep trying. I've modified my copy of
>> CustomConfig.pm in 4.40.5 to do the 550 rejections again.
>
> Someone asked me to, on the basis that most spammers don't run real
> MTAs and therefore won't try again if they get a tmpfail anyway.
>
> I will change it back to 550 again, but I might put it in a variable
> somewhere so it's easier to change.

I note that Mirapoint (www.mirapoint.com) has a feature called MailHurdle
which deliberately uses 4xx-like temporary failures to try to stall
spammers.

The idea seems to be to return a 4xx-like failure to connections from
hitherto new/unknown places, and to note that the connection attempt has
been made ("if I haven't met you before, then 4xx."). A large proportion
of spam engines simply won't bother to retry.

By contrast, legitimate email (yes, and some residual spam) would always
try again a few minutes later, and so when it does, this time the call is
accepted ("I've just met you, so I accept you 200-like").

That "new/unknown places" might be a variety of things (a brief Google
didn't reveal too much detail) such as one or a combination of IP-address,
envelope-From, envelope-To.

(Obviously, some spam engines might be a bit more determined, and might
actually obey the 4xx retry, but this "hurdle" idea would at least mean
that simple-minded spammers that don't do 4xx subtleties wouldn't bother
us again for the time being.)

I wonder whether something along the lines of "CustomConfig.pm &IPBlock"
might be able to accomplish this?

--
: David Lee I.T. Service :
: Senior Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 334 2752 U.K. :
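
The "hurdle" described in the message above, as an added example that is not part of the original post and is not MailScanner or Mirapoint code: a first-contact deferral table keyed on (IP address, envelope-From, envelope-To). The class name, the 451/250 reply codes, the delay and expiry values, and the sample addresses are all assumptions made for illustration.

```python
import time

class Greylist:
    """First-contact deferral keyed on (client IP, envelope-From, envelope-To)."""

    def __init__(self, min_delay=300, pending_ttl=4 * 3600, pass_ttl=30 * 86400):
        self.min_delay = min_delay      # a retry sooner than this is still deferred
        self.pending_ttl = pending_ttl  # an unretried first contact is forgotten after this
        self.pass_ttl = pass_ttl        # a triplet that passed stays known this long
        self.first_seen = {}            # triplet -> time of first attempt
        self.passed = {}                # triplet -> time of last accepted attempt

    @staticmethod
    def _key(ip, mail_from, rcpt_to):
        # Case-folded so that a retry matches its own first attempt.
        return (ip, mail_from.strip().lower(), rcpt_to.strip().lower())

    def check(self, ip, mail_from, rcpt_to, now=None):
        """Return (smtp_code, reason) for one delivery attempt."""
        now = time.time() if now is None else now
        key = self._key(ip, mail_from, rcpt_to)
        last_ok = self.passed.get(key)
        if last_ok is not None and now - last_ok <= self.pass_ttl:
            self.passed[key] = now
            return 250, "known triplet"
        self.passed.pop(key, None)      # drop a stale pass entry, if any
        first = self.first_seen.get(key)
        if first is None or now - first > self.pending_ttl:
            self.first_seen[key] = now  # "I haven't met you before": defer
            return 451, "first contact, try again later"
        if now - first < self.min_delay:
            return 451, "retry too soon"
        del self.first_seen[key]        # "I've just met you": accept
        self.passed[key] = now
        return 250, "retry after delay accepted"

def demo():
    # Constructed session: documentation-range IPs and example domains.
    g = Greylist()
    t = ("192.0.2.10", "alice@example.org", "bob@example.net")
    return [
        g.check(*t, now=0)[0],                          # first contact
        g.check(*t, now=60)[0],                         # retried too quickly
        g.check(*t, now=600)[0],                        # retry after the delay
        g.check(*t, now=700)[0],                        # triplet now known
        g.check("192.0.2.99", t[1], t[2], now=700)[0],  # same envelope, new IP
    ]
```

A sender that never retries leaves only a pending entry, which expires after `pending_ttl`; the table has to be persisted and pruned in any real deployment.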