Tarpitting Spam Traffic using PF...
Jim C. Nasby
decibel at decibel.org
Tue Feb 22 15:50:44 GMT 2005
On Sun, Feb 20, 2005 at 12:36:07AM -0500, Forrest Aldrich wrote:
> I read about the spamd redirect in pf.conf. However, I wonder if it
> might be useful to set up a redirect to something like this:
> I suppose it doesn't make a difference, but I do want to make it
> extremely painful for any spammers. What are other people doing on
> this part?
I doubt this is of much use for a few reasons:
1) Many spammers don't bother with any result codes. They open a
connection and start spewing data.
2) Those who do look at result codes will quickly stop if this technique
3) There is no way to distinguish between legitimate email and spam.
Anyone setting this up would have to be very careful about how they
present the email addresses for the tarpit to the net to make sure they
didn't go to legitimate email senders.
4) Many spammers use zombied machines on cable modems and the like to do
their dirty work. Gumming up those machines doesn't really mean much to
them; they'll just go find more.
If you want to set up a tarpit/honeypot, I think it would be much more
productive to run http://projecthoneypot.org.
Jim C. Nasby, Database Consultant decibel at decibel.org
Give your computer some brain candy! www.distributed.net Team #1828
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
More information about the freebsd-stable