On Tue, Nov 15, 2005 at 03:07:36PM -0500, Mark Bucciarelli wrote:
> On Tue, Nov 15, 2005 at 09:59:44AM -0800, Steve Jacobson wrote:
> > So, does anyone have a good greylisting plugin for Courier already
> > developed and ready to share?
>
> mta-independent, pf-based: http://www.bsdcan.org/2005/activity.php?id=63

Here's a link to the original BSDCan presentation [1].
The more I read about this, the better it looks. :)
Summary:

- tar pit (1 byte/sec, TCP window size=1 response to blacklisted host)
- greylisting
- greytrapping (spamtrap addresses greylisted hosts cannot mail to)
- initial ten second stutter (to greylisted connections) then full
  speed
- efficient:
    - author's site services 1 million smtp connections/day,
    - spamd creates 50,000 to 70,000 greylist tuples every four hours,
    - there are 120,000 entries in whitelist
    - spamd + pf run on a 1U Dell PowerEdge 1650 (stock: PIII 1.3
      GHz, 512 MB RAM)
    - previous approach (sendmail milter w/ mysql) brought a "beefy
      box to its knees."
    - approx 60% reduction in smtp sessions
- secure (author is part of openbsd project. Also, the postfix
  greylisting logic had a remote exploit at some point.)
- simple cluster (pf can use "round robin" redirect to send whitelisted
  connections to a cluster of mail processors)

The thought of sending 1 byte per second to spammers makes me very
happy. Unfortunately, spammers are smart and now disconnect more
quickly--the stuttering was implemented to try and still give them
some pain.
m
[1] http://www.openbsd.org/papers/bsdcan05-spamd/
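
A simplified model of the greylisting and greytrapping decisions summarized in the message above, as an added example that is not part of the original post and is not spamd's code. The 25-minute pass time, the four-hour tuple expiry, the sample addresses and the `Greylister` and `replay` names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PASSTIME = 25 * 60        # assumed: minimum wait before a retry is accepted
GREY_EXPIRY = 4 * 3600    # assumed: unretried tuples are dropped after this
SPAMTRAPS = {"trap@example.org"}  # constructed spamtrap address

@dataclass
class Greylister:
    grey: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> first-seen time
    white: set = field(default_factory=set)    # IPs that retried correctly
    trapped: set = field(default_factory=set)  # IPs that mailed a spamtrap

    def check(self, ip, sender, rcpt, now):
        """Return 'accept', 'tempfail' or 'tarpit' for one SMTP delivery attempt."""
        if ip in self.trapped:
            return "tarpit"
        if ip in self.white:
            return "accept"
        if rcpt.lower() in SPAMTRAPS:
            # Greytrapping: a not-yet-whitelisted host mailing a trap is blacklisted.
            self.trapped.add(ip)
            return "tarpit"
        key = (ip, sender.lower(), rcpt.lower())
        first = self.grey.get(key)
        if first is None or now - first > GREY_EXPIRY:
            self.grey[key] = now          # new or expired tuple: start the clock
            return "tempfail"
        if now - first < PASSTIME:
            return "tempfail"             # retried too quickly
        del self.grey[key]
        self.white.add(ip)                # patient retry: whitelist the host
        return "accept"

def replay(events):
    g = Greylister()
    return [g.check(ip, s, r, t) for t, ip, s, r in events]

# Constructed sample traffic (documentation IP ranges, example domains).
SAMPLE = [
    (0,    "192.0.2.10",  "a@example.com", "bob@example.org"),
    (60,   "192.0.2.10",  "a@example.com", "bob@example.org"),
    (1800, "192.0.2.10",  "a@example.com", "bob@example.org"),
    (1900, "192.0.2.10",  "c@example.com", "eve@example.org"),
    (0,    "203.0.113.5", "x@example.net", "trap@example.org"),
    (2000, "203.0.113.5", "x@example.net", "bob@example.org"),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```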