Re: [anti-spam-wg@localhost] Interesting.
- Date: Wed, 29 Jan 2003 18:17:17 -0500 (EST)
> Occasionally I notice an address that tries to connect very
> frequently (say, once per second for days on end). [teergrube]

I did something similar.  Under certain conditions, my mailer will
decide it's under attack, as it were, from a given host; connections
from that host will then get a 5xx "greeting".

If a host gets 5xx greetings at too high a rate (e.g., one of those
retry-within-seconds horrors), it goes to a severer status, wherein I
accept the connection and then throw away all local state without
sending anything to the peer (without even logging anything). The peer
then has a half-open connection that it doesn't realize is half-open;
eventually it times out waiting for the banner and retries, but it does
so relatively slowly, and with zero ongoing resource consumption on my
end. (I had to hack on my TCP stack a little; my mailhost runs an
open-source OS, and this sort of thing is a perfect example of why I
would never consider having it any other way.)

This has proven very effective. In a previous job, hosts that
misbehaved that way twice blew out our log partition with just the log
entries from the rejections. Now, they're just a blip that I don't
even notice unless I'm reading the logs for some other reason.

/~\ The ASCII                           der Mouse
\ / Ribbon Campaign
 X  Against HTML               mouse@localhost
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
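
The two-stage escalation described in the message above, sketched as a per-host decision policy. This is an added example, not the poster's code: the thresholds, the class and function names and the sample addresses are assumptions, and only the decision logic is modelled, since the silent drop itself needs the TCP-stack change the message mentions.

```python
from collections import deque
from enum import Enum


class Action(Enum):
    SERVE = "normal banner"
    REJECT_5XX = "5xx greeting, then close"
    SILENT_DROP = "accept, discard local state, send and log nothing"


class GreetingPolicy:
    # Thresholds are assumed values; the message does not give its own.
    def __init__(self, max_rejects=5, window_s=10.0):
        self.max_rejects = max_rejects
        self.window_s = window_s
        self.rejects = {}     # flagged host -> deque of 5xx greeting timestamps
        self.dropped = set()  # hosts escalated to the silent-drop status

    def flag(self, host):
        """Mark a host as attacking (the message's unspecified 'certain conditions')."""
        if host not in self.dropped:
            self.rejects.setdefault(host, deque())

    def on_connect(self, host, now):
        """Return the Action for a new connection from host at time now (seconds)."""
        if host in self.dropped:
            return Action.SILENT_DROP        # no per-connection bookkeeping at all
        stamps = self.rejects.get(host)
        if stamps is None:
            return Action.SERVE
        while stamps and now - stamps[0] > self.window_s:
            stamps.popleft()                 # forget rejections outside the window
        stamps.append(now)
        if len(stamps) > self.max_rejects:   # retry-within-seconds behaviour
            del self.rejects[host]
            self.dropped.add(host)
            return Action.SILENT_DROP
        return Action.REJECT_5XX


def demo():
    # Constructed sample: one flagged host retries every second, one every 5 minutes.
    policy = GreetingPolicy()
    policy.flag("192.0.2.10")
    policy.flag("192.0.2.20")
    fast = [policy.on_connect("192.0.2.10", float(t)) for t in range(8)]
    slow = [policy.on_connect("192.0.2.20", 300.0 * t) for t in range(8)]
    clean = policy.on_connect("198.51.100.7", 0.0)
    return fast, slow, clean
```

Once a host reaches the silent-drop status the policy keeps only a set entry for it, which mirrors the message's point that nothing is logged and no state accumulates per connection.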