A common strategy for increasing the cost of would-be mail abuse uses a technique called tarpitting. Mail servers that tarpit wait a specified period of time before issuing SMTP responses to the cl...
Updated Jul 01, 2019
Version 2.0
Blog Post
Thanks for the feedback, all!
Peter: You are right in that tarpitting is not an end-all technique for stopping attacks. But raising the cost of an attack helps deter some of them and draws out the others such that a diligant administrator may have measures to detect the traffic and block the IP. So to answer your question, I'd argue that a e-mail organization whose accounts are being harvested would indeed care if it took longer to extract useful information, partially because it increases the chance that it can be detected and corrective measures to be taken.
Tarpitting isn't a replacement for, just something to be used in conjunction with other techniques such as limiting the number of connections per IP/Domain, RBL, address filtering, and traffic monitoring. As some of you might have guessed, there are scenarios where harvesting or mail abuse attacks can span multiple connections, sometimes from a distributed source. These scenarios should be considered as well.
Bernd, this is a very good question. A common number is about 5 seconds. However, if you are a gateway and you are confident that a large number of SMTP protocol errors your servers issue are due to one form of other of abuse, this value can certainly be increased. Keep in mind that a lot of mail servers and clients have a time limit associated with a SMTP session after which it may time out, so this should not be a very, very large value.
Peter: You are right in that tarpitting is not an end-all technique for stopping attacks. But raising the cost of an attack helps deter some of them and draws out the others such that a diligant administrator may have measures to detect the traffic and block the IP. So to answer your question, I'd argue that a e-mail organization whose accounts are being harvested would indeed care if it took longer to extract useful information, partially because it increases the chance that it can be detected and corrective measures to be taken.
Tarpitting isn't a replacement for, just something to be used in conjunction with other techniques such as limiting the number of connections per IP/Domain, RBL, address filtering, and traffic monitoring. As some of you might have guessed, there are scenarios where harvesting or mail abuse attacks can span multiple connections, sometimes from a distributed source. These scenarios should be considered as well.
Bernd, this is a very good question. A common number is about 5 seconds. However, if you are a gateway and you are confident that a large number of SMTP protocol errors your servers issue are due to one form of other of abuse, this value can certainly be increased. Keep in mind that a lot of mail servers and clients have a time limit associated with a SMTP session after which it may time out, so this should not be a very, very large value.