North American Network Operators Group

Re: karl and paul, expostulating

  • From: Paul A Vixie
  • Date: Wed Feb 19 23:30:30 1997

Warning: there is actual technical content contained herein.  If you joined
NANOG just to hear endless nontechnical drivel, do not read this message.

> Again, wrong Paul.  Sending back 421s to the spammers forces them to waste
> not only the connection time, but the scan time on their disks.  If lots of
> people do it they back up thousands of email messages, and THAT breaks their
> mail servers.  This is a very good thing.  It's even uglier than the 75
> seconds, in that it's cumulative and probably keeps that nice message on
> their disks (where it eats resolver resources, storage, and useless attempts
> at delivery) for up to five days.
> Much more elegant, in my opinion.

I don't think so.  I remember the 421 discussion but the problem is that it's
too easy for a spammer to reprogram their sending agent to treat it as a 500.
With a lack of SYN-ACK all they can do is turn down their TCP connect timers,
and if they turn them down low enough to avoid being hurt by my blackhole list
then they will also give up on a large number of valid recipients -- we all
win either way.

> No argument -- as long as a public root server isn't there.  If it wasn't
> I'd be SUPPORTING your black-hole list.  But it is, and as such I'm not.

I had no idea this would be anyone's position.  So be it.  I'll put up an
internal firewall to segregate F onto a blackhole-free subnet.  This will
take a week or so due to other time commitments.

> Nonsense.  Why not distribute the "block the SMTP port" list instead?

Because every Sendmail relay or end host would have to upgrade, and some
sites run NT without Sendmail and they depend on vendors to do the updates.
BGP relies on an existing infrastructure and it just works today, right now.

> The point is, you can do that, hurt the spammers even more, and still find
> ways to distribute the file (it IS only a flat file Paul) on an automated
> basis, rapidly, if you want.

	if (strncmp(response, "421", 3) == 0)
		strncpy(response, "501", 3);

> AND, you don't cut off a non-related resource (a root nameserver) in the
> process.

That's a separable issue as you well know.  I will separate it shortly.  Can
I expect a request from MCS for the blackhole feed in the next few weeks?
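
The trade-off argued in this message, as an added example that is not part of the original post: a small model of the connection time a sender spends on one filtered destination under a 421 reply versus a blackhole route. The struct, function names, 2-second SMTP exchange, 30-minute retry interval and sample SYN-ACK delays are assumptions; reading "the 75 seconds" as the TCP connect timeout is also an assumption.

```c
#include <stdio.h>
#include <string.h>

enum policy { REPLY_421, BLACKHOLE };  /* what the receiving site does */
struct sender {
    int  rewrite_421, retry;          /* applies the 421 -> 501 change; retries transient failures */
    long connect_timeout, smtp_secs;  /* SYN-ACK wait; assumed connect + greeting + reply time */
    long retry_secs, lifetime_secs;   /* assumed retry interval; queue lifetime */
};

/* Connection seconds the sender spends on one message to one filtered host. */
long sender_secs(enum policy p, const struct sender *s)
{
    long spent = 0, elapsed = 0;
    char response[4] = "421";              /* receiver's reply under REPLY_421 */
    for (;;) {
        if (p == BLACKHOLE) {
            spent += s->connect_timeout;   /* no SYN-ACK: only the timer ends the attempt */
        } else {
            spent += s->smtp_secs;
            if (s->rewrite_421 && strncmp(response, "421", 3) == 0)
                memcpy(response, "501", 3);
            if (response[0] == '5')
                return spent;              /* permanent failure: dropped, nothing queued */
        }
        if (!s->retry || elapsed + s->retry_secs > s->lifetime_secs)
            return spent;
        elapsed += s->retry_secs;
    }
}

/* Constructed sample: seconds until SYN-ACK for ten valid recipient hosts. */
static const long valid_synack_secs[] = {1, 1, 1, 2, 2, 3, 5, 9, 20, 45};

/* Valid recipients the sender abandons at a given connect timeout. */
int valid_lost(long connect_timeout)
{
    int lost = 0;
    for (size_t i = 0; i < sizeof valid_synack_secs / sizeof *valid_synack_secs; i++)
        lost += valid_synack_secs[i] > connect_timeout;
    return lost;
}

int main(void)
{
    struct sender adapted = {1, 0, 75, 2, 1800, 432000};  /* 75 s timeout, five-day queue */
    printf("421: %lds, blackhole: %lds, valid hosts lost at 5 s timeout: %d\n",
           sender_secs(REPLY_421, &adapted), sender_secs(BLACKHOLE, &adapted), valid_lost(5));
    return 0;
}
```

A sender that retries for the full queue lifetime pays far more under either policy; the model only shows that the 421 cost depends on the sender honouring the reply, while the blackhole cost is bounded below by the connect timer.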