Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2008/05/19 18:07:14 UTC

MailChannels Traffic Control (fwd)

Hey all --

I'm on the technical advisory board for MailChannels, a company who make a
commercial traffic-shaping antispam product, Traffic Control.  Basically,
you put it in front of your real MTA, and it applies "the easy stuff" --
greet-pause, early-talker disconnection, lookup against front-line DNSBLs,
etc. -- in a massively scalable fashion, handling thousands of SMTP
connections on a single box.   By taking care of 80% of the bad stuff
upfront, it takes a massive load off of your backend -- and, key point,
off your SpamAssassin setup. ;)

Until recently, the product was for-pay and (relatively) hard to get your
hands on, but as of today, they're making it available as a download at
http://mailchannels.com/download/ .  Apparently: "it's free for low-volume
use, but high volume users will need a license key."

Anyway, take a look, if you're interested.  I think it's pretty cool.
(and I'm not just saying that because I'm on their tech advisory board. ;)

--j.

Re: MailChannels Traffic Control

Posted by Ralf Hildebrandt <Ra...@charite.de>.
* Michael Scheidell <sc...@secnap.net>:

> > To be fair (I'm testing it right now): It's easy to get running.
> > Right now the Tarpit and slowdown features cannot be had in Postfix,
> > so I'm giving it a spin.
> 
> Tarpit in postfix for years, right?

Slowdown?
 
> smtpd_soft_error_limit = 10
> smtpd_hard_error_limit = 20
> smtpd_error_sleep_time = 4m

But this comes at the expense of one fat smtpd per tarpitted client.

> And if this box can't keep a valid/updated list of recipients, then it can
> contribute to the backscanner problem by sending DHA to the final MTA for it
> to bounce, right?

No, it works as a proxy. They got that right.

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                 send no mail to snickebo@charite.de
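
Added example (not from any post in this thread, and not MailChannels or Postfix code): greet-pause with early-talker detection, the first two checks named in the opening post, run on a single event loop so that a delayed client costs a timer instead of the dedicated smtpd process Ralf mentions. The pause length, hostname, reply text, port and the in-memory sample clients are assumptions constructed for the demo.

```python
import asyncio
import time
from collections import Counter

GREET_PAUSE = 5.0  # seconds the banner is withheld (assumed value, not from the thread)
BANNER = b"220 mx.example.test ESMTP\r\n"  # placeholder hostname
REJECT = b"554 SMTP synchronization error: input sent before banner\r\n"


async def classify(reader, pause=GREET_PAUSE):
    """Hold the banner for `pause` seconds and watch what the client does.

    A compliant SMTP client waits for the 220 greeting, so any bytes that
    arrive during the pause mark an early talker.
    """
    try:
        data = await asyncio.wait_for(reader.read(512), timeout=pause)
    except asyncio.TimeoutError:
        return "ok"  # stayed silent for the whole pause
    # read() returns b"" only at EOF: the client gave up waiting.
    return "early-talker" if data else "hung-up"


async def handle(reader, writer):
    """Per-connection callback for asyncio.start_server."""
    verdict = await classify(reader)
    if verdict == "early-talker":
        writer.write(REJECT)
    elif verdict == "ok":
        writer.write(BANNER)  # a real front end would now proxy to the backend MTA
    if verdict != "hung-up":
        await writer.drain()
    writer.close()


async def _simulate(n_quiet, n_early, n_hangup, pause):
    loop = asyncio.get_running_loop()
    readers = []
    for i in range(n_quiet + n_early + n_hangup):
        r = asyncio.StreamReader()  # constructed in-memory "connection"
        if n_quiet <= i < n_quiet + n_early:
            # constructed bot traffic: sends commands halfway through the pause
            loop.call_later(pause / 2, r.feed_data, b"HELO bot.example.test\r\n")
        elif i >= n_quiet + n_early:
            # constructed impatient client: disconnects halfway through the pause
            loop.call_later(pause / 2, r.feed_eof)
        readers.append(r)
    start = time.monotonic()
    verdicts = await asyncio.gather(*(classify(r, pause) for r in readers))
    return Counter(verdicts), time.monotonic() - start


def simulate(n_quiet=1500, n_early=400, n_hangup=100, pause=0.4):
    """Run all constructed clients concurrently; return (verdict counts, seconds)."""
    return asyncio.run(_simulate(n_quiet, n_early, n_hangup, pause))


async def serve(host="127.0.0.1", port=2525):
    """Listen on a real socket (not started by the demo below)."""
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    counts, elapsed = simulate()
    print(dict(counts), f"{elapsed:.2f}s for {sum(counts.values())} paused connections")
```

All simulated connections sit in the pause at the same time, so the total run time stays close to one pause length regardless of how many clients are waiting.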

Re: MailChannels Traffic Control (fwd)

Posted by Jo Rhett <jr...@netconsonance.com>.
On May 21, 2008, at 11:37 AM, John Hardin wrote:
> Also consider that greylisting will allow URIBLs time to update even  
> if all spambots implement retry and thus negate the _original_  
> intent of greylisting...

The negative effects of greylisting outweigh the positive.  As a  
provider who needs to receive timely problem reports from our  
customers, greylisting was impossible for us to use.

Comparing spam catches for greylisting against my personal domains  
where I could use greylisting (but all other rulesets being equal) I  
found that less spam was caught by SA and the overall load was  
somewhat reduced, but the amount of spam reaching the mailbox remained  
the same.  Over time the load difference reversed as the spambots  
started doing retries (often 5-10 within 2 minutes) and the amount of  
spam reaching the mailbox remained the same.  Greylisting became a  
penalty, so I disabled it.  Again, without changing the amount of spam  
reaching my mailbox.

MailChannel's implementation solves all of the problems we had with  
greylisting, while also hitting the botnets where it hurts.  It  
appears to be a great idea.  I need to figure out how to implement it  
without breaking our internal auth schemes, but I will be doing so.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: MailChannels Traffic Control (fwd)

Posted by John Hardin <jh...@impsec.org>.
On Wed, 21 May 2008, Jo Rhett wrote:

> greylist effectiveness is down to less than 10% effective at this point, 
> because the botnets know to retry now.

Also consider that greylisting will allow URIBLs time to update even if 
all spambots implement retry and thus negate the _original_ intent of 
greylisting...

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Liberals love sex ed because it teaches kids to be safe around their
   sex organs. Conservatives love gun education because it teaches kids
   to be safe around guns. However, both believe that the other's
   education goals lead to dangers too terrible to contemplate.
-----------------------------------------------------------------------
  Today: the 4th anniversary of SpaceshipOne winning the X-prize

RE: MailChannels Traffic Control (fwd)

Posted by "Koopmann, Jan-Peter" <ja...@koopmann.eu>.
> > 2: can be bypassed in greylist on that fact #1

>Both of these are addressed by Mailchannels.  But what to do when an  
>"unknown mail server" contacts you is different in the approach.   
>greylist effectiveness is down to less than 10% effective at this  
>point, because the botnets know to retry now.


FYI: Use intelligent greylisting with hashing functionality. I even know
of a product supporting this. Take a wild guess. :-) And its
effectiveness with greylisting is far beyond 10% even with retrying
botnets.


Re: MailChannels Traffic Control (fwd)

Posted by Jo Rhett <jr...@netconsonance.com>.
>>> give longer greylist times will do without marketing :-)
>> It will slow down real user's mail a lot too.

> On May 20, 2008, at 3:58 PM, Benny Pedersen wrote:
> real mail servers is
>
> 1: known
> 2: can be bypassed in greylist on that fact #1

Both of these are addressed by Mailchannels.  But what to do when an  
"unknown mail server" contacts you is different in the approach.   
greylist effectiveness is down to less than 10% effective at this  
point, because the botnets know to retry now.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: MailChannels Traffic Control (fwd)

Posted by Benny Pedersen <me...@junc.org>.
On Tue, May 20, 2008 19:23, Jo Rhett wrote:

>> give longer greylist times will do without marketing :-)
> It will slow down real user's mail a lot too.

real mail servers is

1: known
2: can be bypassed in greylist on that fact #1


Benny Pedersen


Re: MailChannels Traffic Control (fwd)

Posted by Jo Rhett <jr...@netconsonance.com>.
On May 19, 2008, at 2:05 PM, Benny Pedersen wrote:
> On Mon, May 19, 2008 20:18, Ralf Hildebrandt wrote:
>> To be fair (I'm testing it right now): It's easy to get running.
>> Right now the Tarpit and slowdown features cannot be had in Postfix,
>> so I'm giving it a spin.
>
> give longer greylist times will do without marketing :-)

It will slow down real user's mail a lot too.

Please take time to actually learn about what the product does before  
you make statements like this.  Or at least put a tag on your e-mail  
that says "I haven't read the first thing about how this product  
works, but it seems to me..."

NOTE: no affiliation with Mailchannels, just personally tired of  
seeing people make authoritative statements about products they  
haven't even read the basics about.  It turns people off from doing  
their own research because they don't realize the poster is taking out  
of the wrong side.

Re: MailChannels Traffic Control (fwd)

Posted by Benny Pedersen <me...@junc.org>.
On Mon, May 19, 2008 20:18, Ralf Hildebrandt wrote:

> To be fair (I'm testing it right now): It's easy to get running.
> Right now the Tarpit and slowdown features cannot be had in Postfix,
> so I'm giving it a spin.

give longer greylist times will do without marketing :-)


Benny Pedersen


Re: MailChannels Traffic Control (fwd)

Posted by Jo Rhett <jr...@netconsonance.com>.
On May 21, 2008, at 1:19 PM, mouss wrote:
>> All I'm saying is that you're comparing what they are doing to  
>> things which are not similar, then accusing them of doing no  
>> research.
>
> you are confusing me with someone else. I never accused anyone of  
> "doing no research".

http://www.gossamer-threads.com/lists/spamassassin/users/121113

5 messages down is you.

>> Look at your posts and your wording and you'll see.
>
> I did. still nothing.

See above.

>>> You didn't use those when you made the accusations in question.
>
> do you actually read posts you reply to?

Read your own mail folder, I quoted you at the time.  It's also all on  
the thread above if you can't find it in your trash folder.

>>> I'm calm, and I don't much care about this topic at all.  But I  
>>> spend a lot of time helping people disambiguate statements like  
>>> these from well-researched opinions, so I try to flag them when I  
>>> see them so that someone else reading the thread will know that  
>>> "this isn't the overall impression of the list"
>
> you'd better take time learning what research is.


now we're down to insults.  *plonk*

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: MailChannels Traffic Control (fwd)

Posted by mouss <mo...@netoyen.net>.
Jo Rhett wrote:
> On May 20, 2008, at 10:51 AM, mouss wrote:
>> Jo Rhett wrote:
>>> mouss, please do a little research
>>
>> I did. I may get things wrong, and would be pleased to get corrected. 
>> so please share your knowledge.
>
> All I'm saying is that you're comparing what they are doing to things 
> which are not similar, then accusing them of doing no research.

you are confusing me with someone else. I never accused anyone of "doing 
no research".
>
>>> before you go online attacking people.
>>
>> if discussion is considered as an attack, ...
>
> Look at your posts and your wording and you'll see.

I did. still nothing.
>
>> There is no such statement in my post. or do you consider "I don't 
>> see...", "it looks to me...", "I don't know for others", as 
>> "statements"? I confess that english is not my native language, but I 
>> try hard ;-p
>
> You didn't use those when you made the accusations in question.

do you actually read posts you reply to?

>
>> calm down. I apologize if I sounded like attacking your business or 
>> friends. That was not my intent.
>
> I'm calm, and I don't much care about this topic at all.  But I spend 
> a lot of time helping people disambiguate statements like these from 
> well-researched opinions, so I try to flag them when I see them so 
> that someone else reading the thread will know that "this isn't the 
> overall impression of the list"
>

you'd better take time learning what research is.

and yes, I'm calm too. I'm even laughing...




Re: MailChannels Traffic Control (fwd)

Posted by Jo Rhett <jr...@netconsonance.com>.
On May 20, 2008, at 10:51 AM, mouss wrote:
> Jo Rhett wrote:
>> mouss, please do a little research
>
> I did. I may get things wrong, and would be pleased to get  
> corrected. so please share your knowledge.

All I'm saying is that you're comparing what they are doing to things  
which are not similar, then accusing them of doing no research.

>> before you go online attacking people.
>
> if discussion is considered as an attack, ...

Look at your posts and your wording and you'll see.

> There is no such statement in my post. or do you consider "I don't  
> see...", "it looks to me...", "I don't know for others", as  
> "statements"? I confess that english is not my native language, but  
> I try hard ;-p

You didn't use those when you made the accusations in question.

> calm down. I apologize if I sounded like attacking your business or  
> friends. That was not my intent.

I'm calm, and I don't much care about this topic at all.  But I spend  
a lot of time helping people disambiguate statements like these from  
well-researched opinions, so I try to flag them when I see them so  
that someone else reading the thread will know that "this isn't the  
overall impression of the list"

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



Re: MailChannels Traffic Control (fwd)

Posted by mouss <mo...@netoyen.net>.
Jo Rhett wrote:
> mouss, please do a little research 

I did. I may get things wrong, and would be pleased to get corrected. so 
please share your knowledge.

> before you go online attacking people.

if discussion is considered as an attack, ...

> Your statements about what work and don't have no backup, 


There is no such statement in my post. or do you consider "I don't 
see...", "it looks to me...", "I don't know for others", as 
"statements"? I confess that english is not my native language, but I 
try hard ;-p

> and go against all existing evidence today, and yet you're blasting 
> them for lack of serious study.  Try to do some yourself.

calm down. I apologize if I sounded like attacking your business or 
friends. That was not my intent.



Re: MailChannels Traffic Control (fwd)

Posted by Jo Rhett <jr...@netconsonance.com>.
mouss, please do a little research before you go online attacking  
people.  Your statements about what work and don't have no backup, and  
go against all existing evidence today, and yet you're blasting them  
for lack of serious study.  Try to do some yourself.

On May 19, 2008, at 11:46 AM, mouss wrote:
> but anyway. I don't see what mailchannel are bringing that deserves  
> this debate. it looks to me like this:
>
> - they started trying to sell greetpause. and it didn't work enough
> - they moved to "slowdown" and they're trying to talk about
>
> In both cases, they don't provide any serious study. they only show  
> numbers that go with their claims. I don't know for others, but my  
> logs don't seem to confirm theirs.
>
> and the slowdown thing is based on the theory that spammers have  
> better things to do than wait. now that we know more about botnets,  
> this theory doesn't stand.
>
> how long would it take to write an asynchronous smtp client?
>
>


Re: MailChannels Traffic Control (fwd)

Posted by Ralf Hildebrandt <Ra...@charite.de>.
* mouss <mo...@netoyen.net>:

> you can use sleep. sure, it stops the process, but if your system is not  
> under heavy load, it may be acceptable...

Yep.

> but anyway. I don't see what mailchannel are bringing that deserves this  
> debate. it looks to me like this:
>
> - they started trying to sell greetpause. and it didn't work enough
> - they moved to "slowdown" and they're trying to talk about
>
> In both cases, they don't provide any serious study. they only show  
> numbers that go with their claims. I don't know for others, but my logs  
> don't seem to confirm theirs.

I haven't checked yet. I need more time.

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                 send no mail to snickebo@charite.de

Re: MailChannels Traffic Control (fwd)

Posted by mouss <mo...@netoyen.net>.
Jo Rhett wrote:
>
> On May 19, 2008, at 11:43 PM, Koopmann, Jan-Peter wrote:
>> So yes: If their main "benefit" is tarpitting etc. then I agree it 
>> probably is not worth the money or discussion.
>
> Why is everyone willing to skip doing 5 minutes of research?
>
> Mailchannels idea may not work for you.  


what do you exactly mean by "Mailchannels idea"?
tarpits, slowdown, ... have existed since a very very very long time.

> But it's worth doing a bit of research.
>
> FYI: again, not affiliated and we're not using it either.  But the 
> product is very well designed and it's a lot more clever/useful than 
> anything you're comparing it to.




Re: MailChannels Traffic Control (fwd)

Posted by Jo Rhett <jr...@netconsonance.com>.
May I suggest that you redo your research?  BarricadeMX has no feature  
at all that even attempts to address the issue MailChannels is  
addressing, ie slowing down the TCP channel.

On May 20, 2008, at 10:32 AM, Koopmann, Jan-Peter wrote:
>> Why is everyone willing to skip doing 5 minutes of research?
>
> I did.
>
>> Mailchannels idea may not work for you.  But it's worth doing a bit  
>> of
>
>> research.
>
> Oh the idea is nice. But there are others out there that - from my
> personal perspective - are doing this stuff much better, at least from
> what I can tell. See BarricadeMX from Fort Systems Ltd.
>
>> FYI: again, not affiliated and we're not using it either.  But the
>> product is very well designed and it's a lot more clever/useful than
>> anything you're comparing it to.
>
> I compare it to BarricadeMX and as I said, I think it is not so  
> clever.
> Personal opinion.
>
> Regards,
>  JP

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness



RE: MailChannels Traffic Control (fwd)

Posted by "Koopmann, Jan-Peter" <ja...@koopmann.eu>.
> Why is everyone willing to skip doing 5 minutes of research?

I did.

> Mailchannels idea may not work for you.  But it's worth doing a bit of

> research.

Oh the idea is nice. But there are others out there that - from my
personal perspective - are doing this stuff much better, at least from
what I can tell. See BarricadeMX from Fort Systems Ltd.

> FYI: again, not affiliated and we're not using it either.  But the  
> product is very well designed and it's a lot more clever/useful than  
> anything you're comparing it to.

I compare it to BarricadeMX and as I said, I think it is not so clever.
Personal opinion.

Regards, 
  JP

Re: MailChannels Traffic Control (fwd)

Posted by Jo Rhett <jr...@netconsonance.com>.
On May 19, 2008, at 11:43 PM, Koopmann, Jan-Peter wrote:
> So yes: If their main "benefit" is tarpitting etc. then I agree it  
> probably is not worth the money or discussion.

Why is everyone willing to skip doing 5 minutes of research?

Mailchannels idea may not work for you.  But it's worth doing a bit of  
research.

FYI: again, not affiliated and we're not using it either.  But the  
product is very well designed and it's a lot more clever/useful than  
anything you're comparing it to.

RE: MailChannels Traffic Control (fwd)

Posted by "Koopmann, Jan-Peter" <ja...@koopmann.eu>.
Hi 

> In both cases, they don't provide any serious study. they only show 
> numbers that go with their claims. I don't know for others, but my logs 
> don't seem to confirm theirs.

Where do they show numbers? Could not find any.

> and the slowdown thing is based on the theory that spammers have better 
> things to do than wait. now that we know more about botnets, this theory 
> doesn't stand.

I mostly agree with that. My BarricadeMX still catches around 1-2 percent of spam due to greet-pause and command-delays (at least on my secondaryMX and most customer systems). However this is after 90% of all connection attempts are killed due to blacklists anyhow. Without using blacklists this percentage would be a lot higher.

Grey listing with content hashing catches around 10% and seems more effective. 

So yes: If their main "benefit" is tarpitting etc. then I agree it probably is not worth the money or discussion.


Regards,
 JP


Re: MailChannels Traffic Control (fwd)

Posted by mouss <mo...@netoyen.net>.
Ralf Hildebrandt wrote:
> * mouss <mo...@netoyen.net>:
>
>   
>> I respect you, but I feel sorry here. Tarpit and slowdown are known since  
>> a long time, so mailchannel bring nothing here (except marketing). In  
>> particular, "greet pause" has been implemented by some people. the fact  
>> that this is not common is not due to an implementation difficulty, but  
>> to the fact that the cost/benefit ratio is not very interesting.
>>     
>
> To be fair (I'm testing it right now): It's easy to get running.
> Right now the Tarpit and slowdown features cannot be had in Postfix,
> so I'm giving it a spin.
>
>   

you can use sleep. sure, it stops the process, but if your system is not 
under heavy load, it may be acceptable...

but anyway. I don't see what mailchannel are bringing that deserves this 
debate. it looks to me like this:

- they started trying to sell greetpause. and it didn't work enough
- they moved to "slowdown" and they're trying to talk about

In both cases, they don't provide any serious study. they only show 
numbers that go with their claims. I don't know for others, but my logs 
don't seem to confirm theirs.

and the slowdown thing is based on the theory that spammers have better 
things to do than wait. now that we know more about botnets, this theory 
doesn't stand.

how long would it take to write an asynchronous smtp client?



Re: MailChannels Traffic Control

Posted by Michael Scheidell <sc...@secnap.net>.
> From: Ralf Hildebrandt <Ra...@charite.de>
> Date: Mon, 19 May 2008 20:18:26 +0200
> To: <us...@spamassassin.apache.org>
> Subject: Re: MailChannels Traffic Control (fwd)
> 
> * mouss <mo...@netoyen.net>:
> 
>> I respect you, but I feel sorry here. Tarpit and slowdown are known since
>> a long time, so mailchannel bring nothing here (except marketing). In
>> particular, "greet pause" has been implemented by some people. the fact
>> that this is not common is not due to an implementation difficulty, but
>> to the fact that the cost/benefit ratio is not very interesting.
> 
> To be fair (I'm testing it right now): It's easy to get running.
> Right now the Tarpit and slowdown features cannot be had in Postfix,
> so I'm giving it a spin.

Tarpit in postfix for years, right?

smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
smtpd_error_sleep_time = 4m

And if this box can't keep a valid/updated list of recipients, then it can
contribute to the backscanner problem by sending DHA to the final MTA for it
to bounce, right?


-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer



Re: MailChannels Traffic Control (fwd)

Posted by Ralf Hildebrandt <Ra...@charite.de>.
* mouss <mo...@netoyen.net>:

> I respect you, but I feel sorry here. Tarpit and slowdown are known since  
> a long time, so mailchannel bring nothing here (except marketing). In  
> particular, "greet pause" has been implemented by some people. the fact  
> that this is not common is not due to an implementation difficulty, but  
> to the fact that the cost/benefit ratio is not very interesting.

To be fair (I'm testing it right now): It's easy to get running.
Right now the Tarpit and slowdown features cannot be had in Postfix,
so I'm giving it a spin.

-- 
Ralf Hildebrandt (i.A. des IT-Zentrums)         Ralf.Hildebrandt@charite.de
Charite - Universitätsmedizin Berlin            Tel.  +49 (0)30-450 570-155
Gemeinsame Einrichtung von FU- und HU-Berlin    Fax.  +49 (0)30-450 570-962
IT-Zentrum Standort CBF                 send no mail to snickebo@charite.de

Re: MailChannels Traffic Control (fwd)

Posted by mouss <mo...@netoyen.net>.
Justin Mason wrote:
> Hey all --
>
> I'm on the technical advisory board for MailChannels, a company who make a
> commercial traffic-shaping antispam product, Traffic Control.  Basically,
> you put it in front of your real MTA, and it applies "the easy stuff" --
> greet-pause, early-talker disconnection, lookup against front-line DNSBLs,
> etc. -- in a massively scalable fashion, handling thousands of SMTP
> connections on a single box.   By taking care of 80% of the bad stuff
> upfront, it takes a massive load off of your backend -- and, key point,
> off your SpamAssassin setup. ;)
>
> Until recently, the product was for-pay and (relatively) hard to get your
> hands on, but as of today, they're making it available as a download at
> http://mailchannels.com/download/ .  Apparently: "it's free for low-volume
> use, but high volume users will need a license key."
>
> Anyway, take a look, if you're interested.  I think it's pretty cool.
> (and I'm not just saying that because I'm on their tech advisory board. ;)
>   


Justin,

I respect you, but I feel sorry here. Tarpit and slowdown are known since 
a long time, so mailchannel bring nothing here (except marketing). In 
particular, "greet pause" has been implemented by some people. the fact 
that this is not common is not due to an implementation difficulty, but 
to the fact that the cost/benefit ratio is not very interesting.