On Mon, 9 Sep 2002, Iljitsch van Beijnum wrote:

Looking for automatic off-the-shelf solution. Not something that requires a NOC to constantly update a Cisco ACL.

-Hank
On Mon, 9 Sep 2002, Hank Nussbacher wrote:
The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP, they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely.
You could traffic shape or rate limit the traffic towards port 80 to a few kbps for each IP address that might be used for spamming. If you allow small bursts (10 - 50k) this should be just fine for regular web access, since for that outgoing traffic is minimal: just the HTTP requests and ACKs. However, it will slow down spamming to at most a couple dozen spams per minute after the first few that fill up the configured burst size. I imagine this will make the spammers move on to greener pastures.
Hank Nussbacher
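
The per-IP shaping idea in the quoted reply, modelled as a token bucket. This is an added example, not something posted in the thread. The 16 kbps rate, 50 KB burst, 5 KB per webmail submission and 600-byte browsing requests every 5 seconds are assumed values chosen to fit the "few kbps" and "10 - 50k" figures mentioned above.

```python
class TokenBucket:
    """Fluid token-bucket shaper for one source IP (upstream direction only)."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8.0      # sustained rate in bytes per second
        self.burst = float(burst_bytes) # bucket depth in bytes
        self.tokens = self.burst        # bucket starts full
        self.clock = 0.0                # time of last update / end of queue

    def send(self, now, nbytes):
        """Return the time at which nbytes offered at `now` has left the shaper."""
        start = max(now, self.clock)    # wait behind traffic still draining
        self.tokens = min(self.burst, self.tokens + (start - self.clock) * self.rate)
        if self.tokens >= nbytes:       # fits in the burst allowance: no delay
            self.tokens -= nbytes
            done = start
        else:                           # drain the remainder at the shaped rate
            done = start + (nbytes - self.tokens) / self.rate
            self.tokens = 0.0
        self.clock = done
        return done


def blast_completions(bucket, msg_bytes, horizon):
    """Sender submits messages back to back; return completion times < horizon."""
    times, t = [], 0.0
    while True:
        t = bucket.send(t, msg_bytes)
        if t >= horizon:
            return times
        times.append(t)


def browse_delays(bucket, req_bytes, interval, count):
    """Ordinary browsing: one small request every `interval` seconds."""
    return [bucket.send(i * interval, req_bytes) - i * interval for i in range(count)]


if __name__ == "__main__":
    # Assumed parameters: 16 kbps sustained, 50 KB burst, 5 KB per submission.
    times = blast_completions(TokenBucket(16_000, 50_000), 5_000, 120)
    print("first minute :", sum(t < 60 for t in times), "messages")
    print("second minute:", sum(60 <= t < 120 for t in times), "messages")
    delays = browse_delays(TokenBucket(16_000, 50_000), 600, 5.0, 12)
    print("worst browsing delay:", max(delays), "s")
```

Under these assumptions the bulk sender gets the burst allowance through immediately and is then held to 24 submissions per minute, while the browsing pattern never empties the bucket.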