Teergrubing FAQ
What does a UBE sender really need? What does he sell?
A certain number of e-mails sent per minute. This product is called Unsolicited Bulk E-Mail.

How can anyone hit a UBE sender?
By destroying his working tools.

E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the MX host of the recipient is established. Usually a computer is able to hold about 65500 TCP/IP connections from/to a certain port. But in most cases it's a lot less due to limited resources.

If it is possible to hold a mail connection open (e.g. for several hours), the productivity of the UBE sending equipment is dramatically reduced. SMTP offers continuation lines to hold a connection open without running into timeouts.

A teergrube is a modified MTA (mail transport agent) able to do this to specified senders.

What are continuation lines?
Any SMTP host answers the client's command lines with specially formatted answer lines. Those lines consist of a return code and a human-readable comment. If there is a single space between the return code and the comment, the server has finished its answer. If there is a minus sign (hyphen) between those parts, the client has to wait for further answer lines from the server. Here is an example:
214-This is Sendmail version 8.8.5
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-    sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info

If such continuation lines are sent very slowly, almost no bandwidth is needed and the UBE sending MTA is slowed down effectively.
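
The mechanism described above, as an added example (not code from this FAQ or from any of the teergrube implementations it mentions): a server side that sends one continuation line per delay interval, and the client-side check that decides whether the reply is finished. The function names, reply code 220, the text lines and the delay are assumptions chosen for the demonstration.

```python
import socket
import time

def continuation_lines(code, texts):
    """Format texts as one multi-line SMTP reply: 'code-' on every line but the last."""
    last = len(texts) - 1
    for i, text in enumerate(texts):
        yield f"{code}{'-' if i < last else ' '}{text}\r\n".encode("ascii")

def reply_complete(buf):
    """Client-side view: the reply ends at a full line with no '-' after the code."""
    lines = buf.split(b"\r\n")[:-1]          # ignore a trailing partial line
    if not lines or len(lines[-1]) < 3:
        return False
    return lines[-1][3:4] in (b" ", b"")     # "220 text" or a bare "220"

def drip_demo(code, texts, delay):
    """Send one line per `delay` seconds over a local socket pair.

    Returns (client_done_after_each_line, bytes_sent, seconds_held).
    """
    server, client = socket.socketpair()
    buf, states, sent = b"", [], 0
    start = time.monotonic()
    try:
        for line in continuation_lines(code, texts):
            server.sendall(line)
            sent += len(line)
            buf += client.recv(4096)
            states.append(reply_complete(buf))   # is the client free to go on?
            time.sleep(delay)
    finally:
        server.close()
        client.close()
    return states, sent, time.monotonic() - start

if __name__ == "__main__":
    # Constructed sample text; reply code 220 and the 0.05 s delay are assumptions.
    texts = ["please hold"] * 4 + ["ready"]
    states, sent, held = drip_demo(220, texts, delay=0.05)
    print(states, sent, f"{held:.2f}s")
```

The client stays blocked until the single line with a space after the code arrives, so the hold time is the number of lines multiplied by the delay while only a few bytes per line cross the wire.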

Who developed this idea?
In <54csin$m6g@white.koehntopp.de> Kristian Köhntopp attributed the idea to Axel Zinser. The same article mentions a secondary effect: Most MTAs log the whole SMTP dialog, so they have to deal with several GB of logs.

What happens if the UBE sender misused other hosts for relaying?
In this case, the relay host will run into trouble. The responsible admin has to stop relaying. So he is urged to configure his system correctly...

What happens if the UBE sender recognizes teergrubing hosts in order to not spam them any longer?
Think about it. Mail is still possible, UBE not.

How does a teergrube recognize a spammer?
Currently, the IP address of the remote host is matched against a fixed, configurable table. A standard entry for AGIS (All you Get Is Spam = Apex Global Information Systems/Service) is derived from the InterNIC resources, containing 204.137.128/18, 204.137.192/19, 205.137.48/18, 205.164.64/17, 205.254.160/22, 205.254.176/21, 207.142/16, 209.14/16.

The IP address of the remote host is immediately available after the connection has been established.
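
One way to implement the table lookup, as an added example (not the code of any teergrube named in this FAQ). It assumes the shortened notation omits trailing zero octets; the function names and the peer addresses in the demo are constructed for illustration.

```python
import ipaddress

# Table entries as printed in the FAQ, in its shortened dotted notation.
AGIS_TABLE = ["204.137.128/18", "204.137.192/19", "205.137.48/18", "205.164.64/17",
              "205.254.160/22", "205.254.176/21", "207.142/16", "209.14/16"]

def _pad(entry):
    """'207.142/16' -> ('207.142.0.0', '16'): pad omitted trailing octets with 0."""
    addr, _, bits = entry.partition("/")
    octets = addr.split(".")
    return ".".join(octets + ["0"] * (4 - len(octets))), bits

def expand(entry):
    """Parse one table entry into an IPv4Network."""
    addr, bits = _pad(entry)
    # strict=False masks off bits below the prefix instead of raising ValueError.
    return ipaddress.ip_network(f"{addr}/{bits}", strict=False)

def unaligned(entries):
    """Entries whose base address is not on the prefix boundary (worth reviewing)."""
    return [e for e in entries
            if ipaddress.ip_address(_pad(e)[0]) != expand(e).network_address]

def should_teergrube(peer_ip, table):
    """True if the connecting address falls inside any listed block."""
    ip = ipaddress.ip_address(peer_ip)
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in table)

if __name__ == "__main__":
    table = [expand(e) for e in AGIS_TABLE]
    print(unaligned(AGIS_TABLE))
    for peer in ("204.137.130.5", "::ffff:207.142.9.9", "192.0.2.10"):  # constructed
        print(peer, should_teergrube(peer, table))
```

Entries reported by unaligned() are widened to the enclosing network when parsed, so check them against the registry data before relying on them.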

How do I determine such IP areas?
Example for AGIS: 'whois NETBLK-AGIS...'

Will normal MTAs run into trouble, too?
If a normal MTA is matched by accident, nothing special happens. The mail transport will take several hours instead of a few seconds. On both systems one connection is used. As long as the sending host does not spam, it doesn't matter.

How many connections will be tied up by a teergrube on my host?
A regular teergrube will hold up to ten connections open at a time. On the spammer's side there will be up to ten connections open for every teergrube he runs into. So decentralised resources fight against centralised spammer resources. The more teergrubes are installed, the better.

Why can't the spammer buy hundreds of machines to spam? Why can't he change to special software without such limitations?
In this case the spammer has to pay for this development. The only question is: Who gives up first: Spammers ordering new machines or Admins installing software?

It's very possible that buying new machines results in higher spamming costs for the customer.

Teergrubing effectively prevents UBE from one-time dial-in accounts. You can simply call the ISP to tell him: "Your customer currently connecting to port ... is currently sending UBE. Please cancel his account and sue him."

What happens if the UBE sender targets my MTA to stop me from accepting other e-mail?
All he can do is connect to port 25 until you run out of resources. With a non-forking MTA (teergrube) at your site he has to invent something new to do this. On the other hand it's very unlikely that he will spend time and money in fighting against only you.

BTW: If this happens, you are able to sue him for this Denial of Service attack.

Isn't it a paradox to slow down internet connections in order to use them?
Yep, but it helps.

This sounds very difficult. I can simply block the spammer, can't I?
Several hundred teergrubes are able to block spamming worldwide without blocking any e-mail. It might be possible that even AGIS has customers who send e-mail to your customers for normal business. Blocking e-mail is blocking communication. This is undesirable.

So blocking helps to protect your users but not other people on the net. So blocking does not prevent UBE at all.

How do I start teergrubing?
If you are the admin of an MX host, install a teergrube. If you are only a customer, urge your admin to do this.

Are there any ready to use teergrubes available?
http://www.de.spam.abuse.net/webland/spam/ especially Axel Zinser's patch at ftp://ftp.hiss.han.de/pub/sendmail/. Systems unable to receive e-mail can be supplied with a special Perl script from Boston Business Computing.

I developed a general purpose wrapper to use in front of your MTA.

How many teergrubes are currently working?
I don't know. If you do, please feel free to drop me an e-mail.

Does anyone have any experience with teergrubing?
Axel was able to hold a spammer online for more than two days. I have similar records.

In thur.net.admin there is a daily statistics posting from a real teergrube.

Does this idea work for Usenet Netnews (NNTP), too?
No. Usenet News is distributed by flood filling a network of neighbours. You would only harm your best friend, not the spammer.

How do I express what I do?
To teergrube, e.g.: "My host is teergrubing UBE from or via AGIS."
© 1996-2016 Lutz Donnerhacke @ IKS GmbH Jena Tuesday | 26.Jul.2016