- What does a UBE sender really need? What does he sell?
- A certain amount of sent E-Mails per minute.
This product is called Unsolicited Bulk E-Mail.
- How can anyone hit a UBE sender?
- By destroying his working tools.
- E-Mail is sent using SMTP. For this purpose a TCP/IP connection to the
MX host of the recipient is established. Usually a computer is able to
hold about 65500 TCP/IP connections from/to a certain port. But in most
cases it's a lot less due to limited resources.
If it is possible to hold a mail connection open (e.g. for several hours),
the productivity of the UBE sending equipment is dramatically reduced.
SMTP offers continuation lines to hold a connection open without running
A teergrube is a modified MTA (mail transport agent) able to do this
to specified senders.
- What are continuation lines?
- Any SMTP host answers the client's command lines with specially formatted
answer lines. Those lines consist of a return code and a human readable
comment. If there is a single space between the return code and the
comment, the server has finished its answer. If there is a minus between
those parts, the client has to wait for further answer lines from the
server. Here is an example:
214-This is Sendmail version 8.8.5
214- HELO EHLO MAIL RCPT DATA
214- RSET NOOP QUIT HELP VRFY
214- EXPN VERB ETRN DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-For local information send email to Postmaster at your site.
214 End of HELP info
If such continuation lines are sent very slowly, almost no bandwidth
is needed and the UBE sending MTA is slowed down effectively.
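The mechanism described above, as an added example that is not part of the original FAQ or of any teergrube patch it mentions: a loopback server drips a multi-line greeting while a client applies the space-versus-minus rule to decide when the reply is finished. All function names, the reply texts and the short delay are assumptions chosen so the demo finishes quickly.

```python
import asyncio

def reply_is_complete(line: str) -> bool:
    """True on the last line of a reply: 3-digit code NOT followed by '-'."""
    return len(line) >= 3 and line[:3].isdigit() and line[3:4] != "-"

def drip_lines(code: int, count: int):
    """Yield `count` continuation lines, then the single line that ends the reply."""
    for i in range(count):
        yield f"{code}-please hold ({i + 1}/{count})\r\n"
    yield f"{code} ready\r\n"

async def tarpit(reader, writer, delay, count):
    """Server side: drip a multi-line 220 greeting, pausing before every line."""
    try:
        for line in drip_lines(220, count):
            await asyncio.sleep(delay)
            writer.write(line.encode("ascii"))
            await writer.drain()
    except ConnectionError:
        pass  # the peer gave up; only the socket is left to close
    finally:
        writer.close()

async def read_reply(host, port):
    """Client side: collect lines until the reply is complete; time the wait."""
    loop = asyncio.get_running_loop()
    start = loop.time()
    reader, writer = await asyncio.open_connection(host, port)
    lines = []
    while raw := await reader.readline():
        lines.append(raw.decode("ascii").rstrip("\r\n"))
        if reply_is_complete(lines[-1]):
            break
    writer.close()
    return lines, loop.time() - start

async def _demo(delay, count):
    server = await asyncio.start_server(
        lambda r, w: tarpit(r, w, delay, count), "127.0.0.1", 0)
    async with server:
        port = server.sockets[0].getsockname()[1]
        return await read_reply("127.0.0.1", port)

def run_demo(delay=0.05, count=3):
    """Constructed loopback run; the delay is kept tiny so the demo ends fast."""
    return asyncio.run(_demo(delay, count))

if __name__ == "__main__":
    print(run_demo())
```

The client's wait grows with `delay * (count + 1)` while the server sends only a few dozen bytes per line, which is the asymmetry the answer above relies on.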
- Who developed this idea?
Köhntopp attributed the idea to Axel Zinser. The same article mentions a
secondary effect: Most MTAs log the whole SMTP dialog, so they have to deal
with several GB of logs.
- What happens if the UBE sender misused other hosts for relaying?
- In this case, the relay host will run into trouble. The responsible admin
has to stop relaying. So he is urged to configure his system correctly...
- What happens if the UBE sender recognizes teergrubing hosts in
order to not spam them any longer?
- Think about it. Mail is still possible, UBE not.
- How does a teergrube recognize a spammer?
- Currently, the IP address of the remote host is matched against
a fixed, configurable table. A standard entry for AGIS (All you Get Is
Spam = Apex Global Information Systems/Service) is derived from the
Internic resources containing 204.137.128/18, 204.137.192/19,
205.137.48/18, 205.164.64/17, 205.254.160/22, 205.254.176/21, 207.142/16,
The IP address of the remote host is immediately available after
the connection has been established.
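Added example, not the FAQ author's code: loading the table entries visible above and matching a peer address with Python's `ipaddress` module. The function names are assumptions. Two of the listed entries (205.137.48/18 and 205.164.64/17) have address bits set beyond their prefix length, so the loader reports them instead of silently widening the range, since a false match delays legitimate mail by hours.

```python
import ipaddress

# Entries exactly as listed in the FAQ's AGIS example (shorthand notation).
AGIS_TABLE = ["204.137.128/18", "204.137.192/19", "205.137.48/18",
              "205.164.64/17", "205.254.160/22", "205.254.176/21",
              "207.142/16"]

def expand(entry: str) -> str:
    """Pad shorthand like '207.142/16' to a full dotted quad: '207.142.0.0/16'."""
    addr, _, bits = entry.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + bits

def load_table(entries):
    """Return (networks, rejected).

    Entries whose address has bits set beyond the prefix are rejected
    rather than silently widened to the enclosing network.
    """
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(expand(entry), strict=True))
        except ValueError:
            rejected.append(entry)
    return networks, rejected

def should_teergrube(peer_ip: str, networks) -> bool:
    """Decide from the peer address alone, before any SMTP command is read."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in networks)

if __name__ == "__main__":
    nets, bad = load_table(AGIS_TABLE)
    print("loaded:", [str(n) for n in nets])
    print("needs review:", bad)
    # 192.0.2.10 is a constructed documentation address, not from the FAQ.
    for peer in ("204.137.130.1", "192.0.2.10"):
        print(peer, should_teergrube(peer, nets))
```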
- How do I determine such IP areas?
- Example for AGIS: 'whois NETBLK-AGIS...'
- Will normal MTAs run into trouble, too?
- If a normal MTA is matched by accident nothing special happens.
The mail transport will take several hours instead of a few seconds.
On both systems one connection is used. As long as the sending host
does not spam, it doesn't matter.
- How many connections will be tied up by a teergrube on my host?
- A regular teergrube will hold up to ten connections open at a time.
On the spammer's side there will be up to ten connections open for every
teergrube he runs into. So decentralized resources fight against centralized
spammer resources. The more teergrubes are installed, the better.
- Why can't the spammer buy hundreds of machines to spam?
Why can't he change to special software without such limitations?
- In this case the spammer has to pay for this development. The only
question is: Who gives up first: Spammers ordering new machines or Admins
It's very possible that buying new machines results in higher spamming
costs for the customer.
Teergrubing effectively prevents UBE from one-time dial-in accounts. You can
simply call the ISP to tell him: "Your customer currently connecting to
port ... is currently sending UBE. Please cancel his account and sue him."
- What happens if the UBE sender targets my MTA to stop
me from accepting other e-mail?
- All he can do is connect to port 25 until you run out of resources.
With a non-forking MTA (teergrube) at your site he has to invent something
new to do this. On the other hand it's very unlikely that he will spend
time and money in fighting against only you.
BTW: If this happens, you are able to sue him for this Denial of Service
- Isn't it a paradox to slow down internet connections in order
to use them?
- Yep, but it helps.
- This sounds very difficult. I can simply block the spammer,
- Several hundred teergrubes are able to block spamming worldwide without
blocking any e-mail. It might be possible that even AGIS has customers
who send e-mail to your customers for normal business. Blocking e-mail is
blocking communication. This is undesirable.
So blocking helps to protect your users but not other people on the net.
So blocking does not prevent UBE at all.
- How do I start teergrubing?
- If you are the admin of an MX host, install a teergrube.
If you are only a customer, urge your admin to do this.
- Are there any ready to use teergrubes available?
especially Axel Zinser's patch at
Systems unable to receive e-mail can be supplied with a special
from Boston Business Computing.
I developed a general purpose
wrapper to use in front of your MTA.
- How many teergrubes are currently working?
- I don't know. If you do, please feel free to drop
me an e-mail.
- Does anyone have any experience with teergrubing?
- Axel was able to hold a spammer online for more than two days.
I have similar records.
In thur.net.admin there is
a daily statistics posting from a real teergrube.
- Does this idea work for Usenet Netnews (NNTP), too?
- No. Usenet News is distributed by flood filling a network of neighbours.
You would only harm your best friend, not the spammer.
- How do I express what I do?
- To teergrube, e.g.: My host is teergrubing UBE from or via AGIS.