Wednesday, September 27, 2006

Statistics

Stats since: 21st September @ 21:09

Emails blocked: 11438
Hours in Tar Pit: 3439.29
Unique SMTP Hosts: 9246

Monday, September 25, 2006

Statistics Update

The Tar Pit has now been running since 21:09 on 21st September, and the current stats (as at 13:15 on 25th September) are:


Emails blocked: 7449
Hours in Tar Pit: 1995.28
Unique SMTP Hosts: 5961


...that's a lot of SPAM, considering we're only talking about a few domains.

A quote from someone who's using the SMTP Tar Pit at sink.filesys.net:

"I've noticed my spam has dropped right off in the last few days
I reckon you are sucking them all in"


So, it's working... just tell everyone you know about it... we can only beat the spammers if people use tools like this to do so.

Small Bug?

We're seeing a few JVM crashes when the Tar Pit is running... the error itself seems to be completely random, from SIGSEGVs to problems setting socket parameters. So, if anyone is running the Tar Pit code, we recommend wrapping it in an "auto restart" script... such as:


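#!/bin/bash
# Restart the Tar Pit whenever the JVM exits or crashes.

while true
do
    # Append the Tar Pit's output, including JVM errors on stderr, to the log.
    java -cp SMTPTarPit.jar com.slowspam.smtptarpit.Main 25 >> tarpit.log 2>&1
    # Pause before restarting so a persistent failure does not spin.
    sleep 60
done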


These problems have happened on JVM build 1.5.0-b64, running on Solaris 9 on x86. This script is for Unix-like systems; I'm sure someone will come up with a Windows flavour and post it here.

Friday, September 22, 2006

Day One

We made it through the first day. The SMTP Tar Pit has now been running for 24 hours against a few domains, and has blocked 1276 (suspected) spams, and delayed the spamming machines a total of 17690.34 minutes (294.84 hours).

First 12 Hours

In the first 12 hours of running the SMTP TarPit with just a few domains, it has received attempts to send 408 items of (suspected) spam, and the Tar Pit has kept them waiting for a total of 4900.13 minutes. Looking through the logs, it looks like most of the connections have been from machines on the end of Cable or DSL lines.

So, not bad for a start... let's get a few more domains actively using the Tar Pit and slow down the spam and spammers!

When I get time, I'll put some log file analysis stuff together and get it posting stats here automatically.

Slow Spam

Most people have big problems with the amount of spam that arrives in their Inbox daily. Some have anti-spam software loaded on their PC, others have spam filtering on their own mail servers. While spam filtering software is getting better, there is not a single solution that filters 100% of spam.

This site hopes to provide another tool in the fight against the problem of spam, and the spammers that send it.

OK, so let's get a little technical... most internet domains have DNS entries known as MX records. These records let mail servers know where to send email for that domain. A domain typically has a couple of MX records, a primary one where email is normally delivered to, and a backup that is used in the event of the primary being unreachable. Each MX record has a priority associated with it... this is a number, and the server with the lowest number is considered to be the primary. Servers with higher numbers are only normally used if the primary is not working.

Most mail servers have the ability to provide some level of filtering for spam. But in a multi-server environment it's quite common for the primary to have spam filtering but the backups to have none. This is typically the scenario if you run your own mail server complete with filtering, but rely on your ISP as a backup.

Knowing this, spammers have been able to exploit the fact that low priority mail servers have no filtering, by sending mail directly to them. Spammers use custom software that ignores the normal rules of picking the highest priority servers, instead preferring the lowest priority one. This software can range from modified copies of common MTAs to custom written "spambots" that infect compromised machines on the internet.

So, what can you do about this? Well, we can start playing them at their own game. The SlowSpam.com website is dedicated to finding ways to slow down, and block spam on the internet. Today we're launching our first tool, an SMTP Tar Pit.

The idea behind the SMTP Tar Pit is to trap rogue mail servers and prevent them from delivering spam, and to keep them busy for as long as possible, delaying them sending the next message.

To deploy the SMTP Tar Pit you need to be able to modify your domain's DNS record... if you don't know how to do this, find someone to help you. Add in an MX record with a low priority (high number) and point it to sink.filesys.net. This address is a publicly available instance of the SMTP Tar Pit.

So, for example, your DNS MX records may look like:

MX 10 myprimary.com
MX 20 mysecondary.com
MX 90 sink.filesys.net


If a genuine sender does try to deliver an email to the TarPit, the sending MTA will time out and retry against one of the other mail servers.

If you wish to run your own SMTP Tar Pit, you can download our software from http://filesys.net/slowspam/. The software is written in Java, so should run on most platforms... and the source is included if you want to examine what it's doing, or customize it for your own needs. It's released under the GPL, so please give back any changes you make to the community.

Worried about your email being disclosed to the TarPit? Well, it's certainly possible to write a TarPit that stores any email sent to it... but, this one stores nothing, and never actually sees the email. The most we see from the remote MTA (the sender) is the "HELO" message... we then keep the server busy so it never sends the email. This design allows the TarPit to use minimal network bandwidth, and avoids any privacy concerns as we never receive any details about the emails.

The only thing we log is the IP of the remote MTA, when it connected and when it disconnected. That's it.
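How a tarpit can hold a client after the HELO and record only IP, connect time and disconnect time, as an added Python example (not the SlowSpam Java code, whose internals this page does not show). It assumes the hold is done with unfinished `250-` continuation lines; `sink.example`, the 30 second interval and the loopback demo client are made up for illustration.

```python
import asyncio
import time

async def tarpit_session(reader, writer, log, interval=30.0):
    """Hold one client: greet, read its HELO, then never finish the reply."""
    peer = writer.get_extra_info("peername") or ("unknown",)
    connected = time.time()
    try:
        writer.write(b"220 sink.example ESMTP\r\n")
        await writer.drain()
        await reader.readline()  # HELO/EHLO line: read and thrown away
        while True:
            try:
                if not await asyncio.wait_for(reader.read(512), interval):
                    break  # EOF: the client hung up
            except asyncio.TimeoutError:
                # "250-" is a continuation line; the reply only ends with a
                # "250 " line, which is never sent, so the client keeps waiting.
                writer.write(b"250-please wait\r\n")
                await writer.drain()
    except (ConnectionError, ValueError):
        pass  # reset by peer, or an over-long first line
    finally:
        # IP, connect time, disconnect time: the only data kept.
        log.append((peer[0], connected, time.time()))
        writer.close()

async def _demo(interval, hold):
    log = []
    server = await asyncio.start_server(
        lambda r, w: tarpit_session(r, w, log, interval), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    banner = await reader.readline()
    writer.write(b"HELO client.example\r\n")  # constructed client greeting
    await asyncio.sleep(hold)                 # the client sits waiting here
    replies = (await reader.read(4096)).splitlines()
    writer.close()
    while not log:                            # wait for the server to log it
        await asyncio.sleep(0.01)
    server.close()
    return banner, replies, log

def demo(interval=0.05, hold=0.4):
    """Loopback client against the tarpit, with timings shortened."""
    return asyncio.run(_demo(interval, hold))

if __name__ == "__main__":
    banner, replies, log = demo()
    print(banner, len(replies), "continuation lines,",
          round(log[0][2] - log[0][1], 2), "s held")
```

`demo()` shortens the timings so the whole exchange finishes in under a second; the session handler itself defaults to one line every 30 seconds.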

We need help in the effort to defeat spammers, and encourage others to run public SMTP Tar Pits - drop us an email, we'll build up a list and post it here.

Thursday, September 21, 2006

Slow Spam Coming Soon...

Launching soon... a new tool in the fight against Spam and Spammers.

Watch This Space!