[Greylist-users] what happens with servers that change IP
franck at nenie.org
Thu Dec 11 17:33:08 PST 2003

> > First, I note that none of those legit servers distinguishes
> > (at the end of encoded data) between a tempfail and a 552 or
> > 554. They all retry even for permanent fail. Do legit
> > servers ever distinguish between a tempfail and a permanent
> > fail (if in reply to FROM or TO maybe?).

I think I was wrong, sorry for the incorrect report. It seems
the virus does send itself twice (or more), on a sample the
messages are very nearly identical, same byte size, same
Received: line (presumably was sent during the same batch
so received during the same second), same Message-Id:,
same body, only the Date: header varies, and obviously
intentionally as the message ID also contains a different,
earlier, date, presumably the real one as it's close to
the server's one in Received (but was not added by the
server, as it's obviously bogus). I'm not sure I see the
point of the virus writer doing this.

That also may explain away a lot of my "retries from
other machine in the pool" instances which were
really those dupes.

> See the $do_relay_lookup_by_subnet setting in the example implementation.
> This takes care of almost all of these "pooled server" setups acceptably.

Sounds like an acceptable solution, thanks. It's also on the
webpage I see, somehow I missed it.

[discriminate positively on plain text]

> And if it became commonplace, it would be easy for the
> spammers to take advantage of.

But that would not necessarily be a bad thing, because they use
HTML email to fool content filters (putting invisible comments
or tags every 2 or 3 letters for instance), so our filtering
colleagues would have an easier time with plain text, spam would
be smaller, and tracking tricks (e.g. images in HTML messages
that call back home) would not work. So spammers have something
to lose if they go back to plain text.
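
The subnet lookup discussed in this message, as an added example (not part of the original post and not code from the example implementation): the same four delivery attempts are replayed against a greylist keyed on the exact relay IP and against one keyed on the relay's subnet. The /24 granularity, the 300-second delay, the class and function names and the sample attempts are all assumptions made for illustration; it handles IPv4 relays only.

```python
import ipaddress

DELAY_SECS = 300      # assumed minimum wait before a retry is accepted
SUBNET_PREFIX = 24    # assumed granularity of the subnet lookup (IPv4)


class Greylist:
    """Hypothetical in-memory greylist keyed on (relay, sender, recipient)."""

    def __init__(self, by_subnet=True):
        self.by_subnet = by_subnet
        self.first_seen = {}  # triplet -> time of the first delivery attempt

    def _relay_key(self, ip):
        # With subnet lookup on, every host of a sending pool that shares a
        # /24 maps to the same key, so a retry from a neighbour still matches.
        if not self.by_subnet:
            return ip
        net = ipaddress.ip_network(f"{ip}/{SUBNET_PREFIX}", strict=False)
        return str(net)

    def check(self, ip, mail_from, rcpt_to, now):
        """Return an SMTP-style verdict for one delivery attempt."""
        triplet = (self._relay_key(ip), mail_from.lower(), rcpt_to.lower())
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen >= DELAY_SECS:
            return "250 accepted"
        # Unknown triplet, or a repeat that arrived before the delay expired
        # (for example a duplicate sent within the same second).
        return "451 tempfail"


def replay(attempts, by_subnet):
    """Run a list of attempts through a fresh greylist, return the verdicts."""
    gl = Greylist(by_subnet)
    return [gl.check(*a) for a in attempts]


# Constructed attempts: (relay IP, envelope sender, recipient, seconds)
ATTEMPTS = [
    ("192.0.2.10", "a@example.org", "b@example.net", 0),       # first try
    ("192.0.2.10", "a@example.org", "b@example.net", 1),       # immediate dupe
    ("192.0.2.27", "a@example.org", "b@example.net", 900),     # pool neighbour
    ("198.51.100.5", "a@example.org", "b@example.net", 1800),  # other network
]

if __name__ == "__main__":
    for flag in (False, True):
        print("by_subnet =", flag, replay(ATTEMPTS, flag))
```

Keyed on the exact IP, the retry from the pool neighbour looks like a brand-new triplet and is deferred again; keyed on the subnet, it is accepted, while the immediate duplicate and the unrelated network are still deferred.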