[Greylist-users] What timeouts should be used with greylisting
mjd at digitaleveryware.com
Wed Jun 25 10:14:40 PDT 2003
> I think the 4-hour max is much too aggressive. I would use 8 hours (or
> as you suggest, 8.1 hours) at least.
Spammers could get a message through greylisting using their existing broken
spam software that does't retry by mailing the same list twice within the
extended hour window. I think thats why an aggessive time is somewhat
good. Like you I agree it may be too aggressive.
So how can we open the window up longer yet stop spammers from taking
advantage of it? And my goal is to make them pay the maximum bandwith
possible as well. While these ideas are not part of greylisting as described,
I can think of a few things.
Most mail servers try more than twice. Some try many times even withing the
first hour. So you could change the greylisting logic so getting through also
requires a minimum number of attempts. So to get through, it must be more
than one hour from the first try, less than N hours and at least Y attempts
before its accepted.
If the minimum number of attempts is set to three or four, that won't even
affect the majority of sites (since they retry that many times anyway) but
you might be able to open up the window beyond 4 hours without problems since
a spammer would have to remail the list many times to get through (paying
bandwidth on each attempt).
Another thing is that spammers who email the same list more than once are
likely to use different pitches on each attempt. One real example: the first
attempt had a subject of "Gorgeous Asian Dolls", the next one was about
another ethnic group. So rather than the triplet we are currently using
"relay_ip", "mail_from" and "rcpt_to" we could make it a quintuplet by adding
"subject" and "message size". Subject is easy since its in the headers. Since
I do my rejection after the data phase, I know the message size too.
The goal is to make spammers life difficult, but never bounce normal email.
With a normal email server that makes retries to get the message through the
subject and message size don't change. Message size is also interesting since
it will stop the spammers from adapting to greylisting by sending a small
message that uses minimum bandwidth to "start the clock" that they expect
will be blocked, then sending the real larger message later. By requiring
each retried message to be the same size and have the same subject (or even
checksum), it requires spammers to use extra bandwidth to get the message
through and stops them from using different messages in case people get them
If you make spammers use enough bandwidth to get messages through, rather
than adapting to greylisting they may just avoid greylisting servers. If you
give a spammer the choice of emailing N users per hour to normal email
servers or N/3 users on greylisting servers - rather than adjusting their
spamming software to get through, they may just go for volume. At least thats
BTW this is just a thought exercise. My exim code doesn't do any of this and
I have no plans to enhance it. Implemented exactly as Evan described its
working so well I don't see the need at this point. Although I may tune the
times to 55min and longer than four hours after I get some more experience.
More information about the Greylist-users