[Greylist-users] What timeouts should be used with greylisting
David F. Skoll
dfs at roaringpenguin.com
Wed Jun 25 13:36:33 PDT 2003
On Wed, 25 Jun 2003, martin dempsey wrote:
> Spammers could get a message through greylisting using their existing broken
> spam software that does't retry by mailing the same list twice within the
> extended hour window.
Circumventing grey-listing is already dead-simple; I don't think anyone
believes spammers won't catch on eventually. Luckily, most spamware
doesn't retry at all, so we're OK.
> Most mail servers try more than twice. Some try many times even
> withing the first hour. So you could change the greylisting logic so
> getting through also requires a minimum number of attempts. So to
> get through, it must be more than one hour from the first try, less
> than N hours and at least Y attempts before its accepted.
That could work. But suppose I'm an evil spammer who wants to send a
20K spam. I simply send a 10-byte test message until it gets
accepted, and then quickly send my 20K spam, knowing I've opened up
the system. Unless you're proposing adding a hash of the actual
message to the "relationship" tuple (which is simply infeasible),
smart spammers won't waste all that much bandwidth.
Adding subject and/or message size to the tuple would punish legitimate
senders too much. Anyone I haven't explicitly whitelisted would have
to go through the retry routine for every message they send me! I think
you'd find the big ISP's grumbling at you.
> The goal is to make spammers life difficult, but never bounce normal
> email. With a normal email server that makes retries to get the
> message through the subject and message size don't change.
That's what I assumed also, but it's an incorrect assumption! Some
mail systems (eg Lotus Notes, I believe) store the mail in an internal
structured format. At *each* retry, they generate a *new* MIME
message, that could have different MIME boundaries, and conceivably a
different size. This caused endless trouble with CanIt at first, until
we figured out which portions of the message were mutable and told CanIt
to ignore them.
> Message size is also interesting since
> it will stop the spammers from adapting to greylisting by sending a small
> message that uses minimum bandwidth to "start the clock"
Ah. :-) You answered my objection, but I think your solution is more
objectionable. It hurts legitimate senders too much.
> If you make spammers use enough bandwidth to get messages through, rather
> than adapting to greylisting they may just avoid greylisting servers.
I used to think you could hurt spammers by making them waste
bandwidth, but I no longer believe that. Spammers can take advantage
of proxies, open-relays, and in the future, probably even rooted and
0wned machines to send spam on their behalf.
In my opinion, most technological anti-spam systems help the
recipient; they don't really hurt the spammer. To hurt spammers, we
need tough legislation and tough enforcement (and a means of
enforcement), none of which I see happening soon.
More information about the Greylist-users