[Greylist-users] What timeouts should be used with greylisting

Wed Jun 25 13:36:33 PDT 2003

On Wed, 25 Jun 2003, martin dempsey wrote:

> Spammers could get a message through greylisting using their existing broken
> spam software that does't retry by mailing the same list twice within the
> extended hour window.

Circumventing grey-listing is already dead-simple; I don't think anyone
believes spammers won't catch on eventually.  Luckily, most spamware
doesn't retry at all, so we're OK.

> Most mail servers try more than twice. Some try many times even
> withing the first hour. So you could change the greylisting logic so
> getting through also requires a minimum number of attempts. So to
> get through, it must be more than one hour from the first try, less
> than N hours and at least Y attempts before its accepted.

That could work.  But suppose I'm an evil spammer who wants to send a
20K spam.  I simply send a 10-byte test message until it gets
accepted, and then quickly send my 20K spam, knowing I've opened up
the system.  Unless you're proposing adding a hash of the actual
message to the "relationship" tuple (which is simply infeasible),
smart spammers won't waste all that much bandwidth.

Adding subject and/or message size to the tuple would punish legitimate
senders too much.  Anyone I haven't explicitly whitelisted would have
to go through the retry routine for every message they send me!  I think
you'd find the big ISP's grumbling at you.

> The goal is to make spammers life difficult, but never bounce normal
> email.  With a normal email server that makes retries to get the
> message through the subject and message size don't change.

That's what I assumed also, but it's an incorrect assumption!  Some
mail systems (eg Lotus Notes, I believe) store the mail in an internal
structured format.  At *each* retry, they generate a *new* MIME
message, that could have different MIME boundaries, and conceivably a
different size.  This caused endless trouble with CanIt at first, until
we figured out which portions of the message were mutable and told CanIt
to ignore them.

> Message size is also interesting since
> it will stop the spammers from adapting to greylisting by sending a small
> message that uses minimum bandwidth to "start the clock"

Ah. :-) You answered my objection, but I think your solution is more
objectionable.  It hurts legitimate senders too much.

> If you make spammers use enough bandwidth to get messages through, rather
> than adapting to greylisting they may just avoid greylisting servers.

I used to think you could hurt spammers by making them waste
bandwidth, but I no longer believe that.  Spammers can take advantage
of proxies, open-relays, and in the future, probably even rooted and
0wned machines to send spam on their behalf.

In my opinion, most technological anti-spam systems help the
recipient; they don't really hurt the spammer.  To hurt spammers, we
need tough legislation and tough enforcement (and a means of
enforcement), none of which I see happening soon.

Regards,

David.