[Greylist-users] What timeouts should be used with greylisting
Scott Nelson
scott at spamwolf.com
Wed Jun 25 11:08:42 PDT 2003
At 09:14 AM 6/25/03 -0700, you wrote:
>> I think the 4-hour max is much too aggressive. I would use 8 hours (or
>> as you suggest, 8.1 hours) at least.
>
>Spammers could get a message through greylisting using their existing broken
>spam software that doesn't retry by mailing the same list twice within the
>extended hour window. I think that's why an aggressive time is somewhat
>good. Like you I agree it may be too aggressive.
>
I thought so too at first, but actually that doesn't work
without different tools on the spammers' part.
For example, a lot of spam I see comes with an apparently
random "sender" and uses a random open proxy.
Resending would pick new random values, so it wouldn't get through.
Fixing this is harder than it seems at first,
but I could write a tool that would do it.
And I'm sure there are lots of others who could as well,
some of whom are working for the spammers.
Eventually, it will happen, but first they have to fix the tools,
and then the tools have to be distributed.
(Think "sold" if the word distributed bothers you.)
That will take time and effort (money).
As I see it there are basically two groups;
1.) Spammers who account for greylisting specifically.
2.) Spammers who do not.
There is /no/ window that works for the first group.
The second group includes viruses, which /can't/ adapt,
(greylisting might actually kill Klez - hurrah!)
software which can't or doesn't listen to the reply,
and spammers who refuse to buy upgraded tools.
There are currently a few spammers who send out messages daily,
so it should be less than 24 hours.
There's a lot of legitimate mail servers that retry on the 4 hour mark,
so it should be more than 4 hours.
Ignoring the space in the database, I think a 9 hour window would be best.
That's long enough so even a 4 hour retry schedule with a
dropped message gets through, but short enough to stop spammers
who don't change their ways.
The ones that do change can't be stopped (with greylisting) anyway.
Scott Nelson <scott at spamwolf.com>
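
The windows discussed in this message, replayed against a minimal triplet greylist. This is an added example, not part of the original post and not any greylisting product's code; the one-hour initial delay, the addresses and the attempt times are constructed assumptions.

```python
from dataclasses import dataclass, field

HOUR = 3600

@dataclass
class Greylist:
    """Minimal greylist keyed on (client IP, envelope sender, recipient)."""
    window: int            # seconds a pending triplet may still be retried
    min_delay: int = HOUR  # assumed initial block period, not from the post
    pending: dict = field(default_factory=dict)  # triplet -> first-seen time

    def attempt(self, now, ip, sender, rcpt):
        """Return True if the attempt is accepted, False if it is tempfailed."""
        key = (ip, sender.lower(), rcpt.lower())
        first = self.pending.get(key)
        if first is None or now - first > self.window:
            # Unknown or expired triplet: restart the clock and tempfail.
            self.pending[key] = now
            return False
        # Known triplet inside the window: accept once the delay has passed.
        return now - first >= self.min_delay

def delivered(window, attempts):
    """Replay (time, ip, sender, rcpt) attempts; True if any one is accepted."""
    gl = Greylist(window=window)
    return any(gl.attempt(*a) for a in attempts)

RCPT = "user@example.org"
# Constructed scenarios (documentation address ranges, example domains).
# Legitimate MTA on a 4-hour schedule whose 4-hour retry was dropped.
LEGIT_DROPPED = [(0, "192.0.2.10", "list@example.com", RCPT),
                 (8 * HOUR, "192.0.2.10", "list@example.com", RCPT)]
# Non-retrying spam software mailing the same list once a day.
DAILY_SPAM = [(0, "198.51.100.7", "promo@example.net", RCPT),
              (24 * HOUR, "198.51.100.7", "promo@example.net", RCPT)]
# Resend that picks a new random sender and a new open proxy.
RANDOM_RESEND = [(0, "203.0.113.5", "qx7@example.net", RCPT),
                 (2 * HOUR, "203.0.113.99", "zk2@example.net", RCPT)]

if __name__ == "__main__":
    for name, run in [("legit, one retry dropped", LEGIT_DROPPED),
                      ("daily resend", DAILY_SPAM),
                      ("random sender/proxy resend", RANDOM_RESEND)]:
        for hours in (4, 9, 24):
            print(f"{name:28} window={hours:2}h delivered={delivered(hours * HOUR, run)}")
```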