[Greylist-users] greylisting and VERP
scott at spamwolf.com
Mon Oct 6 11:29:19 PDT 2003
At 10:13 PM 10/5/03 -0400, you wrote:
>Hi. I've only just installed relaydelay on my mail server, though
>I've been following the list (via the archive) for a little while.
>Aside from annoying little things like supposedly legitimate mailers
>that never retry, and the delays on VERP with per-message envelope
>senders, it seems like a great scheme. (At least until the spammers
>all start resending after several hours' delay.)
>I'm on more than one list that uses a per-message envelope sender for
>tracking bounces. And I can't quite agree with the comments in the
>greylisting web page that suggest it's a broken idea. The
>recommendation in the greylist docs seems to be just to live with the
>delay for every message.
>For all the cases I've seen, there's a numeric field present, in one
>of a small number of fairly simple forms:
>liststuff-###-###-###-encodingofmyaddress at host (yahoo groups),
>liststuff-###-addr at host, and occasionally liststuff+M###@host.
>Is there some reason not to stick regular expressions for these forms
>someplace and boil them down to a common form? A "from whom do I have
>mail" script I wrote some time back does this substitution on names
>before doing a unique sort, and it works fairly well:
> | sed -e 's/-[0-9][0-9\-]*-raeburn/-#-raeburn/g' \
> -e 's/-[0-9][0-9\-]*-kr/-#-kr/g' \
> -e 's/+M[0-9][0-9]*@/+M#@/g' \
> -e 's/+M[0-9][0-9]*=/+M#=/g' \
>Now, maybe in the Yahoo Groups case, it would make sense to keep the
>group number, except of course that Yahoo Groups is lame enough that
>it needs to be whitelisted. Still, perhaps replacing a block of
>digits surrounded by dashes, or preceded by "+M" and followed by "@"
>or "=", would let the list messages come through without delay, and
>without opening up the recipient to too much spam?
Currently I chop everything after the first '-' or '+' after
the first two letters.
So far I haven't seen a noticeable increase in spam because of it.
Another approach is to whitelist the server.
>I guess a spammer could try forging "spammer-1-foo at aol" on one pass
>and "spammer-2-foo at aol" on another pass, to avoid having the same
>identity (which could have gotten marked as a spammer) show up too
>often, and that would get him past the greylist filter with this
>change. Is that likely to be a big problem?
No. The spammer could use spammer-1-foo at aol on
both passes more easily, so why bother?
The issue is that a lot of fake addresses look like this:
"email@example.com" (replace the '#' with a random digit)
If you convert that to "a at example.com" then a small but noticeable
percentage of spam "retries" in the window, and gets through.
Scott Nelson <scott at spamwolf.com>
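The sender normalisation the two messages discuss, as an added example that is not code from the thread or from relaydelay. It assumes the three VERP shapes the question lists, constructed sample senders on placeholder hosts, and a toy triplet greylist; both the regex approach and the "chop after the first '-' or '+'" rule are shown.

```python
import re

# Constructed sample senders matching the VERP shapes named in the thread
# (Yahoo-Groups style, list-###-addr, list+M###); hosts are placeholders.
VERP_SAMPLES = [
    "list-123-456-789-user=example.com@returns.example.net",
    "list-124-457-790-user=example.com@returns.example.net",
    "announce-42-bob@lists.example.org",
    "announce-43-bob@lists.example.org",
    "devel+M7@lists.example.org",
    "devel+M8@lists.example.org",
]

def normalize_verp_sender(sender):
    """Replace per-message numeric tags with '#' so successive VERP senders
    from one list reduce to one greylist key. Only digit runs between dashes
    or after '+M' are touched; any other local part is left intact."""
    local, sep, domain = sender.rpartition("@")
    if not sep:
        return sender
    local = re.sub(r"-\d+(?:-\d+)*(?=-)", "-#", local)   # -123-456-789-addr
    local = re.sub(r"\+M\d+(?=$|=)", "+M#", local)       # +M###@ and +M###=
    return f"{local}@{domain.lower()}"

def chop_sender(sender):
    """The reply's simpler rule: drop everything after the first '-' or '+'
    that follows the first two characters of the local part."""
    local, sep, domain = sender.rpartition("@")
    if not sep:
        return sender
    for i, ch in enumerate(local):
        if i >= 2 and ch in "-+":
            local = local[:i]
            break
    return f"{local}@{domain.lower()}"

class Greylist:
    """Minimal triplet greylist: (client_ip, sender, recipient) is deferred
    on first sight and accepted once `delay` seconds have elapsed."""
    def __init__(self, delay, normalize=normalize_verp_sender):
        self.delay, self.normalize, self.seen = delay, normalize, {}

    def check(self, client_ip, sender, recipient, now):
        key = (client_ip, self.normalize(sender), recipient.lower())
        first = self.seen.setdefault(key, now)
        return "accept" if now - first >= self.delay else "defer"
```

Passing a normaliser that strips every digit (rather than only tagged runs) into `Greylist` reproduces the failure the reply describes: two forged addresses differing only in a random digit collapse to one key, so the second one is accepted inside the window.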