[Greylist-users] Re: greylisting and VERP

Ken Raeburn raeburn at raeburn.org
Wed Oct 8 23:27:10 PDT 2003


Scott Nelson wrote:
> The issue is that a lot of fake addresses look like this:
> "a-#########@example.com"  (replace the '#' with a random digit)
>
> If you convert that to "a@example.com" then a small but noticeable
> percentage of spam "retries" in the window, and gets through.

Yep, that'd definitely be a problem.

I just took a quick peek at my incoming mail, with a bit over a day's
worth of email, and quite a few spam messages, and I didn't see any
hyphenated forged names; in fact, all the hyphenated addresses were
actual list management addresses.  Same with a list I pulled out of my
relaydelay database yesterday, representing about 2 days worth of
data.

I suppose it's only a matter of time until the spammers start doing
this more often, although we could probably counter by various means:

* Have maintenance scripts detect when a number of entries differing
  only in a string of digits and all or mostly representing successful
  deliveries have been put in the database with the same IP address,
  and add an appropriate pattern to a table of substitutions (keyed on
  IP address?) that are performed, doing none in the default case.

  Busy lists would get noticed and listed; for lists with little
  traffic the delay for most or all messages probably wouldn't be so
  big a deal.  The pattern entries could expire after a while if
  they're not used.

* Specialize it a bit more for typical VERP patterns.  In some of my
  cases (the gcc.gnu.org and sources.redhat.com list software,
  specifically), the number is followed by a trivial encoding of the
  recipient's name.  Looking for blocks of digits immediately before
  such an encoding would reduce the matches a lot.

* Blacklist host X altogether, or at least "a-######@example.com" from
  host X.  Not a perfect automated scheme, obviously.  But I seem to
  recall the argument being made somewhere already that even if the
  spammers start retrying their delivery, the delay leads to a greater
  likelihood that they'll have wound up on a blacklist and thus will
  get blocked for non-greylist reasons.

Ken
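
A sketch of the first two bullets above, as an added example that is not from the original post and not relaydelay's own code: learn, per relay IP, which digit-varying senders have a record of successful deliveries, emit a substitution pattern only for those, and do no substitution for any IP without one. The row layout, the thresholds (three entries, 75% passed), the "3+ digits" cut-off and the "local=domain" recipient encoding used for the VERP check are all assumptions; the sample rows are constructed.

```python
"""Per-IP VERP pattern learning for a greylist database (added example).

Rows are (relay_ip, sender, recipient, passed_count); passed_count > 0 means
the sender retried after the greylist delay and the message was delivered.
The layout is an assumption, not relaydelay's real schema.
"""
import re
from collections import defaultdict

# Assumption: a VERP token is a run of at least three digits.
DIGITS = re.compile(r"\d{3,}")

# Constructed sample: one real list host whose bounce addresses vary only in the
# digits and (mostly) deliver, one host forging "a-######@example.com" senders
# that never retry, and one ordinary sender with no digits at all.
SAMPLE_ROWS = [
    ("192.0.2.10", "a-1001-ken=raeburn.org@lists.example.org", "ken@raeburn.org", 1),
    ("192.0.2.10", "a-1002-ken=raeburn.org@lists.example.org", "ken@raeburn.org", 1),
    ("192.0.2.10", "a-1003-ken=raeburn.org@lists.example.org", "ken@raeburn.org", 1),
    ("192.0.2.10", "a-1004-ken=raeburn.org@lists.example.org", "ken@raeburn.org", 0),
    ("198.51.100.7", "a-482913@example.com", "ken@raeburn.org", 0),
    ("198.51.100.7", "a-771204@example.com", "ken@raeburn.org", 0),
    ("198.51.100.7", "a-115598@example.com", "ken@raeburn.org", 0),
    ("203.0.113.5", "bob@example.net", "ken@raeburn.org", 1),
]


def template(sender):
    """Replace each long digit run with '#', so senders differing only in the
    digits share one key.  Returns None when the sender has no digit run."""
    if not DIGITS.search(sender):
        return None
    return DIGITS.sub("#", sender)


def looks_like_verp(sender, recipient):
    """Second bullet: the digit run must be immediately followed by an encoding
    of the recipient.  Assumption: the common 'local=domain' encoding."""
    local, _, domain = recipient.rpartition("@")
    m = DIGITS.search(sender)
    return bool(m) and sender[m.end():].startswith("-" + local + "=" + domain)


def learn_patterns(rows, min_entries=3, min_pass_ratio=0.75, strict_verp=False):
    """First bullet: for each relay IP, find groups of senders that differ only
    in a digit run and whose deliveries all or mostly succeeded.  Returns
    {ip: [(compiled_regex, template_key), ...]}; an IP with no entry gets no
    substitution at all (the default case)."""
    groups = defaultdict(lambda: defaultdict(list))  # ip -> template -> [passed?]
    for ip, sender, rcpt, passed in rows:
        key = template(sender)
        if key is None:
            continue
        if strict_verp and not looks_like_verp(sender, rcpt):
            continue
        groups[ip][key].append(passed > 0)

    patterns = {}
    for ip, tmpls in groups.items():
        for key, results in tmpls.items():
            if len(results) < min_entries:
                continue
            if sum(results) / len(results) < min_pass_ratio:
                continue
            # Turn "a-#-ken=..." into ^a\-\d+\-ken=...$ : literal text around a
            # digit wildcard, so the pattern matches only this sender shape.
            parts = re.split(r"(#)", key)
            rx = "^" + "".join(r"\d+" if p == "#" else re.escape(p) for p in parts) + "$"
            patterns.setdefault(ip, []).append((re.compile(rx), key))
    return patterns


def greylist_key(ip, sender, recipient, patterns):
    """Build the greylist triplet.  The sender is collapsed to its template
    only when this IP has a learned pattern that matches it; otherwise the
    triplet is exactly what came in, so forged digit addresses from an
    unknown host still get delayed."""
    for rx, key in patterns.get(ip, []):
        if rx.match(sender):
            return (ip, key, recipient)
    return (ip, sender, recipient)


if __name__ == "__main__":
    pats = learn_patterns(SAMPLE_ROWS, strict_verp=True)
    for ip, entries in pats.items():
        print(ip, [key for _, key in entries])
    print(greylist_key("192.0.2.10", "a-1005-ken=raeburn.org@lists.example.org",
                       "ken@raeburn.org", pats))
    print(greylist_key("198.51.100.7", "a-999999@example.com",
                       "ken@raeburn.org", pats))
```

With the sample rows the list host gets one pattern and the forging host gets none, because its entries never passed; a fresh "a-999999@example.com" from it is still greylisted as a new triplet. The example does not implement the expiry of unused patterns mentioned in the post, and nothing here defends against a spammer who retries from one IP long enough to satisfy the pass ratio; that is the case the third bullet leaves to ordinary blacklisting.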

