[Greylist-users] Re: greylisting and VERP

Ken Raeburn raeburn at raeburn.org
Sat Oct 11 19:43:51 PDT 2003


Scott Nelson wrote:
>> The issue is that a lot of fake addresses look like this:
>> "a-#########@example.com"  (replace the '#' with a random digit)
>>
>> If you convert that to "a at example.com" then a small but noticeable
>> percentage of spam "retries" in the window, and gets through.

After some consideration, I'm not sure a spammer using multiple
"a-########@example.com" addresses from the same IP address needs to
be considered all that different from Yahoo Groups, in terms of how
they operate.  I guess the question is, do you want to be restrictive
and use a whitelist, or permissive and use a blacklist?

If Yahoo Groups starts sending from some new IP address not in your
whitelist, what happens?

I've run across few enough cases so far -- namely, Yahoo Groups --
that I think I'll opt for the permissive path for now.


I wrote:
> Yep, that'd definitely be a problem.
>
> I just took a quick peek at my incoming mail, with a bit over a day's
> worth of email, and quite a few spam messages, and I didn't see any
> hyphenated forged names;

I still haven't seen any spammer sender address in my database that is
hyphenated, much less one matching these patterns.  Granted, it's only
been a couple more days, and my home address is less widely advertised
than my work address.

But looking at the corpus of spam I've been using to train a spam
filter at work, there are plenty of hyphenated senders, though a huge
portion of them are actually virus emails which probably shouldn't be
in my spam pool anyways.

Excluding the virus emails, and the bug database I work with that
isn't smart enough to not forward spam, one or two appear to have
hexadecimal components, some have fixed numbers in certain positions,
some have numbers at the beginning or end that do change.  But the
only ones I spotted with a decimal number surrounded by dashes were
using "-4-u" ("for you") and not changing it.

I still haven't found any cases where *changing* decimal numbers are
used in a field separated by dashes on both sides.  Looking for a
trailing field with a dash would've grouped four senders together, all
"<month>-<day>@ms28.hinet.net", except that the messages came through
four different source IP addresses.

I'm still willing to believe that some spammers someplace will do as
Scott describes, and that eventually I'll have to make the pattern
matching more clever.  Maybe I'll just drop it, if it becomes a
problem; these particular lists aren't ones I catch up on immediately
anyways.  I guess I'm just not crazy about having lots of legitimate
email queueing up elsewhere.

Ken
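The whitelist-versus-blacklist trade-off and the dash-separated-digits pattern discussed above, as an added example that is not part of the original post and not the code of any greylisting implementation the thread refers to. It assumes a simple normalisation rule (every all-decimal field of the localpart bounded by dashes becomes a `#` placeholder, the notation Scott used) and a toy greylist keyed on source IP, sender and recipient; the addresses, IPs and timings are constructed.

```python
import re
from typing import Dict, Tuple

# Assumed normalisation rule, written for this example: every field of the
# localpart that is entirely decimal digits and bounded by dashes (or by the
# start/end of the localpart) becomes a '#' placeholder.  Letters, hex-looking
# fields and fixed tokens are left alone; the "4" in "-4-u" collapses too, which
# is harmless because a sender that never changes only groups with itself.
_ALL_DIGITS = re.compile(r'[0-9]+')


def normalize_sender(addr: str) -> str:
    """Collapse varying decimal fields in the localpart to a single placeholder."""
    local, at, domain = addr.rpartition('@')
    if not at:
        return addr.lower()
    fields = ['#' if _ALL_DIGITS.fullmatch(f) else f for f in local.split('-')]
    return '-'.join(fields).lower() + '@' + domain.lower()


Key = Tuple[str, str, str]


class Greylist:
    """Minimal greylist keyed on (source IP, sender, recipient).

    collapse_verp=True applies normalize_sender(), so a VERP-style sender whose
    digit field changes between attempts still counts as a retry of the same
    message (the permissive choice); collapse_verp=False keys on the literal
    sender (the restrictive choice).
    """

    def __init__(self, min_delay: float = 300.0, max_age: float = 4 * 3600.0,
                 collapse_verp: bool = True) -> None:
        self.min_delay = min_delay        # retries earlier than this are refused
        self.max_age = max_age            # records older than this are forgotten
        self.collapse_verp = collapse_verp
        self._first_seen: Dict[Key, float] = {}

    def key(self, ip: str, sender: str, rcpt: str) -> Key:
        s = normalize_sender(sender) if self.collapse_verp else sender.lower()
        return (ip, s, rcpt.lower())

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """'TEMPFAIL' for a new or too-early triple, 'ACCEPT' for a retry that
        arrives after min_delay while the record is still within max_age."""
        k = self.key(ip, sender, rcpt)
        first = self._first_seen.get(k)
        if first is None or now - first > self.max_age:
            self._first_seen[k] = now     # new triple or stale record: start over
            return 'TEMPFAIL'
        if now - first < self.min_delay:
            return 'TEMPFAIL'             # retried too soon
        return 'ACCEPT'


def demo() -> Dict[str, object]:
    """Replay the two situations from the thread with constructed sample data."""
    out: Dict[str, object] = {}
    rcpt = 'me@localhost.example'         # constructed recipient

    # Scott's case: same source IP, different random digits on each attempt.
    # With collapsing, the second attempt after the delay looks like a retry.
    lenient = Greylist(collapse_verp=True)
    lenient.check('192.0.2.10', 'a-48213977@example.com', rcpt, now=0.0)
    out['random_digits_collapsed'] = lenient.check(
        '192.0.2.10', 'a-90311250@example.com', rcpt, now=600.0)
    strict = Greylist(collapse_verp=False)
    strict.check('192.0.2.10', 'a-48213977@example.com', rcpt, now=0.0)
    out['random_digits_strict'] = strict.check(
        '192.0.2.10', 'a-90311250@example.com', rcpt, now=600.0)

    # Ken's hinet observation: four "<month>-<day>" senders normalise to the same
    # address, but each came from a different IP, so the IP in the key keeps the
    # four records apart and none is accepted on first sight.
    g = Greylist()
    hinet = [('198.51.100.%d' % i, '10-%d@ms28.hinet.net' % (8 + i)) for i in range(4)]
    out['hinet_results'] = [g.check(ip, snd, rcpt, now=100.0 * i)
                            for i, (ip, snd) in enumerate(hinet)]
    out['hinet_same_sender'] = len({normalize_sender(snd) for _, snd in hinet})
    out['hinet_distinct_keys'] = len({g.key(ip, snd, rcpt) for ip, snd in hinet})
    return out


if __name__ == '__main__':
    for name, value in demo().items():
        print(name, value)
```

The `random_digits_*` entries show the cost of the permissive path directly: the collapsed key accepts the second message, the literal key does not. Whether that is acceptable depends on how often the collapsing pattern actually fires against spam, which is exactly what Ken's corpus check is measuring.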