[Greylist-users] Re: greylisting and VERP

Scott Nelson scott at spamwolf.com
Sun Oct 12 01:34:17 PDT 2003


At 06:43 PM 10/11/03 -0400, you wrote:
>Scott Nelson wrote:
>>> The issue is that a lot of fake addresses look like this:
>>> "a-#########@example.com"  (replace the '#' with a random digit)
>>>
>>> If you convert that to "a at example.com" then a small but noticeable
>>> percentage of spam "retries" in the window, and gets through.
>
>After some consideration, I'm not sure a spammer using multiple
>"a-########@example.com" addresses from the same IP address needs to
>be considered all that different from Yahoo Groups, in terms of how
>they operate.  I guess the question is, do you want to be restrictive
>and use a whitelist, or permissive and use a blacklist?
>
>If Yahoo Groups starts sending from some new IP address not in your
>whitelist, what happens?
>
>I've run across few enough cases so far -- namely, Yahoo Groups --
>that I think I'll opt for the permissive path for now.
>
>
>I wrote:
>> Yep, that'd definitely be a problem.
>>
>> I just took a quick peek at my incoming mail, with a bit over a day's
>> worth of email, and quite a few spam messages, and I didn't see any
>> hyphenated forged names;
>
>I still haven't seen any spammer sender address in my database that is
>hyphenated, much less one matching these patterns.  Granted, it's only
>been a couple more days, and my home address is less widely advertised
>than my work address.
>
>But looking at the corpus of spam I've been using to train a spam
>filter at work, there are plenty of hyphenated senders, though a huge
>portion of them are actually virus emails which probably shouldn't be
>in my spam pool anyways.
>
>Excluding the virus emails, and the bug database I work with that
>isn't smart enough to not forward spam, one or two appear to have
>hexadecimal components, some have fixed numbers in certain positions,
>some have numbers at the beginning or end that do change.  But the
>only ones I spotted with a decimal number surrounded by dashes were
>using "-4-u" ("for you") and not changing it.
>
>I still haven't found any cases where *changing* decimal numbers are
>used in a field separated by dashes on both sides.  Looking for a
>trailing field with a dash would've grouped four senders together, all
>"<month>-<day>@ms28.hinet.net", except that the messages came through
>four different source IP addresses.
>
>I'm still willing to believe that some spammers someplace will do as
>Scott describes, and that eventually I'll have to make the pattern
>matching more clever.  Maybe I'll just drop it, if it becomes a
>problem; these particular lists aren't ones I catch up on immediately
>anyways.  I guess I'm just not crazy about having lots of legitimate
>email queueing up elsewhere.
>


When I checked, there was a small percentage of spam that was this way
(I'd guess about 2-5% by message volume).  Enough so I'd like to block it,
but not so much that I get worked up about it.
And on closer examination, most of these are mainsleaze anyway.
I.e. they use real mailers to send, so they currently get
past greylisting anyway.

Here's an example envelope_from from offertribune.com:
<629-891555-unsubscribe at offertribune.com>
There are many many more of the form
<###-######-unsubscribe at offertribune.com> in my logs.


Note that "s/-[0-9]+/-#/" results in a slightly higher false positive
rate (exactly how slight is not known).
Not doing the substitute means more delays of legitimate email.
Personally, I favor more false positives and fewer delays
(of course, with my setup it's trivial to block *@offertribune.com).
Which is better I think is mostly a matter of taste.


Scott Nelson <scott at spamwolf.com>
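An added example, not code from this thread or from any greylisting implementation, of the "s/-[0-9]+/-#/" substitution discussed above, written as a Python sender normalizer in front of a minimal greylist triplet store; the IP addresses, sender addresses and timings are constructed. It shows the trade-off in the message: with the substitution a retry carrying a different number is accepted inside the window, while without it each new number is a fresh triplet and is deferred again.

```python
import re
from dataclasses import dataclass, field

# Scott's substitution as a Python regex: every "-<digits>" run in the
# local part collapses to "-#".  A leading number with no dash before it
# (e.g. the "629" in "629-891555-unsubscribe") is left alone, as it would
# be by the original expression.
VARIABLE_DIGITS = re.compile(r"-[0-9]+")

def normalize_sender(envelope_from: str) -> str:
    """Return the greylist-key form of an envelope sender (angle brackets stripped).

    Only the local part is rewritten; the domain is kept so that per-domain
    decisions (such as blocking a whole sender domain) still work.
    """
    local, sep, domain = envelope_from.strip("<>").rpartition("@")
    if not sep:
        return envelope_from
    return f"{VARIABLE_DIGITS.sub('-#', local)}@{domain}"

@dataclass
class Greylist:
    """Minimal greylist: a (client IP, sender, recipient) triplet is deferred on
    first sight and accepted only on a retry at least `delay` seconds later
    and no more than `window` seconds later (hypothetical default values)."""
    delay: int = 300
    window: int = 4 * 3600
    normalize: bool = True
    seen: dict = field(default_factory=dict)

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        key_sender = normalize_sender(sender) if self.normalize else sender.strip("<>")
        key = (ip, key_sender, rcpt)
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now
            return "defer"          # first attempt: temporary failure
        if now - first < self.delay:
            return "defer"          # retried too soon; keep the original timestamp
        if now - first > self.window:
            self.seen[key] = now
            return "defer"          # window expired; start over
        return "accept"
```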