[Greylist-users] default timeout values - what do people suggest

Franck Arnaud franck at nenie.org
Tue Feb 24 12:20:43 PST 2004

Bob Beck:

> >Have you thought about using random ranges rather than fixed 
> >values? So say pass time is given as a range, say "30 to 120 minutes",

> Hmm. that's really easy for me to do, but the question is do
> you think it will actually be effective?

In theory, if (a) the entire world is using greylist-60 
(b) retries are not free for spammer (c) spammer uses 
state for retries and wants to minimise the total 
state they hold; then the randomised version is more 
costly to them than the constant one.

In practice I suppose it won't make a difference. But
generally it may be good security practice to minimise 
how predictably you behave when possible. After all 
5 minutes stops virtually everybody now, and the 
greylisting paper does suggest a longer delay for 
the same sort of reason (make it harder, just in case).

The negative side of being less predictable is that 
real problems may be harder to debug.

> Don't forget that if they actually queue and retry at all, 
> they can simply use the same parameters as a traditional MTA,

Indeed, brute force stateless retries will also work.
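A small policy simulator for the fixed-versus-range idea discussed above; this is an added example, not code from the thread or from any greylisting daemon. The triplet values and retry schedules are constructed, and the seeded RNG only makes a run repeatable.

```python
# Added example (not from the original thread): a minimal greylist policy
# that draws each triplet's pass delay from a configurable range, to
# illustrate the "fixed 60 minutes" vs "30 to 120 minutes" discussion.
import random
from dataclasses import dataclass, field

TEMPFAIL = "451 temporary failure, try again later"
PASS = "250 ok"


@dataclass
class Greylist:
    """Per-triplet state: first-seen time and the delay this triplet must wait."""
    min_delay: int            # seconds; min_delay == max_delay gives a fixed delay
    max_delay: int
    rng: random.Random = field(default_factory=random.Random)
    state: dict = field(default_factory=dict)

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        key = (ip, sender.lower(), rcpt.lower())
        entry = self.state.get(key)
        if entry is None:
            # First sight: pick this triplet's delay once, so a later retry
            # on the same triplet cannot be timed against a known window.
            delay = self.rng.randint(self.min_delay, self.max_delay)
            self.state[key] = (now, delay)
            return TEMPFAIL
        first_seen, delay = entry
        if now - first_seen >= delay:
            return PASS
        return TEMPFAIL


def simulate(min_delay, max_delay, retry_times, trials, seed=1):
    """Fraction of trials in which a sender retrying at the given offsets
    (seconds after its first attempt) gets through. Triplet is constructed."""
    rng = random.Random(seed)
    passed = 0
    for _ in range(trials):
        gl = Greylist(min_delay, max_delay, rng)
        gl.check("192.0.2.10", "a@example.net", "b@example.org", 0)
        if any(gl.check("192.0.2.10", "a@example.net", "b@example.org", t) == PASS
               for t in retry_times):
            passed += 1
    return passed / trials
```

With a fixed 60-minute delay a single retry at exactly 60 minutes always passes, while a 30-to-120-minute range lets roughly a third of such retries through; a conventional MTA schedule that keeps retrying past the top of the range still gets through every time.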

