[Greylist-users] default timeout values - what do people suggest
Franck Arnaud
franck at nenie.org
Tue Feb 24 12:20:43 PST 2004

Bob Beck:

> >Have you thought about using random ranges rather than fixed
> >values? So say pass time is given as a range, say "30 to 120 minutes",

> Hmm. That's really easy for me to do, but the question is do
> you think it will actually be effective?

In theory, if (a) the entire world is using greylist-60,
(b) retries are not free for the spammer, and (c) the spammer uses
state for retries and wants to minimise the total
state they hold, then the randomised version is more
costly to them than the constant one.

In practice I suppose it won't make a difference. But
generally it may be good security practice to minimise
how predictably you behave when possible. After all
5 minutes stops virtually everybody now, and the
greylisting paper does suggest a longer delay for
the same sort of reason (make it harder, just in case).

The negative side of being less predictable is that
real problems may be harder to debug.

> Don't forget that if they actually queue and retry at all,
> they can simply use the same parameters as a traditional MTA,

Indeed, brute force stateless retries will also work.
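
The randomised pass time discussed in this message, sketched as an added example that is not part of the original post or of any greylisting implementation's own code. The class name `Greylist`, the `check` method, its return strings and the in-memory storage are assumptions made for illustration; the default range is the "30 to 120 minutes" quoted above.

```python
import random


class Greylist:
    """In-memory greylist keyed on the (client IP, sender, recipient) triplet.

    Hypothetical sketch: names and return values are illustrative, and
    expiry of stale entries is left out to keep the example short.
    """

    def __init__(self, min_delay=30 * 60, max_delay=120 * 60, rng=None):
        if not 0 <= min_delay <= max_delay:
            raise ValueError("need 0 <= min_delay <= max_delay")
        self.min_delay = min_delay          # seconds
        self.max_delay = max_delay          # seconds
        # SystemRandom so a draw cannot be predicted from earlier ones.
        self.rng = rng or random.SystemRandom()
        self.pass_after = {}                # triplet -> earliest accept time
        self.passed = set()                 # triplets that retried late enough

    def check(self, ip, sender, rcpt, now):
        """Return "accept" or "tempfail" for a delivery attempt at time `now`."""
        triplet = (ip, sender, rcpt)
        if triplet in self.passed:
            return "accept"
        if triplet not in self.pass_after:
            # Draw the delay once, at first contact, and store it: retrying
            # does not re-roll it, and the value is never sent to the client.
            delay = self.rng.randint(self.min_delay, self.max_delay)
            self.pass_after[triplet] = now + delay
            return "tempfail"
        if now >= self.pass_after[triplet]:
            del self.pass_after[triplet]
            self.passed.add(triplet)
            return "accept"
        return "tempfail"


if __name__ == "__main__":
    # Constructed sample: one triplet retried every 20 minutes.
    gl = Greylist()
    for minute in range(0, 121, 20):
        verdict = gl.check("192.0.2.10", "a@example.org", "b@example.net", minute * 60)
        print(minute, verdict)
```

Setting `min_delay` equal to `max_delay` gives the constant-delay behaviour the message compares against.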