[Greylist-users] Greylist improvement: the canary

Stephen Carpenter sjc at carpanet.net
Fri Feb 27 08:30:05 PST 2004


The spammers gave me a great idea, and I have to thank
some incompetent spammer out there for this one. The Canary.

So I implemented greylisting based on:
http://noc.polesye.net/greylist/

(however I had nasty problems with the embedded perl interpreter in exim
so I turned it into a script that's executed, my mail volume is low
enough that it works out fine)

Anyway... I noticed when I first implemented it (back when the
embedded perl interpreter worked heh) that some incompetent filth
spewer had incorrectly scraped one of my addresses off a website,
and mangled it so it won't deliver!

So I figured, what if I had a script that went through, looked
for hosts attempting to deliver to that malformed localpart AND
have never passed a mail through the greylist... and I set the
block_expires and record_expires on all blocks for that IP to
5 days from now...

Thus if a spammer sends his spam through a real mail server,
and sends to one of my canary localparts (I shoved them into
a separate table so I could add as many as I like as I identify
them or trick spammers into accepting them) then they get no
mail through at all!

I have attached the script, it may require modification (hint:
db names username password have been sanitized)

Thoughts?

In the 12 hours that the code has been running every 30 mins, it
has blocked 85 records - none of which (so far) have a blocked_count
higher than 1... showing that it is no more effective than the
greylist itself...

However, the localparts that I am using for canaries don't get much
spam at all... I figure that if I can get them into more spammer's
address lists they will be more effective. (I am working on that now)

-Steve
-- 
"If you shake it more than 3 times you are playing with it."
                -- Mike Laramie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: greylist_canary.pl
Type: application/x-perl
Size: 1387 bytes
Desc: not available
Url : http://lists.puremagic.com/pipermail/greylist-users/attachments/20040227/c778dba8/greylist_canary.pl

