[Greylist-users] Greylist improvement: the canary
sjc at carpanet.net
Fri Feb 27 08:30:05 PST 2004
The spammers gave me a great idea, and I have to thank
some incompetent spammer out there for this one. The Canary.
So I implimented greylisting based on:
(however I had nasty problems with the embeded perl interpreter in exim
so I turned it into a script thats executed, my mail volume is low
enough that it works out fine)
Anyway... I noticed when I first implimented it (back when the
embedd perl interpreter worked heh) that some incompetent filth
spewer had incorrectly scraped one of my addresses off a website,
and mangled it so it wont deliver!
So I figured, what if I had a script that went through, looked
for hosts attempting to deliver to that malformed localpart AND
have never passed a mail throguh the greylist... and I set the
block_expires and record_expires on all blocks for that IP to
5 days from now...
Thus if a spoammer sends his spam through a real mail server,
and sends to one of my canary localparts (I shoved them into
a seprate table so I could add as many as I like as I identify
them or trick spammers into accepting the) then they get no
mail through at all!
I have attached the script, it may require modification (hint:
db names username password have been sanitized)
In the 12 hours that the code has been running every 30 mins, it
has blocked 85 records - none of which (so far) have a blocked_count
higher than 1... showing that it is no more effective than the
However, the localparts that I am using for canaries don't get much
spam at all... I figure that if I can get them into more spammer's
address lists they will be more effective. (I am working on that now)
"If you shake it more than 3 times you are playing with it."
-- Mike Laramie
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1387 bytes
Desc: not available
Url : http://lists.puremagic.com/pipermail/greylist-users/attachments/20040227/c778dba8/greylist_canary.pl
More information about the Greylist-users