[Greylist-users] Greylist improvement: the canary
martin dempsey
mjd at digitaleveryware.com
Fri Feb 27 10:46:42 PST 2004
> So I figured, what if I had a script that went through, looked
> for hosts attempting to deliver to that malformed localpart AND
> have never passed a mail through the greylist... and I set the
> block_expires and record_expires on all blocks for that IP to
> 5 days from now...
This canary thing seems really promising. Greylisting by itself is just an
annoyance spammers can get around with spam sending software that retries
correctly, but when you add a blacklist that is updated in less time than the
initial greylisting delay then the combination is really good.

So, how can you create a blacklist that is updated so quickly? Your answer:
Let the spammers add themselves to the blacklist by sending mail to a
spamtrap email (canary) address. Brilliant.

I was originally worried that wildcard blocking by IP would block legitimate
emails from users that, say, set up an alias or .forward from another email
account. But that's obviously not a problem unless the user .forwards to a
canary address. Can anyone think of other problems with this approach?

So, spammers send email to all the addresses they scraped off your websites,
canary addresses included. All email is delayed by greylisting until the
spammer sends to a canary address. Then all the email is (hopefully) bounced
with a 5xx error: "you are a spammer in our blacklist, try again in a week"
or some such. I like it since it will block spammers even with an MTA that
would retry to get around just greylisting.

So, as long as no legitimate user somehow sends email to a canary
address or as long as no legitimate SMTP server is used to send email to a
canary address, it seems like no email will be blocked that should get
through. And I don't think there is a good way for spammers to come up with
countermeasures.

Anybody have thoughts or suggestions?
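
The policy discussed in this message, sketched as an added example; it is not code from the original post or from any greylisting implementation. The class name, the one-hour delay, the reply codes 451/550 and the canary address are assumptions, and a canary hit from a host that has already passed the greylist is rejected without blacklisting, following the quoted "never passed a mail" condition.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 3600            # assumed initial greylisting delay, in seconds
CANARY_BLOCK = 5 * 86400         # "5 days from now", as in the quoted proposal
CANARIES = {"canary@example.org"}  # constructed spamtrap address


@dataclass
class CanaryGreylist:
    # (ip, sender, rcpt) -> time the triplet was first seen
    first_seen: dict = field(default_factory=dict)
    # IPs that have passed the greylist at least once
    passed_ips: set = field(default_factory=set)
    # ip -> time until which every delivery from it is refused
    blocked_until: dict = field(default_factory=dict)

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply code for one RCPT TO at time `now`."""
        # 1. The blacklist is consulted first, so a correct retry after
        #    the greylist delay still fails for a host that hit a canary.
        if self.blocked_until.get(ip, 0) > now:
            return 550
        # 2. Canary recipient: the sender adds itself to the blacklist,
        #    unless the host already has a delivery history.
        if rcpt.lower() in CANARIES:
            if ip not in self.passed_ips:
                self.blocked_until[ip] = now + CANARY_BLOCK
            return 550
        # 3. Ordinary greylisting on the (ip, sender, rcpt) triplet.
        triplet = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(triplet, now)
        if now - first < GREYLIST_DELAY:
            return 451               # temporary failure: try again later
        self.passed_ips.add(ip)
        return 250


if __name__ == "__main__":
    gl = CanaryGreylist()
    spam_ip = "192.0.2.10"           # constructed sample values
    print(gl.check(spam_ip, "a@spam.example", "user@example.org", 0))
    print(gl.check(spam_ip, "a@spam.example", "canary@example.org", 10))
    print(gl.check(spam_ip, "a@spam.example", "user@example.org", 4000))
```

The third call shows the point of the combination: the retry arrives after the greylist delay but is still refused, because the canary hit landed inside that delay.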