[Greylist-users] Greylist improvement: the canary

martin dempsey mjd at digitaleveryware.com
Fri Feb 27 10:46:42 PST 2004


> So I figured, what if I had a script that went through, looked
> for hosts attempting to deliver to that malformed localpart AND
> have never passed a mail through the greylist... and I set the
> block_expires and record_expires on all blocks for that IP to
> 5 days from now...

This canary thing seems really promising. Greylisting by itself is just an
annoyance spammers can get around with spam sending software that retries
correctly, but when you add a blacklist that is updated in less time than the
initial greylisting delay, then the combination is really good.

So, how can you create a blacklist that is updated so quickly? Your answer: 
Let the spammers add themselves to the blacklist by sending mail to a 
spamtrap email (canary) address. Brilliant.

I was originally worried that wildcard blocking by IP would block legitimate
emails from users that, say, set up an alias or .forward from another email
account. But that's obviously not a problem unless the user .forwards to a
canary address. Can anyone think of other problems with this approach?

So, spammers send email to all the addresses they scraped off your websites,
canary addresses included. All email is delayed by greylisting until the
spammer sends to a canary address. Then all the email is (hopefully) bounced
with a 5xx error: "you are a spammer in our blacklist, try again in a week"
or some such. I like it since it will block spammers even with an MTA that
would retry to get around just greylisting.

So, as long as no legitimate user somehow sends email to a canary
address, or as long as no legitimate SMTP server is used to send email to a
canary address, it seems like no email will be blocked that should get
through. And I don't think there is a good way for spammers to come up with
countermeasures.

Anybody have thoughts or suggestions?
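A small model of the greylist-plus-canary rule discussed in this thread, added here as an illustration (not code from the poster or from any greylist implementation). The triplet store, the 300-second delay, the class and function names, the spamtrap address and the IPs are all assumptions; the "5 days" and the "never passed a mail through the greylist" condition come from the quoted proposal.

```python
import time

GREYLIST_DELAY = 300           # seconds a new triplet is tempfailed (451); assumed
CANARY_BLOCK = 5 * 24 * 3600   # "5 days from now", as in the quoted proposal
CANARY_ADDRESSES = {"canary@example.org"}  # constructed spamtrap (canary) address


class Greylist:
    """Triplet greylist (ip, sender, rcpt) plus the canary blacklist rule."""

    def __init__(self):
        self.records = {}    # (ip, sender, rcpt) -> expiry times and passed flag
        self.blacklist = {}  # ip -> time the canary-triggered block expires

    def has_passed_before(self, ip):
        # Safety condition from the proposal: only hosts that never got a mail
        # through the greylist are blacklisted when they hit a canary.
        return any(r["passed"] for (rip, _, _), r in self.records.items() if rip == ip)

    def blacklist_ip(self, ip, now):
        # Push block_expires and record_expires on every block for this IP out 5 days.
        self.blacklist[ip] = now + CANARY_BLOCK
        for (rip, _, _), r in self.records.items():
            if rip == ip:
                r["block_expires"] = r["record_expires"] = now + CANARY_BLOCK

    def deliver(self, ip, sender, rcpt, now=None):
        """Return the SMTP reply: 250 accept, 451 greylisted, 550 blacklisted."""
        now = time.time() if now is None else now
        if now < self.blacklist.get(ip, 0):
            return 550                  # blacklisted host: rejected even on correct retry
        if rcpt in CANARY_ADDRESSES and not self.has_passed_before(ip):
            self.blacklist_ip(ip, now)  # the sender added itself to the blacklist
            return 550
        key = (ip, sender, rcpt)
        rec = self.records.get(key)
        if rec is None or now >= rec["record_expires"]:
            rec = {"block_expires": now + GREYLIST_DELAY,
                   "record_expires": now + GREYLIST_DELAY + 86400, "passed": False}
            self.records[key] = rec
        if now < rec["block_expires"]:
            return 451                  # still inside the greylisting delay
        rec["passed"] = True
        return 250


def scenario():
    """Spammer hits scraped addresses incl. the canary; a legit host later .forwards to it."""
    g, t0 = Greylist(), 1_000_000
    spam = [g.deliver("198.51.100.7", "x@spam.test", r, t0)
            for r in ("alice@example.org", "canary@example.org", "bob@example.org")]
    spam_retry = g.deliver("198.51.100.7", "x@spam.test", "alice@example.org", t0 + 600)
    g.deliver("203.0.113.9", "friend@isp.test", "alice@example.org", t0)
    legit_pass = g.deliver("203.0.113.9", "friend@isp.test", "alice@example.org", t0 + 600)
    legit_canary = g.deliver("203.0.113.9", "friend@isp.test", "canary@example.org", t0 + 700)
    return spam, spam_retry, legit_pass, legit_canary
```

The scenario shows the two cases the post cares about: the spammer's retry to a normal address is rejected once it has touched the canary, while the host that already passed a mail through the greylist is merely greylisted, not blacklisted, when it sends to the canary.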