[Greylist-users] Greylist improvement: the canary

Stephen Carpenter sjc at carpanet.net
Sat Feb 28 10:28:09 PST 2004


On Fri, Feb 27, 2004 at 09:15:45PM +0000, Franck Arnaud wrote:
> Stephen Carpenter:
> 
> > as long as no legitimate smtp server is used to send email 
> > to a canary address
> 
> Some spammers or viruses do use legitimate servers before 
> they're kicked out. If you build a list of known good 
> relays from previous mail, it's probably quite safe (if the 
> added complexity does not introduce a bug), but there's still 
> a possibility that the first ever mail you get from somewhere 
> is to a spamtrap, and the second one is from a real user.

This is exactly why I chose to implement it the way I did... see
I set the block and record to expire at the same time 5 days from
now... so around the time all that mail is finally bouncing on a 
normally setup server (assuming it hasn't been shut down, had its
queues cleared etc, which seems to be a rare occurrence), the
records all expire, and the block is lifted.

So worst case is some spammer abuses a relay we haven't seen recently,
and so for the next few days, it can't be used to send mail... 

 
> > And I don't think there is a good way for spammers to come 
> > up with countermeasures.
> 
> It's rare to have something without countermeasures! Just 
> a random one:
> 
> - given two harvested email addresses a,b at same site.
> - from IP #1, mail a then b
> - from IP #2, mail b then a
> - if the result is #1: OK FAIL and #2: FAIL FAIL,
>   you have proven that:
>      a is a good address
>      b is a spamtrap

Ahhh but how many spamtraps do I have? What's the ratio between
spamtraps and good addresses? Remember this address is doing greylisting
too, so you need something like an hour just to test 1 address...
this can of course be gotten around by testing lots of addresses in
different domains at once. (and lots of ips)
 
> Now, the countercountermeasure is to convince spammers that 
> your real address is a spamtrap :-).

hmmm well one thing I do now is I whitelisted my spamtrap and I am
systematically visiting every URL listed in a spam to it that
looks like it might contain a unique identifier or otherwise tells
them it's good.
 
> Anyway diversity makes it harder, so the more antispam 
> measures there are, the merrier.

That's my feeling... the higher the bar can be raised the better.
The less spam that has to be filtered by my spam filters (I keep 2)
the better. 

Defense in depth is always the key.

-Steve
-- 
"No other offense has ever been visited with such harsh penalties as
 seeking to help the oppressed"
                 -- Clarence Darrow
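The block-and-record mechanism Steve describes, as an added example that is not code from the post or from the greylist project: mail to a canary address blocks the sending IP, and the block and the record expire together five days later, so a relay that was abused once is let back in once its queues would have bounced. The one-hour greylist delay, the in-memory store, the address normalisation and the event scenario are assumptions made for this illustration; the scenario also exercises the worst case Franck raised, where a relay's first mail hits a spamtrap and its next mail is from a real user.

```python
# Added example (not code from the post or the greylist project): a greylist
# that treats mail to a canary/spamtrap address as a signal to block the
# sending IP, with the block and the record expiring together after 5 days,
# as the post describes. The one-hour greylist delay, the in-memory store and
# the event format are assumptions made for this illustration.
import ipaddress

GREYLIST_DELAY = 60 * 60              # assumed: retry accepted after one hour
CANARY_BLOCK_TTL = 5 * 24 * 60 * 60   # five days, as stated in the post


class CanaryGreylist:
    """Greylist whose canary hits block the sending IP until the record expires."""

    def __init__(self, canaries, delay=GREYLIST_DELAY, ttl=CANARY_BLOCK_TTL):
        self.canaries = {a.lower() for a in canaries}
        self.delay = delay
        self.ttl = ttl
        self.triplets = {}   # (ip, sender, rcpt) -> (first_seen, expires)
        self.blocks = {}     # ip -> expires

    def _expire(self, now):
        # Drop every block and greylist record whose lifetime has passed;
        # this is what lifts the block once the 5 days are up.
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        self.triplets = {k: v for k, v in self.triplets.items() if v[1] > now}

    def check(self, ip, sender, rcpt, now):
        """Return REJECT (canary block), TEMPFAIL (greylisted) or ACCEPT."""
        self._expire(now)
        ip = str(ipaddress.ip_address(ip))   # normalise the textual IP
        sender, rcpt = sender.lower(), rcpt.lower()
        expires = now + self.ttl
        if rcpt in self.canaries:
            # Canary hit: block the IP. Block and record share one expiry time.
            self.blocks[ip] = expires
            return "REJECT"
        if ip in self.blocks:
            return "REJECT"
        key = (ip, sender, rcpt)
        if key not in self.triplets:
            self.triplets[key] = (now, expires)   # first attempt: ask for a retry
            return "TEMPFAIL"
        first_seen, _ = self.triplets[key]
        if now - first_seen < self.delay:
            return "TEMPFAIL"                     # retried too early
        self.triplets[key] = (first_seen, expires)
        return "ACCEPT"


def simulate(events, canaries=("canary@example.com",)):
    """Run constructed (time, ip, sender, rcpt) events through one greylist."""
    gl = CanaryGreylist(canaries)
    return [gl.check(ip, sender, rcpt, t) for t, ip, sender, rcpt in events]


# Constructed scenario: one relay mails a real user and retries correctly; a
# second relay hits the canary, is blocked for a real user's mail too, and is
# let back in (greylisted afresh) once the five days have passed.
SAMPLE_EVENTS = [
    (0,      "192.0.2.10", "friend@example.org", "alice@example.com"),
    (3600,   "192.0.2.10", "friend@example.org", "alice@example.com"),
    (4000,   "192.0.2.20", "bulk@example.net",   "canary@example.com"),
    (5000,   "192.0.2.20", "bulk@example.net",   "alice@example.com"),
    (4000 + CANARY_BLOCK_TTL, "192.0.2.20", "user@example.net", "alice@example.com"),
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(ev[0], ev[1], "->", ev[3], verdict)
```

The fourth event is the cost Steve accepts: a real user's mail from the abused relay is refused for the rest of the block. Because the fifth event arrives exactly when the shared expiry passes, the block is gone and the relay is simply greylisted again, which is the "block is lifted" behaviour the post relies on.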