[Greylist-users] greylisting and VERP

Brian Ross bsr+greylist at qualcomm.com
Fri Feb 3 10:24:51 PST 2006

I'm dredging up an ancient thread from October 2003.

Those of you who implemented patches to your greylisting code to pass 
VERP senders:
- How's it working?
- Have you seen a noticeable increase in spam as a result?

(Note: this thread was also run with subject "greylisting and 
per-message sender ids")

-Brian Ross

At 11:34 PM 10/11/2003, Scott Nelson wrote:
>At 06:43 PM 10/11/03 -0400, you wrote:
> >Scott Nelson wrote:
> >>> The issue is that a lot of fake addresses look like this:
> >>> "a-#########@example.com"  (replace the '#' with a random digit)
> >>>
> >>> If you convert that to "a at example.com" then a small but noticeable
> >>> percentage of spam "retries" in the window, and gets through.
> >
> >After some consideration, I'm not sure a spammer using multiple
> >"a-########@example.com" addresses from the same IP address needs to
> >be considered all that different from Yahoo Groups, in terms of how
> >they operate.  I guess the question is, do you want to be restrictive
> >and use a whitelist, or permissive and use a blacklist?
> >
> >If Yahoo Groups starts sending from some new IP address not in your
> >whitelist, what happens?
> >
> >I've run across few enough cases so far -- namely, Yahoo Groups --
> >that I think I'll opt for the permissive path for now.
> >
> >
> >I wrote:
> >> Yep, that'd definitely be a problem.
> >>
> >> I just took a quick peek at my incoming mail, with a bit over a day's
> >> worth of email, and quite a few spam messages, and I didn't see any
> >> hyphenated forged names;
> >
> >I still haven't seen any spammer sender address in my database that is
> >hyphenated, much less one matching these patterns.  Granted, it's only
> >been a couple more days, and my home address is less widely advertised
> >than my work address.
> >
> >But looking at the corpus of spam I've been using to train a spam
> >filter at work, there are plenty of hyphenated senders, though a huge
> >portion of them are actually virus emails which probably shouldn't be
> >in my spam pool anyways.
> >
> >Excluding the virus emails, and the bug database I work with that
> >isn't smart enough to not forward spam, one or two appear to have
> >hexadecimal components, some have fixed numbers in certain positions,
> >some have numbers at the beginning or end that do change.  But the
> >only ones I spotted with a decimal number surrounded by dashes were
> >using "-4-u" ("for you") and not changing it.
> >
> >I still haven't found any cases where *changing* decimal numbers are
> >used in a field separated by dashes on both sides.  Looking for a
> >trailing field with a dash would've grouped four senders together, all
> >"<month>-<day>@ms28.hinet.net", except that the messages came through
> >four different source IP addresses.
> >
> >I'm still willing to believe that some spammers someplace will do as
> >Scott describes, and that eventually I'll have to make the pattern
> >matching more clever.  Maybe I'll just drop it, if it becomes a
> >problem; these particular lists aren't ones I catch up on immediately
> >anyways.  I guess I'm just not crazy about having lots of legitimate
> >email queueing up elsewhere.
> >
>When I checked, there was a small percentage of spam that was this way
>(I'd guess about 2-5% by message volume).  Enough so I'd like to block it,
>but not so much that I get worked up about it.
>And on closer examination, most of these are mainsleaze anyway.
>I.e. they use real mailers to send, so they currently get
>past greylisting anyway.
>Here's an example envelope_from from offertribune.com;
><629-891555-unsubscribe at offertribune.com>
>There are many many more of the form
><###-######-unsubscribe at offertribune.com> in my logs.
>Note that "s/-[0-9]+/-#/" results in a slightly higher false positive
>rate (exactly how slight is not known).
>Not doing the substitute means more delays of legitimate email.
>Personally, I favor more false positives and fewer delays
>(of course, with my setup it's trivial to block *@offertribune.com).
>Which is better I think is mostly a matter of taste.
>Scott Nelson <scott at spamwolf.com>
