[Greylist-users] what happens with servers that change IP addresses

Franck Arnaud franck at nenie.org
Thu Dec 11 17:33:08 PST 2003


I wrote:

> > First, I note that none of those legit servers distinguishes
> > (at the end of encoded data) between a tempfail and a 552 or
> > 554. They all retry even for permanent fail. Do legit
> > servers ever distinguish between a tempfail and a permanent
> > fail (if in reply to FROM or TO maybe?).

I think I was wrong, sorry for the incorrect report. It seems 
the virus does send itself twice (or more), on a sample the 
messages are very nearly identical, same byte size, same 
Received: line (presumably was sent during the same batch 
so received during the same second), same Message-Id:, 
same body, only the Date: header varies, and obviously 
intentionally as the message ID also contains a different, 
earlier, date, presumably the real one as it's close to 
the server's one in Received (but was not added by the 
server, as it's obviously bogus). I'm not sure I see the 
point of the virus writer doing this.

That also may explain away a lot of my "retries from 
other machine in the pool" instances which were 
really those dupes.

> See the $do_relay_lookup_by_subnet setting in the example implementation.
> This takes care of almost all of these "pooled server" setups acceptably.

Sounds like an acceptable solution, thanks. It's also on the
webpage, I see; somehow I missed it.

[discriminate positively on plain text]
> And if it became commonplace, it would be easy for the 
> spammers to take advantage of.

But that would not necessarily be a bad thing, because they use 
HTML email to fool content filters (putting invisible comments 
or tags every 2 or 3 letters for instance), so our filtering 
colleagues would have an easier time with plain text, spam would 
be smaller, and tracking tricks (e.g. images in HTML messages 
that call back home) would not work. So spammers have something 
to lose if they go back to plain text.
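
The subnet lookup mentioned above, as an added example that is not part of the original message and is not the example implementation's code: a toy greylist replays a retry that comes from a second machine in the same pool, once keyed on the exact relay IP and once on the relay's subnet. The /24 prefix, the 300-second delay, the class and function names and the addresses are all assumptions made for illustration.

```python
import ipaddress

DELAY = 300  # assumed: seconds a new triplet must wait before it is accepted


class Greylist:
    """Toy greylist keyed on the (relay, envelope sender, recipient) triplet."""

    def __init__(self, lookup_by_subnet, prefix_len=24):
        self.lookup_by_subnet = lookup_by_subnet
        self.prefix_len = prefix_len      # assumed /24 grouping of relay addresses
        self.first_seen = {}              # triplet -> time of first attempt

    def relay_key(self, ip):
        # Exact-IP mode treats every pool member as a brand-new relay.
        if not self.lookup_by_subnet:
            return ip
        # Subnet mode collapses all relays in the same network into one key.
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        return str(net)

    def check(self, ip, sender, rcpt, now):
        """Return 'tempfail' for a triplet still in its delay, else 'accept'."""
        key = (self.relay_key(ip), sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= DELAY else "tempfail"


# Constructed attempts (documentation addresses): relay IP, sender, recipient, time.
ATTEMPTS = [
    ("192.0.2.10", "a@example.org", "b@example.net", 0),       # first try
    ("192.0.2.27", "a@example.org", "b@example.net", 600),     # retry, same pool
    ("198.51.100.5", "a@example.org", "b@example.net", 1200),  # retry, other network
]


def replay(lookup_by_subnet):
    """Run the constructed attempts through a fresh greylist."""
    gl = Greylist(lookup_by_subnet)
    return [gl.check(*attempt) for attempt in ATTEMPTS]


if __name__ == "__main__":
    print("exact IP :", replay(False))
    print("by subnet:", replay(True))
```

The third attempt shows the remaining gap: a pool spread across unrelated networks is still delayed as a new relay.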



