[Greylist-users] Some more data points

Evan Harris eharris at puremagic.com
Wed Jul 9 01:59:02 PDT 2003


On Wed, 2 Jul 2003, Scott Nelson wrote:

> >One more very interesting number that I haven't (yet) been able to gauge is
> >the number of spams that would not have been blocked by rbl/razor/whatever
> >lists if they were accepted when first seen, but since they were delayed,
> >but are in the rbl lists by the time the greylist block expires.
> >Unfortunately, it requires a lot of lookup work at every delivery attempt.
>
> Well, for a /given/ set of DNSBLs it would be simple for me to look
> up the IP and save the results in the log at RCPT time.
> Then I could (presumably correctly ;) parse the data out of the logs later.
>
> Is there a particular DNSBL(s) you (or anyone else) are interested in
> seeing the data for?  Easy to add them to the list now...

Well the ones I think are still around are MAPS, SPEWS, NJABL, Spamhaus/SBL
and Osirusoft.  There may be others though.

> >Can you do an analysis on the triplets and try to establish spammer
> >associations by seeing how many came from the same IP/range of IP's, or how
> >many were from/to similar addresses?
>
> I can, and I will, but first I'm going to
> debug my "number of connects/passed" scripts.

Any luck on the analysis yet?

> It would be nice to be able to identify 0wn3d boxen.
> Even if we can only identify a few percent of them, it's huge win IMO.
>
> I was actually rather surprised by the IP hopping.
> I've always assumed that most spammers weren't listening to bounces,
> but clearly some of them are paying very close attention indeed.
> Makes me wonder if any are tailoring content as well.

I wouldn't be surprised if they did.  Or at least, generated other
randomness to add to their mail in order to get around content filters.  But
they're already getting pretty smart about confusing bayes-type filters.

I'm really hoping someone will design a blacklist that works off of traffic
analysis, and possibly also doing something more fancy like
combining razor scoring with IP blacklisting.  There has to be a way to
increase the accuracy and response time better than current blacklists.  And
blocking the greylisting way with a tempfail instead of permanent blocks
leaves a lot more room for correcting possible mistakes in the list.

If I had someplace that would host the server, I might even try to work
something up myself.

Evan
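The measurement discussed above (record the DNSBL answer at RCPT time, then later count how many triplets were not listed at their first attempt but were listed by the time the greylist delay had passed) can be worked through on a small log. This is an added example, not code from the list or from any greylisting implementation; the log lines are constructed, and the 5-minute initial block and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BLOCK = timedelta(minutes=5)  # assumed initial greylist delay before a retry is accepted

# Constructed sample log (not from the thread): one delivery attempt per line,
# "timestamp ip sender recipient dnsbl_listed", with the DNSBL result looked up at RCPT time.
SAMPLE_LOG = """\
2003-07-02T10:00:00 192.0.2.10 bob@example.org alice@example.com 0
2003-07-02T10:00:30 192.0.2.10 bob@example.org alice@example.com 0
2003-07-02T10:06:00 192.0.2.10 bob@example.org alice@example.com 1
2003-07-02T11:00:00 198.51.100.7 carol@example.net dave@example.com 0
2003-07-02T11:30:00 198.51.100.7 carol@example.net dave@example.com 0
2003-07-02T12:00:00 203.0.113.9 spam@example.test erin@example.com 1
2003-07-02T12:10:00 203.0.113.9 spam@example.test erin@example.com 1
2003-07-02T13:00:00 203.0.113.50 spam@example.test erin@example.com 0
"""

def parse_log(text):
    """Return a list of (timestamp, (ip, sender, recipient), listed) from the log format above."""
    out = []
    for line in text.splitlines():
        ts, ip, sender, rcpt, listed = line.split()
        out.append((datetime.fromisoformat(ts), (ip, sender, rcpt), listed == "1"))
    return out

def greylist(records, block=BLOCK):
    """Classic greylisting: tempfail a triplet until `block` has elapsed since it was first seen.
    Returns (timestamp, triplet, listed, verdict) per attempt, in log order."""
    first_seen, decisions = {}, []
    for ts, triplet, listed in records:
        first = first_seen.setdefault(triplet, ts)
        verdict = "tempfail" if ts - first < block else "accept"
        decisions.append((ts, triplet, listed, verdict))
    return decisions

def caught_by_delay(decisions):
    """Triplets not DNSBL-listed at their first attempt but listed at the attempt
    greylisting finally accepted: spam that the delay alone let the DNSBL catch."""
    by_triplet = defaultdict(list)
    for _, triplet, listed, verdict in decisions:
        by_triplet[triplet].append((listed, verdict))
    caught = []
    for triplet, attempts in by_triplet.items():
        accepted = [listed for listed, verdict in attempts if verdict == "accept"]
        if not attempts[0][0] and accepted and accepted[0]:
            caught.append(triplet)
    return caught

def summarize(decisions):
    """Counts a practitioner would report: total triplets, never retried, and caught by the delay."""
    triplets = {t for _, t, _, _ in decisions}
    retried = {t for _, t, _, v in decisions if v == "accept"}
    return {"triplets": len(triplets), "never_retried": len(triplets - retried),
            "caught_by_delay": len(caught_by_delay(decisions))}
```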
