[Greylist-users] What timeouts should be used with greylisting

martin dempsey mjd at digitaleveryware.com
Wed Jun 25 10:14:40 PDT 2003


> I think the 4-hour max is much too aggressive.  I would use 8 hours (or
> as you suggest, 8.1 hours) at least.

Spammers could get a message through greylisting using their existing broken 
spam software that doesn't retry by mailing the same list twice within the 
extended hour window. I think that's why an aggressive time is somewhat 
good. Like you I agree it may be too aggressive.

So how can we open the window up longer yet stop spammers from taking 
advantage of it? And my goal is to make them pay the maximum bandwidth 
possible as well. While these ideas are not part of greylisting as described, 
I can think of a few things.

Most mail servers try more than twice. Some try many times even within the 
first hour. So you could change the greylisting logic so getting through also 
requires a minimum number of attempts. So to get through, it must be more 
than one hour from the first try, less than N hours and at least Y attempts 
before it's accepted.

If the minimum number of attempts is set to three or four, that won't even 
affect the majority of sites (since they retry that many times anyway) but 
you might be able to open up the window beyond 4 hours without problems since 
a spammer would have to remail the list many times to get through (paying 
bandwidth on each attempt).

Another thing is that spammers who email the same list more than once are 
likely to use different pitches on each attempt. One real example: the first 
attempt had a subject of "Gorgeous Asian Dolls", the next one was about 
another ethnic group.  So rather than the triplet we are currently using 
"relay_ip", "mail_from" and "rcpt_to" we could make it a quintuplet by adding 
"subject" and "message size". Subject is easy since it's in the headers. Since 
I do my rejection after the data phase, I know the message size too. 

The goal is to make spammers' lives difficult, but never bounce normal email. 
With a normal email server that makes retries to get the message through, the 
subject and message size don't change. Message size is also interesting since 
it will stop the spammers from adapting to greylisting by sending a small 
message that uses minimum bandwidth to "start the clock" that they expect 
will be blocked, then sending the real larger message later. By requiring 
each retried message to be the same size and have the same subject (or even 
checksum), it requires spammers to use extra bandwidth to get the message 
through and stops them from using different messages in case people get them 
all.

If you make spammers use enough bandwidth to get messages through, rather 
than adapting to greylisting they may just avoid greylisting servers. If you 
give a spammer the choice of emailing N users per hour to normal email 
servers or N/3 users on greylisting servers, rather than adjusting their 
spamming software to get through, they may just go for volume. At least that's 
the hope.

BTW this is just a thought exercise. My exim code doesn't do any of this and 
I have no plans to enhance it. Implemented exactly as Evan described, it's 
working so well I don't see the need at this point. Although I may tune the 
times to 55min and longer than four hours after I get some more experience.
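The accept/defer rule sketched in this post (a delay floor, an attempt minimum, an expiry window, and a quintuplet key instead of the triplet), as an added example in Python; it is not code from the post or from the Exim implementation it mentions, and the thresholds (1 hour, 8 hours, 3 attempts) and the `Greylist`/`Record` names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration: the post proposes "more than
# one hour from the first try, less than N hours and at least Y attempts".
MIN_DELAY = 3600          # seconds: no acceptance within the first hour
MAX_WINDOW = 8 * 3600     # seconds: N hours, after which the record is forgotten
MIN_ATTEMPTS = 3          # Y: deliveries required before acceptance


@dataclass
class Record:
    first_seen: float     # time of the first attempt for this key
    attempts: int         # deliveries seen for this key, including the first


class Greylist:
    """Greylist keyed on (relay_ip, mail_from, rcpt_to, subject, size)."""

    def __init__(self, min_delay=MIN_DELAY, max_window=MAX_WINDOW,
                 min_attempts=MIN_ATTEMPTS):
        self.min_delay = min_delay
        self.max_window = max_window
        self.min_attempts = min_attempts
        self.records = {}

    def check(self, now, relay_ip, mail_from, rcpt_to, subject, size):
        """Return 'accept' or 'defer' for one delivery attempt at time `now` (seconds)."""
        key = (relay_ip, mail_from, rcpt_to, subject, size)
        rec = self.records.get(key)
        # Unknown key, or a key whose window has expired: start the clock again.
        # A spammer changing the pitch or the size between runs lands here every time.
        if rec is None or now - rec.first_seen >= self.max_window:
            self.records[key] = Record(first_seen=now, attempts=1)
            return "defer"
        rec.attempts += 1
        # Accept only once BOTH the delay floor and the attempt minimum are met,
        # so two quick resends of the same message still do not get through.
        if now - rec.first_seen < self.min_delay or rec.attempts < self.min_attempts:
            return "defer"
        return "accept"


if __name__ == "__main__":
    # Constructed sample: a normal MTA retrying the same message four times.
    g = Greylist()
    msg = ("192.0.2.10", "alice@example.org", "bob@example.net", "Re: meeting", 2048)
    for t in (0, 900, 1800, 3900):
        print(t, g.check(t, *msg))   # defer, defer, defer, accept
```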
