[Greylist-users] greylisting and VERP

[Scott Nelson]

At 10:13 PM 10/5/03 -0400, you wrote:
>--===============1251120045==
>
>Hi.  I've only just installed relaydelay on my mail server, though
>I've been following the list (via the archive) for a little while.
>Aside from annoying little things like supposedly legitimate mailers
>that never retry, and the delays on VERP with per-message envelope
>senders, it seems like a great scheme.  (At least until the spammers
>all start resending after several hours' delay.)
>
>I'm on more than one list that uses a per-message envelope sender for
>tracking bounces.  And I can't quite agree with the comments in the
>greylisting web page that suggest it's a broken idea.  The
>recommendation in the greylist docs seems to be just to live with the
>delay for every message.
>
>For all the cases I've seen, there's a numeric field present, in one
>of a small number of fairly simple forms:
>liststuff-###-###-###-encodingofmyaddress at host (yahoo groups),
>liststuff-###-addr at host, and occasionally liststuff+M###@host.
>
>Is there some reason not to stick regular expressions for these forms
>someplace and boil them down to a common form?  A "from whom do I have
>mail" script I wrote some time back does this substitution on names
>before doing a unique sort, and it works fairly well:
>
>  | sed -e 's/-[0-9][0-9\-]*-raeburn/-#-raeburn/g' \
>        -e 's/-[0-9][0-9\-]*-kr/-#-kr/g' \
>        -e 's/+M[0-9][0-9]*@/+M#@/g' \
>        -e 's/+M[0-9][0-9]*=/+M#=/g' \
>
>Now, maybe in the Yahoo Groups case, it would make sense to keep the
>group number, except of course that Yahoo Groups is lame enough that
>it needs to be whitelisted.  Still, perhaps replacing a block of
>digits surrounded by dashes, or preceded by "+M" and followed by "@"
>or "=", would let the list messages come through without delay, and
>without opening up the recipient to too much spam?
>

Currently I chop everything after the first '-' or '+' after
the first two letters.
In regexian;

 s/(..)[-+].*\@/$1\@/


So far I haven't seen a noticable increase in spam because of it.

Another approach is to whitelist the server.


>I guess a spammer could try forging "spammer-1-foo at aol" on one pass
>and "spammer-2-foo at aol" on another pass, to avoid having the same
>identity (which could have gotten marked as a spammer) show up too
>often, and that would get him past the greylist filter with this
>change.  Is that likely to be a big problem?  
>

No.  The spammer could use spammer-1-foo at aol on 
both passes more easily, so why bother?

The issue is that a lot of fake addresses look like this:
"a-########@example.com"  (replace the '#' with a random digit)

If you convert that to "a at example.com" then a small but noticable
percentage of spam "retries" in the window, and gets through.


Scott Nelson <scott at spamwolf.com>