[Greylist-users] Re: greylisting and VERP
Ken Raeburn
raeburn at raeburn.org
Wed Oct 8 23:27:10 PDT 2003
Scott Nelson wrote:
> The issue is that a lot of fake addresses look like this:
> "a-#########@example.com" (replace the '#' with a random digit)
>
> If you convert that to "a at example.com" then a small but noticeable
> percentage of spam "retries" in the window, and gets through.
Yep, that'd definitely be a problem.
I just took a quick peek at my incoming mail, with a bit over a day's worth of email, and quite a few spam messages, and I didn't see any hyphenated forged names; in fact, all the hyphenated addresses were actual list management addresses. Same with a list I pulled out of my relaydelay database yesterday, representing about 2 days' worth of data.
I suppose it's only a matter of time until the spammers start doing this more often, although we could probably counter by various means:

* Have maintenance scripts detect when a number of entries differing only in a string of digits and all or mostly representing successful deliveries have been put in the database with the same IP address, and add an appropriate pattern to a table of substitutions (keyed on IP address?) that are performed, doing none in the default case. Busy lists would get noticed and listed; for lists with little traffic the delay for most or all messages probably wouldn't be so big a deal. The pattern entries could expire after a while if they're not used.

* Specialize it a bit more for typical VERP patterns. In some of my cases (the gcc.gnu.org and sources.redhat.com list software, specifically), the number is followed by a trivial encoding of the recipient's name. Looking for blocks of digits immediately before such an encoding would reduce the matches a lot.

* Blacklist host X altogether, or at least "a-######@example.com" from host X. Not a perfect automated scheme, obviously. But I seem to recall the argument being made somewhere already that even if the spammers start retrying their delivery, the delay leads to a greater likelihood that they'll have wound up on a blacklist and thus will get blocked for non-greylist reasons.
Ken
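The first countermeasure in the message above, as an added example (not code from the list or from relaydelay): a digit-run substitution is learned per sending IP only after several distinct VERP senders from that IP have actually been delivered, and the greylist triplet is left untouched for every other IP, so random "a-#########@example.com" senders from a spam host still get a fresh delay on each retry. The IPs, sender addresses and the `ENTRIES` table are constructed sample data; the field layout is an assumption, not relaydelay's schema.

```python
import re
from collections import defaultdict

# A run of three or more digits in the local part is treated as a VERP counter.
DIGIT_RUN = re.compile(r"\d{3,}")


def canonical(sender: str) -> str:
    """Fold digit runs in the local part to '#' (the domain is left alone)."""
    local, _, domain = sender.rpartition("@")
    return DIGIT_RUN.sub("#", local) + "@" + domain


def learn_patterns(entries, min_success: int = 3) -> dict:
    """entries: (ip, sender, delivered) rows from the greylist database.
    Returns {ip: {canonical pattern, ...}} for IPs where at least min_success
    distinct senders differing only in a digit run were delivered."""
    by_ip = defaultdict(lambda: defaultdict(set))
    for ip, sender, delivered in entries:
        pat = canonical(sender)
        if delivered and pat != sender:
            by_ip[ip][pat].add(sender)
    learned = {}
    for ip, pats in by_ip.items():
        good = {p for p, senders in pats.items() if len(senders) >= min_success}
        if good:
            learned[ip] = good
    return learned


def greylist_key(ip: str, sender: str, recipient: str, patterns: dict) -> tuple:
    """Triplet used for the greylist lookup. The default is the exact sender;
    the digit run is folded only when this IP has a learned matching pattern."""
    pat = canonical(sender)
    if pat in patterns.get(ip, ()):
        return (ip, pat, recipient)
    return (ip, sender, recipient)


# Constructed sample rows: a busy list host with delivered VERP mail, and a
# spam host whose random-digit senders never completed a delivery.
ENTRIES = [
    ("192.0.2.10", "gcc-patches-return-10001-bob=x.org@gcc.gnu.org", True),
    ("192.0.2.10", "gcc-patches-return-10002-bob=x.org@gcc.gnu.org", True),
    ("192.0.2.10", "gcc-patches-return-10003-bob=x.org@gcc.gnu.org", True),
    ("198.51.100.7", "a-123456789@example.com", False),
    ("198.51.100.7", "a-987654321@example.com", False),
    ("198.51.100.7", "a-555555555@example.com", False),
]

if __name__ == "__main__":
    print(learn_patterns(ENTRIES))
```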