[Greylist-users] Greylist improvement: the canary

martin dempsey mjd at digitaleveryware.com
Fri Feb 27 13:56:17 PST 2004


> It's rare to have something without countermeasures! Just
> a random one:

Point taken. Obviously, all addresses, good or canary/spamtrap should 
tempfail for the 1st hour (or whatever greylist delay) before spitting back a 
failure.  Spammers trying to get through would have to limit themselves to 
one email per hour per sending IP address. At that point, I think we've won.

And I can see bouncing with a reasonable error message to give information to 
legitimate users (which I think is important) is in conflict with keeping 
information from spammers.

I suppose one better (less obvious to spammers) solution is to tempfail every 
address for the initial delay, then accept and trash (or feed to your spam 
filter) messages to spamtrap addresses preventing spammers from realizing 
they are not good addresses. And then you could even bounce (assumed spam) 
messages to good addresses from the same IP with a confusing error like 
"email address not found" confident that if it were truly a real email 
someone would call tech support to straighten out the problem. That sort of 
error message might even convince spammers to purge their list of the good 
addresses assuming they were no longer good.

But remember, in this case in general, so far our "enemy" is one that can't 
even be bothered to queue messages and retry after more than one hour. I'm 
not certain the sophisticated attack you mentioned is an issue in the real 
world.

> Anyway diversity makes it harder, so the more antispam
> measures there are, the merrier.

I've already started to add hidden (invisible) spamtrap/canary email 
addresses to pages on websites I control.
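
The policy described in the message above, sketched as an added example (not part of the original post and not code from any greylisting implementation). The class name, the action labels, the SMTP codes chosen, and the rule that an IP is flagged at the moment a canary message is accepted are assumptions made for illustration; the addresses and IPs are constructed.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 3600  # seconds; the "1st hour (or whatever greylist delay)"


@dataclass
class CanaryGreylist:
    canaries: set                                    # spamtrap addresses, lowercase
    first_seen: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> first attempt time
    tainted_ips: set = field(default_factory=set)    # IPs that delivered to a canary

    def decide(self, ip, sender, rcpt, now):
        """Return (smtp_code, action) for one RCPT TO seen at time `now` (seconds)."""
        rcpt = rcpt.lower()
        key = (ip, sender.lower(), rcpt)
        start = self.first_seen.setdefault(key, now)
        # Good and canary addresses tempfail identically during the delay,
        # so the reply never reveals which recipients are traps.
        if now - start < GREYLIST_DELAY:
            return 451, "tempfail"
        if rcpt in self.canaries:
            # Accept, then trash or feed to the spam filter; remember the IP.
            # (Assumption: the IP is flagged here, when the canary mail is accepted.)
            self.tainted_ips.add(ip)
            return 250, "accept-discard"
        if ip in self.tainted_ips:
            # Assumed spam to a good address: reject with the uninformative
            # "email address not found" style error.
            return 550, "reject-address-not-found"
        return 250, "accept-deliver"


if __name__ == "__main__":
    # Constructed sample traffic: one sender that hits a trap, one that does not.
    gl = CanaryGreylist(canaries={"trap@example.org"})
    events = [
        ("192.0.2.1", "a@bulk.test", "trap@example.org", 0),
        ("192.0.2.1", "a@bulk.test", "user@example.org", 10),
        ("192.0.2.1", "a@bulk.test", "trap@example.org", 3600),
        ("192.0.2.1", "a@bulk.test", "user@example.org", 3700),
        ("198.51.100.7", "b@corp.test", "user@example.org", 0),
        ("198.51.100.7", "b@corp.test", "user@example.org", 3600),
    ]
    for ev in events:
        print(ev, "->", gl.decide(*ev))
```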


