[Greylist-users] relay identification

Franck Arnaud franck at nenie.org
Wed Jan 7 13:44:02 PST 2004


>Shorter delays still seem to be mostly effective.  I'm just waiting until
>the spammers catch on and this becomes not the case.  I'm a little surprised
>that they haven't already.

I would find their reacting surprising. Spammers probably react 
only to things that seriously dent their response rate, and it 
takes something applied by a large proportion of users to do 
this. So until AOL and the like adopt greylisting, it should 
remain effective.

>There are a few spammers that do seem to do a few retries before giving up.
>The time before retry varies a bit, but most I have seen still seem to be in
>the under 10 minute timeframe (so far).

But are they really retries, or just attempts at delivering multiple
spams (which would be delivered even with an OK)? It is common for 
spammers to send bundles.

The behaviour I've seen that looks like retries is using several 
zombies, presumably to find one source that's not blacklisted, but 
that does not distinguish between temp or permanent fail or deal 
with delays.

...

> Eventually you'll want a minimum number of tries as well as a minimum
> amount of time.

Would that be helpful? If spammers want to beat greylisting and 
they are not stupid, they will simply use the same retry strategy 
as popular mailers, or indeed use popular mailers. Once spammers 
seriously try to beat greylisting, it will fail to stop those 
who try, unless the delay is used to do something else as suggested 
in the paper. Tweaking delays or retry counts should not buy 
much extra effectiveness.
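
An added example, not part of the original message or of any greylisting implementation: a minimal greylist keyed on the (client IP, envelope sender, recipient) triplet, with the minimum-delay and minimum-tries settings discussed in this thread, replayed over constructed traffic. The class and function names, addresses and timings are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    first_seen: float   # time of the first attempt for this triplet
    tries: int = 0      # attempts deferred so far

class Greylist:
    """Greylist keyed on (client IP, envelope sender, recipient)."""

    def __init__(self, min_delay=300, min_tries=1):
        self.min_delay = min_delay   # seconds required since first attempt
        self.min_tries = min_tries   # deferred attempts required before accept
        self.seen = {}

    def check(self, now, ip, sender, rcpt):
        """Return 'accept' or 'defer' (an SMTP 4xx) for one attempt."""
        entry = self.seen.setdefault((ip, sender, rcpt), Entry(first_seen=now))
        old_enough = now - entry.first_seen >= self.min_delay
        tried_enough = entry.tries >= self.min_tries
        if old_enough and tried_enough:
            return "accept"
        entry.tries += 1
        return "defer"

def replay(greylist, attempts):
    """Feed attempts in time order and collect the decisions."""
    return [greylist.check(*a) for a in attempts]

# Constructed attempts: (seconds, client IP, envelope sender, recipient)
RCPT = "user@example.org"
ZOMBIES = [(0, "192.0.2.10", "a@example.com", RCPT),    # same message,
           (60, "192.0.2.77", "a@example.com", RCPT),   # different source
           (120, "198.51.100.5", "a@example.com", RCPT)]
BUNDLE = [(0, "192.0.2.10", "a@example.com", RCPT),     # same source,
          (30, "192.0.2.10", "b@example.com", RCPT),    # different messages
          (60, "192.0.2.10", "c@example.com", RCPT)]
MTA = [(0, "203.0.113.9", "list@example.net", RCPT),    # queueing mailer
       (900, "203.0.113.9", "list@example.net", RCPT),  # retrying the same
       (1800, "203.0.113.9", "list@example.net", RCPT)] # triplet

if __name__ == "__main__":
    for name, traffic in (("zombies", ZOMBIES), ("bundle", BUNDLE), ("mta", MTA)):
        print(name, replay(Greylist(300, 1), traffic),
              replay(Greylist(300, 2), traffic))
```

Zombie rotation and bundles each create new triplets, so neither counts as a retry; raising min_tries only postpones the queueing mailer by one more attempt.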


