Re: [Asrg] 7. Best Practices - DNSBLs - Article
Chris Lewis writes:
>The simple fact of the matter is that open proxy/socks code will _not_
>queue - so they won't try a second time[2]. I would strongly suspect
>that if you made your greylisting timeout _zero_, and simply 400'd the
>first appearance of a given sender/IP/recipient tuple and accept the
>next appearance, no matter how quickly, you'd still be getting 90% of
>what greylisting with a very long timeout would give you.
>
>Of course, spamming tools will evolve, so then you consider increasing
>the timeouts. Too far, tho, and it's worse than where you started. And
>I don't think you'd ever get to where you'll be able to take into
>account DNSBL latency.

My opinion is that, if greylisting becomes common, spammers will
simply start saving enough data to perform retries.

After all, a spam message contains

a) 1 piece of message body text (as a template with $RANDOMIZE
   references etc.), into which these are inserted:
b) obfuscated email addresses
c) "random" text

(a) never changes for a given spam run. (b) never changes for a given
recipient address. (c) just needs the srand seed to be saved.

That's not a lot of data required to be saved for retries to be
supported...

> [2] That's not _entirely_ true, I've seen some spammers that retry 550's
> after DATA several times very quickly (within minutes). Not sure
> whether that's proxy or relay behaviour.

Actually, probably broken spamware that's been interrupted/crashed/moved
to another host, without checkpointing which addrs have already been
mailed. I regularly get duplicated spams to the same address multiple
times in 1 4-hour interval.

--j.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
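
The tuple-based greylisting policy discussed in this message, as an added example that is not part of the original thread: the first appearance of a sender/IP/recipient tuple gets a 4xx, and a later appearance is accepted once `min_delay` has passed (zero reproduces the "timeout of zero" case). The `Greylist` class, the 450 reply text, the `retry_window` expiry and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

TEMPFAIL = "450 4.7.1 Greylisted, try again later"  # assumed reply text
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: float = 0.0          # seconds before a retry is accepted
    retry_window: float = 4 * 3600  # assumed: older entries count as new
    first_seen: dict = field(default_factory=dict)
    passed: set = field(default_factory=set)

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return ACCEPT                      # tuple already proved it retries
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now         # first appearance: defer
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                    # retried too soon: keep deferring
        self.passed.add(key)                   # a queueing sender came back
        return ACCEPT


def simulate(min_delay, attempt_times):
    """Reply codes for one constructed tuple attempting at the given times."""
    gl = Greylist(min_delay=min_delay)
    return [
        gl.check("192.0.2.10", "sender@example.org", "rcpt@example.net", t)[:3]
        for t in attempt_times
    ]


if __name__ == "__main__":
    # Non-queueing client: one attempt, never delivered.
    print("no retry, delay 0:      ", simulate(0, [0]))
    # Queueing client with zero timeout: accepted on the immediate retry.
    print("retry at 1s, delay 0:   ", simulate(0, [0, 1]))
    # Same client with a 300 s timeout: early retry is deferred again.
    print("retries, delay 300:     ", simulate(300, [0, 1, 400]))
```

With `min_delay=0` the only senders filtered are those that never retry, which is the population the quoted text attributes to open proxy/socks code; a sender that keeps enough state to retry passes either setting.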