Greylisting -- Was: Anti Spam

Bart Silverstrim bsilver at chrononomicon.com
Mon Apr 30 15:37:41 UTC 2007


Ted Mittelstaedt wrote:
> 
>> -----Original Message-----
>> From: Bart Silverstrim [mailto:bsilver at chrononomicon.com]
>> Sent: Saturday, April 28, 2007 5:05 PM
>> To: Ted Mittelstaedt
>> Cc: Christopher Hilton; User Questions
>> Subject: Re: Greylisting -- Was: Anti Spam
>>
>>
>>> Both of those are assumptions you're making that are just not true
>>> anymore.
>>> Spammers are adapting to greylisting.  I've been running it for at
>>> least 2 years now and every month more and more spam is making it
>>> past the greylist and getting caught by spamassassin.  As I mentioned
>>> previously, it does not take a lot of programming effort to do it.
>> Sure they're adapting. They're also adapting to Spamassassin.
> 
> That's a bit different.  It is trivial to adapt to greylisting.  It is
> not trivial to adapt to spamassassin, particularly if they have the
> learner turned on.

Yes, it takes more.  I would also say that when it's a game of them 
blasting out as much as possible to hammer 1 or 2 through for every 1000 
that doesn't, greylisting isn't something they all think about, 
especially if greylisting is contributing to a backup in their sending 
queue (or it is bouncing mail to nonexistent mail servers to retry 
later, and since they don't exist or didn't send it in the first place, 
the message *won't come back*).

My point is/was that no matter what you're trying, until there's solid 
authentication of senders in place any statistical or gee-whiz method of 
combating SPAM will be met by adaptation, so dismissing a method just 
because it's "simple" to bypass doesn't mean it isn't going to stop a 
few more of the messages.

>> The fact that it doesn't take a lot of programming effort isn't the
>> reason,
> 
> Yes, it is actually.  Because for the simple reason that the small
> amount of programming effort required makes it possible to countermand
> greylisting AT ALL.

And also make the spammer advertise who is sending the mail and thus 
allow it to be tracked.

> It isn't possible, I think, for a spammer to programmatically get through
> a SA setup with the learner turned on, that has a dictionary that
> has been built up through both ham and spam submissions.  The main
> reason spammers do get past that has more to do with the difficulty of
> getting normal users to properly feed the learner.  But the problem from
> the spammer's point of view is that in the Internet, 10 different SA sites
> could have 10 different rules.  But 10 different greylist sites will all
> act the same, so if you're going to put effort into countering the filters,
> you would be smarter to counter greylisting first.

It's still one more hurdle.  Tarpitting, greylisting, SPF, reversing MX 
records...all simple things to get around, yet add one more layer of 
headache for the spammer.  Why make it easier for them?
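
Added example, not part of the original message or of any greylisting package: a minimal model of the server-side greylisting decision the thread argues about, showing why a sender that never retries is dropped while one with an ordinary retry queue is accepted. The triplet key, the delay and expiry values, and the addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300        # seconds a new triplet must wait (assumed value)
MAX_AGE = 4 * 3600     # unconfirmed triplets expire after this (assumed value)
DEFER = "451 4.7.1 Greylisted, try again later"

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one RCPT TO at time `now` (seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return "250 OK"
        seen = self.first_seen.get(key)
        if seen is None or now - seen > MAX_AGE:
            self.first_seen[key] = now              # new or expired: start the clock
            return DEFER
        if now - seen < MIN_DELAY:
            return DEFER                            # retried too early, keep waiting
        self.passed.add(key)                        # waited long enough: whitelist it
        return "250 OK"

def simulate(attempt_times, gl, triplet):
    """Replay one sender's delivery attempts and return the replies it received."""
    return [gl.check(*triplet, now=t) for t in attempt_times]

def run_demo():
    gl = Greylist()
    # Constructed senders using documentation addresses, not taken from the thread.
    one_shot = ("192.0.2.10", "a@example.net", "user@example.org")
    queued_mta = ("198.51.100.7", "b@example.com", "user@example.org")
    return {
        "one_shot": simulate([0], gl, one_shot),                    # never retries
        "queued_mta": simulate([0, 60, 900, 5000], gl, queued_mta), # normal queue
    }

if __name__ == "__main__":
    for name, replies in run_demo().items():
        print(name, replies)
```
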



