Greylisting -- Was: Anti Spam

Bart Silverstrim bsilver at chrononomicon.com
Mon Apr 30 16:27:55 UTC 2007 

Ted Mittelstaedt wrote:

>> Ted, usually I find your posts intelligent and food for thought, but  
>> I almost think you're doing this on purpose now.
>>
> 
> No, the problem is you haven't understood the point I was making.

Here's the summary as I understand it.
You're against greylisting because:
a) it's easy to circumvent
b) you use it, but the effectiveness has been wearing off
c) greylisting could mean that you would not be notified if your servers 
went down and cell companies started using greylisting, or you would be 
notified with a huge delay

Is this accurate?

>> When you're setting it up, you would set up manually to have your own  
>> system whitelisted.
> 
> The system that would cause problems if it ran
> greylisting is not MY system.  It's the mailserver owned by the cellular
> company that I am sending to.   If they went and installed greylisting
> it is highly unlikely I could get them to whitelist me.  (have you
> ever, for example, tried to get a system off AOL's internal blacklist?)

It is a huge pain, and while the administrative BS is a pain in the butt 
to cut through, the difference between blacklisting and greylisting is 
that greylisting isn't a block.  It's a pause. And automatic pause. 
Blacklisting can impede you with little recourse for an indefinite 
period of time, but greylisting just tells your server to try again 
later.  This is exactly what would happen if you were having actual mail 
server problems.

I was mistaken previously in thinking you were referring to your own 
server running the greylist.  But I still stand by the assertion that 
it's not so big a problem when someone else is running it...send a 
couple messages periodically and it should allow your domain into their 
mail servers without delay.

> Well for starters I have to know that the cell carrier is in fact
> greylisting.  You can't put a workaround in for something you don't know.

Doesn't this help kind of prove my point, if it's a measure you don't 
even know is there?

If you send a test message periodically and it becomes "delayed" in your 
queue, then suddenly goes through, I would speculate that they're 
greylisting.  Some systems may even issue a message to that effect when 
you connect.

If you keep sending periodic "keepalives", you should see them go 
through without getting stuck in the mail queue.

> As far as I know they aren't greylisting right now - but if they start
> up doing it in the future I doubt I'll be told in advance.  For all
> I know they have a cluster of SMTP receivers and sending a page a
> week might not get all of them updated.  And they might expire before
> a week, or they might be expiring at a week then without warning change
> it to 3 days.

If they're not all getting updated, there's a problem with their 
implementation.  That would be part of the point of using greylisting. 
Otherwise a message would hit system A, get greylisted, then risk coming 
in to system B the next time as a fresh connect and then delayed again 
until the sender either gives up or hits a system that did have the 
sender listed on the waiting list and allow the message to get through.

> For another thing I get charged every time I receive a text message
> on my phone.  But mainly, why should I have to do this?  I have a life,
> and cellular pages and calls are intrusive and I have to drop what I'm
> doing and pay attention to them.  

And yet you want the servers to page you when you have a problem. 
There's nothing I can really suggest here because it's an argument in 
what you can live with.  You are going to insist you want it done your 
way no matter what, to the point where you refuse to carry a second 
cellphone paid by the employer and you won't test the connection because 
apparently you have a sucky cell plan that doesn't give you X number of 
free text messages.  You even start saying you have a life and don't 
want to put up with the messages once a week because it's such a hassle 
but don't seem to mind putting up with one or two spam messages having 
to be manually deleted out of the inbox.   It's also ironic that you are 
on call 24/7 and can't get away from the electronic tether but say you 
have a life that can't be bothered.

>If I send a page at night then I am
> going to get woken up at night, if I send a page during the day it might
> come in when I'm in the middle of a conversation with a customer, if I
> send it in the evening then who knows I might be in the middle of boffing
> my S.O.

If you scheduled it, you can schedule it for whenever it would probably 
be most convenient.  I can't believe you're so busy you can't spare your 
phone making a buzz or ding once or twice a week on a regular basis yet 
you have no problem with the randomness of phone calls and messages from 
other people or even your servers going down.  If this is such a 
stressor in your life, why are you carrying a cellphone in the first place?

> Sure, there's Rube Goldberg ways around anything.  But the point of this
> was to illustrate that there are situations where even an hours delay on
> a greylist can be a problem.  Like I said, you have to know they are
> greylisting in advance before you know there's a problem.

And I replied that once you are established as legit, greylisting should 
not be a problem for you.  And if it's implemented properly, you won't 
know they're using it in the first place, and you can test their network 
by periodically mailing yourself, and unless you use the cellphone 
constantly most people should have plans that can allow for the 
occasional one sentence message to be delivered letting them know 
everything is still humming along, given that everything at work is so 
critical that you can't cut your virtual tether.

> You don't have any choice in the matter, none at all, unless you have
> so many customers clawing to buy your product that you can sit back and
> cherry pick the best ones to sell to and tell the rest to screw off.

Technically you do have a choice.  However the most profitable choice is 
to encourage your users to continue to be ignorant.

My comment you were replying to was a side observation with little to do 
at all with the thread.

>> I'm not saying you're doing  
>> this, this is just a general observation.
>>
> 
> Usually if what the customer wants is so awful and such an incredibly
> bad habit, it is possible for all of the sellers in the market to
> agree not to provide such, and enforce this by getting the government
> to make the product illegal so that no one seller can go behind the
> back of the rest of them and sell it anyway.  Such as for example,
> providing bandwidth to customers that want to spam.
> 
> Unfortunately there is a grey area between a good product and an 
> illegal product, that is where all of the bad products and bad habits
> and bad business practices are.

That's rediculous.  There are plenty of things that, if you worried 
about health or whether it's bad, should be regulated or outlawed. 
Smoking, for example?  Alcohol, seeing how much it's abused?  Yet we 
tolerate those and things that in moderation aren't "fatal."  What about 
advertising fast food to kids?

> I don't know the answer to how to keep these products out of the market.
> I wish I did.  Typically the poor products are cheaper, and the
> customers that buy them may even know they are cheaper - but they make
> a tradeoff to buying them, figuring that they can get by with the
> poorer product and save money.  And the problem is that sometimes they
> can get by and save money, so the poor products manage to sell enough to
> stay in the market

That's not the problem...it's encouraging people to continue doing it 
that is a major part of the problem.

More information about the freebsd-questions mailing list