Greylisting -- Was: Anti Spam

Ted Mittelstaedt tedm at toybox.placo.com
Thu May 3 05:51:32 UTC 2007



> -----Original Message-----
> From: Bart Silverstrim [mailto:bsilver at chrononomicon.com]
> Sent: Wednesday, May 02, 2007 6:01 AM
> To: Ted Mittelstaedt
> Cc: John Levine; freebsd-questions at freebsd.org
> Subject: Re: Greylisting -- Was: Anti Spam
>
>
> I would disagree on the blacklisting part.  I think that a lot of the
> bulk software *doesn't* retry, a lot of it is spoofing headers so mail
> isn't going back to where it would if the sender were legitimate, etc.
>

The spoofing has nothing to do with anything.  Greylisting works at the
initial connection phase before the sender has completed the transaction,
the sender knows that the mail hasn't gone through, the headers aren't
used to send a response to the sender.  I assume you know that, but the
way you're wording this, someone unfamiliar with it may not understand this
point.

Sure, a lot of -old- bulk mail software doesn't retry - when they started
putting cars on the road, the majority of people still had horses.  But,
once they started putting cars on the road, the horses' days were
numbered.

If the majority of spammers spamming you are using old software, you're
lucky.  The majority certainly isn't using old software when they spam me.

> Having to send mail to a location more than once means expending 2
> connects instead of 1.  It's a very small tax, but it's one I'm willing
> to impose if it makes their lives one tenth of one percent more
> of a hassle.
>

How does it do that?  Spammers all send from compromised systems,
and all of this is done under script control.

> > I then added to this later on the intention to show that depending on
> > greylisting alone will not work in the long haul, because it is easy
> > to program around it.  Which the spammers will do once a majority of
> > sites use greylisting, and indeed, many spammers are already starting
> > to do right now.
>
> Like I said...if it taxes their resources even one tenth of one percent,
> I'm for it.
>

It's not their resources, it's the resources they have stolen from other
people by breaking into their systems.  Greylisting really, and truly, isn't
a problem for spammers, unless it's coupled with use of blacklists.

>
> > yah yah yah whatever.  As I said before, you are so lost and hung up on
> > the monitoring example that you have completely misinterpreted
> > everything that I've said.
>
> Then why did you keep harping on it after I and others pointed out why
> your complaint wasn't such a show stopper?
>

Well, because clearly you didn't even understand the example.  You kept
talking about me reconfiguring the greylisting on -my- server, as if that
would have anything to do with it.  It appears you have got it now, though.

>
> I'm interested in knowing where in my discussions I said it was the only
> thing to use, the only one I DO use, and that it was a cureall that I
> loved so much.  I was personally looking at trying to combine SA,
> greylisting, and tarpitting, along with filtering by headers and
> stripping or sanitizing attachments/HTML if possible.  You never even
> TRIED to bring up any other solution nor did you discuss the
> effectiveness of other methods when combined.  If you did, point it out.

In a message dated 4/25/2007 to Christopher Hilton:

"...Actually, no.  Greylisting works because it delays the spam injector
long enough that the injector will get blacklisted by the time that the
greylist opens the door for the mail to come in.  Greylisting alone
by itself is getting less and less effective every day...."

>   At most, as I recall, you mentioned SA was more effective than
> greylisting

No, what I said on 4/25 was:

"...Since SA has a lot of the major blacklist servers as score-feeders, the
spam that gets past the greylist just gets tagged by SA..."

> (so?  Combine them.  Greylisting helps lower the system load
> when a message does get to SA).  You pointed out you use greylisting and
> it was dying out in effectiveness, and you gave an example that hinted
> if certain businesses use it your world would fall apart because you
> wouldn't be notified in time and your customers would leave you in droves.
>

I said:

"...There are legitimate technical reasons that someone may want their mail
to not be greylisted.  For example..."

And, there are.  I'm not talking about JUST me.  I'm talking about any
customer that is dependent on using e-mail as a kind of instant-message
system.  Say what you want about how e-mail isn't intended for that, the
fact remains that a lot of people use it like that.  There's a lot of stuff
that people use in ways it wasn't intended, you can grumble about it all you
want, but you aren't going to be able to change it.  Legitimacy is in the
eye of the beholder.  E-mail works for some people as an instant message
system - and to be perfectly honest I would much rather have customers
running e-mail as an instant message system than MSN or AOL's instant
message clients.

> > In summary, I run several busy mailservers, all that use greylisting.  I
> > have used greylisting for quite a while.  You can believe that or not.
>
> As I recall, I asked you how you have it set up on your system(s) since
> you previously said you ran it and saw the effect diminishing.  It seems
> to me that you're almost making things up as to what I've said or not
> said, since I never implied you were lying or that I didn't believe you.
>   You never did reply regarding the questions I asked.

I said how I had it set up in the first post - I said I had it set up
with SA behind it.  Maybe you missed that, here it is:

"Greylisting alone
by itself is getting less and less effective every day."

"Since SA has a lot of the major blacklist servers as score-feeders, the
spam that gets past the greylist just gets tagged by SA."

"That is why the greylist milter (that you use for sendmail) has an
exception list"

"The current greylist milter port allows
you to define clients email addresses like this as an exception that won't
get the benefits of the greylist, while allowing everyone else"

How would I know all of this if I wasn't running it?  How would I know
the statement that simple delaying by itself didn't work if I wasn't running
it and seeing what was happening?  Certainly seems obvious I was
running it to make those statements.

>
> > I am stating that categorically, greylisting at the current time is
> > a quick hack, that in the majority of cases works, but its
> > effectiveness has already started down the road to rapid decline, and
> > every month I am seeing more and more spam go right past it and get
> > tagged by spamassassin as being from a blacklisted spam emitter.
>
> You could have saved time by stating this

I did.  In the message on 4/25.

>  As it stands it sounds a lot like you're
> trying to blame me for missing what you didn't have in the discussion to
> begin with.
>

Blaming you?  I am merely attempting to correct your misunderstanding of
what I was posting.


> > That DOES NOT MEAN that you
> > should NOT use it - no more than it means you should not use things like
> > SPF records as counters in a point-based spamfiltering system - it
> > merely means that it's getting less effective every day.
>
> This is the first time in this thread that I recall you making a
> statement to this effect.
>

Reread my 4/25 message:

"...Greylisting alone by itself is getting less and less effective every
day..."

Ted
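
The mechanism argued over in this message (tempfail the first attempt, let the retry in after a delay, exempt some recipients, and check a blacklist when the retry arrives), as an added Python sketch that is not part of the original post or of any milter's code.  The delay, addresses, and blacklist listing time are constructed assumptions.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300  # seconds a new triplet must wait (assumed value)

@dataclass
class Greylist:
    exempt_rcpts: set = field(default_factory=set)  # exception list
    dnsbl: dict = field(default_factory=dict)       # ip -> time it was listed
    use_dnsbl: bool = True
    first_seen: dict = field(default_factory=dict)  # triplet -> first attempt

    def check(self, now, ip, sender, rcpt):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        # The blacklist is consulted on every attempt, so a listing that
        # appears while the triplet is still waiting is seen on the retry.
        if self.use_dnsbl and self.dnsbl.get(ip, float("inf")) <= now:
            return "550 rejected: client is blacklisted"
        if rcpt.lower() in self.exempt_rcpts:
            return "250 ok (recipient exempt from greylisting)"
        triplet = (ip, sender.lower(), rcpt.lower())
        start = self.first_seen.setdefault(triplet, now)
        if now - start < MIN_DELAY:
            return "451 try again later"
        return "250 ok (greylist passed)"

def replay(gl, attempts):
    """Feed attempts through the greylist, keeping only the reply codes."""
    return [gl.check(*a)[:3] for a in attempts]

# Constructed sample traffic: (time, client ip, envelope sender, recipient)
RETRYING_BOT = [(0, "192.0.2.10", "a@spam.example", "bob@example.org"),
                (600, "192.0.2.10", "a@spam.example", "bob@example.org")]
FIRE_AND_FORGET = [(0, "192.0.2.20", "b@spam.example", "bob@example.org")]
PAGER_MAIL = [(0, "198.51.100.5", "mon@isp.example", "pager@example.org")]
LISTINGS = {"192.0.2.10": 400}  # listed 400 s after its first attempt

def run_all():
    alone = Greylist(use_dnsbl=False)
    combined = Greylist(exempt_rcpts={"pager@example.org"}, dnsbl=LISTINGS)
    return {
        "alone_no_retry": replay(alone, FIRE_AND_FORGET),
        "alone_retry": replay(alone, RETRYING_BOT),
        "combined_retry": replay(combined, RETRYING_BOT),
        "combined_pager": replay(combined, PAGER_MAIL),
    }

if __name__ == "__main__":
    print(run_all())
```
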


