Greylisting -- Was: Anti Spam
bsilver at chrononomicon.com
Mon Apr 30 15:37:41 UTC 2007
Ted Mittelstaedt wrote:
>> -----Original Message-----
>> From: Bart Silverstrim [mailto:bsilver at chrononomicon.com]
>> Sent: Saturday, April 28, 2007 5:05 PM
>> To: Ted Mittelstaedt
>> Cc: Christopher Hilton; User Questions
>> Subject: Re: Greylisting -- Was: Anti Spam
>>> Both of those are assumptions your making that are just not true
>>> Spammers are adapting to greylisting. I've been running it for at
>>> least 2 years now and every month more and more spam is making it
>>> past the greylist and getting caught by spamassassin. As I mentioned
>>> previously, it does not take a lot of programming effort to do it.
>> Sure they're adapting. They're also adapting to Spamassassin.
> That's a bit different. It is trivial to adapt to greylisting. It is
> not trivial to adapt to spamassassin, particularly if they have the
> learner turned on.
Yes, it takes more. I would also say that when it's a game of them
blasting out as much as possible to hammer 1 or 2 through for every 1000
that doesn't, greylisting isn't something they all think about,
especially if greylisting is contributing to a backup in their sending
queue (or it is bouncing mail to nonexistent mail servers to retry
later, and since they don't exist or didn't send it in the first place,
the message *won't come back*).
My point is/was that no matter what you're trying, until there's solid
authentication of senders in place any statistical or gee-whiz method of
combating SPAM will be met by adaptation, so dismissing a method just
because it's "simple" to bypass doesn't mean it isn't going to stop a
few more of the messages.
>> fact that it doesn't take a lot of programming effort isn't the
> Yes, it is actually. Because for the simple reason that the small
> amount of programming effort required makes it possible to countermand
> greylisting AT ALL.
And also make the spammer advertise who is sending the mail and thus
allow it to be tracked.
> It isn't possible, I think, for a spammer to programmically get through
> a SA setup with the learner turned on, that has a dictionary that
> has been built up through both ham and spam submissions. The main
> reason spammers do get past that has more to do with the difficult of
> getting normal users to properly feed the learner. But the problem from
> the spammers point of view is that in the Internet, 10 different SA sites
> could have 10 different rules. But 10 different greylist sites will all
> act the same, so if your going to put effort into countering the filters,
> you would be smarter to counter greylisting first.
It's still one more hurdle. Tarpitting, greylisting, SPF, reversing MX
records...all simple things to get around, yet add one more layer of
headache for the spammer. Why make it easier for them?
More information about the freebsd-questions