From: Bart Silverstrim
Date: Mon, 30 Apr 2007 11:37:38 -0400
To: Ted Mittelstaedt
Cc: Christopher Hilton, User Questions
Subject: Re: Greylisting -- Was: Anti Spam
Message-ID: <46360D42.80300@chrononomicon.com>

Ted Mittelstaedt wrote:
>
>> -----Original Message-----
>> From: Bart Silverstrim [mailto:bsilver@chrononomicon.com]
>> Sent: Saturday, April 28, 2007 5:05 PM
>> To: Ted Mittelstaedt
>> Cc: Christopher Hilton; User Questions
>> Subject: Re: Greylisting -- Was: Anti Spam
>>
>>
>>> Both of those are assumptions you're making that are just not true
>>> anymore.
>>> Spammers are adapting to greylisting. I've been running it for at
>>> least 2 years now and every month more and more spam is making it
>>> past the greylist and getting caught by spamassassin. As I mentioned
>>> previously, it does not take a lot of programming effort to do it.
>> Sure they're adapting. They're also adapting to Spamassassin.
>
> That's a bit different. It is trivial to adapt to greylisting. It is
> not trivial to adapt to spamassassin, particularly if they have the
> learner turned on.

Yes, it takes more. I would also say that when it's a game of them
blasting out as much as possible to hammer 1 or 2 through for every 1000
that doesn't, greylisting isn't something they all think about,
especially if greylisting is contributing to a backup in their sending
queue (or it is bouncing mail to nonexistent mail servers to retry
later, and since they don't exist or didn't send it in the first place,
the message *won't come back*).

My point is/was that no matter what you're trying, until there's solid
authentication of senders in place any statistical or gee-whiz method of
combating SPAM will be met by adaptation, so dismissing a method just
because it's "simple" to bypass doesn't mean it isn't going to stop a
few more of the messages.

>> The
>> fact that it doesn't take a lot of programming effort isn't the
>> reason,
>
> Yes, it is actually. Because for the simple reason that the small
> amount of programming effort required makes it possible to countermand
> greylisting AT ALL.

And also make the spammer advertise who is sending the mail and thus
allow it to be tracked.

> It isn't possible, I think, for a spammer to programmatically get through
> a SA setup with the learner turned on, that has a dictionary that
> has been built up through both ham and spam submissions. The main
> reason spammers do get past that has more to do with the difficulty of
> getting normal users to properly feed the learner. But the problem from
> the spammer's point of view is that in the Internet, 10 different SA sites
> could have 10 different rules. But 10 different greylist sites will all
> act the same, so if you're going to put effort into countering the filters,
> you would be smarter to counter greylisting first.

It's still one more hurdle. Tarpitting, greylisting, SPF, reversing MX
records...all simple things to get around, yet add one more layer of
headache for the spammer. Why make it easier for them?