Date: Fri, 27 Apr 2007 08:03:23 -0700 From: "Ted Mittelstaedt" <tedm@toybox.placo.com> To: "Christopher Sean Hilton" <chris@vindaloo.com>, "User Questions" <freebsd-questions@freebsd.org> Subject: RE: Greylisting -- Was: Anti Spam Message-ID: <BMEDLGAENEKCJFGODFOCCEAECAAA.tedm@toybox.placo.com> In-Reply-To: <4630CDA4.30201@vindaloo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> -----Original Message----- > From: Christopher Sean Hilton [mailto:chris@vindaloo.com] > Sent: Thursday, April 26, 2007 9:05 AM > To: Ted Mittelstaedt; User Questions > Subject: Re: Greylisting -- Was: Anti Spam > > > Ted Mittelstaedt wrote: > > [snip...] > > >> Greylisting works because many, and I'd like to say most, spam programs > >> never retry message delivery. > > > > Actually, no. Greylisting works because it delays the spam injector > > long enough that the injector will get blacklisted by the time that the > > greylist opens the door for the mail to come in. Greylisting alone > > by itself is getting less and less effective every day. > Spammers are now > > starting to setup spam injectors to retry. If you think about it, it is > > very easy to program. Simply create a list of victims, iterate through > > the list once, deleting all the victims that accept, then wait several > > hours and iterate through the list again. It didn't take a > rocket scientist > > to figure that one out. > > > > Since SA has a lot of the major blacklist servers as score-feeders, the > > spam that gets past the greylist just gets tagged by SA. > > > > When I scan my maillogs I find that 22% of the hosts that generate a > greylisting entry retry the mail delivery and thus get whitelisted. The > other 78% don't attempt redelivery within the greylisting window. That's probably par. However, the reason your putting so much faith in the delaying, is simply that you aren't getting a lot of spam. I have published e-mail addresses. Without greylisting I got about 1500-2000 mail messages a day to each of them. With greylisting alone that drops down to about 400-500. The thing is, that spam is a numbers game. Someone who is only getting for example 50-100 spams a day to their mailbox is going to think greylisting is virtually 100% effective, simply because when they institute it, their spam goes from 50-100 down to 1-5 spams. So they are going to probably conclude that someone getting ten times the amount of spam as them will have their spam drop down to the same 1-5 after greylisting. But, spammers are perfectly willing to send 1000 spams to a single mailbox if they think that doing so will get 1 spam past the filters on that box. I do have customers with -unpublished- e-mail addresses that are perfectly satisfied with greylisting alone - simply because they don't get a lot of spam in the first place. But, that's like saying that injecting a can of stop-leak into a leaking tire is a fix for it. Stop-leak will reduce the rate that air leaks out down to an undetectable amount if the initial leak was small, but the tire still is leaking. Ted
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BMEDLGAENEKCJFGODFOCCEAECAAA.tedm>