
Re: Is gray-listing a one-shot anti-spam measure?



On Friday 03 December 2004 19:10, Henrique de Moraes Holschuh <hmh@debian.org> 
wrote:
> > A delay of transmission means more time for the spamming IP address to be
> > added to black-lists.  So during the gray-list interval (currently 5
> > minutes
>
> True.  But in that case, we also need the greylisting period to be long
> enough for the blacklisting to happen, *and* we might need special
> provision on the spamtraps too.
>
> Assuming greylisting gets really widespread (otherwise spammers would not be
> doing retries in the first place, I suppose), spamtraps might also have to
> do greylisting (or spammers could just stop delivering for non-greylisting
> sites, which is something quite weird to think about but...).  So we would
> need various levels of greylisting.

Running gray-listing (or pseudo-gray-listing as it might never actually accept 
mail) on a spam-trap will be fine.  The Postfix implementation of 
gray-listing postgrey does not send its 450 code until after the rcpt to:, 
this means that it knows what address the mail was being sent to, what 
address it was coming from, and of course the IP address.  In spite of having 
gray-listing permanently on it could still operate fully as a spam-trap.  
Sure it's convenient for a spam-trap to actually collect the spam, but it's 
not strictly required.

If the spammer can send to a gray-listing site then it can send to a 
gray-listing spam-trap too.

> > Currently gray-listing can be used on its own with no other anti-spam
> > measures and still do some good.  This situation will change.  But I
> > believe that in combination with other anti-spam measures it will still
> > offer considerable benefits even after spammers wake up to its presence.
>
> You're probably right.  So please let me revise my point: greylisting by
> itself is a one-shot deal, let's use it while we can.  greylisting as a
> delay measure for blacklists to catch up before you deliver the email will
> continue working well (i.e. not a one-shot deal), IF the blacklists DO
> manage to catch up during the greylisting time AND we can keep them doing
> just that when greylisting gets very widely deployed (greylisting could
> interfere with the listing delays, after all).

The black-lists often beat the spam.

> Russell, how fast are the blacklists reacting to ongoing spam runs on the
> systems you pay attention to?  I don't have that data for mine :(

I'm not sure that it's possible for anyone other than a spammer to really know 
this.  Spamcop reacts quite fast and I suspect that often entries are added 
to the spamcop DNSBL during a spam run before it gets to me even without 
gray-listing.  Adding gray-listing (or other delays) increases the chance 
that someone else will report the spammer before the spam gets to me.

Of course this relies on some people not using gray-listing (so that they get 
the spam fast) and being active in reporting it.  Given the previous 
discussions it seems quite obvious that not everyone will implement it so we 
can probably rely on that.

> > Henrique, please don't take this as a flame.  I am writing to you because
> > you
>
> I didn't...

I'm glad to hear it.  I was also concerned that other readers might get the 
wrong idea.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
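
An added example, not part of the original message and not postgrey's code: a sketch of a decision made at RCPT TO time on the (IP, sender, recipient) triplet, with spam-trap recipients that always defer yet still record the sender, and a local black-list that catches up during the gray-list delay. The class name, reply strings and addresses are assumptions made for illustration.

```python
import time

DEFER = "450 4.7.1 Greylisted, please retry later"       # constructed reply text
REJECT = "554 5.7.1 Client address seen at a spam-trap"  # constructed reply text

class Greylist:
    """Hypothetical triplet greylist with permanently deferring spam-trap addresses."""

    def __init__(self, delay=300, trap_recipients=()):
        self.delay = delay                      # 300 s = the 5-minute interval in the thread
        self.traps = {r.lower() for r in trap_recipients}
        self.first_seen = {}                    # (ip, sender, recipient) -> first attempt time
        self.trap_hits = []                     # (time, ip, sender, recipient) seen at traps
        self.listed_ips = set()                 # local black-list fed by the traps

    def check(self, client_ip, sender, recipient, now=None):
        """Decide at RCPT TO time, when IP, sender and recipient are all known."""
        now = time.time() if now is None else now
        triplet = (client_ip, sender.lower(), recipient.lower())
        if triplet[2] in self.traps:
            # Pseudo-gray-listing: the trap never accepts mail, but the
            # triplet alone is enough to record and list the sending IP.
            self.trap_hits.append((now,) + triplet)
            self.listed_ips.add(client_ip)
            return DEFER
        if client_ip in self.listed_ips:
            # The black-list caught up while the sender was waiting to retry.
            return REJECT
        first = self.first_seen.setdefault(triplet, now)
        return DEFER if now - first < self.delay else "OK"

def demo():
    """Constructed sample traffic using documentation-range addresses."""
    g = Greylist(trap_recipients=["trap@example.org"])
    return [
        g.check("192.0.2.10", "x@example.net", "user@example.org", now=0),
        g.check("192.0.2.10", "x@example.net", "trap@example.org", now=60),
        g.check("192.0.2.10", "x@example.net", "user@example.org", now=400),
        g.check("198.51.100.5", "b@example.net", "user@example.org", now=0),
        g.check("198.51.100.5", "b@example.net", "user@example.org", now=301),
    ]

if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The third reply is a rejection rather than an acceptance because the same IP address reached the trap during its own gray-list wait.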


