In message <[email protected]>, Alain Williams <[email protected]> writes

>On Thu, Jan 28, 2010 at 04:55:38PM +0000, Richard Clayton wrote:
>
>> I've seen combining the IP address with sending (or receiving) domain
>> work very badly indeed with ISP smarthosts (ie the machines that
>> millions of customers use...)
>
>Hmmm. An ISP might want to use the triplet: destination domain, sender domain
>& relaying IP. A spammer will send to many addresses, if 2 of them are hosted
>by the ISP then only the first tried will be protected by greylisting.

Indeed ... however, this can make the scenario I described even worse

>> What happens is that the sending machine tries one email, which is then
>> greylisted. The sending machine then marks the destination as
>> unresponsive -- but eventually gets around to trying again. However, a
>> different email is at the front of the queue, with a different customer
>> domain and so that is also greylisted. The sending machine then marks
>> the destination as unresponsive -- but eventually gets around to trying
>> again. However, a different email is at the front of the queue...
>>
>> ... rinse and repeat until 4xx has been seen far too often, and all
>> queued email is then marked undeliverable and returned to the senders.
>>
>> I don't understand why you feel that the property "will try again after
>> a 4xx response" would not be associated solely with the IP address ??
>
>So: are you suggesting that the only thing that should be stored in the
>database is the relaying IP address ? That would seem to address your
>concern above, however what happens if a group of machines behind one IP
>address (a small business with a NATting firewall) become part of a
>spamming botnet ?
>The first attempt will be blocked and the next ones be allowed through.

You'll find that a lot of bots send two emails, <n> minutes apart. If
you are using greylisting the second one is delivered, if you are not
then two copies of the email are delivered -- what's not to like!

viz: greylisting isn't perfect; merely a heuristic that (remarkably in
my opinion) still has some impact on incoming spam levels (or to be more
precise -- reduces the load on the next layer of spam filtering)

>The pair (relay_ip & sender_domain) tends to be more robust since spammers
>tend to set the sender_domain ''at random'',

No general statements about spammers are ever true...

I daily see large amounts of logging of spam (I look after a log
processing system that picks out the patterns of wickedness and draws
the abuse@ team's attention to it) and I would say that randomly chosen
domains are in the minority at present... however, there are still some
senders doing this

-- 
richard                                              Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
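The smarthost scenario from the message above, as an added example that is not part of the original post or of Exim: a small simulation comparing greylist keys (IP only, IP plus sender domain, and the triplet) against one sending IP that backs off per destination. The retry gap, greylist delay, give-up threshold, addresses and all function names are assumptions of this constructed model.

```python
from collections import deque

# All constants and names below are assumptions for this constructed model.
SMARTHOST_IP = "192.0.2.25"  # documentation address standing in for the ISP smarthost
RETRY_GAP = 600              # seconds between the smarthost's delivery attempts
MIN_DELAY = 300              # greylist delay before a retry is accepted
GIVE_UP_AFTER = 4            # 4xx responses after which the smarthost bounces its queue

class Greylist:
    """Defer the first attempt for a key; accept once MIN_DELAY has passed."""
    def __init__(self, *key_fields):
        self.key_fields = key_fields
        self.first_seen = {}

    def check(self, now, attempt):
        key = tuple(attempt[f] for f in self.key_fields)
        first = self.first_seen.setdefault(key, now)
        return 250 if now - first >= MIN_DELAY else 451

def run_smarthost(greylist, messages):
    """Return (delivered, bounced) for one sending IP with per-destination back-off."""
    queue, delivered = deque(messages), []
    now = deferrals = 0
    while queue:
        sender_domain, rcpt_domain = queue[0]
        attempt = {"ip": SMARTHOST_IP, "sender_domain": sender_domain,
                   "rcpt_domain": rcpt_domain}
        if greylist.check(now, attempt) == 250:
            delivered.append(queue.popleft())  # destination responsive: keep draining
            continue
        deferrals += 1
        if deferrals >= GIVE_UP_AFTER:
            return delivered, list(queue)      # 4xx seen too often: bounce the rest
        queue.rotate(-1)   # destination marked unresponsive; a different
        now += RETRY_GAP   # email is at the front on the next attempt
    return delivered, []

# Constructed queue: six customer domains mailing one greylisting destination.
QUEUE = [(f"customer{i}.example", "dest.example") for i in range(6)]

def compare():
    keys = {"ip": ("ip",), "ip+sender": ("ip", "sender_domain"),
            "triplet": ("ip", "sender_domain", "rcpt_domain")}
    return {name: tuple(len(part) for part in run_smarthost(Greylist(*k), QUEUE))
            for name, k in keys.items()}

if __name__ == "__main__":
    for name, (ok, bounced) in compare().items():
        print(f"{name:10} delivered={ok} bounced={bounced}")
```

In this model the IP-only key costs one deferral for the whole queue, while any key that includes the sender domain defers every customer domain separately and reaches the give-up threshold before the first message comes round again.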
