John C Klensin wrote:

> Unfortunately, graylisting is one of those techniques that works
> well as long as sufficiently few people use it that the spammers
> and bot architects don't feel motivated to go to the extra work
> to overcome it.

No, I don't agree. Greylisting is useful to allow RBLs time to catch up. Forcing a sender to send from the same IP address for 20-30 minutes or so can be useful.

> My guess is that we have passed at least the
> first version of that point: I'm seeing a rapidly increasing
> number of spam messages arriving in a one-two sequence from the
> same putative source. First one message is sent, then a second
> is sent a few minutes later. That doesn't even require that the
> bot maintain state, although graylisting that actually keeps
> track of message headers or signatures will.

We keep a hash of some message content and we find it to be quite effective against ratware that mutates the message with each retry. Unfortunately, this means we can't greylist until post-DATA, but that's a tradeoff we're willing to make.

> This brings us back to the point I tried to make to Hector:
> making these folks smarter may be unwise, especially when doing
> so consumes more resources on our end and, with botnets, they
> have essentially unlimited resources for which the costs to them
> are trivial.

Except that pinning them to the same IP address for a while lets RBLs catch up so you can reject connection attempts very cheaply.

> And don't ask that we change the standards to make them more
> friendly to anti-spam techniques that can reasonably be expected to
> have a relatively short lifespan.

I agree with that. I don't think greylisting deserves official recognition in an RFC. As much as I like it, it is at the end of the day a hack. :-)

Regards,

David.
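
The post-DATA, content-hash greylisting described in the reply above, as an added example (not the poster's implementation): a retry is accepted only when the same IP resends the same content after a delay. The class and function names, the SHA-256 hash over the whole body, the 20-minute delay and the 24-hour expiry are all assumptions.

```python
import hashlib

MIN_DELAY = 20 * 60      # assumed: a retry is accepted only after 20 minutes
MAX_AGE = 24 * 60 * 60   # assumed: unconfirmed entries expire after a day


class Greylist:
    """Greylist keyed on (client IP, sender, recipient, body hash)."""

    def __init__(self):
        self.first_seen = {}  # key -> time of the first attempt (seconds)

    @staticmethod
    def _key(ip, sender, rcpt, body):
        # Assumption: the whole body is hashed; the post only says
        # "some message content".
        digest = hashlib.sha256(body).hexdigest()
        return (ip, sender, rcpt, digest)

    def check(self, ip, sender, rcpt, body, now):
        """Return the SMTP reply code to give after DATA: 451 or 250."""
        # Forget attempts that were never retried within MAX_AGE.
        self.first_seen = {k: t for k, t in self.first_seen.items()
                           if now - t <= MAX_AGE}
        key = self._key(ip, sender, rcpt, body)
        first = self.first_seen.setdefault(key, now)
        # A first attempt, or a retry that comes too soon, is deferred.
        return 250 if now - first >= MIN_DELAY else 451


def replay(attempts):
    """Run (ip, body, time) attempts through one greylist; return the codes."""
    g = Greylist()
    return [g.check(ip, "a@example.org", "b@example.net", body, t)
            for ip, body, t in attempts]


# Constructed sample traffic (documentation addresses, invented bodies).
SAME_RETRY = [("192.0.2.10", b"hello", 0), ("192.0.2.10", b"hello", 300),
              ("192.0.2.10", b"hello", 1500)]
MUTATED = [("192.0.2.10", b"offer 1", 0), ("192.0.2.10", b"offer 2", 1500)]
NEW_IP = [("192.0.2.10", b"hello", 0), ("192.0.2.11", b"hello", 1500)]

if __name__ == "__main__":
    for name, traffic in [("same", SAME_RETRY), ("mutated", MUTATED),
                          ("new ip", NEW_IP)]:
        print(name, replay(traffic))
```

Only the unchanged retry from the same IP after the delay gets 250; a mutated body or a different source IP starts a new greylist entry and is deferred again.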
