-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi John,
On 5 Dec 2007 at 13:08, John C Klensin <[EMAIL PROTECTED]> said: > --On Wednesday, 05 December, 2007 17:30 +0000 Sabahattin > Gucukoglu <[EMAIL PROTECTED]> wrote: > > > Does this notion bother anyone, in particular? > > > > The argument for greylisting is apparently no longer - and if > > it is, it can't be for *much* longer - that, "So what if we > > can't detect non-MTSs anymore? We can still trap the bad > > ones by letting our favourite non- greylisting BL spamtraps > > capture them!" > > > > So all Mr. Bad Guy needs to do now is realise the significant > > uptake of greylisting for this one purpose, and never spam > > any host that seems to accept all initial transactions. They > > can do this simply by not entering the DATA state. And if > > that's used as metric, by sharing data amongst themselves as > > to the exact purpose of non-greylisting hosts. > > > > Any thoughts? > > > > Cheers, > > Sabahattin > > First, your subject line appears to be wrong to me: "everyone" > other than honeypots do not greylist. Not now. The subject line is the idea some spammer has when Greylisting is implemented across the board and it's clear they have to target greylisted hosts. This is what greylisters say will happen, of course, as it most certainly will eventually. And when it does, the only lasting counterattack is RBLs and similar, which spammers have a vested interest in not getting listed on because if they did then every single time a spam run gets caught a whole bunch of hosts don't accept their mail after a delay just long enough for the spammers to incriminate themselves. (Sorry for assuming, as I sometimes do, that you can read my mind.) > Second, if I correctly understand what you are proposing above > (and it is possible that I do not), why do you believe that the > spammers will cooperate in behaving the way you want/ expect? This isn't a proposal, I'm just thinking like a spammer for a moment (urgh). I don't think you've understood what I'm saying up until now, though. This is just a terrible thought - that the lasting argument for greylisting's continued existence is kind of dead if it becomes so absolutely prevalent that spammers go back to square one, that of stepping very carefully so as to avoid trapping themselves. Knowing who the spamtraps are won't require any special skill or cooperation if legitimate receivers rely on BLs actually catching spamtrap mail, because (of course) the MTS can now be easily tricked into revealing the purpose of the spamtrap address - that is, since it now accepts every kind of mail from anywhere, it *must* be intended as bate. I suppose the continued practice of hiding spamtraps in obscure places and relying on their being found by robots alone can still work even with greylisting in effect, but the results are probably much less useable because there's no mail evidence to coroborate the spamminess of the trap's input without waiting for the usual greylisting delay (assuming the spammer really does come back, as will be the case later). Still, no doubt it would be the next defense - just auto-blacklist any attempted use of bogus addresses and then share. I know though that I wouldn't trust my traps' inputs alone all to be spam, and have on a couple of occasions had to moderate input from misinformed humans trying to send mail into the feed on a couple of the more exposed addresses. > They have about zero incentive to go to extra effort to not send > mail to particular addresses unless doing so will net them a > _huge_ (think severals orders of magnitude) increase in the > number of messages that get delivered. So we'll imagine that's happened. Even now, quite a few greylistings are aborted on a friend's machine of mine for spams that get through because of the class C exception rule; zombies on the same ISP as initial sender just happen to redo the transaction as part of their campaign, often within minutes of the initial time (5 mins) running out. I'm sure the spammers are keeping their eyes open on this. Also, spamtraps look and feel just like regular email addresses until mail is sent to them, so spammers have no more or less reason to try them over regular accounts. Cheers, Sabahattin - -- Sabahattin Gucukoglu <mail<at>sabahattin<dash>gucukoglu<dot>com> Address harvesters, snag this: [EMAIL PROTECTED] Phone: +44 20 88008915 Mobile: +44 7986 053399 http://sabahattin-gucukoglu.com/ -----BEGIN PGP SIGNATURE----- Version: PGP 8 Comment: QDPGP - http://community.wow.net/grt/qdpgp.html iQA/AwUBR1b5SiNEOmEWtR2TEQLf4gCfQACDPq1V+3fKdGmyW9b22nEsLTIAoJbd QXWxl7sxxET11zn0K0XvPtEH =ayLf -----END PGP SIGNATURE-----
