Re: Greylisting -- Was: Anti Spam

2007-05-04 Thread Christopher Hilton

Ted Mittelstaedt wrote:



-Original Message-
From: Bart Silverstrim [mailto:[EMAIL PROTECTED]


[snip]


Like I said...if it taxes their resources even one tenth of one percent,
I'm for it.



It's not their resources, it's the resources they have stolen from other
people by breaking into their systems.  Greylisting really, and truly, isn't
a problem for spammers, unless it's coupled with use of blacklists.



Just because the spammers have stolen their distribution network doesn't 
mean that it has no value to them. The distribution network has a very 
low cost but that's not the same thing as having a very low value. Most 
spam is delivered overnight and on the weekend. I think that there are 
two reasons for this. The older reason is to keep the bots off of the 
RBLs. But I think that the bigger reason to deliver spam off hours is to 
protect the botnet from detection. I think that this makes the spammers 
very sensitive to the duration of a spam run. I don't think that many 
people are grey listing right now but I think that it's increasing 
rapidly. On an internet where most people grey list I think that the 
spammers must see grey listing as a major problem because of what it 
does to the duration of a spam run.


-- Chris


--
  __o  All I was doing was trying to get home from work.
_`\,_   -Rosa Parks
___(*)/_(*)___
Christopher Sean Hilton    chris | at | vindaloo.com
pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: Greylisting -- Was: Anti Spam

2007-05-02 Thread Ted Mittelstaedt


 -Original Message-
 From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
 Sent: Monday, April 30, 2007 12:08 PM
 To: Ted Mittelstaedt
 Cc: John Levine; freebsd-questions@freebsd.org
 Subject: Re: Greylisting -- Was: Anti Spam


 You're making it sound as if greylisting is a terrible idea

NO. I'm making it sound like greylisting is NOT the world's answer to
stopping spam.  It's NOT a miracle cure, it is NOT the last, best hope
for peace.

I'm making it sound like greylisting is just one more tool in the box
to stop spam - not especially better than many other tools, it has its
good points and its bad points, as do all the other tools.

Obviously you have a severe problem with this.  All I can say to that
is if you put all your spamfighting eggs in one basket, you're foolish.

 because
 once your failure system won't notify you for some unspecified period
 of time.

Give it a rest.  That is one wart on greylisting.  There are others.  Just
as there are warts on all other spamfighting tools.

  I, and others most likely, are saying that it wouldn't take
 much for you to get it working just fine whether the cell carrier
 used it or not.  And even then, you haven't made a case that ISPs or
 businesses still couldn't use it

Right, because it was never my intention to make a case for NOT using it.

It was my original intention to show that greylisting worked because it
allows the blacklists time to get the submitter in their lists, not because
all spammers cannot tolerate greylisting delays because they are sending
spam so fast.  Which is what one of the OPs claimed was how greylisting
worked.

I then added to this later on the intention to show that depending on
greylisting alone will not work in the long haul, because it is easy
to program around it.  Which the spammers will do once a majority of sites
use greylisting, and indeed, many spammers are already starting to do
right now.

...the inconvenience you point out
 still could be worked around simply by doing what I suggested before,
 registering legit by periodically sending a quick message, and if you
 get charged for a short short message like that, then you probably
 need a new cell plan if that is pushing you over your free time, or
 start having your employer compensate you for using your personal
 equipment for business use.


yah yah yah whatever.  As I said before, you are so lost and hung up on
the monitoring example that you have completely misinterpreted everything
that I've said.  The point was not to get sidetracked into this stupid
monitoring example discussion.  The point was to discuss the merits and
problems of greylisting.

I frankly think that you are so in love with greylisting that you are
deliberately trying to AVOID a discussion of its merits - because you
cannot bear to hear anything bad about it.

In summary, I run several busy mailservers, all that use greylisting.  I
have used greylisting for quite a while.  You can believe that or not.
I am stating that categorically, greylisting at the current time is
a quick hack, that in the majority of cases works, but its effectiveness
has already started down the road to rapid decline, and every month I
am seeing more and more spam go right past it and get tagged by spamassassin
as being from a blacklisted spam emitter.  That DOES NOT MEAN that you
should NOT use it - no more than it means you should not use things like
SPF records as counters in a point-based spamfiltering system - it merely
means that it's getting less effective every day.

Ted



Re: Greylisting -- Was: Anti Spam

2007-05-02 Thread Bart Silverstrim

Ted Mittelstaedt wrote:



-Original Message-
From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
Sent: Monday, April 30, 2007 12:08 PM
To: Ted Mittelstaedt
Cc: John Levine; freebsd-questions@freebsd.org
Subject: Re: Greylisting -- Was: Anti Spam


You're making it sound as if greylisting is a terrible idea


NO. I'm making it sound like greylisting is NOT the world's answer to
stopping spam.  It's NOT a miracle cure, it is NOT the last, best hope
for peace.


If that is the case, you didn't understand me either...I believe that at 
this point it takes layers to try stopping spam and viruses, and there 
are tradeoffs to be made.  It isn't a cure and I don't think I professed 
it was.



Obviously you have a severe problem with this.  All I can say to that
is if you put all your spamfighting eggs in one basket, you're foolish.


Curious...where did I say that was all I was using?


Give it a rest.  That is one wart on greylisting.  There are others.  Just
as there are warts on all other spamfighting tools.


Um...you were bringing it up and focusing on it.  Every time you claimed 
what a terrible thing this was for your monitoring system, I would say 
it's not as big a problem as you were making it out to be.



  I, and others most likely, are saying that it wouldn't take

much for you to get it working just fine whether the cell carrier
used it or not.  And even then, you haven't made a case that ISPs or
businesses still couldn't use it


Right, because it was never my intention to make a case for NOT using it.


That wasn't how it appeared.  You disparaged it every time as to why it 
wouldn't work for you if XYZ happened, so it very much appeared that you 
didn't want it.



It was my original intention to show that greylisting worked because it
allows the blacklists time to get the submitter in their lists, not because
all spammers cannot tolerate greylisting delays because they are sending
spam so fast.  Which is what one of the OPs claimed was how greylisting
worked.


I would disagree on the blacklisting part.  I think that a lot of the 
bulk software *doesn't* retry, a lot of it is spoofing headers so mail 
isn't going back to where it would if the sender were legitimate, etc.


Having to send mail to a location more than once means expending 2 
connects instead of 1.  It's a very small tax, but it's one I'm willing 
to impose if it makes their lives one tenth of one percent more of a hassle.



I then added to this later on the intention to show that depending on
greylisting alone will not work in the long haul, because it is easy
to program around it.  Which the spammers will do once a majority of sites
use greylisting, and indeed, many spammers are already starting to do
right now.


Like I said...if it taxes their resources even one tenth of one percent, 
I'm for it.




yah yah yah whatever.  As I said before, you are so lost and hung up on
the monitoring example that you have completely misinterpreted everything
that I've said.  


Then why did you keep harping on it after I and others pointed out why 
your complaint wasn't such a show stopper?



The point was not to get sidetracked into this stupid
monitoring example discussion.  The point was to discuss the merits and
problems of greylisting.


Then start doing that.  You said it wouldn't work in all cases, because 
XYZ.  We said, hey, that's not a big deal because ABC.  You continued to 
harp on XYZ.  Try bringing up DEF next time.



I frankly think that you are so in love with greylisting that you are
deliberately trying to AVOID a discussion of its merits - because you
cannot bear to hear anything bad about it.


I'm interested in knowing where in my discussions I said it was the only 
thing to use, the only one I DO use, and that it was a cureall that I 
loved so much.  I was personally looking at trying to combine SA, 
greylisting, and tarpitting, along with filtering by headers and 
stripping or sanitizing attachments/HTML if possible.  You never even 
TRIED to bring up any other solution nor did you discuss the 
effectiveness of other methods when combined.  If you did, point it out. 
 At most, as I recall, you mentioned SA was more effective than 
greylisting (so?  Combine them.  Greylisting helps lower the system load 
when a message does get to SA).  You pointed out you use greylisting and 
it was dying out in effectiveness, and you gave an example that hinted 
if certain businesses use it your world would fall apart because you 
wouldn't be notified in time and your customers would leave you in droves.



In summary, I run several busy mailservers, all that use greylisting.  I
have used greylisting for quite a while.  You can believe that or not.


As I recall, I asked you how you have it set up on your system(s) since 
you previously said you ran it and saw the effect diminishing.  It seems 
to me that you're almost making things up as to what I've said or not 
said, since I never implied you were lying or that I didn't

RE: Greylisting -- Was: Anti Spam

2007-05-02 Thread John L

NO. I'm making it sound like greylisting is NOT the world's answer to
stopping spam.  It's NOT a miracle cure, it is NOT the last, best hope
for peace.


Sigh.  You might want to read the paper Experiences with Greylisting 
from the 2005 CEAS conference.



It was my original intention to show that greylisting worked because it
allows the blacklists time to get the submitter in their lists, not because
all spammers cannot tolerate greylisting delays because they are sending
spam so fast.


This claim has often been made by people who do not have much experience 
with greylisting.  It's not true, and repeating it won't make it true. 
See the paper above for some actual data which shows that the overwhelming 
majority of spammers don't retry, unrelated to blacklists.



I then added to this later on the intention to show that depending on
greylisting alone  will not work in the long haul,


Nobody but you is making this absurd claim.  Please stop.

R's,
John


RE: Greylisting -- Was: Anti Spam

2007-05-02 Thread Ted Mittelstaedt


 -Original Message-
 From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, May 02, 2007 6:01 AM
 To: Ted Mittelstaedt
 Cc: John Levine; freebsd-questions@freebsd.org
 Subject: Re: Greylisting -- Was: Anti Spam


 I would disagree on the blacklisting part.  I think that a lot of the
 bulk software *doesn't* retry, a lot of it is spoofing headers so mail
 isn't going back to where it would if the sender were legitimate, etc.


The spoofing has nothing to do with anything.  Greylisting works at the
initial connection phase before the sender has completed the transaction,
the sender knows that the mail hasn't gone through, the headers aren't
used to send a response to the sender.  I assume you know that, but the
way you're wording this, someone unfamiliar with it may not understand this
point.

Sure, a lot of -old- bulk mail software doesn't retry - when they started
putting cars on the road, the majority of people still had horses.  But,
once they started putting cars on the road, the horses' days were
numbered.

If the majority of spammers spamming you are using old software, you're
lucky.  The majority certainly isn't using old software when they spam me.

 Having to send mail to a location more than once means expending 2
 connects instead of 1.  It's a very small tax, but it's one I'm willing
 to impose if it makes their lives one tenth of one percent more
 of a hassle.


How does it do that?  Spammers all send from compromised systems,
and all of this is done under script control.

  I then added to this later on the intention to show that depending on
  greylisting alone will not work in the long haul, because it is easy
  to program around it.  Which the spammers will do once a
 majority of sites
  use greylisting, and indeed, many spammers are already starting to do
  right now.

 Like I said...if it taxes their resources even one tenth of one percent,
 I'm for it.


It's not their resources, it's the resources they have stolen from other
people by breaking into their systems.  Greylisting really, and truly, isn't
a problem for spammers, unless it's coupled with use of blacklists.


  yah yah yah whatever.  As I said before, you are so lost and hung up on
  the monitoring example that you have completely misinterpreted
 everything
  that I've said.

 Then why did you keep harping on it after I and others pointed out why
 your complaint wasn't such a show stopper?


Well, because clearly you didn't even understand the example.  You kept
talking about me reconfiguring the greylisting on -my- server, as if that
would have anything to do with it.  It appears you have got it now, though.


 I'm interested in knowing where in my discussions I said it was the only
 thing to use, the only one I DO use, and that it was a cureall that I
 loved so much.  I was personally looking at trying to combine SA,
 greylisting, and tarpitting, along with filtering by headers and
 stripping or sanitizing attachments/HTML if possible.  You never even
 TRIED to bring up any other solution nor did you discuss the
 effectiveness of other methods when combined.  If you did, point it out.

In a message dated 4/25/2007 to Christopher Hilton:

...Actually, no.  Greylisting works because it delays the spam injector
long enough that the injector will get blacklisted by the time that the
greylist opens the door for the mail to come in.  Greylisting alone
by itself is getting less and less effective every day

   At most, as I recall, you mentioned SA was more effective than
 greylisting

No, what I said on 4/25 was:

...Since SA has a lot of the major blacklist servers as score-feeders, the
spam that gets past the greylist just gets tagged by SA...

 (so?  Combine them.  Greylisting helps lower the system load
 when a message does get to SA).  You pointed out you use greylisting and
 it was dying out in effectiveness, and you gave an example that hinted
 if certain businesses use it your world would fall apart because you
 wouldn't be notified in time and your customers would leave you in droves.


I said:

...There are legitimate technical reasons that someone may want their mail
to not be greylisted.  For example...

And, there are.  I'm not talking about JUST me.  I'm talking about any
customer that is dependent on using e-mail as a kind of instant-message
system.  Say what you want about how e-mail isn't intended for that, the
fact remains that a lot of people use it like that.  There's a lot of stuff
that people use in ways it wasn't intended, you can grumble about it all you
want, but you aren't going to be able to change it.  Legitimacy is in the
eye of the beholder.
E-mail works for some people as an instant message system - and to be
perfectly honest I would much rather have customers running e-mail as an
instant message system than MSN or AOL's instant message clients.

  In summary, I run several busy mailservers, all that use greylisting.  I
  have used greylisting for quite a while.  You can

RE: Greylisting -- Was: Anti Spam

2007-04-30 Thread Ted Mittelstaedt


 -Original Message-
 From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
 Sent: Sunday, April 29, 2007 3:40 AM
 To: Ted Mittelstaedt
 Cc: Eric Crist; Grant Peel; Christopher Hilton;
 freebsd-questions@freebsd.org
 Subject: Re: Greylisting -- Was: Anti Spam
 
 
 
 On Apr 29, 2007, at 5:00 AM, Ted Mittelstaedt wrote:
 
 
 
  -Original Message-
  From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
  Sent: Saturday, April 28, 2007 5:01 PM
  To: Ted Mittelstaedt
  Cc: Eric Crist; Grant Peel; Christopher Hilton;
  freebsd-questions@freebsd.org
  Subject: Re: Greylisting -- Was: Anti Spam
 
 
 
  On Apr 28, 2007, at 5:25 AM, Ted Mittelstaedt wrote:
 
 
 
  -Original Message-
  From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
  Sent: Friday, April 27, 2007 1:58 PM
  To: Ted Mittelstaedt
  Cc: Christopher Hilton; Grant Peel; Eric Crist;
  freebsd-questions@freebsd.org
  Subject: Re: Greylisting -- Was: Anti Spam
 
 
 
  On Apr 26, 2007, at 12:15 AM, Ted Mittelstaedt wrote:
 
  There are legitimate technical reasons that someone may want their
  mail
  to not be greylisted.  For example, my cell phone's e-mail
  address is
  in our monitoring scripts to page me in the event of a server
  failure.
  I would be pretty pissed off if Sprint suddenly started
  greylisting.  It
  isn't just dumb-ass users making stupid political decisions to
  reject
  it, although in your case it probably was.
 
  If it is a legitimate mail server, it would be promoted to the  
  auto-
  whitelist.  Not all mail is constantly greylisted by most  
  intelligent
  greylist systems.  Only the first few messages would be delayed,
  until it is established as legitimate.
 
 
  That won't work in my case since I generally only have a failure
  that causes
  a problem which results in paging about once every 3 months or so.
  By the
   time the pages got through the
  greylist it would be at least an hour later after the system had  
  gone
  down.  That isn't acceptable for a notification system.
 
  What?  What do you mean, a failure that causes a problem which
  results in paging once every 3 months?
 
  If your mail server tries to contact another mail server and it can't
  reach it, you're saying your mail server doesn't retry for an hour?
 
 
  If the monitoring system notices something down, I have to know about
  it within a few minutes.  I cannot wait for the mailserver that  
  sends the
  page out to retry sending the page to the cell carrier's mailserver
  in an hour.
 
 Ted, usually I find your posts intelligent and food for thought, but  
 I almost think you're doing this on purpose now.
 

No, the problem is you haven't understood the point I was making.

 When you're setting it up, you would set up manually to have your own  
 system whitelisted.

The system that would cause problems if it ran
greylisting is not MY system.  It's the mailserver owned by the cellular
company that I am sending to.   If they went and installed greylisting
it is highly unlikely I could get them to whitelist me.  (have you
ever, for example, tried to get a system off AOL's internal blacklist?)

 I would assume that if you really don't own your  
 own domain/mail system, you still would have a provider that would  
 whitelist *themselves* so you could send the email from your provider  
 to yourself.  If you're using SMS, I would personally either tell my  
 phone provider about it or send a few messages myself to have it  
 whitelist the entry and then periodically test the system, since  
 really you should be testing such systems periodically anyway (and  
 make sure the listing is still working).
 
 You said yourself you use greylisting, I thought.  Don't you already  
 have a system like this in place?
 
  Things go down rarely.  The monitoring system is not continually  
  sending
  out pages to my cell phone every day.  Many times many months will  
  pass
  in between the monitoring system sending my cell phone a page.  If the
  cell phone company was running greylisting, any whitelist entry for my
  monitoring system would be gone by then.
 
 We rarely lose power to the buildings, but our generator system still  
 kicks over once a week to test.  Why can't you send a page once or  
 twice a week to make sure it's working properly?

Well for starters I have to know that the cell carrier is in fact
greylisting.  You can't put a workaround in for something you don't know.
As far as I know they aren't greylisting right now - but if they start
up doing it in the future I doubt I'll be told in advance.  For all
I know they have a cluster of SMTP receivers and sending a page a
week might not get all of them updated.  And they might expire before
a week, or they might be expiring at a week then without warning change
it to 3 days.

For another thing I get charged every time I receive a text message
on my phone.  But mainly, why should I have to do this?  I have a life,
and cellular pages and calls are intrusive and I have to drop

RE: Greylisting -- Was: Anti Spam

2007-04-30 Thread Ted Mittelstaedt


 -Original Message-
 From: John Levine [mailto:[EMAIL PROTECTED]
 Sent: Sunday, April 29, 2007 6:31 AM
 To: freebsd-questions@freebsd.org
 Cc: [EMAIL PROTECTED]
 Subject: Re: Greylisting -- Was: Anti Spam


  Email is not an instant messaging system, no matter how much you want
  it to be one.
 
 Cell phone companies won't take pages any other way no matter
 how much you
 want them to.

 This might be a good time to learn about outfits like clickatell.com
 that provide SMS gateway service.  They charge about 10 cents a
 message.


You're still not getting the point.  The monitoring system speaks
e-mail.  If it speaks e-mail to the cell carrier and the cell carrier
starts greylisting it is screwed.  If it speaks e-mail to the SMS
gateway service and the gateway service starts greylisting it is
still screwed.

Instead of monitoring system substitute one of many, many, many
other embedded devices that use e-mail to send notifications.  For
example, print servers, UPSes, ethernet-to-ethernet hardware routers,
etc.

I don't understand why people are focusing on trying to redesign
the monitoring system I'm using.  Don't you have any imagination
at all?  The point was that there are legitimate situations where
the delays introduced by greylisting are a problem.  I used the
monitoring system as an example to make it easy to grasp the
point.  If it would help, I'll stop talking about it and use another
example.

Sure, it's possible to modify the greylist to whitelist.  That
implies that the sender knows greylisting is happening, knows
how to get the recipient to whitelist, it implies the recipient
is even willing to whitelist,  etc.

Imagine a cell company that puts in greylisting being deluged by
30% of their million-plus userbase requesting to be whitelisted
for just the reason I cited.  Do you think it would be realistic
for the cell company to do this?

Sure it's also possible to do something like reconfigure the monitoring
system to just call a page-only number that goes to a pager and
use touch tones to put in a message, then to wear a pager instead of
the cell phone.  There are workarounds to the monitoring scenario
I cited.  That does not prove there are workarounds to every one
of these kinds of scenarios.

Ted
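
Added example, not part of any message in this thread: a small Python model of the greylisting behaviour argued over above (temporary failure on first contact, auto-whitelist entries that expire, a receiver cluster with or without shared state). The delay, lifetimes, hourly sender retry, round-robin choice of receiver and the triplet are all assumed values, not taken from any real deployment.

```python
from dataclasses import dataclass, field

DAY = 86400
# Constructed triplet (client IP, envelope sender, envelope recipient).
TRIPLET = ("192.0.2.10", "monitor@example.org", "5550100@sms.example.net")


@dataclass
class Greylist:
    """One receiving MTA's greylist state. All timings are assumed values."""
    min_delay: int = 300          # a new triplet must wait this long before retrying
    pending_ttl: int = 4 * 3600   # the retry must arrive within this window
    whitelist_ttl: int = 7 * DAY  # auto-whitelist entry lifetime since last use
    first_seen: dict = field(default_factory=dict)
    passed: dict = field(default_factory=dict)

    def check(self, triplet, now):
        """Return True to accept, False to answer with a temporary failure."""
        last_ok = self.passed.get(triplet)
        if last_ok is not None and now - last_ok <= self.whitelist_ttl:
            self.passed[triplet] = now        # each use refreshes the entry
            return True
        self.passed.pop(triplet, None)        # entry missing or expired
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.pending_ttl:
            self.first_seen[triplet] = now    # first contact: start the clock
            return False
        if now - seen < self.min_delay:
            return False                      # retried too quickly
        del self.first_seen[triplet]
        self.passed[triplet] = now            # the retry earns a whitelist entry
        return True


def delivery_delay(receivers, triplet, start, retry_interval=3600, max_attempts=24):
    """Seconds until some receiver accepts, for a sender that retries on a
    fixed interval and walks the receivers round-robin (both assumed)."""
    for attempt in range(max_attempts):
        now = start + attempt * retry_interval
        if receivers[attempt % len(receivers)].check(triplet, now):
            return now - start
    return None


def alert_delay(whitelist_ttl, keepalive_every, alert_at):
    """Delay of a page sent at alert_at, after an earlier page at t=0 and
    optional periodic test messages in between."""
    gl = Greylist(whitelist_ttl=whitelist_ttl)
    delivery_delay([gl], TRIPLET, 0)
    if keepalive_every:
        for t in range(keepalive_every, alert_at, keepalive_every):
            delivery_delay([gl], TRIPLET, t)
    return delivery_delay([gl], TRIPLET, alert_at)


def cluster_delay(nodes, shared_state):
    """First-contact delay against a cluster with or without shared state."""
    if shared_state:
        receivers = [Greylist()] * nodes      # every node consults one database
    else:
        receivers = [Greylist() for _ in range(nodes)]
    return delivery_delay(receivers, TRIPLET, 0)


if __name__ == "__main__":
    print("page 90 days after the last one :", alert_delay(7 * DAY, None, 90 * DAY))
    print("weekly test page, 7-day expiry  :", alert_delay(7 * DAY, 7 * DAY, 90 * DAY))
    print("weekly test page, 3-day expiry  :", alert_delay(3 * DAY, 7 * DAY, 90 * DAY))
    print("3 receivers, shared state       :", cluster_delay(3, True))
    print("3 receivers, separate state     :", cluster_delay(3, False))
```

In this model the weekly test page only helps while the receiver's expiry is at least as long as the test interval, and separate per-node state multiplies the first-contact delay by the number of nodes the sender has to cycle through.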



RE: Greylisting -- Was: Anti Spam

2007-04-30 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Kenny Dail
 Sent: Sunday, April 29, 2007 8:18 PM
 To: freebsd-questions@freebsd.org
 Subject: Re: Greylisting -- Was: Anti Spam


   I'm monitoring systems at the ISP I work at.  No, it is not life or
   death
   if a feed goes down for 3 hours and a bunch of people cannot download
   their daily freebsd-questions mailing list fix.  At least, I don't
   think
   so.  But they do.  And as their money that buys the ISP's product puts
   the bread on my table, I have to do what they want.  And they want
   instant
   response if there is a problem in the ISP's systems.  That won't
   happen if
   the monitoring system's e-mails that get sent out when there is a
   problem
   lie around in a mail queue for an hour waiting for a greylist at the
   cell company to let the messages through.
 I understand where you are coming from on this, of course email is not
 the right medium to use for notifying of email failures.

Obviously.

 We built an SMS
 gateway.

That is one way to do it, there are others.  In our case, since we have
a number of mailservers, we simply pair them up to monitor each other
specifically for mail failures.

Ted



Re: Greylisting -- Was: Anti Spam

2007-04-30 Thread cpghost
On Mon, Apr 30, 2007 at 01:16:23AM -0700, Ted Mittelstaedt wrote:
 The system that would cause problems if it ran
 greylisting is not MY system.  It's the mailserver owned by the cellular
 company that I am sending to.   If they went and installed greylisting
 it is highly unlikely I could get them to whitelist me.  (have you
 ever, for example, tried to get a system off AOL's internal blacklist?)

Yes, that's indeed a problem; but how likely would that be?
Cellular operators know that their clients expect speedy
delivery of SMS, including those sent via SMTP. They know
better than to introduce greylisting latency at the gateway
when there's already normal latency at the SMSC.

Have you confirmed with your cellular operator that they
don't offer additional gateways; e.g. based on ICQ, HTTP
and whatnot? Most likely, they don't offer SMPP-over-TCP
connections to end-users ( http://www.smsforum.net/ ),
but probably to a couple of third-party providers that
you could use instead?

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: Greylisting -- Was: Anti Spam

2007-04-30 Thread Bart Silverstrim

Ted Mittelstaedt wrote:



-Original Message-
From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 28, 2007 5:05 PM
To: Ted Mittelstaedt
Cc: Christopher Hilton; User Questions
Subject: Re: Greylisting -- Was: Anti Spam


Both of those are assumptions you're making that are just not true  
anymore.

Spammers are adapting to greylisting.  I've been running it for at
least 2 years now and every month more and more spam is making it
past the greylist and getting caught by spamassassin.  As I mentioned
previously, it does not take a lot of programming effort to do it.

Sure they're adapting. They're also adapting to Spamassassin.


That's a bit different.  It is trivial to adapt to greylisting.  It is
not trivial to adapt to spamassassin, particularly if they have the
learner turned on.


Yes, it takes more.  I would also say that when it's a game of them 
blasting out as much as possible to hammer 1 or 2 through for every 1000 
that doesn't, greylisting isn't something they all think about, 
especially if greylisting is contributing to a backup in their sending 
queue (or it is bouncing mail to nonexistent mail servers to retry 
later, and since they don't exist or didn't send it in the first place, 
the message *won't come back*).


My point is/was that no matter what you're trying, until there's solid 
authentication of senders in place any statistical or gee-whiz method of 
combating SPAM will be met by adaptation, so dismissing a method just 
because it's simple to bypass doesn't mean it isn't going to stop a 
few more of the messages.


The  
fact that it doesn't take a lot of programming effort isn't the  
reason,


Yes, it is actually.  Because for the simple reason that the small
amount of programming effort required makes it possible to countermand
greylisting AT ALL.


And also make the spammer advertise who is sending the mail and thus 
allow it to be tracked.



It isn't possible, I think, for a spammer to programmatically get through
a SA setup with the learner turned on, that has a dictionary that
has been built up through both ham and spam submissions.  The main
reason spammers do get past that has more to do with the difficulty of
getting normal users to properly feed the learner.  But the problem from
the spammer's point of view is that in the Internet, 10 different SA sites
could have 10 different rules.  But 10 different greylist sites will all
act the same, so if you're going to put effort into countering the filters,
you would be smarter to counter greylisting first.


It's still one more hurdle.  Tarpitting, greylisting, SPF, reversing MX 
records...all simple things to get around, yet add one more layer of 
headache for the spammer.  Why make it easier for them?





Re: Greylisting -- Was: Anti Spam

2007-04-30 Thread Bart Silverstrim

Ted Mittelstaedt wrote:

Ted, usually I find your posts intelligent and food for thought, but  
I almost think you're doing this on purpose now.




No, the problem is you haven't understood the point I was making.


Here's the summary as I understand it.
You're against greylisting because:
a) it's easy to circumvent
b) you use it, but the effectiveness has been wearing off
c) greylisting could mean that you would not be notified if your servers 
went down and cell companies started using greylisting, or you would be 
notified with a huge delay


Is this accurate?

When you're setting it up, you would set up manually to have your own  
system whitelisted.


The system that would cause problems if it ran
greylisting is not MY system.  It's the mailserver owned by the cellular
company that I am sending to.   If they went and installed greylisting
it is highly unlikely I could get them to whitelist me.  (have you
ever, for example, tried to get a system off AOL's internal blacklist?)


It is a huge pain, and while the administrative BS is a pain in the butt 
to cut through, the difference between blacklisting and greylisting is 
that greylisting isn't a block.  It's a pause. An automatic pause. 
Blacklisting can impede you with little recourse for an indefinite 
period of time, but greylisting just tells your server to try again 
later.  This is exactly what would happen if you were having actual mail 
server problems.


I was mistaken previously in thinking you were referring to your own 
server running the greylist.  But I still stand by the assertion that 
it's not so big a problem when someone else is running it...send a 
couple messages periodically and it should allow your domain into their 
mail servers without delay.



Well for starters I have to know that the cell carrier is in fact
greylisting.  You can't put a workaround in for something you don't know.


Doesn't this help kind of prove my point, if it's a measure you don't 
even know is there?


If you send a test message periodically and it becomes delayed in your 
queue, then suddenly goes through, I would speculate that they're 
greylisting.  Some systems may even issue a message to that effect when 
you connect.


If you keep sending periodic keepalives, you should see them go 
through without getting stuck in the mail queue.



As far as I know they aren't greylisting right now - but if they start
up doing it in the future I doubt I'll be told in advance.  For all
I know they have a cluster of SMTP receivers and sending a page a
week might not get all of them updated.  And they might expire before
a week, or they might be expiring at a week then without warning change
it to 3 days.


If they're not all getting updated, there's a problem with their 
implementation.  That would be part of the point of using greylisting. 
Otherwise a message would hit system A, get greylisted, then risk coming 
in to system B the next time as a fresh connect and then delayed again 
until the sender either gives up or hits a system that did have the 
sender listed on the waiting list and allow the message to get through.



For another thing I get charged every time I receive a text message
on my phone.  But mainly, why should I have to do this?  I have a life,
and cellular pages and calls are intrusive and I have to drop what I'm
doing and pay attention to them.  


And yet you want the servers to page you when you have a problem. 
There's nothing I can really suggest here because it's an argument in 
what you can live with.  You are going to insist you want it done your 
way no matter what, to the point where you refuse to carry a second 
cellphone paid by the employer and you won't test the connection because 
apparently you have a sucky cell plan that doesn't give you X number of 
free text messages.  You even start saying you have a life and don't 
want to put up with the messages once a week because it's such a hassle 
but don't seem to mind putting up with one or two spam messages having 
to be manually deleted out of the inbox.   It's also ironic that you are 
on call 24/7 and can't get away from the electronic tether but say you 
have a life that can't be bothered.



If I send a page at night then I am
going to get woken up at night, if I send a page during the day it might
come in when I'm in the middle of a conversation with a customer, if I
send it in the evening then who knows I might be in the middle of boffing
my S.O.


If you scheduled it, you can schedule it for whenever it would probably 
be most convenient.  I can't believe you're so busy you can't spare your 
phone making a buzz or ding once or twice a week on a regular basis yet 
you have no problem with the randomness of phone calls and messages from 
other people or even your servers going down.  If this is such a 
stressor in your life, why are you carrying a cellphone in the first place?



Sure, there's Rube Goldberg ways around anything.  But the point of this
was to illustrate 

Re: Greylisting -- Was: Anti Spam

2007-04-30 Thread John Levine
Cellular operators know that their clients expect speedy
delivery of SMS, including those sent via SMTP.

Actually, in my experience SMTP to SMS gateways can have significant
delays unrelated to greylisting.  Travel agencies like Orbitz send out
notices about flight changes and delays via SMTP-SMS and as often as
not I only get the notice when I turn my phone back on after the
delayed flight has landed.

Have you confirmed with your cellular operator that they don't offer
additional gateways; e.g. based on ICQ, HTTP and whatnot?

There are third party services that do this.  For example,
clickatell.com offers a HTTP POST to SMS gateway quite cheaply, about
10 cents a message at low volumes.

Having been dealing with spam for over a decade, I cannot tell you how
tired I am of people whining that the world better not implement some
effective anti-abuse technique because it would cause them a minor
inconvenience due to their particular uncommon setup.  Spam sucks.
Deal with it.

R's,
John



Re: Greylisting -- Was: Anti Spam

2007-04-30 Thread Bart Silverstrim


On Apr 30, 2007, at 4:36 AM, Ted Mittelstaedt wrote:



I don't understand why people are focusing on trying to redesign
the monitoring system I'm using.  Don't you have any imagination
at all?  The point was that there are legitimate situations where
the delays introduced by greylisting are a problem.  I used the
monitoring system as an example to make it easy to grasp the
point.  If it would help, I'll stop talking about it and use another
example.


Probably because if this is truly a mission-critical if it fails  
you're going to lose your business type system, there would be more  
redundancy than just relying on an email to your cell provider, because:
A) greylisting by its nature will not block you or delay you if  
you're legit and are registered legit
B) what happens when your cell is out of range, off for some reason,  
fell in the toilet, broken, etc.
C) what guarantee do you have your cell phone will be always working  
100% of the time
D) what if your monitoring system fails because something blocks or  
breaks email, period


You're making it sound as if greylisting is a terrible idea because  
once your failure system won't notify you for some unspecified period  
of time.  I, and others most likely, are saying that it wouldn't take  
much for you to get it working just fine whether the cell carrier  
used it or not.  And even then, you haven't made a case that ISPs or  
businesses still couldn't use it...the inconvenience you point out  
still could be worked around simply by doing what I suggested before,  
registering legit by periodically sending a quick message, and if you  
get charged for a short short message like that, then you probably  
need a new cell plan if that is pushing you over your free time, or  
start having your employer compensate you for using your personal  
equipment for business use.



Sure, it's possible to modify the greylist to whitelist.


I thought most did.  That was part of the way they work.


That
implies that the sender knows greylisting is happening, knows
how to get the recipient to whitelist, it implies the recipient
is even willing to whitelist,  etc.


What greylist program are you using?  As I recall systems I've seen  
like Postgrey automatically track connections and after a certain  
number of connections will whitelist them, as they would be  
established as legitimate and, contrary to what your arguments make  
them out, greylisters aren't there just to slow down everyone's  
email.  Once established, they let the email right through.   You're  
making it sound like it's a huge undertaking to get this ability up  
and working.



Imagine a cell company that puts in greylisting being deluged by
30% of their million-plus userbase requesting to be whitelisted
for just the reason I cited.  Do you think it would be realistic
for the cell company to do this?


Realistically the userbase wouldn't really even know.

It's the SAME thing that would happen if your email server were  
screwed up.  Your mail server should retry within a sane period of  
time.  The vast majority of your imaginary userbase would probably  
become whitelisted before they were even aware anything happened.  If  
the majority of those users are using a popular mail service, it's  
not like 30,000 users are making 30,000 requests to their server.   
The majority of those users are probably using addresses from  
hotmail, gmail, etc...so if 10,000 were on hotmail, 15,000 were on  
gmail, and 5,000 were on aol, what are the odds that there's not  
already a load of traffic between those sites to the greylisting site?





Re: Greylisting -- Was: Anti Spam

2007-04-30 Thread Bart Silverstrim


On Apr 30, 2007, at 6:19 AM, cpghost wrote:


On Mon, Apr 30, 2007 at 01:16:23AM -0700, Ted Mittelstaedt wrote:

The system that would cause problems if it ran
greylisting is not MY system.  It's the mailserver owned by the  
cellular
company that I am sending to.   If they went and installed  
greylisting

it is highly unlikely I could get them to whitelist me.  (have you
ever, for example, tried to get a system off AOL's internal  
blacklist?)


Yes, that's indeed a problem; but how likely would that be?
Cellular operators know that their clients expect speedy
delivery of SMS, including those sent via SMTP. They know
better than to introduce greylisting latency at the gateway
when there's already normal latency at the SMSC.

Have you confirmed with your cellular operator that they
don't offer additional gateways; e.g. based on ICQ, HTTP
and whatnot? Most likely, they don't offer SMPP-over-TCP
connections to end-users ( http://www.smsforum.net/ ),
but probably to a couple of third-party providers that
you could use instead?


This won't work because you're suggesting he change the system he  
likes.  No matter what, greylisting to him is apparently impossible  
because users need their email as an instant messaging service.  The  
possibility of establishing a domain into a whitelist or testing a  
connection and notification system periodically, which would put his  
domain into their imaginary whitelist, is simply too inconvenient,  
unlike the deletion of spam that a greylist could have prevented  
coming into my inbox.  That apparently isn't inconvenient or annoying  
in the least.


I apparently hold the wrong view.  I think greylisting is still a  
pain in the butt for spammers.  It causes mail servers to have to  
take the time to retry email, something spammers don't like wasting  
time doing. If they're doing something to spoof connections then the  
mail would not even retry because it's going to an illegitimate or  
nonexistent mail server.  But none of this is possibly even a  
percentage of help for your mail server.  Apparently the extra layers  
to try slowing or easing the load on your server is a waste because  
it's *possible* to bypass it without resorting to math magic like the  
stats poisoning used against SpamAssassin now.


For me, I want to slow their servers and waste their resources, just  
like they waste my CPU and storage space.  I don't use email as an IM  
service nor do I use it as a critical availability service without  
investing lots and lots of money on redundancy, so I don't see the  
problem with companies using greylisting.



RE: Greylisting -- Was: Anti Spam

2007-04-29 Thread Ted Mittelstaedt


 -Original Message-
 From: Sam Lawrance [mailto:[EMAIL PROTECTED]
 Sent: Saturday, April 28, 2007 2:59 AM
 To: Ted Mittelstaedt
 Cc: freebsd-questions@freebsd.org
 Subject: Re: Greylisting -- Was: Anti Spam
 
 
 
 Email is not an instant messaging system, no matter how much you want  
 it to be one.
 

Cell phone companies won't take pages any other way no matter how much you
want them to.  And as I already have to carry a cell phone, I am not going
to carry a separate pager also.

Ted



RE: Greylisting -- Was: Anti Spam

2007-04-29 Thread Ted Mittelstaedt


 -Original Message-
 From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
 Sent: Saturday, April 28, 2007 5:01 PM
 To: Ted Mittelstaedt
 Cc: Eric Crist; Grant Peel; Christopher Hilton;
 freebsd-questions@freebsd.org
 Subject: Re: Greylisting -- Was: Anti Spam
 
 
 
 On Apr 28, 2007, at 5:25 AM, Ted Mittelstaedt wrote:
 
 
 
  -Original Message-
  From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
  Sent: Friday, April 27, 2007 1:58 PM
  To: Ted Mittelstaedt
  Cc: Christopher Hilton; Grant Peel; Eric Crist;
  freebsd-questions@freebsd.org
  Subject: Re: Greylisting -- Was: Anti Spam
 
 
 
  On Apr 26, 2007, at 12:15 AM, Ted Mittelstaedt wrote:
 
  There are legitimate technical reasons that someone may want their
  mail
  to not be greylisted.  For example, my cell phone's e-mail  
  address is
  in our monitoring scripts to page me in the event of a server  
  failure.
  I would be pretty pissed off if Sprint suddenly started
  greylisting.  It
  isn't just dumb-ass users making stupid political decisions to  
  reject
  it, although in your case it probably was.
 
  If it is a legitimate mail server, it would be promoted to the auto-
  whitelist.  Not all mail is constantly greylisted by most intelligent
  greylist systems.  Only the first few messages would be delayed,
  until it is established as legitimate.
 
 
  That won't work in my case since I generally only have a failure  
  that causes
  a problem which results in paging about once every 3 months or so.   
  By the
   time the pages got through the
  greylist it would be at least an hour later after the system had gone
  down.  That isn't acceptable for a notification system.
 
 What?  What do you mean, a failure that causes a problem which  
 results in paging once every 3 months?
 
 If your mail server tries to contact another mail server and it can't  
 reach it, you're saying your mail server doesn't retry for an hour?
 

If the monitoring system notices something down, I have to know about
it within a few minutes.  I cannot wait for the mailserver that sends the
page out to retry sending the page to the cell carrier's mailserver
in an hour.

Things go down rarely.  The monitoring system is not continually sending
out pages to my cell phone every day.  Many times many months will pass
in between the monitoring system sending my cell phone a page.  If the
cell phone company was running greylisting, any whitelist entry for my
monitoring system would be gone by then.

 Even if it does take an hour, the fact that it retried the server on  
 the other side doing the greylisting means it would be whitelisted  
 after a couple mails.

But the whitelist would have expired by the next time there was a problem.

 If you're doing something SO critical that  
 three or four mails delayed an hour, until you're established as a  
 legit user, means life or death, you definitely should be doing  
 something that backs up how you communicate with other sites,

I'm monitoring systems at the ISP I work at.  No, it is not life or death
if a feed goes down for 3 hours and a bunch of people cannot download
their daily freebsd-questions mailing list fix.  At least, I don't think
so.  But they do.  And as their money that buys the ISP's product puts
the bread on my table, I have to do what they want.  And they want instant
response if there is a problem in the ISP's systems.  That won't happen if
the monitoring system's e-mails that get sent out when there is a problem
lie around in a mail queue for an hour waiting for a greylist at the
cell company to let the messages through.

Ted


Re: Greylisting -- Was: Anti Spam

2007-04-29 Thread Bart Silverstrim


On Apr 29, 2007, at 5:00 AM, Ted Mittelstaedt wrote:





-Original Message-
From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 28, 2007 5:01 PM
To: Ted Mittelstaedt
Cc: Eric Crist; Grant Peel; Christopher Hilton;
freebsd-questions@freebsd.org
Subject: Re: Greylisting -- Was: Anti Spam



On Apr 28, 2007, at 5:25 AM, Ted Mittelstaedt wrote:





-Original Message-
From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
Sent: Friday, April 27, 2007 1:58 PM
To: Ted Mittelstaedt
Cc: Christopher Hilton; Grant Peel; Eric Crist;
freebsd-questions@freebsd.org
Subject: Re: Greylisting -- Was: Anti Spam



On Apr 26, 2007, at 12:15 AM, Ted Mittelstaedt wrote:


There are legitimate technical reasons that someone may want their
mail
to not be greylisted.  For example, my cell phone's e-mail
address is
in our monitoring scripts to page me in the event of a server
failure.
I would be pretty pissed off if Sprint suddenly started
greylisting.  It
isn't just dumb-ass users making stupid political decisions to
reject
it, although in your case it probably was.


If it is a legitimate mail server, it would be promoted to the  
auto-
whitelist.  Not all mail is constantly greylisted by most  
intelligent

greylist systems.  Only the first few messages would be delayed,
until it is established as legitimate.



That won't work in my case since I generally only have a failure
that causes
a problem which results in paging about once every 3 months or so.
By the
 time the pages got through the
greylist it would be at least an hour later after the system had  
gone

down.  That isn't acceptable for a notification system.


What?  What do you mean, a failure that causes a problem which
results in paging once every 3 months?

If your mail server tries to contact another mail server and it can't
reach it, you're saying your mail server doesn't retry for an hour?



If the monitoring system notices something down, I have to know about
it within a few minutes.  I cannot wait for the mailserver that  
sends the

page out to retry sending the page to the cell carrier's mailserver
in an hour.


Ted, usually I find your posts intelligent and food for thought, but  
I almost think you're doing this on purpose now.


When you're setting it up, you would set up manually to have your own  
system whitelisted.  I would assume that if you really don't own your  
own domain/mail system, you still would have a provider that would  
whitelist *themselves* so you could send the email from your provider  
to yourself.  If you're using SMS, I would personally either tell my  
phone provider about it or send a few messages myself to have it  
whitelist the entry and then periodically test the system, since  
really you should be testing such systems periodically anyway (and  
make sure the listing is still working).


You said yourself you use greylisting, I thought.  Don't you already  
have a system like this in place?


Things go down rarely.  The monitoring system is not continually  
sending
out pages to my cell phone every day.  Many times many months will  
pass

in between the monitoring system sending my cell phone a page.  If the
cell phone company was running greylisting, any whitelist entry for my
monitoring system would be gone by then.


We rarely lose power to the buildings, but our generator system still  
kicks over once a week to test.  Why can't you send a page once or  
twice a week to make sure it's working properly?  Things change,  
things get reconfigured or hiccup, and if this is that critical to  
you, what's the harm in one or two text messages a month to your  
phone saying howdy?  I mean c'mon...it's so important you must be  
notified ASAP, but you can't afford to have it test the connection  
periodically is what it sounds like you're saying.



If you're doing something SO critical that
three or four mails delayed an hour, until you're established as a
legit user, means life or death, you definitely should be doing
something that backs up how you communicate with other sites,


I'm monitoring systems at the ISP I work at.  No, it is not life or  
death

if a feed goes down for 3 hours and a bunch of people cannot download
their daily freebsd-questions mailing list fix.  At least, I don't  
think

so.  But they do.  And as their money that buys the ISP's product puts
the bread on my table, I have to do what they want.


It's an interesting conundrum that people will bitch about how stupid  
their users are yet will turn around and give them what they want  
to the point where it encourages their bad habits and their reliance  
on bad practices and their ignorance.  I'm not saying you're doing  
this, this is just a general observation.


-Bart

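The whitelist-expiry question argued in the messages above, as an added simulation that is not part of the original thread: a greylister keyed on (client IP, sender, recipient) with an idle-expiring auto-whitelist, and a queueing sender, both on a virtual clock. The timer values, addresses and function names are assumptions chosen for illustration, not the defaults of Postgrey or of any carrier.

```python
"""Greylisting with an expiring auto-whitelist, simulated on a virtual clock."""
from dataclasses import dataclass, field

MINUTE, HOUR, DAY = 60, 3600, 86400

# Constructed sample triplet (documentation address space, made-up mailboxes).
TRIPLET = ("192.0.2.10", "monitor@example.net", "5550100@sms.example.com")


@dataclass
class Greylister:
    # All three timers are assumptions for this sketch, not any product's defaults.
    min_delay: int = 5 * MINUTE     # a retry sooner than this is still deferred
    pending_ttl: int = 2 * DAY      # an unretried first attempt is forgotten after this
    whitelist_ttl: int = 35 * DAY   # an idle whitelist entry expires after this
    pending: dict = field(default_factory=dict)    # triplet -> first-seen time
    whitelist: dict = field(default_factory=dict)  # triplet -> last accepted time

    def rcpt(self, now, client_ip, sender, recipient):
        """Decide one RCPT TO: '250' (accept) or '451' (temporary failure)."""
        key = (client_ip, sender.lower(), recipient.lower())
        last_ok = self.whitelist.get(key)
        if last_ok is not None and now - last_ok <= self.whitelist_ttl:
            self.whitelist[key] = now       # every accepted mail refreshes the entry
            return "250"
        self.whitelist.pop(key, None)       # expired entry: the triplet starts over
        first = self.pending.get(key)
        if first is None or now - first > self.pending_ttl:
            self.pending[key] = now         # unknown triplet: defer and remember it
            return "451"
        if now - first < self.min_delay:
            return "451"                    # retried too quickly
        del self.pending[key]
        self.whitelist[key] = now           # retried like a real MTA: whitelist it
        return "250"


def deliver(gl, start, triplet, retry_after=HOUR, max_tries=5):
    """Queueing sender: retry every retry_after seconds.

    Returns the delivery delay in seconds, or None if every attempt was deferred.
    """
    for attempt in range(max_tries):
        now = start + attempt * retry_after
        if gl.rcpt(now, *triplet) == "250":
            return now - start
    return None


def alert_delay(days_quiet, keepalive_every_days=None, retry_after=HOUR):
    """Delay of an alert sent after days_quiet days without a real page.

    A test page on day 0 gets the triplet whitelisted; optional keepalives
    every keepalive_every_days days refresh the entry in between.
    """
    gl = Greylister()
    deliver(gl, 0, TRIPLET, retry_after=retry_after)
    if keepalive_every_days:
        for day in range(keepalive_every_days, days_quiet, keepalive_every_days):
            deliver(gl, day * DAY, TRIPLET, retry_after=retry_after)
    return deliver(gl, days_quiet * DAY, TRIPLET, retry_after=retry_after)


if __name__ == "__main__":
    print("alert after 90 quiet days, no keepalive :", alert_delay(90), "s")
    print("alert after 90 days, weekly keepalive   :",
          alert_delay(90, keepalive_every_days=7), "s")
    print("alert after 30 quiet days, no keepalive :", alert_delay(30), "s")
    print("sender that never retries               :",
          deliver(Greylister(), 0, TRIPLET, max_tries=1))
    print("sender retrying every 10 minutes        :",
          deliver(Greylister(), 0, TRIPLET, retry_after=10 * MINUTE), "s")
```

Under these assumptions the delay an alert sees is set by the sender's own retry interval, not by the greylister's minimum delay, and a keepalive interval shorter than the whitelist lifetime removes the delay entirely.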


Re: Greylisting -- Was: Anti Spam

2007-04-29 Thread Eric Crist

On Apr 29, 2007, at 4:00 AM, Ted Mittelstaedt wrote:


If the monitoring system notices something down, I have to know about
it within a few minutes.  I cannot wait for the mailserver that  
sends the

page out to retry sending the page to the cell carrier's mailserver
in an hour.

Things go down rarely.  The monitoring system is not continually  
sending
out pages to my cell phone every day.  Many times many months will  
pass

in between the monitoring system sending my cell phone a page.  If the
cell phone company was running greylisting, any whitelist entry for my
monitoring system would be gone by then.


Even if it does take an hour, the fact that it retried the server on
the other side doing the greylisting means it would be whitelisted
after a couple mails.


But the whitelist would have expired by the next time there was a  
problem.



If you're doing something SO critical that
three or four mails delayed an hour, until you're established as a
legit user, means life or death, you definitely should be doing
something that backs up how you communicate with other sites,


I'm monitoring systems at the ISP I work at.  No, it is not life or  
death

if a feed goes down for 3 hours and a bunch of people cannot download
their daily freebsd-questions mailing list fix.  At least, I don't  
think

so.  But they do.  And as their money that buys the ISP's product puts
the bread on my table, I have to do what they want.  And they want  
instant
response if there is a problem in the ISP's systems.  That won't  
happen if
the monitoring system's e-mails that get sent out when there is a  
problem

lie around in a mail queue for an hour waiting for a greylist at the
cell company to let the messages through.


My ISP has a FreeBSD with a GSM modem with text messaging service.   
They send actual text messages across the cellular network -  
instantly.  No email required.  Perhaps you folks could do that?



Re: Greylisting -- Was: Anti Spam

2007-04-29 Thread John Levine
 Email is not an instant messaging system, no matter how much you want  
 it to be one.

Cell phone companies won't take pages any other way no matter how much you
want them to.

This might be a good time to learn about outfits like clickatell.com
that provide SMS gateway service.  They charge about 10 cents a
message.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for 
Dummies,
Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor
More Wiener schnitzel, please, said Tom, revealingly.



Re: Greylisting -- Was: Anti Spam

2007-04-29 Thread Bart Silverstrim


On Apr 29, 2007, at 4:45 AM, Ted Mittelstaedt wrote:





-Original Message-
From: Sam Lawrance [mailto:[EMAIL PROTECTED]
Sent: Saturday, April 28, 2007 2:59 AM
To: Ted Mittelstaedt
Cc: freebsd-questions@freebsd.org
Subject: Re: Greylisting -- Was: Anti Spam



Email is not an instant messaging system, no matter how much you want
it to be one.



Cell phone companies won't take pages any other way no matter how  
much you
want them to.  And as I already have to carry a cell phone, I am  
not going

to carry a separate pager also.


Email only, eh?  I used to send messages to my boss via webform...I  
suppose that would imply that it's possible to have a message sent by  
some scripts to a website, unless there's captchas or something like  
that to defeat that method.


But like I said...most people would already have whitelisted vitally  
important domains, or you could send periodic keepalives to test  
the system.


-Bart


Re: Greylisting -- Was: Anti Spam

2007-04-29 Thread Kenny Dail
  I'm monitoring systems at the ISP I work at.  No, it is not life or  
  death
  if a feed goes down for 3 hours and a bunch of people cannot download
  their daily freebsd-questions mailing list fix.  At least, I don't  
  think
  so.  But they do.  And as their money that buys the ISP's product puts
  the bread on my table, I have to do what they want.  And they want  
  instant
  response if there is a problem in the ISP's systems.  That won't  
  happen if
  the monitoring system's e-mails that get sent out when there is a  
  problem
  lie around in a mail queue for an hour waiting for a greylist at the
  cell company to let the messages through.
I understand where you are coming from on this, of course email is not
the right medium to use for notifying of email failures. We built an SMS
gateway.
-- 
Kenny Dail [EMAIL PROTECTED]



RE: Greylisting -- Was: Anti Spam

2007-04-29 Thread Ted Mittelstaedt


 -Original Message-
 From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
 Sent: Saturday, April 28, 2007 5:05 PM
 To: Ted Mittelstaedt
 Cc: Christopher Hilton; User Questions
 Subject: Re: Greylisting -- Was: Anti Spam
 
 
 
  Both of those are assumptions you're making that are just not true  
  anymore.
  Spammers are adapting to greylisting.  I've been running it for at
  least 2 years now and every month more and more spam is making it
  past the greylist and getting caught by spamassassin.  As I mentioned
  previously, it does not take a lot of programming effort to do it.
 
 Sure they're adapting. They're also adapting to Spamassassin.

That's a bit different.  It is trivial to adapt to greylisting.  It is
not trivial to adapt to spamassassin, particularly if they have the
learner turned on.

 The  
 fact that it doesn't take a lot of programming effort isn't the  
 reason,

Yes, it is actually.  Because for the simple reason that the small
amount of programming effort required makes it possible to countermand
greylisting AT ALL.

It isn't possible, I think, for a spammer to programmatically get through
a SA setup with the learner turned on, that has a dictionary that
has been built up through both ham and spam submissions.  The main
reason spammers do get past that has more to do with the difficulty of
getting normal users to properly feed the learner.  But the problem from
the spammer's point of view is that in the Internet, 10 different SA sites
could have 10 different rules.  But 10 different greylist sites will all
act the same, so if you're going to put effort into countering the filters,
you would be smarter to counter greylisting first.

 though, since it doesn't take a lot of effort to NOT TOP POST  
 yet people continue to do so.
 
  When I first setup greylisting the results were literally spectacular.
  Nowadays they are great, but not much beyond that.  All of the  
  things you're
  saying about greylisting decreasing the load and all that are true,  
  and
  just because it's not as effective as it once was doesn't mean you  
  should
  not use it.  But, I am not blind to what my eyes are telling me.  In
  another 5 years, greylisting will be like all other spamfilter
  techniques, effective only against a minority of spam
 
 And yet there are still people, despite the problem spammers are  
 creating, who think that email is a vital and reliable service upon  
 which to hinge the success or failure of their business relations.
 




RE: Greylisting -- Was: Anti Spam

2007-04-28 Thread Ted Mittelstaedt


 -Original Message-
 From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
 Sent: Friday, April 27, 2007 1:58 PM
 To: Ted Mittelstaedt
 Cc: Christopher Hilton; Grant Peel; Eric Crist;
 freebsd-questions@freebsd.org
 Subject: Re: Greylisting -- Was: Anti Spam



 On Apr 26, 2007, at 12:15 AM, Ted Mittelstaedt wrote:

  There are legitimate technical reasons that someone may want their
  mail
  to not be greylisted.  For example, my cell phone's e-mail address is
  in our monitoring scripts to page me in the event of a server failure.
  I would be pretty pissed off if Sprint suddenly started
  greylisting.  It
  isn't just dumb-ass users making stupid political decisions to reject
  it, although in your case it probably was.

 If it is a legitimate mail server, it would be promoted to the auto-
 whitelist.  Not all mail is constantly greylisted by most intelligent
 greylist systems.  Only the first few messages would be delayed,
 until it is established as legitimate.


That won't work in my case since I generally only have a failure that causes
a problem which results in paging about once every 3 months or so.  By the
 time the pages got through the
greylist it would be at least an hour later after the system had gone
down.  That isn't acceptable for a notification system.

Ted



RE: Greylisting -- Was: Anti Spam

2007-04-28 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Christopher
 Hilton
 Sent: Friday, April 27, 2007 2:45 PM
 To: Ted Mittelstaedt
 Cc: User Questions
 Subject: Re: Greylisting -- Was: Anti Spam


 Ted Mittelstaedt wrote:

 [snip]

  When I scan my maillogs I find that 22% of the hosts that generate a
  greylisting entry retry the mail delivery and thus get whitelisted. The
  other 78% don't attempt redelivery within the greylisting window.
 
  That's probably par.
 
  However, the reason you're putting so much faith in the delaying,
 is simply
  that you aren't getting a lot of spam.
 
  I have published e-mail addresses.  Without greylisting I got about
  1500-2000 mail messages a day to each of them.
 
 

 Greylisting isn't just about delaying. IIRC greylisting is filtering for
 spam/ham based on behaviour in the message originator's MTA. My
 greylister is using two behavioural assumptions:

   Spamming MTA's don't have the capability to queue and retry mail.
 Asking them to queue and retry will cause them to drop the mail on the
 floor thus filtering spam.

   Spamming MTA's don't like to be tarpitted. Stuttering at them and
 sizing the TCP Windows so they must wait will result in them
 disconnecting before they can exchange mail thus filtering spam.


Both of those are assumptions you're making that are just not true anymore.
Spammers are adapting to greylisting.  I've been running it for at
least 2 years now and every month more and more spam is making it
past the greylist and getting caught by spamassassin.  As I mentioned
previously, it does not take a lot of programming effort to do it.

When I first setup greylisting the results were literally spectacular.
Nowadays they are great, but not much beyond that.  All of the things you're
saying about greylisting decreasing the load and all that are true, and
just because it's not as effective as it once was doesn't mean you should
not use it.  But, I am not blind to what my eyes are telling me.  In
another 5 years, greylisting will be like all other spamfilter
techniques, effective only against a minority of spam

Ted



Re: Greylisting -- Was: Anti Spam

2007-04-28 Thread Sam Lawrance


On 28/04/2007, at 7:25 PM, Ted Mittelstaedt wrote:





-Original Message-
From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
Sent: Friday, April 27, 2007 1:58 PM
To: Ted Mittelstaedt
Cc: Christopher Hilton; Grant Peel; Eric Crist;
freebsd-questions@freebsd.org
Subject: Re: Greylisting -- Was: Anti Spam



On Apr 26, 2007, at 12:15 AM, Ted Mittelstaedt wrote:


There are legitimate technical reasons that someone may want their mail
to not be greylisted.  For example, my cell phone's e-mail address is
in our monitoring scripts to page me in the event of a server failure.
I would be pretty pissed off if Sprint suddenly started greylisting.  It
isn't just dumb-ass users making stupid political decisions to reject
it, although in your case it probably was.


If it is a legitimate mail server, it would be promoted to the auto-
whitelist.  Not all mail is constantly greylisted by most intelligent
greylist systems.  Only the first few messages would be delayed,
until it is established as legitimate.



That won't work in my case since I generally only have a failure that causes
a problem which results in paging about once every 3 months or so.  By the
time the pages got through the greylist it would be at least an hour later
after the system had gone down.  That isn't acceptable for a notification
system.


Email is not an instant messaging system, no matter how much you want  
it to be one.




Re: Greylisting -- Was: Anti Spam

2007-04-28 Thread Bart Silverstrim


On Apr 28, 2007, at 5:29 AM, Ted Mittelstaedt wrote:





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Christopher
Hilton
Sent: Friday, April 27, 2007 2:45 PM
To: Ted Mittelstaedt
Cc: User Questions
Subject: Re: Greylisting -- Was: Anti Spam


Ted Mittelstaedt wrote:

[snip]

When I scan my maillogs I find that 22% of the hosts that generate a
greylisting entry retry the mail delivery and thus get whitelisted. The
other 78% don't attempt redelivery within the greylisting window.

That's probably par.

However, the reason you're putting so much faith in the delaying, is simply
that you aren't getting a lot of spam.

I have published e-mail addresses.  Without greylisting I got about
1500-2000 mail messages a day to each of them.




Greylisting isn't just about delaying. IIRC greylisting is filtering for
spam/ham based on behaviour in the message originator's MTA. My
greylister is using two behavioural assumptions:

  Spamming MTAs don't have the capability to queue and retry mail.
Asking them to queue and retry will cause them to drop the mail on the
floor thus filtering spam.

  Spamming MTAs don't like to be tarpitted. Stuttering at them and
sizing the TCP Windows so they must wait will result in them
disconnecting before they can exchange mail thus filtering spam.



Both of those are assumptions you're making that are just not true anymore.
Spammers are adapting to greylisting.  I've been running it for at
least 2 years now and every month more and more spam is making it
past the greylist and getting caught by spamassassin.  As I mentioned
previously, it does not take a lot of programming effort to do it.


Sure they're adapting. They're also adapting to Spamassassin.  The  
fact that it doesn't take a lot of programming effort isn't the  
reason, though, since it doesn't take a lot of effort to NOT TOP POST  
yet people continue to do so.



When I first set up greylisting the results were literally spectacular.
Nowadays they are great, but not much beyond that.  All of the things you're
saying about greylisting decreasing the load and all that are true, and
just because it's not as effective as it once was doesn't mean you should
not use it.  But, I am not blind to what my eyes are telling me.  In
another 5 years, greylisting will be like all other spamfilter
techniques, effective only against a minority of spam.


And yet there are still people, despite the problem spammers are  
creating, who think that email is a vital and reliable service upon  
which to hinge the success or failure of their business relations.



Re: Greylisting -- Was: Anti Spam

2007-04-28 Thread Bart Silverstrim


On Apr 28, 2007, at 5:25 AM, Ted Mittelstaedt wrote:





-Original Message-
From: Bart Silverstrim [mailto:[EMAIL PROTECTED]
Sent: Friday, April 27, 2007 1:58 PM
To: Ted Mittelstaedt
Cc: Christopher Hilton; Grant Peel; Eric Crist;
freebsd-questions@freebsd.org
Subject: Re: Greylisting -- Was: Anti Spam



On Apr 26, 2007, at 12:15 AM, Ted Mittelstaedt wrote:


There are legitimate technical reasons that someone may want their mail
to not be greylisted.  For example, my cell phone's e-mail address is
in our monitoring scripts to page me in the event of a server failure.
I would be pretty pissed off if Sprint suddenly started greylisting.  It
isn't just dumb-ass users making stupid political decisions to reject
it, although in your case it probably was.


If it is a legitimate mail server, it would be promoted to the auto-
whitelist.  Not all mail is constantly greylisted by most intelligent
greylist systems.  Only the first few messages would be delayed,
until it is established as legitimate.



That won't work in my case since I generally only have a failure that causes
a problem which results in paging about once every 3 months or so.  By the
time the pages got through the greylist it would be at least an hour later
after the system had gone down.  That isn't acceptable for a notification
system.


What?  What do you mean, a failure that causes a problem which  
results in paging once every 3 months?


If your mail server tries to contact another mail server and it can't  
reach it, you're saying your mail server doesn't retry for an hour?


Even if it does take an hour, the fact that it retried the server on  
the other side doing the greylisting means it would be whitelisted  
after a couple mails.  If you're doing something SO critical that  
three or four mails delayed an hour, until you're established as a
legit user, means life or death, you definitely should be doing  
something that backs up how you communicate with other sites, or  
you're not such a big fish that the other sites have already added  
you manually to their whitelists like AOL or Amazon mail servers  
would most likely be already, or other local ISPs that are known  
legit and I just don't feel like waiting for the system to add them  
automatically.



RE: Greylisting -- Was: Anti Spam

2007-04-27 Thread Ted Mittelstaedt


 -Original Message-
 From: Christopher Sean Hilton [mailto:[EMAIL PROTECTED]
 Sent: Thursday, April 26, 2007 9:05 AM
 To: Ted Mittelstaedt; User Questions
 Subject: Re: Greylisting -- Was: Anti Spam


 Ted Mittelstaedt wrote:

 [snip...]

  Greylisting works because many, and I'd like to say most, spam programs
  never retry message delivery.
 
  Actually, no.  Greylisting works because it delays the spam injector
  long enough that the injector will get blacklisted by the time that the
  greylist opens the door for the mail to come in.  Greylisting alone
  by itself is getting less and less effective every day.  Spammers are now
  starting to set up spam injectors to retry.  If you think about it, it is
  very easy to program.  Simply create a list of victims, iterate through
  the list once, deleting all the victims that accept, then wait several
  hours and iterate through the list again.  It didn't take a rocket scientist
  to figure that one out.
 
  Since SA has a lot of the major blacklist servers as score-feeders, the
  spam that gets past the greylist just gets tagged by SA.
 

 When I scan my maillogs I find that 22% of the hosts that generate a
 greylisting entry retry the mail delivery and thus get whitelisted. The
 other 78% don't attempt redelivery within the greylisting window.

That's probably par.

However, the reason you're putting so much faith in the delaying, is simply
that you aren't getting a lot of spam.

I have published e-mail addresses.  Without greylisting I got about
1500-2000 mail messages a day to each of them.

With greylisting alone that drops down to about 400-500.

The thing is, that spam is a numbers game.  Someone who is only getting
for example 50-100 spams a day to their mailbox is going to think
greylisting is virtually 100% effective, simply because when they
institute it, their spam goes from 50-100 down to 1-5 spams.  So they
are going to probably conclude that someone getting ten times the
amount of spam as them will have their spam drop down to the same 1-5
after greylisting.  But, spammers are perfectly willing to send 1000
spams to a single mailbox if they think that doing so will get 1 spam
past the filters on that box.

I do have customers with -unpublished- e-mail addresses that are
perfectly satisfied with greylisting alone - simply because they
don't get a lot of spam in the first place.  But, that's like saying
that injecting a can of stop-leak into a leaking tire is a fix for it.
Stop-leak will reduce the rate that air leaks out down to an undetectable
amount if the initial leak was small, but the tire still is leaking.

Ted



Re: Greylisting -- Was: Anti Spam

2007-04-27 Thread Bart Silverstrim


On Apr 26, 2007, at 12:15 AM, Ted Mittelstaedt wrote:

There are legitimate technical reasons that someone may want their mail
to not be greylisted.  For example, my cell phone's e-mail address is
in our monitoring scripts to page me in the event of a server failure.
I would be pretty pissed off if Sprint suddenly started greylisting.  It
isn't just dumb-ass users making stupid political decisions to reject
it, although in your case it probably was.


If it is a legitimate mail server, it would be promoted to the auto- 
whitelist.  Not all mail is constantly greylisted by most intelligent  
greylist systems.  Only the first few messages would be delayed,  
until it is established as legitimate.



Re: Greylisting -- Was: Anti Spam

2007-04-27 Thread Christopher Hilton

Ted Mittelstaedt wrote:

[snip]


When I scan my maillogs I find that 22% of the hosts that generate a
greylisting entry retry the mail delivery and thus get whitelisted. The
other 78% don't attempt redelivery within the greylisting window.


That's probably par.

However, the reason you're putting so much faith in the delaying, is simply
that you aren't getting a lot of spam.

I have published e-mail addresses.  Without greylisting I got about
1500-2000 mail messages a day to each of them.




Greylisting isn't just about delaying. IIRC greylisting is filtering for
spam/ham based on behaviour in the message originator's MTA. My
greylister is using two behavioural assumptions:


 Spamming MTAs don't have the capability to queue and retry mail.
Asking them to queue and retry will cause them to drop the mail on the
floor thus filtering spam.


 Spamming MTAs don't like to be tarpitted. Stuttering at them and
sizing the TCP Windows so they must wait will result in them
disconnecting before they can exchange mail thus filtering spam.



I may not receive as much spam as you but I do think that I receive a 
lot of spam. For mail vindaloo.com is a small domain. I'm a mail 
reflector for a couple of .orgs and I have a handful of addresses for 
which I'm the endpoint.


My greylister trapped 1907 connections from 1566 hosts on Tuesday. I 
assume that without my greylister this would have been 1566 delivered 
messages and nearly all of them would have been spam.


In a nutshell here's my math:

Tuesday's spam statistics:

1907 connections from 1566 hosts to the greylister.

1411 hosts hung up before getting to an SMTP RCPT TO. (rejected by 
Tarpitting)


 121 hosts worked with pf-spamd and sent an SMTP RCPT TO generating a 
greylisting tuple. None of these hosts attempted redelivery. (rejected 
by delay/queue)


  34 hosts worked with pf-spamd as above enough to generate a whitelist 
transaction. For roughly the next month these 34 hosts can deliver mail 
to me.


Assuming that each host wanted to send one message and that the one
message was spam my greylister has achieved a rejection rate of 97.8% 
over 1566 messages.


The real beauty of this is that it comes with little resource cost to 
me. Without Greylisting those 1566 messages would have to be scanned by 
Spam Assassin. I use SA's bayes filter. Last time I looked at it SA was 
averaging 2 ~ 4 seconds per message scanned. I'm not sure it would have 
to be done how well SA works when concurrently scanning messages but if 
I just do the simple math that's 1.3 hours of real time scanning 
messages for spam. Without greylisting I'd have to buy new hardware for 
my mailserver and that's just not worth it.


-- Chris

--
  __o  All I was doing was trying to get home from work.
_`\,_   -Rosa Parks
___(*)/_(*)___
Christopher Sean Hiltonchris | at | vindaloo.com
pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14


Re: Greylisting -- Was: Anti Spam

2007-04-26 Thread Christopher Sean Hilton

Ted Mittelstaedt wrote:

[snip...]


Greylisting works because many, and I'd like to say most, spam programs
never retry message delivery.


Actually, no.  Greylisting works because it delays the spam injector
long enough that the injector will get blacklisted by the time that the
greylist opens the door for the mail to come in.  Greylisting alone
by itself is getting less and less effective every day.  Spammers are now
starting to set up spam injectors to retry.  If you think about it, it is
very easy to program.  Simply create a list of victims, iterate through
the list once, deleting all the victims that accept, then wait several
hours and iterate through the list again.  It didn't take a rocket scientist
to figure that one out.

Since SA has a lot of the major blacklist servers as score-feeders, the
spam that gets past the greylist just gets tagged by SA.



When I scan my maillogs I find that 22% of the hosts that generate a 
greylisting entry retry the mail delivery and thus get whitelisted. The 
other 78% don't attempt redelivery within the greylisting window. The 
reason that I'm using greylisting is to reduce the load on SA so I can 
continue to use spam bayes. Quite honestly spam bayes is either the most 
or second most effective spam filtering technique that I'm using but it's
a CPU hog.


If I had to rank the effectiveness of the filtering that I'm doing I 
would say that greylisting is probably the most effective. I'm using 
spamd with tarpitting and that alone is responsible for filtering 90% of 
my spam. Spam bayes is probably second but I haven't counted the number 
of messages that are getting filed as spam based on the bayes classifier.


Some numbers from crunching my combined maillogs (primary and secondary 
mx) from Apr 24th 20:00:00 ~ Apr 25th 20:00:00.


1566 hosts generated 1907 connections to my primary and secondary MXers.

155 hosts generated 192 greylisting entries on either one or both of my 
mailservers.


34 hosts attempted to retry mail generating 40 whitelist transactions on 
one or both of my mailservers.


-- Chris

  __o  All I was doing was trying to get home from work.
_`\,_   -Rosa Parks
___(*)/_(*)___
Christopher Sean Hilton  chris | at | vindaloo.com

  pgp: f5:30:0a:54:e1:55:76:9b:1f:47:0b:07:e9:75:0e:14



Greylisting -- Was: Anti Spam

2007-04-25 Thread Christopher Hilton
Just my $0.02. Have you considered adding greylisting? I find the
combination of greylisting and Spamassassin with the SA's bayes filter
completely handles my spam problem. On my primary MX I use spamd on
OpenBSD and on my secondary MX I use spamd on FreeBSD. As a very
informal method of measurement my Inbox.spam folder held an average of
400 messages per day in October before I started using spamd. It 
currently averages about 80 messages per day.


If you don't know about greylisting it works as follows. A greylister 
monitors port 25 for inbound mail connections. When a server connects to 
this port to exchange mail the greylister predetermines the response 
based on whether or not this server has exchanged mail in the recent 
past. If it has it's allowed to exchange mail again and the server's 
timestamp is updated. If the server has not exchanged mail in the recent 
past the greylister responds: 45x - I'm too busy to talk to you right 
now. Please try to deliver this mail later. It then puts the server and 
information about the mail being delivered onto a list. If the same 
server tries the same message later it passes and the greylister 
promotes the server onto its list of okay mail servers (mail servers
that it has exchanged mail with in the recent past).


Greylisting works because many, and I'd like to say most, spam programs 
never retry message delivery. The best thing about greylisting is that it
combines well with filters like SA by reducing the amount of mail that
they have to see. In my case something like 80% of the mail that 
Spamassassin used to process just never gets past the greylister today.


The downside to greylisting is that it delays the first message from a
legitimate mailserver. In the most common case the incurred delay will
be between 30 minutes and an hour. This assumes that the sending mail
server retries queued mails every half hour or so. In an extreme case 
the delay may be longer. If the mail sender has a cluster for delivering 
outbound mails and that cluster features shared message storage and 
several processing units to handle the smtp transfer then the greylister 
will trap that message until the same server attempts redelivery. This 
is a problem with mail coming from very large internet companies like 
Google or AOL or very distributed corporations like General Electric, 
Unilever or United Technologies.


Since you are in an ISP environment greylisting may not be something 
that you can do. I was extremely surprised when a client told me that 
the 1 hr delay in receiving mail from new and infrequent mail servers 
was too much to pay to stop the spam coming into his mailbox. I don't 
claim to know the political layer as much as I do the technical one.



-- Chris

--
  __o  All I was doing was trying to get home from work.
_`\,_   -Rosa Parks
___(*)/_(*)___
Christopher Sean Hiltonchris | at | vindaloo.com
pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14


RE: Greylisting -- Was: Anti Spam

2007-04-25 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Christopher
 Hilton
 Sent: Wednesday, April 25, 2007 3:25 PM
 To: Grant Peel
 Cc: Eric Crist; freebsd-questions@freebsd.org
 Subject: Greylisting -- Was: Anti Spam


 Just my $0.02. Have you considered adding greylisting? I find the
 combination of greylisting and Spamassassin with the SA's bayes filter
 completely handles my spam problem. On my primary MX I use spamd on
 OpenBSD and on my secondary MX I use spamd on FreeBSD. As a very
 informal method of measurement my Inbox.spam folder held an average of
 400 messages per day in October before I started using spamd. It
 currently averages about 80 messages per day.

 If you don't know about greylisting it works as follows. A greylister
 monitors port 25 for inbound mail connections. When a server connects to
 this port to exchange mail the greylister predetermines the response
 based on whether or not this server has exchanged mail in the recent
 past. If it has it's allowed to exchange mail again and the server's
 timestamp is updated. If the server has not exchanged mail in the recent
 past the greylister responds: 45x - I'm too busy to talk to you right
 now. Please try to deliver this mail later. It then puts the server and
 information about the mail being delivered onto a list. If the same
 server tries the same message later it passes and the greylister
 promotes the server onto its list of okay mail servers (mail servers
 that it has exchanged mail with in the recent past).

 Greylisting works because many, and I'd like to say most, spam programs
 never retry message delivery.

Actually, no.  Greylisting works because it delays the spam injector
long enough that the injector will get blacklisted by the time that the
greylist opens the door for the mail to come in.  Greylisting alone
by itself is getting less and less effective every day.  Spammers are now
starting to set up spam injectors to retry.  If you think about it, it is
very easy to program.  Simply create a list of victims, iterate through
the list once, deleting all the victims that accept, then wait several
hours and iterate through the list again.  It didn't take a rocket scientist
to figure that one out.

Since SA has a lot of the major blacklist servers as score-feeders, the
spam that gets past the greylist just gets tagged by SA.

 The best thing about greylisting is that it
 combines well with filters like SA by reducing the amount of mail that
 they have to see. In my case something like 80% of the mail that
 Spamassassin used to process just never gets past the greylister today.

 The downside to greylisting is that it delays the first message from a
 legitimate mailserver. In the most common case the incurred delay will
 be between 30 minutes and an hour. This assumes that the sending mail
 server retries queued mails every half hour or so. In an extreme case
 the delay may be longer. If the mail sender has a cluster for delivering
 outbound mails and that cluster features shared message storage and
 several processing units to handle the smtp transfer then the greylister
 will trap that message until the same server attempts redelivery. This
 is a problem with mail coming from very large internet companies like
 Google or AOL or very distributed corporations like General Electric,
 Unilever or United Technologies.


That is why the greylist milter (that you use for sendmail) has an exception
list.  There are not many large senders that do this and it is easy enough
to figure out who they are.

 Since you are in an ISP environment greylisting may not be something
 that you can do. I was extremely surprised when a client told me that
 the 1 hr delay in receiving mail from new and infrequent mail servers
 was too much to pay to stop the spam coming into his mailbox.

That should not be a problem.  The current greylist milter port allows
you to define clients email addresses like this as an exception that won't
get the benefits of the greylist, while allowing everyone else on the server
to continue to enjoy it.

 I don't
 claim to know the political layer as much as I do the technical one.


There are legitimate technical reasons that someone may want their mail
to not be greylisted.  For example, my cell phone's e-mail address is
in our monitoring scripts to page me in the event of a server failure.
I would be pretty pissed off if Sprint suddenly started greylisting.  It
isn't just dumb-ass users making stupid political decisions to reject
it, although in your case it probably was.

Ted
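
The greylisting decision described in the quoted message above, together with the exception list mentioned in this reply, as an added example that is not part of the original thread and is not code from spamd or the greylist milter. The timing constants, the reply strings, the addresses and the sample traffic are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field

# Assumed timings for this example (seconds); not taken from the thread.
PASSTIME = 25 * 60            # a retry sooner than this does not count
GREYEXP = 4 * 3600            # an unretried grey tuple is forgotten after this
WHITEEXP = 36 * 24 * 3600     # whitelist lifetime, refreshed on each delivery


@dataclass
class Greylister:
    exceptions: set = field(default_factory=set)  # IPs never greylisted
    grey: dict = field(default_factory=dict)      # (ip, from, to) -> first seen
    white: dict = field(default_factory=dict)     # ip -> whitelist expiry

    def check(self, now, ip, mail_from, rcpt_to):
        """Decide the reply to RCPT TO at time `now` (seconds)."""
        if ip in self.exceptions:
            return "250 exception"
        if self.white.get(ip, 0) > now:
            self.white[ip] = now + WHITEEXP       # update the server's timestamp
            return "250 whitelisted"
        self.white.pop(ip, None)                  # expired entry, start over
        key = (ip, mail_from, rcpt_to)
        first_seen = self.grey.get(key)
        if first_seen is None or now - first_seen > GREYEXP:
            self.grey[key] = now                  # new tuple, or old one timed out
            return "451 greylisted"
        if now - first_seen < PASSTIME:
            return "451 retry too soon"
        del self.grey[key]                        # same server, same message, later
        self.white[ip] = now + WHITEEXP
        return "250 promoted"

    def pending_hosts(self, now):
        """Hosts holding a live grey tuple that never came back."""
        return sorted({ip for (ip, _, _), t in self.grey.items()
                       if now - t <= GREYEXP})


# Constructed traffic: (seconds, client IP, MAIL FROM, RCPT TO, note).
EVENTS = [
    (0,    "192.0.2.10",    "alice@example.org", "bob@example.net", "real MTA, first try"),
    (300,  "192.0.2.10",    "alice@example.org", "bob@example.net", "retry after 5 min"),
    (1800, "192.0.2.10",    "alice@example.org", "bob@example.net", "retry after 30 min"),
    (2000, "192.0.2.10",    "carol@example.org", "bob@example.net", "new mail, known host"),
    (0,    "203.0.113.5",   "x@example.com",     "bob@example.net", "sender that never retries"),
    (0,    "198.51.100.1",  "news@example.com",  "bob@example.net", "cluster node 1"),
    (1800, "198.51.100.2",  "news@example.com",  "bob@example.net", "cluster node 2 retries"),
    (3600, "198.51.100.1",  "news@example.com",  "bob@example.net", "node 1 again"),
    (10,   "198.51.100.77", "pager@example.com", "bob@example.net", "on exception list"),
]


def replay(events=EVENTS):
    """Run the events in time order; return (replies by note, stuck hosts)."""
    g = Greylister(exceptions={"198.51.100.77"})
    replies = {}
    for now, ip, mail_from, rcpt_to, note in sorted(events):
        replies[note] = g.check(now, ip, mail_from, rcpt_to)
    return replies, g.pending_hosts(now=3600)


if __name__ == "__main__":
    replies, stuck = replay()
    for note, reply in replies.items():
        print(f"{reply:<20} {note}")
    print("never promoted:", stuck)
```

The cluster rows show the shared-queue delay from the quoted message: the retry from a second node only opens a new tuple, and the mail passes once the first node comes back.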
