On Sat, May 01, 2004 at 11:51:24AM +0200, Matthias Leisi wrote:
>
> >A checksum of the mail is created and if the same mail gets
> >retransmitted after some time, it will be accepted. Virus-
> >and spam-mails won't be retransmitted, so they don't get
> >through.
>
> How long will it be until the spamware or worm-propagation mechanism du
> jour will start retrying?
>
> That sort of greylisting will at best get some short term benefit at
> long-run incremented cost (and at the expense of legitimate senders who
> are forced to bear the cost of queueing and retransmission).

While I agree with a lot of what you are saying, I feel you are exaggerating some points.

Firstly, if a spammer has to build the workings of a real mail server (i.e. a queue and periodic retries at intervals resembling that of a real MTA) then this is many magnitudes less efficient for them. The conclusion from that is that they will hold off from doing that for as long as is possible. The tipping point won't come until it is nearly impossible for them to get mail through without it. For them under the current economic climate they would rather send 100 times as many emails to try to find more people who do not greylist, than spend more time and resources to successfully deliver the same amount to people who do. This is why I believe it is not as short-term as you suggest.

Secondly, the number of legitimate mail servers on the Internet is actually in a minority compared to the number of compromised systems sending email. A legitimate MTA talks to comparatively few other legitimate MTAs, and a much larger pool of "bad" peers which is where trojan and proxy-delivered spam originates. Because under most greylisting strategies, only connections from unknown hosts are penalised, it should not cause as many delays as you suggest for the majority of systems you regularly exchange email with.

Bear in mind that some networks (not ISPs of course) have found it possible to go to an entirely or mostly whitelisting approach where they *only* accept email from known and trusted peers. If this can work for some people, then greylisting, which by its nature is less restrictive than only accepting whitelisted email, must be applicable to more.

I can't imagine this being easily explained to a customer though, who has had an important email they are expecting delayed by 30 minutes, and has been told of your greylisting idea by the person who sent the email and who has read the deferral reason out of their mail log. Which is why I can't really see any ISPs using this. Maybe some corporate networks.

Also I have not personally tried greylisting yet as I simply haven't had time to play with it, but I know a few people who have.
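The greylisting decision discussed in this thread (checksum the mail, defer the first attempt, accept a later retransmission, and penalise only unknown hosts), sketched as an added example that is not part of the original message or of any particular MTA. The class name, the 300-second minimum delay, the 4-hour expiry and the sample addresses are assumptions made for illustration.

```python
import hashlib

class Greylist:
    """Checksum-based greylisting decision (constructed illustration)."""

    def __init__(self, min_delay=300, max_age=4 * 3600):
        self.min_delay = min_delay    # assumed: earliest acceptable retry, seconds
        self.max_age = max_age        # assumed: pending entries expire after this
        self.first_seen = {}          # message checksum -> time of first attempt
        self.known_peers = set()      # hosts that have already passed once

    @staticmethod
    def checksum(sender, recipient, body):
        h = hashlib.sha256()
        for part in (sender, recipient, body):
            data = part.encode()
            h.update(len(data).to_bytes(8, "big") + data)  # length prefix keeps fields unambiguous
        return h.hexdigest()

    def check(self, peer, sender, recipient, body, now):
        """Return 'accept' or 'defer' (an SMTP 4xx temporary failure)."""
        if peer in self.known_peers:
            return "accept"               # only unknown hosts are penalised
        key = self.checksum(sender, recipient, body)
        first = self.first_seen.get(key)
        if first is None or now - first > self.max_age:
            self.first_seen[key] = now    # new or expired entry: start the clock
            return "defer"
        if now - first < self.min_delay:
            return "defer"                # retried too quickly to be a queued retry
        del self.first_seen[key]
        self.known_peers.add(peer)        # sender queued and retried like a real MTA
        return "accept"


def demo():
    gl = Greylist()
    msg = ("a@example.org", "b@example.net", "hello")   # constructed sample message
    return [
        gl.check("192.0.2.10", *msg, now=0),      # first attempt
        gl.check("192.0.2.10", *msg, now=30),     # immediate retry
        gl.check("192.0.2.10", *msg, now=900),    # queued retry after 15 minutes
        gl.check("192.0.2.10", "a@example.org", "b@example.net", "second", now=905),
        gl.check("198.51.100.7", *msg, now=910),  # unknown host, single attempt
    ]
```

The fourth call shows why regular correspondents see no further delay: once a peer has retried successfully, its later mail is accepted on the first attempt.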
