James Wilkinson wrote:
My point -- the standard recommends a retry interval of 30 minutes. That doesn't mean that a shorter interval doesn't follow the standard, merely that a longer retry period should be considered normal, according to the standard.
One could also say "a shorter retry period should be considered normal" as well. Better still, "it is normal that admins don't change the default settings of a given MTA". I think the use of the word "normal" requires a definition of what is "normal".
Your point -- in practice, few MTAs follow the recommendation in their default configuration.
In actuality, my point is that the RFC only makes a recommendation by use of the keyword SHOULD, and not all MTAs follow the recommendations.
You said, "Retries may come from any of those computers" and this is an incorrect statement. While a major provider has many systems sending out emails, when an individual email is placed in the queue of a sending system it stays in that system's queue.
You pointed out "SHOULD", I'll point out "MAY" in my statement. For many major senders, what you write is absolutely true. I maintain that it is not universally true, and there are some major exceptions.
I understand that a number of major senders (who have their own, custom-written SMTP engines) do resend from different servers. There is a fair amount of evidence to support this:
http://www.merakmailserver.com/forum/Greylisting_Bypass_Info/m_1441/tm.htm
http://en.wikipedia.org/wiki/Greylisting makes this point.
http://www.dataenter.co.at/doc/xwall_greylisting_exclusions.htm
Sorry, I don't consider those "evidence" since they are merely statements by some individuals. The Wikipedia entry simply says "or if the retry comes from a different IP address than the original attempt" but it doesn't offer any proof that it does happen in reality. Also, the section this comes from has a disclaimer of "This does not cite its references or sources."
If you really want evidence, I'll send you my logs and you can see for yourself.
I think we're pretty nearly saying the same thing -- the more greylisting is used, the greater the return on investment would be. If everyone used greylisting, then spambots would be worthless unless they learned to retry.
So, greylisting is a good thing to implement.
It looks as though most e-mail providers who are likely to use greylisting already have it in place, and that most spammers either aren't collecting or analysing reject rates, or they reckon the extra complexity of retrying isn't worth the hassle.
But I am seeing some evidence that a few spammers are retrying even on 5xx permanent rejects (for example, identical e-mails, down to To: From: and Message-ID: fields, from the same IP address).
So, you are now making a case for a blacklist. Yes?
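
The two retry patterns argued over in this thread (retries arriving from a different IP address than the first attempt, and repeats of an identical message after a 5xx reject) can be checked against one's own logs. The following is an added example, not code from either poster; the one-record-per-line log format, the label names and the sample lines are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real logs), one delivery attempt per line:
# time, client IP, envelope sender, recipient, Message-ID, SMTP reply code.
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.0.2.10 a@example.org u@example.net <m1@example.org> 451
2024-01-01T10:31:00 192.0.2.10 a@example.org u@example.net <m1@example.org> 250
2024-01-01T11:00:00 198.51.100.5 b@example.com u@example.net <m2@example.com> 451
2024-01-01T11:20:00 198.51.100.9 b@example.com u@example.net <m2@example.com> 451
2024-01-01T12:00:00 203.0.113.7 c@example.info u@example.net <m3@example.info> 550
2024-01-01T12:05:00 203.0.113.7 c@example.info u@example.net <m3@example.info> 550
2024-01-01T13:00:00 192.0.2.44 d@example.org u@example.net <m4@example.org> 451
"""

def parse(log):
    """Yield (timestamp, ip, message key, reply code) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, sender, rcpt, msgid, code = line.split()
            yield ts, ip, (sender, rcpt, msgid), int(code)

def classify_retries(log):
    """Return {message key: labels} for messages whose repeat attempts
    match one of the retry patterns discussed in the thread."""
    attempts = defaultdict(list)
    # ISO timestamps sort lexicographically, so this orders attempts by time.
    for ts, ip, key, code in sorted(parse(log)):
        attempts[key].append((ip, code))
    findings = {}
    for key, tries in attempts.items():
        labels = set()
        # Compare each attempt with the one that follows it.
        for (prev_ip, prev_code), (ip, _) in zip(tries, tries[1:]):
            if 400 <= prev_code < 500:      # retry after a temporary reject
                labels.add("retry-same-ip" if ip == prev_ip
                           else "retry-different-ip")
            elif 500 <= prev_code < 600 and ip == prev_ip:
                labels.add("retry-after-5xx-same-ip")  # repeat after permanent reject
        if labels:
            findings[key] = labels
    return findings

if __name__ == "__main__":
    for key, labels in classify_retries(SAMPLE_LOG).items():
        print(key[2], sorted(labels))
```

A greylist keyed on the client IP, sender and recipient would treat the "retry-different-ip" attempt as a first contact and defer it again, which is the delivery delay the exclusion lists linked above are meant to avoid.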