Email ???

James Wilkinson fedora at aprilcottage.co.uk
Sat May 5 09:09:55 UTC 2007


Ed Greshko wrote:
>  You said, "Retries may come from any of those computers" and this is an
>  incorrect statement.  While a major provider has many systems sending out
>  emails when an individual email is placed in the queue of a sending system
>  it stays in that system's queue.

I replied:
> For many
> major senders, what you write is absolutely true. I maintain that it is
> not universally true, and there are some major exceptions.
> 
> I understand that a number of major senders (who have their own,
> custom-written SMTP engines) do resend from different servers. There is
> a fair amount of evidence to support this:
> 
> http://www.merakmailserver.com/forum/Greylisting_Bypass_Info/m_1441/tm.htm
> http://en.wikipedia.org/wiki/Greylisting makes this point.
> http://www.dataenter.co.at/doc/xwall_greylisting_exclusions.htm

Ed replied:
> Sorry, I don't consider those "evidence" since they are merely statements by
> some individuals.
<snip>
> If you really want evidence, I'll send you my logs and you can see for
> yourself.

What would that show? I'm attempting to show that it does happen in
general, not that it happens to you.

The non-spam e-mail that people get is different. If you don't get
e-mail from those major senders, then you won't see the phenomenon in
your logs.  Good! That means greylisting works especially well for you.
(It *may* just also be that your greylisting software handles this
automatically for you -- what are you using, by the way?)

It sounds as though I'm going to have to come up with logs from people
who use greylisting who have seen retries from different servers. Would
enough examples of that convince you? Or are you essentially
unconvinceable on this point unless you see it in your own logs?

Part of the problem is that these logs are necessarily going to look
anecdotal. Part of the problem is that I'm going to have to rely on logs
other people have posted.

http://midori.shacknet.nu/OpenSourceProjects/Setting_up_Greylisting_with_Sendmail_v1.2.html#Disadvantages_with_Greylisting
shows eleven different addresses that Paypal is using to send one
message.

http://forum.powweb.com/archive/index.php/t-38837.html includes
greylisting logs:
hawkers at isecard.com
68.99.120.72

hawkers at isecard.com
68.99.120.69

hawkers at isecard.com
68.99.120.71

hawkers at isecard.com
68.99.120.68

You can see there that the same e-mail from the same individual (the
poster's mother) was retried from four different, similar IP addresses.
But then, they're excerpts of logs "from some individual".

How much Googling do you want me to do?

Ed wrote:
> So, greylisting is a good thing to implement.

Maybe I should have clarified my position, then. Greylisting is a good
and valid anti-spam practice that has a few downsides. That's fair
enough -- every anti-spam practice has a few downsides. Greylisting has
comparatively few downsides -- many have a lot more. It also has a
number of upsides that we haven't mentioned[1].

If I've been discussing the downsides of greylisting, that merely means
I'm interested in the technicalities. Depending on the particular
situation, the best combination of spam techniques may not involve
greylisting (because the downsides are greater and the benefits less
than for another 

I wrote:
>  But I am seeing some evidence that a few spammers are retrying even on
>  5xx permanent rejects (for example, identical e-mails, down to To: From:
>  and Message-ID: fields, from the same IP address).

Ed asked: 
> So, you are now making a case for a blacklist.  Yes?

No. I'm making an observation that a few spammers' practices are
changing in a way that would defeat greylisting.

What we *do* about that is another question. It certainly doesn't make
greylisting worthless, and won't do unless most spammers change.

James.

[1] Spammers using "real" MTAs that do retry may not be on DNSBLs the
first time they try sending a spam, but have found their way onto
automated DNSBLs by the time the greylist time-out has expired. In this
case, the greylist is effectively delaying mail until the sender's had a
chance to get themselves caught by the spamtraps.

-- 
E-mail:     james@ | And the cuckoo isn't cooing,
aprilcottage.co.uk | But he's cucking and he's ooing,
                   | And a Pooh is simply pooh-ing
                   | Like a bird.                          -- 'Noise', by Pooh
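
Added example, not part of the original post: a minimal greylist replaying the four client addresses from the log excerpt above, showing that a greylist keyed on the exact client IP defers every retry, while one keyed on the /24 network accepts the second attempt. The class, the delay, the sender and recipient addresses and the timestamps are assumptions constructed for illustration.

```python
import ipaddress

GREYLIST_DELAY = 300  # seconds; constructed value, not taken from the post


class Greylist:
    """Minimal greylist keyed on (client key, sender, recipient)."""

    def __init__(self, prefix_len=32, delay=GREYLIST_DELAY):
        self.prefix_len = prefix_len  # 32 = exact IP, 24 = whole /24 network
        self.delay = delay
        self.first_seen = {}          # triplet -> time of first attempt

    def _client_key(self, ip):
        # Collapse the client address to its enclosing network.
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        return str(net)

    def check(self, ip, sender, rcpt, now):
        """Return 'defer' (4xx temporary failure) or 'accept'."""
        triplet = (self._client_key(ip), sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(triplet, now)
        return "accept" if now - first >= self.delay else "defer"


def replay(greylist, attempts):
    """Feed (time, ip, sender, rcpt) attempts through a greylist in order."""
    return [greylist.check(ip, s, r, t) for (t, ip, s, r) in attempts]


# Constructed retry schedule: one message retried every 10 minutes, each time
# from a different one of the four addresses in the quoted log excerpt.
SENDER, RCPT = "sender@example.com", "user@example.org"
ATTEMPTS = [
    (0,    "68.99.120.72", SENDER, RCPT),
    (600,  "68.99.120.69", SENDER, RCPT),
    (1200, "68.99.120.71", SENDER, RCPT),
    (1800, "68.99.120.68", SENDER, RCPT),
]

if __name__ == "__main__":
    print("exact IP:", replay(Greylist(prefix_len=32), ATTEMPTS))
    print("/24 key :", replay(Greylist(prefix_len=24), ATTEMPTS))
```

Keying on the /24 only helps when the sender's pool sits inside one /24, as it does in this excerpt; a pool spread across unrelated ranges would still need an explicit exclusion.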



