
Re: [Asrg] 7. Best Practices - DNSBLs - Article

2003-09-08 09:29:34

Chris Lewis writes:
The simple fact of the matter is that open proxy/socks code will _not_ 
queue - so they won't try a second time[2].  I would strongly suspect 
that if you made your greylisting timeout _zero_, and simply 400'd the 
first appearance of a given sender/IP/recipient tuple and accepted the 
next appearance, no matter how quickly, you'd still be getting 90% of 
what greylisting with a very long timeout would give you.

Of course, spamming tools will evolve, so then you consider increasing 
the timeouts.  Too far, tho, and it's worse than where you started.  And 
I don't think you'd ever get to where you'll be able to take into 
account DNSBL latency.

My opinion is that, if greylisting becomes common, spammers will
simply start saving enough data to perform retries.

After all, a spam message contains

  a) 1 piece of message body text (as a template with $RANDOMIZE
    references etc.), into which these are inserted:
  b) obfuscated email addresses
  c) "random" text

(a) never changes for a given spam run.  (b) never changes for a given
recipient address.  (c) just needs the srand seed to be saved.

That's not a lot of data required to be saved for retries to be 
supported...

[2] That's not _entirely_ true, I've seen some spammers that retry 550's 
after DATA several times very quickly (within minutes).  Not sure 
whether that's proxy or relay behaviour.

Actually, probably broken spamware that's been interrupted/crashed/moved
to another host, without checkpointing which addrs have already been
mailed.  I regularly get duplicated spams to the same address multiple
times in 1 4-hour interval.

--j.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
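
The policy discussed in this message, as an added Python sketch (not code from either poster): greylisting keyed on the sender/IP/recipient tuple, replayed over constructed traffic with a zero timeout and with a five-minute one. The `Greylist` class, the 450 reply code, and the sample addresses and times are assumptions made for illustration.

```python
from dataclasses import dataclass, field

TEMPFAIL, ACCEPT = 450, 250   # assumed reply codes; any 4xx works as the deferral


@dataclass
class Greylist:
    """Greylisting keyed on the (sender, client IP, recipient) tuple."""
    min_delay: float = 0.0                       # seconds a retry must wait; 0 = any retry passes
    first_seen: dict = field(default_factory=dict)

    def check(self, now, sender, ip, rcpt):
        """Return the SMTP reply code for one delivery attempt at time `now`."""
        key = (sender.lower(), ip, rcpt.lower())
        seen = self.first_seen.get(key)
        if seen is None:
            self.first_seen[key] = now           # first appearance: remember it and defer
            return TEMPFAIL
        if now - seen < self.min_delay:
            return TEMPFAIL                      # retried before the timeout expired
        return ACCEPT                            # same tuple again, after the timeout


def replay(attempts, min_delay):
    """Run (time, sender, ip, rcpt) attempts through a fresh greylist."""
    gl = Greylist(min_delay=min_delay)
    return [gl.check(*a) for a in attempts]


def accepted_senders(attempts, min_delay):
    """Senders that got at least one message through under this timeout."""
    codes = replay(attempts, min_delay)
    return {a[1] for a, c in zip(attempts, codes) if c == ACCEPT}


# Constructed sample traffic, times in seconds, documentation addresses only.
RCPT = "user@example.org"
ATTEMPTS = [
    (0,    "bulk@example.net",  "192.0.2.10",   RCPT),  # non-queueing client, never retries
    (10,   "news@example.net",  "192.0.2.20",   RCPT),  # client that retries within minutes
    (20,   "alice@example.com", "198.51.100.7", RCPT),  # queueing MTA, first attempt
    (130,  "news@example.net",  "192.0.2.20",   RCPT),  # quick retry after 120 s
    (1820, "alice@example.com", "198.51.100.7", RCPT),  # queued retry after 30 min
]

if __name__ == "__main__":
    for delay in (0, 300):
        print(delay, replay(ATTEMPTS, delay), sorted(accepted_senders(ATTEMPTS, delay)))
```

The non-retrying client is deferred under both settings; the timeout only changes the outcome for the client that retries within minutes.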