ietf-asrg

Re: [Asrg] Re: SPF abused by spammers

2004-09-10 10:13:39
On Fri, Sep 10, 2004 at 11:05:28AM -0400, Seth Breidbart wrote:
> 1. Greylisting:  Email from a new domain that passes SPF is greylisted
>    for 30 minutes.
> 2. Spamtraps: Email that hits a spamtrap, and which passes SPF, causes
>    the domain to be blacklisted.  This will typically take well under
>    30 minutes for a serious spam run.
> 3. When the greylisting expires, the domain is blacklisted.

Hmmm ...
If you delete the SPF relation in the above items, and substitute
"domain" with "IP address" so that it reads:

*> 1. Greylisting:  Email from a new IP address is greylisted for 30 minutes.
*> 2. Spamtraps: Email that hits a spamtrap, causes the IP address to be
*>    blacklisted.  This will typically take well under
*>    30 minutes for a serious spam run.
*> 3. When the greylisting expires, the IP address is blacklisted.

What makes the real difference? Is there any real advantage of SPF over
the IP address method?

When I looked at greylisting (the classic triple method) I checked the
log files of one of our mail servers over 5 days. We had 1.2 million transfers
and 980,000 unique triples (i.e. 87%). We burn a lot of spam with
"artificial" backup MX hosts that accept *everything* but return 4xx
at the end of the DATA phase, so I'd say the spam part of those 1.2
million transfers is around 60% or so.
If we delay for 4 hours (ignoring all the problems with Yahoo mail servers
and Lotus and other broken MTAs that cause failures) still a significant
portion of legitimate messages to our customers will be delayed for about
half a work shift, and messages sent shortly after noon will not make it
to the recipient the same day.

Our support hotline is flooded with calls if a larger German Mail Service
Provider has problems, because customers ask "I am waiting for a
message that usually takes 2 minutes and it hasn't arrived within
30 minutes now. Is your mail server dead or what?". This is also
the case if they wait for an email from a random communication partner.

People rely on emails as a fast and reliable medium. The classic form of
greylisting IMHO breaks the first assumption and because of that we
didn't put it into production. IMHO (I haven't talked to customers about
that, however, but it is true for me at least) people tend to accept
some spam as long as email communication is fast.

I did write "classic greylisting" as we DO use a form of greylisting.
If in a multi-RCPT transfer one of the addresses causes a permanent
failure, the whole session (even with intermediate RSETs) is temporarily
rejected (the bad address is signaled as permanent).

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
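The comparison the message asks about (greylist plus spamtrap blacklisting keyed by SPF-verified domain versus by IP address, with the classic triple for reference), as an added simulation that is not code from the thread or from SpaceNet. It runs the quoted three-step policy over constructed traffic. Assumptions, labelled in the code: every message passes SPF so the domain key cannot be forged; a key that survives the 30-minute window without a spamtrap hit is accepted afterwards (the quoted step 3 says "blacklisted", which the simulator does not reproduce); and both the spammer and the legitimate sender retry after a tempfail, which real bulk mailers often do not. The addresses, IPs and timings are made up.

```python
"""Greylisting plus spamtrap blacklisting, keyed three different ways.

Added example, not code from the thread. Keys: IP address, SPF-verified
sender domain, or the classic (ip, sender, rcpt) triple. All traffic below
is constructed; timestamps are seconds since the start of the run.
"""
from collections import namedtuple

Msg = namedtuple("Msg", "t ip sender rcpt")
GREYLIST_WINDOW = 30 * 60          # 30 minutes, as in the quoted proposal
SPAMTRAP = "trap@example.net"      # constructed spamtrap address


def key_ip(m):
    return m.ip


def key_domain(m):
    # Assumption: SPF passed, so the envelope-sender domain is trustworthy.
    return m.sender.split("@", 1)[1].lower()


def key_triple(m):
    return (m.ip, m.sender.lower(), m.rcpt.lower())


class Greylist:
    def __init__(self, keyfunc, spamtraps=(SPAMTRAP,)):
        self.keyfunc = keyfunc
        self.spamtraps = {a.lower() for a in spamtraps}
        self.first_seen = {}       # key -> time of first tempfail
        self.blacklist = set()

    def decide(self, m):
        k = self.keyfunc(m)
        if k in self.blacklist:
            return "reject"
        if m.rcpt.lower() in self.spamtraps:
            self.blacklist.add(k)  # step 2: spamtrap hit blacklists the key
            return "reject"
        first = self.first_seen.setdefault(k, m.t)
        if m.t - first < GREYLIST_WINDOW:
            return "tempfail"      # step 1: still inside the grey window
        return "accept"            # assumption: accepted once the window passed


# Constructed traffic: a spam run from one SPF-passing domain spread over
# three IPs (one of them hits the spamtrap), retried after the window, and
# one legitimate sender retrying at 5 and 35 minutes.
TRAFFIC = sorted([
    Msg(0,    "198.51.100.1", "promo@bulk.example", "alice@example.net"),
    Msg(10,   "198.51.100.2", "promo@bulk.example", SPAMTRAP),
    Msg(20,   "198.51.100.3", "promo@bulk.example", "bob@example.net"),
    Msg(1830, "198.51.100.1", "promo@bulk.example", "alice@example.net"),
    Msg(1840, "198.51.100.3", "promo@bulk.example", "bob@example.net"),
    Msg(5,    "203.0.113.7",  "pat@corp.example",   "alice@example.net"),
    Msg(300,  "203.0.113.7",  "pat@corp.example",   "alice@example.net"),
    Msg(2100, "203.0.113.7",  "pat@corp.example",   "alice@example.net"),
], key=lambda m: m.t)


def summarize(keyfunc, traffic=TRAFFIC):
    """Run the policy and report accepted spam and legitimate-mail delay."""
    policy = Greylist(keyfunc)
    accepted_spam = 0
    legit_first = legit_accepted = None
    for m in traffic:
        d = policy.decide(m)
        if key_domain(m) == "bulk.example" and d == "accept":
            accepted_spam += 1
        if key_domain(m) == "corp.example":
            legit_first = m.t if legit_first is None else legit_first
            if d == "accept" and legit_accepted is None:
                legit_accepted = m.t
    delay = None if legit_accepted is None else legit_accepted - legit_first
    return {"accepted_spam": accepted_spam, "legit_delay": delay}


if __name__ == "__main__":
    for name, fn in (("ip", key_ip), ("domain", key_domain), ("triple", key_triple)):
        print(name, summarize(fn))
```

With this traffic the domain key turns one spamtrap hit into a block for every IP the domain sends from, while the IP and triple keys only block the one IP (or triple) that hit the trap; the legitimate sender pays the same delay under all three keys, which is the cost the message is objecting to.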

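The two server-side behaviours the message describes in its own words (the "artificial" backup MX that accepts everything and answers 4xx after DATA, and the session-level greylisting where one permanently failing RCPT makes the rest of the session tempfail even across RSET), modelled as an added SMTP responder that is not SpaceNet's code. The exact reply codes, the recipient list and the choice to tempfail both later RCPTs and DATA after a 5xx are assumptions; the message only says the session is temporarily rejected and the bad address gets a permanent answer.

```python
"""Minimal SMTP responder for two anti-spam behaviours from the post above.

Added example, not SpaceNet's code. Parsing is simplified (one command per
line, no pipelining, no extensions); the valid-recipient set is constructed.
"""

VALID_RCPTS = {"alice@example.net", "bob@example.net"}   # constructed


class SmtpSession:
    def __init__(self, backup_mx=False):
        self.backup_mx = backup_mx     # True: accept all, 4xx after DATA
        self.rcpts = []
        self.had_perm_failure = False  # deliberately NOT cleared by RSET
        self.in_data = False

    def feed(self, line):
        """Return the server reply for one client line (None inside DATA)."""
        if self.in_data:
            if line != ".":
                return None
            self.in_data = False
            if self.backup_mx:
                return "451 4.7.1 Try again later"   # backup MX: tempfail after DATA
            return "250 2.0.0 Queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return "250 mx.example.net"
        if verb == "MAIL":
            self.rcpts = []
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
            if self.backup_mx:
                self.rcpts.append(addr)
                return "250 2.1.5 Ok"
            if addr not in VALID_RCPTS:
                self.had_perm_failure = True       # bad address: permanent answer
                return "550 5.1.1 User unknown"
            if self.had_perm_failure:
                return "450 4.7.1 Try again later"  # rest of session: tempfail
            self.rcpts.append(addr)
            return "250 2.1.5 Ok"
        if verb == "RSET":
            self.rcpts = []                        # had_perm_failure survives
            return "250 2.0.0 Ok"
        if verb == "DATA":
            if self.had_perm_failure and not self.backup_mx:
                return "450 4.7.1 Try again later"
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def run(lines, backup_mx=False):
    """Feed a whole client script and return the list of server replies."""
    s = SmtpSession(backup_mx)
    return [r for r in (s.feed(l) for l in lines) if r is not None]


if __name__ == "__main__":
    script = ["EHLO client", "MAIL FROM:<x@y.example>",
              "RCPT TO:<alice@example.net>", "RCPT TO:<nobody@example.net>",
              "RSET", "MAIL FROM:<x@y.example>",
              "RCPT TO:<alice@example.net>", "DATA", "QUIT"]
    for line, reply in zip(script, run(script)):
        print(f"C: {line}\nS: {reply}")
```

A compliant MTA that had one bad address in its RCPT list will retry the good ones later and get through; a bulk mailer that never retries loses the whole batch, which is the trade the message describes as its acceptable form of greylisting.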
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg