ietf-asrg

Re: [Asrg] Re: SPF abused by spammers

2004-09-13 15:47:41
On 2004-09-13 12:27:26 -0400, Richard Rognlie wrote:
> On Mon, Sep 13, 2004 at 05:48:34PM +0200, Peter J. Holzer wrote:
> > On 2004-09-13 17:14:37 +0200, Markus Stumpf wrote:
> > > On Fri, Sep 10, 2004 at 07:44:11PM -0400, Seth Breidbart wrote:
> > > > The idea is that the spamtrap addresses will cause blacklisting before
> > >                                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > > the domain can green off the greylist.
> > >
> > > At which point do greylist implementations make the entry for a
> > > triple?
> > >
> > > How about a
> > >    MAIL FROM
> > >    RCPT TO
> > >    RCPT TO
> > >    RCPT TO
> > >    RCPT TO
> > >    RCPT TO
> > >    [ ... ]
> > >    RSET
> > > and come back 30 minutes later.
> >
> > Such a pattern could be a reason to blacklist the sender, too.
>
> If you are greylisting, it's that pattern that well behaved MTAs will
> use.

I seem to have been quite confused when I was writing that, sorry.

What I was thinking of was that the RSET would be sent even though some
addresses (e.g., the spamtrap mentioned by Seth) would return a 250
reply to avoid triggering the spamtrap before the greylist period runs
out.

That could be detected (although there is a certain probability of false
positives), but that isn't necessary. Much better to trigger the
spamtrap when receiving the RCPT TO address than waiting for the DATA
command.

        hp

-- 
   _  | Peter J. Holzer    | The further north you go, the less people
|_|_) | Sysadmin WSR       | speak at all, and so no dialect either.
| |   | hjp(_at_)hjp(_dot_)at         | Hallig Gröde is almost entirely dialect-free.
__/   | http://www.hjp.at/ |   -- Hannes Petersen in desd

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
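
The point made in the message above, as an added example that is not part of the original post: a constructed Python model of a greylisting receiver, comparing a spamtrap that fires at DATA with one that fires at RCPT TO when a client replays the MAIL FROM / RCPT TO ... / RSET pattern and returns after the greylist period. The addresses, client IP, reply codes and 30-minute delay are assumptions.

```python
# Added example: constructed model, not a real MTA. Addresses, IP and delay are assumptions.
SPAMTRAPS = {"trap@example.org"}
GREYLIST_DELAY = 30 * 60  # seconds a new (ip, sender, rcpt) triple is deferred

class Receiver:
    def __init__(self, trigger_at):
        self.trigger_at = trigger_at  # "RCPT" or "DATA": when a spamtrap hit blacklists
        self.first_seen = {}          # greylist: triple -> time of first attempt
        self.blacklist = set()        # client IPs that hit a spamtrap

    def session(self, ip, now, commands):
        """Run one SMTP session of (verb, arg) pairs; return the reply codes."""
        replies, sender, rcpts = [], None, []
        for verb, arg in commands:
            if ip in self.blacklist:
                code = 554
            elif verb == "MAIL":
                sender, rcpts, code = arg, [], 250
            elif verb == "RSET":
                sender, rcpts, code = None, [], 250
            elif verb == "RCPT" and arg in SPAMTRAPS:
                if self.trigger_at == "RCPT":
                    self.blacklist.add(ip)   # trap fires as soon as it is named
                    code = 554
                else:
                    rcpts.append(arg)        # trap stays silent until DATA
                    code = 250
            elif verb == "RCPT":
                first = self.first_seen.setdefault((ip, sender, arg), now)
                code = 250 if now - first >= GREYLIST_DELAY else 451
                rcpts += [arg] if code == 250 else []
            elif verb == "DATA" and SPAMTRAPS & set(rcpts):
                self.blacklist.add(ip)
                code = 554
            else:  # DATA with no trap recipient (other verbs are not modelled)
                code = 354 if rcpts else 503
            replies.append(code)
        return replies

def probe_then_return(trigger_at, ip="192.0.2.7"):
    """Replay the thread's MAIL/RCPT.../RSET pattern, then a delivery 30 minutes later."""
    mta = Receiver(trigger_at)
    probe = [("MAIL", "a@sender.example"), ("RCPT", "user@example.org"),
             ("RCPT", "trap@example.org"), ("RSET", None)]
    first = mta.session(ip, 0, probe)
    listed_after_probe = ip in mta.blacklist
    later = mta.session(ip, GREYLIST_DELAY, [("MAIL", "a@sender.example"),
                                             ("RCPT", "user@example.org"), ("DATA", None)])
    return first, listed_after_probe, later
```

With the DATA trigger the probe session leaves the client unlisted and its greylist triple primed, so the later delivery gets 354; with the RCPT trigger the client is listed during the probe and every later command gets 554.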