ietf-asrg

Re: [Asrg] Software bashing [mostly OT, but on at the end]

2009-01-24 07:38:43
On Sat, Jan 24, 2009 at 08:55:12AM +1200, Franck Martin wrote:
> To be noted I see now that infected machines will send several times
> the same message to the same email.  So I think the spammers are now
> fighting greylisting, and greylisting is becoming less and less effective.

Somewhat, but not entirely.  One thing that greylisting still does is buy
time for various DNSBLs and RHSBLs to note abuse and create an entry.
Granted, this is a roll of the dice, but if the greylisting period is
sufficiently long (which is probably appropriate for some classes of
hosts) then it sometimes works.  (And when it doesn't?  It may result
in a FN.)

> I kind of like the idea of OS fingerprinting, does anyone have a working filter?

The one I provided a link to:

        http://use.perl.org/~merlyn/journal/17094

is an example.  You'll need a packet filter (like pf) that has the capability
in order to use it, or something similar.

---Rsk
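
An added illustration, not part of the original message: a small simulation of the point above that a sufficiently long greylisting period gives a DNSBL time to list the sender before the retry is accepted. The `Greylister` class, the addresses, the timings and the DNSBL feed are all constructed assumptions.

```python
# Added example; addresses, times and the DNSBL feed below are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Constructed DNSBL feed: client IP -> time (seconds) the entry was created.
DNSBL_LISTED_AT = {"192.0.2.10": 900}

def dnsbl_listed(ip: str, now: int) -> bool:
    """Stand-in for a DNSBL query: a hit only once the entry exists."""
    listed_at = DNSBL_LISTED_AT.get(ip)
    return listed_at is not None and now >= listed_at

@dataclass
class Greylister:
    delay: int  # greylisting period in seconds
    lookup: Callable[[str, int], bool] = dnsbl_listed
    first_seen: Dict[Tuple[str, str, str], int] = field(default_factory=dict)

    def check(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        # The DNSBL is consulted on every attempt, so a retry after the
        # delay is judged against whatever was listed in the meantime.
        if self.lookup(ip, now):
            return "REJECT"
        first = self.first_seen.setdefault((ip, sender, rcpt), now)
        return "ACCEPT" if now - first >= self.delay else "DEFER"

# Constructed attempts: (time, client IP, envelope sender, recipient).
ATTEMPTS = [
    (0, "192.0.2.10", "a@bot.example", "u@example.org"),
    (60, "192.0.2.10", "a@bot.example", "u@example.org"),   # rapid resend
    (120, "192.0.2.10", "a@bot.example", "u@example.org"),  # rapid resend
    (10, "192.0.2.20", "b@bot.example", "u@example.org"),   # never listed
    (30, "198.51.100.5", "list@mta.example", "u@example.org"),
    (1900, "192.0.2.10", "a@bot.example", "u@example.org"),
    (1910, "192.0.2.20", "b@bot.example", "u@example.org"),
    (1930, "198.51.100.5", "list@mta.example", "u@example.org"),
]

def verdicts_for(ip: str, delay: int) -> list:
    """Replay all attempts in time order; return the verdicts for one IP."""
    g = Greylister(delay)
    out = [(a[1], g.check(a[1], a[2], a[3], a[0])) for a in sorted(ATTEMPTS)]
    return [verdict for client, verdict in out if client == ip]

if __name__ == "__main__":
    for delay in (1800, 100):
        for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.5"):
            print(delay, ip, verdicts_for(ip, delay))
```

With the 1800-second period the resending host is rejected on its late retry because the list caught up, while the unlisted host is accepted; with the 100-second period the resend at 120 seconds is accepted before any listing exists.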
