
Re: [Asrg] Greylisting BCP

2011-10-24 18:42:27
On 10/24/2011 1:33 AM, Murray S. Kucherawy wrote:
> -----Original Message-----
> From: asrg-bounces(_at_)irtf(_dot_)org
> [mailto:asrg-bounces(_at_)irtf(_dot_)org] On Behalf Of Douglas Otis
> Sent: Tuesday, October 18, 2011 8:39 PM
> To: asrg(_at_)irtf(_dot_)org
> Subject: Re: [Asrg] Greylisting BCP
>
> Grey listing challenges stateful processing of the sender to test an
> often erroneous assumption that bots sending spam don't maintain state.
> Thanks to grey listing, many bots retry against the same recipients,
> just not always with the same message.
>
> That doesn't sound like a "retry" to me, in the MTA queueing sense. For your
> claim to be true, it would mean bots institute MTA-style queue-and-retry
> systems, but that substantially increases the footprint on the infected
> machine. It's been my impression that their reluctance to do this is
> precisely why greylisting is perceived to be effective.

Keep in mind that zombies don't necessarily need to create some copy of each message and "queue" it. Rather, it's just as simple as keeping track of MAIL/RCPT pairs that should be retried, and this doesn't need to incur much of a footprint at all. Whether they have a DB entry to track which message they wanted to deliver or not is an implementation detail. Either way, it's well within the capabilities of a zombie running on a midrange laptop/desktop computer.

However, all of this misses a huge part of why greylisting can be a powerful tool: it's a happy accident that bots still don't retry properly. I only greylist if I'm already suspicious based on rDNS patterns, mismatching reverse DNS, and similar. I don't greylist because I care if they retry (although it's nice that so many still don't). I greylist to let URIBLs and similar have a chance to catch up and detect a new zombie, to let my Bayesian filter have time to learn, and to hope they hit one of my traps and get themselves blacklisted.

I don't advocate greylisting everything; I found it's too obnoxious for general-purpose use here. But in cases where I'm already suspicious, it's a second chance for a poorly managed sender to get through some front-line filters.

--
Dave Warren, CEO
Hire A Hit Consulting Services
http://ca.linkedin.com/in/davejwarren
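A defender-side sketch of the selective policy described in the post above (greylist only when reverse DNS looks suspicious, and use the delay to let a DNSBL/URIBL catch up), written as an added example rather than code from the post or from any particular MTA. The PTR patterns, the 5-minute/4-hour/7-day timings, the /24 keying (assumes IPv4) and the `listed` flag standing in for a live DNSBL lookup are all assumptions.

```python
import re

# Constructed pattern for "dynamic-looking" PTR names (dialup/DSL/cable pools);
# a real deployment would tune this to its own traffic.
DYNAMIC_PTR = re.compile(r"(dyn|dhcp|pool|ppp|dsl|cable|\d{1,3}[-.]\d{1,3}[-.]\d{1,3})", re.I)

def is_suspicious(ip, ptr, forward_ips):
    """Suspicion heuristics from the post: missing rDNS, rDNS that does not
    resolve back to the connecting IP (FCrDNS mismatch), or a generic PTR name."""
    if not ptr:
        return True
    if ip not in forward_ips:
        return True
    return bool(DYNAMIC_PTR.search(ptr))

class SelectiveGreylist:
    """Greylist only suspicious senders; re-check the DNSBL verdict on every attempt."""
    def __init__(self, delay=300, window=4 * 3600, pass_ttl=7 * 86400):
        self.delay, self.window, self.pass_ttl = delay, window, pass_ttl
        self.pending = {}   # triplet -> time of first attempt
        self.passed = {}    # triplet -> time of last accepted delivery

    @staticmethod
    def triplet(ip, sender, rcpt):
        # Key on the /24 so a sender with an outbound pool still completes the retry.
        return (ip.rsplit(".", 1)[0], sender.lower(), rcpt.lower())

    def decide(self, ip, ptr, forward_ips, sender, rcpt, now, listed=False):
        """Return 'accept', 'greylist' (SMTP 451, retry later) or 'reject' (DNSBL hit)."""
        if listed:                          # the blocklist caught up during the delay
            return "reject"
        if not is_suspicious(ip, ptr, forward_ips):
            return "accept"                 # nothing suspicious: never greylisted
        key = self.triplet(ip, sender, rcpt)
        if key in self.passed and now - self.passed[key] < self.pass_ttl:
            self.passed[key] = now          # known-good triplet, refresh its TTL
            return "accept"
        first = self.pending.get(key)
        if first is None or now - first > self.window:
            self.pending[key] = now         # new triplet, or the retry came too late
            return "greylist"
        if now - first < self.delay:
            return "greylist"               # retried too soon, keep waiting
        del self.pending[key]               # proper retry: let it through
        self.passed[key] = now
        return "accept"
```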

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg