ietf-smtp

Re: DoS attacks (was Re: SMTP Transferred-By-Reference)

2007-11-15 17:13:59



--On Friday, 16 November, 2007 12:13 +1300 Glenn Anderson
<glenn(_at_)eudora(_dot_)co(_dot_)nz> wrote:

> ...
> Connection prioritization helps keep mail flowing from hosts
> that aren't being graylisted. My MTA has two thresholds for
> how many SMTP connections are remaining, when the first one is
> exceeded connections from new hosts or hosts that are still
> graylisted are not accepted. When the second one is exceeded
> connections are only accepted from hosts that have been
> whitelisted.
>
> The minor delays due to graylisting are far outweighed by its
> useful anti-DDoS features. Anti-spam solutions that want to
> replace graylisting are of no interest to me if they can't
> replace that functionality.

Glenn,

Unfortunately, graylisting is one of those techniques that works
well as long as sufficiently few people use it that the spammers
and bot architects don't feel motivated to go to the extra work
to overcome it.  My guess is that we have passed at least the
first version of that point: I'm seeing a rapidly increasing
number of spam messages arriving in a one-two sequence from the
same putative source.  First one message is sent, then a second
is sent a few minutes later.  That doesn't even require that the
bot maintain state, although graylisting that actually keeps
track of message headers or signatures will.

This brings us back to the point I tried to make to Hector:
making these folks smarter may be unwise, especially when doing
so consumes more resources on our end and, with botnets, they
have essentially unlimited resources for which the costs to them
are trivial.

So, since you are graylisting already, by all means enjoy the
advantages as long as they last.  But, given what I think we are
seeing already, don't expect them to last for a long time.  And
don't ask that we change the standards to make them more
friendly to anti-spam techniques that can reasonably be expected to
have a relatively short lifespan.

Just my opinion, of course...

   john
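
Added example (not part of the original message and not code from either correspondent's MTA): a sketch of the two-threshold connection prioritization described in the quoted text, combined with a per-host graylist. The class and method names, the threshold values, the 300-second retry delay and the choice of the client IP as the graylist key are all assumptions.

```python
from enum import Enum

class Host(Enum):
    NEW = "new"                # never seen before
    GRAYLISTED = "graylisted"  # seen, but has not yet retried after the delay
    PASSED = "passed"          # retried after the delay
    WHITELISTED = "whitelisted"

class Admission:
    """Per-host graylist plus two free-slot thresholds (all values assumed)."""

    def __init__(self, max_conns, soft_free, hard_free, delay=300, whitelist=()):
        self.max_conns, self.soft_free, self.hard_free = max_conns, soft_free, hard_free
        self.delay = delay
        self.whitelist = set(whitelist)
        self.first_seen = {}   # ip -> time of first temp-failed attempt
        self.passed = set()
        self.active = 0

    def status(self, ip):
        if ip in self.whitelist:
            return Host.WHITELISTED
        if ip in self.passed:
            return Host.PASSED
        return Host.GRAYLISTED if ip in self.first_seen else Host.NEW

    def accept_connection(self, ip):
        """Decide at connect time; True means a connection slot was taken."""
        free = self.max_conns - self.active
        st = self.status(ip)
        if free <= 0:
            return False
        if free <= self.hard_free and st is not Host.WHITELISTED:
            return False   # second threshold: whitelisted hosts only
        if free <= self.soft_free and st in (Host.NEW, Host.GRAYLISTED):
            return False   # first threshold: no new or still-graylisted hosts
        self.active += 1
        return True

    def release(self):
        self.active = max(0, self.active - 1)

    def graylist_pass(self, ip, now):
        """True = accept mail; False = temp-fail (4xx) and ask for a retry."""
        if self.status(ip) in (Host.WHITELISTED, Host.PASSED):
            return True
        first = self.first_seen.setdefault(ip, now)
        if now - first >= self.delay:
            self.passed.add(ip)   # any retry after the delay is enough here
            return True
        return False
```

With a per-host key like this one, a second attempt a few minutes after the first is enough to pass, which is the limitation the reply points out.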