Re: DoS attacks (was Re: SMTP Transferred-By-Reference)

2007-11-15 19:47:39

John C Klensin wrote:

Unfortunately, graylisting is one of those techniques that works
well as long as sufficiently few people use it that the spammers
and bot architects don't feel motivated to go to the extra work
to overcome it.

No, I don't agree.  Greylisting is useful to allow RBLs time to catch
up.  Forcing a sender to send from the same IP address for 20-30 minutes
or so can be useful.

My guess is that we have passed at least the
first version of that point: I'm seeing a rapidly increasing
number of spam messages arriving in a one-two sequence from the
same putative source.  First one message is sent, then a second
is sent a few minutes later.  That doesn't even require that the
bot maintain state, although graylisting that actually keeps
track of message headers or signatures will.  

We keep a hash of some message content and we find it to be quite
effective against ratware that mutates the message with each retry.
Unfortunately, this means we can't greylist until post-DATA, but
that's a tradeoff we're willing to make.

This brings us back to the point I tried to make to Hector:
making these folks smarter may be unwise, especially when doing
so consumes more resources on our end and, with botnets, they
have essentially unlimited resources for which the costs to them
are trivial.

Except that pinning them to the same IP address for a while lets
RBLs catch up so you can reject connection attempts very cheaply.

And don't ask that we change the standards to make them more
friendly to anti-spam techniques that can reasonably be expected to
have a relatively short lifespan.

I agree with that.  I don't think greylisting deserves official
recognition in an RFC.  As much as I like it, it is at the end of
the day a hack. :-)
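The scheme the poster describes, pinning a sender to one IP address for 20-30 minutes and keying the greylist on a hash of message content so that a mutating retry does not pass, as an added illustration in Python. This is not the poster's code or any particular MTA's implementation; the (client IP, MAIL FROM, RCPT TO, digest) key, the 5-minute delay and 30-minute window, the normalisation rules in content_digest, and the BLOCKLIST set standing in for a real RBL lookup are all assumptions made for the example.

```python
"""Content-aware greylisting: an added illustration, not the poster's code."""
import hashlib
import time
from typing import Dict, Optional, Set, Tuple

# Timing parameters are assumptions chosen for illustration.
GREYLIST_DELAY = 5 * 60      # a retry is accepted only after this many seconds ...
GREYLIST_WINDOW = 30 * 60    # ... and only if it arrives within this window

# Constructed stand-in for a DNSBL/RBL lookup; a real deployment queries DNS.
BLOCKLIST: Set[str] = {"198.51.100.7"}

Key = Tuple[str, str, str, str]


def content_digest(headers: Dict[str, str], body: bytes) -> str:
    """Hash the parts of a message that a legitimate retry keeps identical.

    The subject is case-folded and body whitespace is collapsed so harmless
    re-wrapping does not change the digest, while ratware that rewrites the
    text on every attempt produces a fresh key and never clears the greylist.
    """
    h = hashlib.sha256()
    h.update(headers.get("subject", "").strip().lower().encode("utf-8"))
    h.update(b"\x00")
    h.update(b" ".join(body.split()))
    return h.hexdigest()


class Greylist:
    """In-memory greylist keyed on (client IP, MAIL FROM, RCPT TO, digest).

    A production store would persist entries across restarts; a dict is
    enough to show the state machine.
    """

    def __init__(self, delay: int = GREYLIST_DELAY, window: int = GREYLIST_WINDOW):
        self.delay = delay
        self.window = window
        self.first_seen: Dict[Key, float] = {}
        self.whitelisted: Set[Key] = set()

    def connect(self, client_ip: str) -> str:
        """Pre-DATA check: once the RBL has caught up with a pinned IP, the
        connection is rejected before any message bytes are transferred."""
        if client_ip in BLOCKLIST:
            return "554 5.7.1 Client host blocked"
        return "220 OK"

    def data(self, client_ip: str, mail_from: str, rcpt_to: str,
             headers: Dict[str, str], body: bytes,
             now: Optional[float] = None) -> str:
        """Post-DATA decision: the digest needs the body, so the message has
        already been received by the time a 451 is returned (the tradeoff
        the poster mentions)."""
        now = time.time() if now is None else now
        key: Key = (client_ip, mail_from.lower(), rcpt_to.lower(),
                    content_digest(headers, body))
        if key in self.whitelisted:
            return "250 OK"
        tempfail = "451 4.7.1 Greylisted, please try again later"
        first = self.first_seen.get(key)
        if first is None:
            # New tuple: any change to IP, envelope or content lands here.
            self.first_seen[key] = now
            return tempfail
        age = now - first
        if age < self.delay:
            return tempfail            # retried too soon
        if age > self.window:
            self.first_seen[key] = now  # stale entry: start the clock again
            return tempfail
        self.whitelisted.add(key)       # same IP, same content, sane timing
        return "250 OK"
```

A legitimate MTA that retries the identical message from the same host after the delay gets a 250 on the second attempt; a bot that retries from another address, or ratware that alters the body each time, keeps producing new tuples and never clears the delay. Keying on the digest is what forces the decision to post-DATA, which is why the poster notes the bandwidth cost of accepting the body before tempfailing it.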