-----BEGIN PGP SIGNED MESSAGE-----
On 5 Dec 2007 at 13:08, John C Klensin <john+smtp(_at_)jck(_dot_)com> said:
--On Wednesday, 05 December, 2007 17:30 +0000 Sabahattin
Gucukoglu <mail(_at_)sabahattin-gucukoglu(_dot_)com> wrote:
Does this notion bother anyone, in particular?
The argument for greylisting is apparently no longer - and if
it is, it can't be for *much* longer - that, "So what if we
can't detect non-MTSs anymore? We can still trap the bad
ones by letting our favourite non- greylisting BL spamtraps
So all Mr. Bad Guy needs to do now is realise the significant
uptake of greylisting for this one purpose, and never spam
any host that seems to accept all initial transactions. They
can do this simply by not entering the DATA state. And if
that's used as metric, by sharing data amongst themselves as
to the exact purpose of non-greylisting hosts.
First, your subject line appears to be wrong to me: "everyone"
other than honeypots do not greylist.
Not now. The subject line is the idea some spammer has when Greylisting
is implemented across the board and it's clear they have to target
greylisted hosts. This is what greylisters say will happen, of course, as
it most certainly will eventually. And when it does, the only lasting
counterattack is RBLs and similar, which spammers have a vested interest
in not getting listed on because if they did then every single time a spam
run gets caught a whole bunch of hosts don't accept their mail after a
delay just long enough for the spammers to incriminate themselves. (Sorry
for assuming, as I sometimes do, that you can read my mind.)
Second, if I correctly understand what you are proposing above
(and it is possible that I do not), why do you believe that the
spammers will cooperate in behaving the way you want/ expect?
This isn't a proposal, I'm just thinking like a spammer for a moment
(urgh). I don't think you've understood what I'm saying up until now,
though. This is just a terrible thought - that the lasting argument for
greylisting's continued existence is kind of dead if it becomes so
absolutely prevalent that spammers go back to square one, that of stepping
very carefully so as to avoid trapping themselves. Knowing who the
spamtraps are won't require any special skill or cooperation if legitimate
receivers rely on BLs actually catching spamtrap mail, because (of course)
the MTS can now be easily tricked into revealing the purpose of the
spamtrap address - that is, since it now accepts every kind of mail from
anywhere, it *must* be intended as bate.
I suppose the continued practice of hiding spamtraps in obscure places and
relying on their being found by robots alone can still work even with
greylisting in effect, but the results are probably much less useable
because there's no mail evidence to coroborate the spamminess of the
trap's input without waiting for the usual greylisting delay (assuming the
spammer really does come back, as will be the case later). Still, no
doubt it would be the next defense - just auto-blacklist any attempted use
of bogus addresses and then share. I know though that I wouldn't trust my
traps' inputs alone all to be spam, and have on a couple of occasions had
to moderate input from misinformed humans trying to send mail into the
feed on a couple of the more exposed addresses.
They have about zero incentive to go to extra effort to not send
mail to particular addresses unless doing so will net them a
_huge_ (think severals orders of magnitude) increase in the
number of messages that get delivered.
So we'll imagine that's happened. Even now, quite a few greylistings are
aborted on a friend's machine of mine for spams that get through because
of the class C exception rule; zombies on the same ISP as initial sender
just happen to redo the transaction as part of their campaign, often
within minutes of the initial time (5 mins) running out. I'm sure the
spammers are keeping their eyes open on this. Also, spamtraps look and
feel just like regular email addresses until mail is sent to them, so
spammers have no more or less reason to try them over regular accounts.
Sabahattin Gucukoglu <mail<at>sabahattin<dash>gucukoglu<dot>com>
Address harvesters, snag this: feedme(_at_)yamta(_dot_)org
Phone: +44 20 88008915
Mobile: +44 7986 053399
-----BEGIN PGP SIGNATURE-----
Version: PGP 8
Comment: QDPGP - http://community.wow.net/grt/qdpgp.html
-----END PGP SIGNATURE-----