ietf-smtp

Re: Everyone Greylists Except Honeypots ... So Let's Not Spam Honeypots!

2007-12-05 12:33:58

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi John,

On 5 Dec 2007 at 13:08, John C Klensin <john+smtp(_at_)jck(_dot_)com> said:

> --On Wednesday, 05 December, 2007 17:30 +0000 Sabahattin
> Gucukoglu <mail(_at_)sabahattin-gucukoglu(_dot_)com> wrote:
>
> > Does this notion bother anyone, in particular?
> >
> > The argument for greylisting is apparently no longer - and if
> > it is, it can't be for *much* longer - that, "So what if we
> > can't detect non-MTSs anymore?  We can still trap the bad
> > ones by letting our favourite non-greylisting BL spamtraps
> > capture them!"
> >
> > So all Mr. Bad Guy needs to do now is realise the significant
> > uptake of greylisting for this one purpose, and never spam
> > any host that seems to accept all initial transactions.  They
> > can do this simply by not entering the DATA state.  And if
> > that's used as a metric, by sharing data amongst themselves as
> > to the exact purpose of non-greylisting hosts.
> >
> > Any thoughts?
> >
> > Cheers,
> > Sabahattin

> First, your subject line appears to be wrong to me: "everyone"
> other than honeypots does not greylist.

Not now.  The subject line is the idea some spammer has when Greylisting 
is implemented across the board and it's clear they have to target 
greylisted hosts.  This is what greylisters say will happen, of course, as 
it most certainly will eventually.  And when it does, the only lasting 
counterattack is RBLs and similar, which spammers have a vested interest 
in not getting listed on because if they did then every single time a spam 
run gets caught a whole bunch of hosts don't accept their mail after a 
delay just long enough for the spammers to incriminate themselves.  (Sorry 
for assuming, as I sometimes do, that you can read my mind.)

> Second, if I correctly understand what you are proposing above
> (and it is possible that I do not), why do you believe that the
> spammers will cooperate in behaving the way you want/expect?

This isn't a proposal, I'm just thinking like a spammer for a moment 
(urgh).  I don't think you've understood what I'm saying up until now, 
though.  This is just a terrible thought - that the lasting argument for 
greylisting's continued existence is kind of dead if it becomes so 
absolutely prevalent that spammers go back to square one, that of stepping 
very carefully so as to avoid trapping themselves.  Knowing who the 
spamtraps are won't require any special skill or cooperation if legitimate 
receivers rely on BLs actually catching spamtrap mail, because (of course) 
the MTS can now be easily tricked into revealing the purpose of the 
spamtrap address - that is, since it now accepts every kind of mail from 
anywhere, it *must* be intended as bait.

I suppose the continued practice of hiding spamtraps in obscure places and 
relying on their being found by robots alone can still work even with 
greylisting in effect, but the results are probably much less useable 
because there's no mail evidence to corroborate the spamminess of the 
trap's input without waiting for the usual greylisting delay (assuming the 
spammer really does come back, as will be the case later).  Still, no 
doubt it would be the next defense - just auto-blacklist any attempted use 
of bogus addresses and then share.  I know though that I wouldn't trust my 
traps' inputs alone all to be spam, and have on a couple of occasions had 
to moderate input from misinformed humans trying to send mail into the 
feed on a couple of the more exposed addresses.

> They have about zero incentive to go to extra effort to not send
> mail to particular addresses unless doing so will net them a
> _huge_ (think several orders of magnitude) increase in the
> number of messages that get delivered.

So we'll imagine that's happened.  Even now, quite a few greylistings are 
aborted on a friend's machine of mine for spams that get through because 
of the class C exception rule; zombies on the same ISP as initial sender 
just happen to redo the transaction as part of their campaign, often 
within minutes of the initial time (5 mins) running out.  I'm sure the 
spammers are keeping their eyes open on this.  Also, spamtraps look and 
feel just like regular email addresses until mail is sent to them, so 
spammers have no more or less reason to try them over regular accounts.

Cheers,
Sabahattin

- -- 
Sabahattin Gucukoglu <mail<at>sabahattin<dash>gucukoglu<dot>com>
Address harvesters, snag this: feedme(_at_)yamta(_dot_)org
Phone: +44 20 88008915
Mobile: +44 7986 053399
http://sabahattin-gucukoglu.com/


-----BEGIN PGP SIGNATURE-----
Version: PGP 8
Comment: QDPGP - http://community.wow.net/grt/qdpgp.html

iQA/AwUBR1b5SiNEOmEWtR2TEQLf4gCfQACDPq1V+3fKdGmyW9b22nEsLTIAoJbd
QXWxl7sxxET11zn0K0XvPtEH
=ayLf
-----END PGP SIGNATURE-----
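The reply above describes the two greylisting behaviours that matter for this thread: an initial delivery attempt gets a temporary reject and is only accepted on a retry after a minimum delay (5 minutes in the post), and a "class C" exception rule that treats retries from any host in the sender's /24 as the same sender. The following small simulation is an added illustration written for this archive page; it is not code from the list, from the poster, or from any greylisting product. The 4-hour retry window, the `Greylist` class, and the example IPs and addresses are my own constructed assumptions. It shows, from the receiving side, why the /24 relaxation lets a second zombie in the same network complete the transaction, while exact-IP matching makes it start the delay over.

```python
"""Greylisting triplet tracker: added illustration, not code from the thread."""
import ipaddress
from dataclasses import dataclass, field

MIN_DELAY = 5 * 60        # seconds before a retry is accepted (the 5 mins in the post)
MAX_WAIT = 4 * 60 * 60    # assumed window; an entry older than this is forgotten


@dataclass
class Greylist:
    """Tracks (sender, MAIL FROM, RCPT TO) triplets and decides 451 vs 250.

    class_c=True keys the sender on its /24 network instead of its exact IP,
    which models the "class C exception rule" the reply describes.
    """
    class_c: bool = False
    _seen: dict = field(default_factory=dict)   # triplet -> time first seen

    def _key(self, ip, mail_from, rcpt_to):
        if self.class_c:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            return (str(net), mail_from.lower(), rcpt_to.lower())
        return (ip, mail_from.lower(), rcpt_to.lower())

    def check(self, ip, mail_from, rcpt_to, now):
        """Return '451' (temporary reject, try again later) or '250' (accept)."""
        key = self._key(ip, mail_from, rcpt_to)
        first = self._seen.get(key)
        if first is None or now - first > MAX_WAIT:
            # Unknown (or expired) triplet: record it and ask the client to retry.
            self._seen[key] = now
            return "451"
        if now - first < MIN_DELAY:
            # Retrying too quickly: still a temporary reject.
            return "451"
        return "250"


def run_scenario(class_c):
    """Constructed scenario: zombie A tries at t=0 and again at t=60s; zombie B,
    a different host in the same /24, retries the identical envelope at t=6 min.
    Returns the SMTP reply code each attempt received."""
    gl = Greylist(class_c=class_c)
    envelope = ("bulk@example.net", "trap@example.org")   # constructed addresses
    first = gl.check("203.0.113.10", *envelope, now=0)
    too_soon = gl.check("203.0.113.10", *envelope, now=60)
    sibling = gl.check("203.0.113.77", *envelope, now=6 * 60)
    return {"first": first, "too_soon": too_soon, "sibling_retry": sibling}


if __name__ == "__main__":
    for mode in (False, True):
        print("class C matching:" if mode else "exact IP matching:", run_scenario(mode))
```

With exact-IP matching the sibling host's attempt is a new triplet and gets 451 again, so the spam run only completes if the same zombie comes back after the delay; with /24 matching the sibling is accepted at 6 minutes, which is the hole the reply observes on a friend's machine. The usual mitigation is to keep exact-IP keys and reserve the /24 relaxation for sender networks that have already proven they retry from rotating outbound hosts.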