[Top] [All Lists]

Re: We need an IETF BCP for GREY LISTING

2011-10-25 10:43:32

Patrik Faltstrom (pfaltstr) wrote:

Further, the whole idea with gray listing is that the assumption is that real smtp clients are more stable than spam senders.


If we make the life easier for spam senders, what do you think real clients and servers will do? Of course explore some other corner of the protocol.

This was somewhat addressed in the Security section. Plus there is no evidence of exploitation with at least seven current implementations already offering informal time hints. Plus, there is no negative evidence that moving a sender into a managed time window is actually bad, but desirable. Finally, extension or no extension, all SMTP systems MUST be able to deal with DoS issues and loading issues regardless any SMTP extension. This extension does not alter this prudent requirement and in IMO, actually improves server availability.

If this became an RFC, which I object to, I immediately would hack my smtp
server to lie, because only real smtp clients would probably retry enough to get the mail through.

Lie in which way?

I.e. a paper on this only help the spam generators.

I don't see the cons, but if so, IMV, the pros outweigh the cons.

There is even a risk people will require support for this which would limit the ability for spam fighters to on server side guess whether smtp flow is legitimate or not.

How so?

There is no change in operations other than to give MTA clients a retry time "hint" factor, the MTA can optionally use or not. It doesn't change its behavior that necessitate a retry. If a spammer adapts to this, then I ask, what took him so long when it could of just adapted the easy way - keep retrying?

I don't see why this give incentives to a spammer to finally do something that it could of done anyway long ago. And I'm sure many over the years that could adapt, did.

The fact is, Greylisting can't address any SMTP sender that retries. It only address the abusive random "single shot" senders that will never try the same transaction again.

I.e. the draft is not explaining what problem there is to solve, the contrary.

Didn't the background section go into details for the various issues and impact due to Greylisting? Does it need to be redone, rewritten?