The end of greylisting?

Most already know that I'm not a big fan of greylisting, mainly because I believe that simply delaying mails is not acceptable in larger environments and is very easy to bypass. If everyone were using greylisting, we'd have to throw more hardware at outgoing mail as well. Good for business though ;)

For a while now I have been using selective greylisting on my personal server, only greylisting senders without a valid reverse DNS or those that are listed in blacklists. This has worked pretty well, however recently the guys from openminds reported that spammers are getting smarter, retrying messages when they were refused by greylisting. For a long time I suspected that spammers would adapt real soon, but it took them far longer than I thought.

Does anyone have more accurate numbers about this? I don't have large systems running greylisting to pull such statistics from but I do think it's strange that only a couple people reported this. Was this only a local glitch or are spammers really starting to adapt?


On a sidenote, have a look at the interesting reverse DNS behavior of networks like 65.111.26.0/24, 64.191.43.0/24, 216.74.115.0/24 and many more. They have PTR records with a very short TTL (120 seconds) and are regularly switching from one domain to another.
For example in the past few days the address 65.111.26.16 has resolved to:

  • crowflies16.forexpose.com
  • crowflies16.hiccupeast.com
  • crowflies16.againwhite.com
  • crowflies16.shortgypsy.com

And probably many more because I only checked a few times. An attempt at circumventing reputation filters based on domain name?


I have been using greylisting for 9 months, and during that time I have not seen an increase in spam getting through the greylist filter.

That implies that spammers find it too expensive to use RFC compliant mailservers, to which greylisting is very kind.

If the sender sends mail to me again within 35 days, they stay automatically whitelisted. So there is only a delay the very first time greylisting is used on my senders. And for those that send their messages to me more than 35 days apart, the delay is only 5 to 15 minutes on servers that are not overloaded and that are RFC compliant and configured properly.

I think the only ones who need to complain about greylisting are:

* spammers - costs them money to be RFC compliant
* large mail senders - costs them money to be RFC compliant and to not cut corners

That implies that spammers find it too expensive to use RFC compliant mailservers, to which greylisting is very kind.

I'm not so sure about that one. I think that the reason is that no large mail gateways use greylisting. It's a solution for hobby users, not for ISPs or larger companies. If you deliberately break your mailserver to keep out spam (which is basically what greylisting does), you're on the wrong track. It's an easy solution for people running their own small scale mailserver, like myself. But for companies there are far better solutions out there, just not for free.

Bypassing greylisting is very easy; for spammers, fixing their code so that it retries after a few minutes shouldn't cost that much. Note that they don't have to implement a real queue; with some clever programming this can easily be done without much impact on resources.
So why don't they? Probably because it won't gain them much. The day a large vendor starts using greylisting, the spammers will probably update their software in weeks. But for now, I don't think it's an issue to them.
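As an added example (not code from the original post or from any of the commenters), here is a minimal in-memory version of the selective greylisting policy from the post, using the timings mentioned in the comments: only senders without a valid reverse DNS or listed in a blacklist are deferred, a retry is accepted once 5 minutes have passed, and an accepted sender stays whitelisted for 35 days, renewed on every delivery. The reverse-DNS lookup function, the blacklist set and the 4-hour window after which a pending first attempt is forgotten are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

MIN_RETRY = 5 * 60          # earliest retry that is accepted: 5 minutes after the first attempt
RETRY_WINDOW = 4 * 3600     # assumed: a first attempt is forgotten if nothing retries within 4 hours
WHITELIST_TTL = 35 * 86400  # accepted senders stay whitelisted for 35 days

Key = Tuple[str, str, str]  # classic greylisting triplet: client IP, envelope sender, recipient


@dataclass
class SelectiveGreylister:
    # reverse_dns(ip) returns the PTR name or None; blacklisted is a set of DNSBL-listed IPs (both assumed)
    reverse_dns: Callable[[str], Optional[str]]
    blacklisted: Set[str]
    pending: Dict[Key, float] = field(default_factory=dict)    # triplet -> time of first attempt
    whitelist: Dict[Key, float] = field(default_factory=dict)  # triplet -> time of last accepted mail

    def needs_greylisting(self, ip: str) -> bool:
        """Selective policy: only senders without a valid PTR or on a blacklist get greylisted."""
        return self.reverse_dns(ip) is None or ip in self.blacklisted

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Decide one delivery attempt at time `now` (seconds): 'accept' or 'defer' (SMTP 4xx)."""
        if not self.needs_greylisting(ip):
            return "accept"
        key: Key = (ip, sender.lower(), rcpt.lower())
        last = self.whitelist.get(key)
        if last is not None and now - last <= WHITELIST_TTL:
            self.whitelist[key] = now   # any mail within 35 days keeps the whitelist entry alive
            return "accept"
        self.whitelist.pop(key, None)   # entry expired: this sender starts over with a delay
        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            self.pending[key] = now     # first (or stale) attempt: defer with a temporary error
            return "defer"
        if now - first < MIN_RETRY:
            return "defer"              # retried too quickly: keep deferring, first-seen time unchanged
        del self.pending[key]           # proper retry after the delay: accept and whitelist
        self.whitelist[key] = now
        return "accept"
```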
