On Feb 20, 2007, at 12:36 PM, Darren Spruell wrote:

> On 2/20/07, Brian Keefer <[EMAIL PROTECTED]> wrote:
>> In the case of a greylisting type of solution, it seems that
>> identification would be especially devastating since the work-around
>> is so trivial. Unless my understanding is very wrong, the whole
>> effectiveness of the solution depends on the spammers not realizing
>> the difference between a "normal" MTA and one that greylists.
>
> The reason that greylisting has been effective is because spammers
> apparently don't waste resources on maintaining queues and attempting
> redelivery later. Why worry about redelivery to 500 temporarily failed
> recipients when in the same time and processor cycles you can deliver
> to 500,000 more mailboxes?

Historically true, but the tighter anti-spam defenses become, the
more it's worth it to put a little extra effort into reaching
"defended" mailboxes. Also, if the spammers can figure out the
difference between an error because a mailbox is full, user doesn't
exist, etc. and the fact that they're talking to a greylisting daemon,
it's worth it to make the effort if they can bypass a spam filter,
whereas it's really not worth retrying if a user's mailbox is full
or they don't exist. Whether it's worth retrying depends on why the
original delivery attempt failed. Right now it's probably still not
worth doing, since there are so few greylisting systems deployed.
Eventually it might be worth it.

> It (in practice, apparently) matters not to the spammer if they've got
> an antispam measure returning a 45x error or a legitimate MTA. If you
> were a spammer, and thought that working around 450s from spamd was
> worth wasting resources on to reattempt delivery, why wouldn't you
> just reattempt delivery on any temporary error under the hopes that it
> will succeed?

See above.

> By definition a temporary error will go away at some
> point if you reattempt delivery.

Depends what the error was.

> For every point that someone has brought up against greylisting
> (since it was originally proposed by Harris in 2003), it continues to
> work effectively. So while people adopt this
> sky-is-falling-spammers-will-figure-it-out-soon mentality, the numbers
> don't lie. Greylisting has been, still is, and will continue to be for
> some time at least an effective measure.

This is the part where I believe I'm being misunderstood. I'm not
saying that greylisting is necessarily bad, and I'm not saying that
it's ineffective. What I am saying is that I think it could be even
more effective if it was more difficult for spammers to recognize a
difference between unprotected and protected systems.
How spammers are behaving right now doesn't necessarily predict how
they're always going to behave. A particular technique for fighting
spam has to be pretty widespread before spammers will spend the time
to figure out the flaws. I've worked in e-mail for about 8 years,
starting with a hosting company that had millions of e-mail boxes and
hundreds of thousands of domains, then two different e-mail security
companies. The one thing I've noticed is that no one method of
fighting spam is a panacea.
Originally when "Bayesian filtering" was proposed, it was supposed to
be the Final Ultimate Solution for Spam and everyone was gushing on
all the usenet groups and mailing lists about how great it was and
how they never got a single piece of spam any more. A lot of
commercial solutions rushed to include Bayesian-based techniques, but
eventually spammers overwhelmed it and you don't hear much about it
any more since it's just not effective as spam evolved.
Recently spammers have taken to sending "image based spam". I'm sure
anyone who follows spammers is familiar with it, but it's pretty
sophisticated and is pretty successful at evading OCR-based systems.
Anyway, the point is that nothing is perfect and, in my experience,
you have to keep evolving the techniques to stop spam as the spammers
evolve their techniques to avoid being blocked.
Obviously in the case of greylisting and spamd, the goal is to avoid
being put on the blacklist in the first place, and one way to do that
would be resending to avoid being assumed a spammer. When I first
started fighting spam, all the spammers had to pay for their
rackspace, DNS hosting, bandwidth, etc and usually they had to pay
above average prices because of all the headaches they caused for
their providers.
Now they've evolved to using botnets and the vast majority of spam
comes from such systems, so the bandwidth costs are gone and the
hosting costs are pretty much limited to how much they have to pay
the criminals for the botnet C&C passwords. It's not a matter of
cost any more, it's a matter only of efficiency. If they make more
money by spending some cycles to resend, they'll do it. Your average
spammer might be pretty dumb, but the people who are writing their
tools are usually pretty clever. I wouldn't underestimate them.
Brian Keefer
www.Tumbleweed.com
"The Experts in Secure Internet Communication"
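As an added illustration of the retry-and-whitelist behaviour the thread is arguing about (this is not code from OpenBSD spamd, from Tumbleweed, or from either poster), here is a minimal greylisting decision function in Python. The (client IP, envelope sender, envelope recipient) tuple key, the delay and expiry constants, the reply strings and the sample delivery attempts are all assumptions constructed for the example. The point it makes concrete is the one Brian raises: the 451 a greylister returns is textually indistinguishable from the temporary failure a full mailbox or a backed-up MTA would produce, so only a client that actually queues and retries gets through.

```python
"""Minimal greylisting decision logic (constructed example, not spamd's code).

A tuple the server has never seen gets a temporary 4xx failure and is recorded.
A retry that arrives before the minimum delay is deferred again. A retry after
the delay is accepted and the client IP is whitelisted for a long period, so
later mail from that host is delivered without further delay.
"""
from dataclasses import dataclass, field

# Assumed tuning values; real deployments pick their own.
GREY_DELAY = 25 * 60            # seconds a tuple must age before a retry is accepted
GREY_EXPIRE = 4 * 3600          # a tuple that is never retried is forgotten after this
WHITE_EXPIRE = 36 * 24 * 3600   # how long a whitelisted client IP stays whitelisted

TEMPFAIL = "451 4.7.1 Temporary failure, please try again later"
ACCEPT = "250 2.1.5 Recipient ok"


@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)   # (ip, mail_from, rcpt_to) -> first-seen time
    white: dict = field(default_factory=dict)  # client ip -> whitelist expiry time

    def decide(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply an MTA would send for this delivery attempt."""
        # Known-good client: deliver normally and refresh its whitelist entry.
        if self.white.get(ip, 0) > now:
            self.white[ip] = now + WHITE_EXPIRE
            return ACCEPT

        key = (ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.grey.get(key)

        if first_seen is None or now - first_seen > GREY_EXPIRE:
            # New (or stale) tuple: record it and ask the client to come back later.
            self.grey[key] = now
            return TEMPFAIL

        if now - first_seen < GREY_DELAY:
            # Retried too soon: keep deferring, but do not reset the timer.
            return TEMPFAIL

        # Retried after the delay: the client keeps a queue, so promote it.
        del self.grey[key]
        self.white[ip] = now + WHITE_EXPIRE
        return ACCEPT


def simulate(attempts, gl=None):
    """Feed (time, ip, mail_from, rcpt_to) attempts in order; return reply codes."""
    gl = gl if gl is not None else Greylist()
    return [gl.decide(ip, f, t, ts)[:3] for ts, ip, f, t in attempts]


# Constructed sample traffic: one host that queues and retries like a normal
# MTA, and one fire-and-forget sender that never comes back.
SAMPLE = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.net"),  # first attempt
    (300,  "192.0.2.10",   "alice@example.org", "bob@example.net"),  # retried too soon
    (1800, "192.0.2.10",   "alice@example.org", "bob@example.net"),  # retried after delay
    (2000, "192.0.2.10",   "carol@example.org", "bob@example.net"),  # same host, now whitelisted
    (0,    "198.51.100.7", "x@example.com",     "bob@example.net"),  # one-shot sender
]

if __name__ == "__main__":
    for (ts, ip, f, t), code in zip(SAMPLE, simulate(SAMPLE)):
        print(f"t={ts:5d}  {ip:13}  {f:>18} -> {code}")
```

Running it shows the first host deferred twice and then accepted for every later message, while the sender that never retries is deferred and simply never delivers. Note that the reply text is the same in both the "never seen" and "too soon" cases; the only thing distinguishing a greylisting host from any other MTA returning a temporary failure is whether a properly timed retry eventually succeeds.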