On 26 September 2007, Peter N. M. Hansteen <[EMAIL PROTECTED]> wrote:
> Liviu Daia <[EMAIL PROTECTED]> writes:
>
> > Why should it? The second copy is sent in a separate run,
> > that's the whole point. The only thing the bot has to figure out
> > is how long to wait until the second run. A smart one would send
> > a second copy after 10 minutes, and a third one after, say, 35
> > minutes.
>
> *BZZT!* Assuming facts not in evidence: a *smart* spambot /and/
> a spammer who actually *cares* about the delivery of individual
> messages.

My point is it doesn't have to. The third copy passes regardless of
what happens with the first two.

[...]

> > Moral: randomize the greylisting time...
>
> Random numbers can be fun, but I'd like to see real world data which
> support your theory.

Ok, since you ask, here's a recent one. The message passed all my
filters, so it was received three times. Please note the identical
message-id.

First run:

Sep 25 18:06:16 ns1 postfix-localhost/smtpd[27143]: 9FAE1142A7: client=unknown[212.239.40.101]
Sep 25 18:06:17 ns1 postfix/cleanup[3734]: 9FAE1142A7: message-id=<[EMAIL PROTECTED]>
Sep 25 18:06:18 ns1 postfix/qmgr[1554]: 9FAE1142A7: from=<[EMAIL PROTECTED]>, size=2545, nrcpt=2 (queue active)
Sep 25 18:06:18 ns1 postfix/pipe[25075]: 9FAE1142A7: to=<[EMAIL PROTECTED]>, relay=uucpz, delay=1.8, delays=1.7/0/0/0.06, dsn=2.0.0, status=sent (delivered via uucpz service)
Sep 25 18:06:18 ns1 postfix/local[7260]: 9FAE1142A7: to=<[EMAIL PROTECTED]>, relay=local, delay=1.9, delays=1.7/0/0/0.24, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)
Sep 25 18:06:18 ns1 postfix/qmgr[1554]: 9FAE1142A7: removed

The same message, sent 8 minutes later:

Sep 25 18:14:14 ns1 postfix-localhost/smtpd[8404]: 1649714331: client=unknown[212.239.40.101]
Sep 25 18:14:15 ns1 postfix/cleanup[21622]: 1649714331: message-id=<[EMAIL PROTECTED]>
Sep 25 18:14:15 ns1 postfix/qmgr[1554]: 1649714331: from=<[EMAIL PROTECTED]>, size=2547, nrcpt=2 (queue active)
Sep 25 18:14:15 ns1 postfix/pipe[25075]: 1649714331: to=<[EMAIL PROTECTED]>, relay=uucpz, delay=1.4, delays=1.4/0/0/0.05, dsn=2.0.0, status=sent (delivered via uucpz service)
Sep 25 18:14:15 ns1 postfix/local[7260]: 1649714331: to=<[EMAIL PROTECTED]>, relay=local, delay=1.6, delays=1.4/0/0/0.25, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)
Sep 25 18:14:15 ns1 postfix/qmgr[1554]: 1649714331: removed

Same, 28 minutes later:

Sep 25 18:42:52 ns1 postfix-localhost/smtpd[13055]: 72BCD142A7: client=unknown[212.239.40.101]
Sep 25 18:42:53 ns1 postfix/cleanup[21622]: 72BCD142A7: message-id=<[EMAIL PROTECTED]>
Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: from=<[EMAIL PROTECTED]>, size=3724, nrcpt=2 (queue active)
Sep 25 18:42:53 ns1 postfix/pipe[25075]: 72BCD142A7: to=<[EMAIL PROTECTED]>, relay=uucpz, delay=0.81, delays=0.75/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via uucpz service)
Sep 25 18:42:53 ns1 postfix/local[7260]: 72BCD142A7: to=<[EMAIL PROTECTED]>, relay=local, delay=1, delays=0.75/0.01/0/0.24, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)
Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: removed

Had I used spamd, the first two copies would have been
discarded, but the third would have passed.

That said, randomizing the greylisting time is probably
a lot of trouble, for little added value (it still doesn't solve the
problem).

> I'm beginning to think that this is another one of those 'I refuse to
> believe greylisting works because I refuse to understand it' episodes.

Oh, I'm not saying it doesn't work. What I'm saying is, greylisting
is trivial to bypass, and some spammers have figured that out.
Amazingly, most of them still haven't, which is why it still works in a
significant number of cases.

Regards,

Liviu Daia

--
Dr. Liviu Daia http://www.imar.ro/~daia
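
Added example, not part of the original message: a log check for the pattern shown in this thread, one client delivering the same message-id several times, that also reports which copy would first clear a fixed greylisting delay. The sample log lines, addresses and message-ids are constructed, and the 25-minute delay is spamd's default passtime.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Postfix syslog format (hosts, IPs and IDs are made up).
SAMPLE_LOG = """\
Sep 25 18:06:16 mx postfix/smtpd[100]: A1B2C3D4E5: client=unknown[192.0.2.10]
Sep 25 18:06:17 mx postfix/cleanup[101]: A1B2C3D4E5: message-id=<dup1@example.invalid>
Sep 25 18:09:40 mx postfix/smtpd[100]: 0F0F0F0F0F: client=mail.example.org[198.51.100.7]
Sep 25 18:09:41 mx postfix/cleanup[101]: 0F0F0F0F0F: message-id=<single@example.org>
Sep 25 18:14:14 mx postfix/smtpd[102]: B2C3D4E5F6: client=unknown[192.0.2.10]
Sep 25 18:14:15 mx postfix/cleanup[101]: B2C3D4E5F6: message-id=<dup1@example.invalid>
Sep 25 18:42:52 mx postfix/smtpd[103]: C3D4E5F6A7: client=unknown[192.0.2.10]
Sep 25 18:42:53 mx postfix/cleanup[101]: C3D4E5F6A7: message-id=<dup1@example.invalid>
"""

# timestamp, host, postfix[-instance]/daemon[pid], queue id, remainder of the line
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ postfix\S*/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")

def attempts_by_message(log_text, year=2007):
    """Map (client_ip, message_id) -> sorted arrival times, joined on the queue id."""
    client, seen = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, daemon, qid, rest = m.groups()
        # syslog omits the year, so one is assumed (only time differences matter here)
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        if daemon == "smtpd" and (c := re.match(r"client=\S*\[([^\]]+)\]", rest)):
            client[qid] = (c.group(1), when)
        elif daemon == "cleanup" and qid in client and (i := re.match(r"message-id=(<[^>]*>)", rest)):
            ip, arrived = client[qid]
            seen[(ip, i.group(1))].append(arrived)
    return {k: sorted(v) for k, v in seen.items()}

def first_pass(times, passtime):
    """1-based index of the first copy arriving >= passtime after the first, else None."""
    return next((n for n, t in enumerate(times, 1) if t - times[0] >= passtime), None)

def repeated_senders(log_text, passtime=timedelta(minutes=25)):
    """List (ip, message_id, retry offsets in whole minutes, first passing copy)."""
    report = []
    for (ip, mid), times in attempts_by_message(log_text).items():
        if len(times) > 1:
            offsets = [int((t - times[0]).total_seconds() // 60) for t in times[1:]]
            report.append((ip, mid, offsets, first_pass(times, passtime)))
    return report
```

On the constructed sample, the repeated message retries at 7 and 36 minutes, so with a 25-minute delay the third copy is the first one accepted.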