On 11/29/2012 17:37, John Levine wrote:
>> Does greylisting increase chances of bulk detectors (razor/pyzor/dcc) in
>> case of "yahoo like" spam sources?
>
> No. A remarkable fraction of ratware still doesn't bother to retry,
> so the most simple minded greylister will deter them. That's why it's
> useful. I've never seen any support for the theory that greylisting
> delays make it more likely that the host will be blacklisted when it
> retries.

If I run my accepted-and-quarantined spam corpus through a filter to
test against DNSBL effectiveness, I always see higher effectiveness
ratings than what was shown during the SMTP phase. I haven't done so in
recent enough memory to have any actual numbers, but when I last did a
comparison, slow-moving DNSBLs showed little/no change at all, while
fast-acting trap-driven ones showed more of a difference.

Now I've not studied the exact amount of time it takes for hosts to
start getting listed, but since I only greylist questionable stuff
already and since I whitelist aggressively, I've been able to set my
greylisting in the 30-60 minute range without too many seizures from
users and with higher rejection counts -- Since greylisting doesn't
cause higher reject counts, I assume (yes, just assume) that it's due to
higher hit rates.

I admit that it would make sense to do further testing, but for
fast-acting DNSBLs, and body-hash based systems, it makes sense that the
longer one defers a message, the greater the odds of a hit against a new
zombie or a new spam-run.
--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
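
Added example, not part of the original message: a sketch of the corpus replay described above, comparing each DNSBL's hit rate at first delivery attempt with its hit rate after a candidate greylist delay. The list names, IPs (documentation ranges) and listing times are constructed sample data, not measurements from this thread.

```python
from datetime import datetime, timedelta

# Constructed sample data; T0 is an arbitrary reference time.
T0 = datetime(2012, 11, 29, 12, 0)

def at(minutes):
    return T0 + timedelta(minutes=minutes)

# (source IP, time of first delivery attempt) for quarantined spam
MESSAGES = [
    ("192.0.2.10", at(0)),
    ("192.0.2.11", at(5)),
    ("198.51.100.7", at(10)),
    ("198.51.100.8", at(20)),
    ("203.0.113.5", at(30)),
]

# Hypothetical DNSBL name -> {IP: time the IP was first listed}
LISTINGS = {
    "slow-list": {"192.0.2.10": at(-1440)},
    "fast-trap-list": {
        "192.0.2.10": at(-60),
        "192.0.2.11": at(25),
        "198.51.100.7": at(40),
        "198.51.100.8": at(200),
    },
}

def hit_rate(messages, listed_at, delay_minutes):
    """Fraction of messages whose source IP is listed when checked
    delay_minutes after the first delivery attempt."""
    delay = timedelta(minutes=delay_minutes)
    hits = sum(
        1 for ip, first_seen in messages
        if ip in listed_at and listed_at[ip] <= first_seen + delay
    )
    return hits / len(messages)

def compare(messages, listings, delays=(0, 30, 60)):
    """Per-DNSBL hit rate at each candidate greylist delay (minutes)."""
    return {
        name: {d: hit_rate(messages, listed, d) for d in delays}
        for name, listed in listings.items()
    }

if __name__ == "__main__":
    for name, rates in compare(MESSAGES, LISTINGS).items():
        print(name, {d: f"{r:.0%}" for d, r in rates.items()})
```

To run this against real data, replace `MESSAGES` with arrival records from the quarantine and `LISTINGS` with listing timestamps obtained from the DNSBL operator or from periodic lookups logged locally.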