On Tue, 20 Feb 2007, Theo de Raadt wrote:

> > In the case of a greylisting type of solution, it seems that
> > identification would be especially devastating since the work-around
> > is so trivial. Unless my understanding is very wrong, the whole
> > effectiveness of the solution depends on the spammers not realizing
> > the difference between a "normal" MTA and one that greylists.
>
> If a spammer knows I am running spamd because he can detect it, and
> then disconnects, no spam makes it through -- no spam is delivered.
> There is no workaround for the spammer, except to act as a regular
> "follow the RFC, and retry", which most of the spammers don't do (and
> which we want them to do, since then they are easier to fight).

Well, yes and no. I don't understand how causing spammers to modify their 'bots to move greylisted victims to a "failed-451" list and rerunning it after 30 minutes would be more easily fought. I do not see that causing the spammer of tomorrow to become RFC compliant in the area of retry intervals. My impression of 'botnets and the hosts comprising them is that software of the complexity of sendmail could be hidden from their clueless users and apparently indifferent "virus protection scanners". But complex software is not needed to work around greylisting.

> In fact, there are spammers who ARE noticing that greylisting servers
> look (or behave) different, and they are disconnecting and not sending
> spam through them. Thus, no spam is delivered.
>
> But you don't get it, do you? Stopping spam from being delivered is
> the reason for doing all this in the first place! You have it
> entirely backwards.
>
> I think you had better book yourself into a course on logical
> thinking.

We are saying that spamd provides the spammer with a hook to improve his spamming. I do not see how mimicking sendmail responses for a 451 would aid spammers, but it might not make a difference. I assume a competent spam lord has some level of 451's above which he will implement and deploy improved spamware on his 'botnet, i.e. it is the 451 error itself that will trigger the improvement, not the 250 taunts. In that respect, I stand corrected. I do not see how RFC compliant spam is better than noncompliant spam.

As for logic, we have a situation in which greylisting works only until it is effective above some threshold. If all mail receivers implemented greylisting Wednesday, the spam lords would have the work-around deployed on Thursday, or so I fear. If spamming were still the province of the cottage industry spammer with warez of the "Bull's Eye Gold" vintage, I would have no fear.

Dave

