On Tue, 20 Feb 2007 12:57:54 -0800, "Brian Keefer" <[EMAIL PROTECTED]> said:
> On Feb 20, 2007, at 12:36 PM, Darren Spruell wrote:
>
> > On 2/20/07, Brian Keefer <[EMAIL PROTECTED]> wrote:
> >> In the case of a greylisting type of solution, it seems that
> >> identification would be especially devastating since the work-around
> >> is so trivial. Unless my understanding is very wrong, the whole
> >> effectiveness of the solution depends on the spammers not realizing
> >> the difference between a "normal" MTA and one that greylists.
> >
> > The reason that greylisting has been effective is because spammers
> > apparently don't waste resources on maintaining queues and attempting
> > redelivery later. Why worry about redelivery to 500 temporarily failed
> > recipients when in the same time and processor cycles you can deliver
> > to 500,000 more mailboxes?
>
> Historically true, but the tighter anti-spam defenses become, the
> more it's worth it to put a little extra effort into reaching
> "defended" mailboxes. Also, if the spammers can figure out the
> difference between an error because a mailbox is full, user doesn't
> exist, etc. and the fact that they're talking to a greylisting daemon,
> it's worth it to make the effort if they can bypass a spam filter,
> whereas it's really not worth retrying if a user's mailbox is full
> or they don't exist. Whether it's worth retrying depends on why the
> original delivery attempt failed. Right now it's probably still not
> worth doing, since there are so few greylisting systems deployed.
> Eventually it might be worth it.
>
> >
> > It (in practice, apparently) matters not to the spammer if they've got
> > an antispam measure returning a 45x error or a legitimate MTA. If you
> > were a spammer, and thought that working around 450s from spamd was
> > worth wasting resources on to reattempt delivery, why wouldn't you
> > just reattempt delivery on any temporary error under the hopes that it
> > will succeed?
>
> See above.
>
> > By definition a temporary error will go away at some
> > point if you reattempt delivery.
>
> Depends what the error was.
>
> >
> > For every point that someone has brought up against greylisting (from
> > since it was originally proposed by Harris in 2003), it continues to
> > work effectively. So while people adopt this
> > sky-is-falling-spammers-will-figure-it-out-soon mentality, the numbers
> > don't lie. Greylisting has been, still is, and will continue to be for
> > some time at least an effective measure.
>
> This is the part where I believe I'm being misunderstood. I'm not
> saying that greylisting is necessarily bad, and I'm not saying that
> it's ineffective. What I am saying is that I think it could be even
> more effective if it was more difficult for spammers to recognize a
> difference between unprotected and protected systems.
>
> How spammers are behaving right now doesn't necessarily predict how
> they're always going to behave. A particular technique for fighting
> spam has to be pretty wide-spread before spammers will spend the time
> to figure out the flaws. I've worked in e-mail for about 8 years,
> starting with a hosting company that had millions of e-mail boxes and
> hundreds of thousands of domains, then two different e-mail security
> companies. The one thing I've noticed is that no one method of
> fighting spam is a panacea.
>
> Originally when "Bayesian filtering" was proposed, it was supposed to
> be the Final Ultimate Solution for Spam and everyone was gushing on
> all the usenet groups and mailing lists about how great it was and
> how they never got a single piece of spam any more. A lot of
> commercial solutions rushed to include Bayesian-based techniques, but
> eventually spammers overwhelmed it and you don't hear much about it
> any more since it's just not effective as spam evolved.
>
> Recently spammers have taken to sending "image based spam". I'm sure
> anyone who follows spammers is familiar with it, but it's pretty
> sophisticated and is pretty successful at evading OCR-based systems.
>
> Anyway, the point is that nothing is perfect and, in my experience,
> you have to keep evolving the techniques to stop spam as the spammers
> evolve their techniques to avoid being blocked.
>
> Obviously in the case of greylisting and spamd, the goal is to avoid
> being put on the blacklist in the first place, and one way to do that
> would be resending to avoid being assumed a spammer. When I first
> started fighting spam, all the spammers had to pay for their
> rackspace, DNS hosting, bandwidth, etc. and usually they had to pay
> above average prices because of all the headaches they caused for
> their providers.
>
> Now they've evolved to using botnets and the vast majority of spam
> comes from such systems, so the bandwidth costs are gone and the
> hosting costs are pretty much limited to how much they have to pay
> the criminals for the botnet C&C passwords. It's not a matter of
> cost any more, it's a matter only of efficiency. If they make more
> money by spending some cycles to resend, they'll do it. Your average
> spammer might be pretty dumb, but the people who are writing their
> tools are usually pretty clever. I wouldn't underestimate them.

OK, now please propose a solution.
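
The greylisting decision this thread is arguing about, as an added example that is not part of the original messages and is not spamd's code: a generic model keyed on the (IP, sender, recipient) triplet, showing why a sender that keeps no queue is never accepted. The class and function names, the timing constants, the reply strings and the sample triplet are all assumptions made for illustration.

```python
"""Generic greylisting model (added illustration, not spamd's implementation)."""
from dataclasses import dataclass, field

# Assumed timing values, in seconds (constructed for this example).
PASSTIME = 25 * 60          # a retry sooner than this is still deferred
GREY_EXPIRY = 4 * 3600      # an unretried triplet is forgotten after this
WHITE_EXPIRY = 36 * 86400   # lifetime of a triplet that passed

TEMPFAIL = "451 Temporary failure, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)    # triplet -> first-seen time
    white: dict = field(default_factory=dict)   # triplet -> expiry time

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        key = (ip, sender.lower(), rcpt.lower())
        if self.white.get(key, 0) > now:
            self.white[key] = now + WHITE_EXPIRY    # refresh on use
            return ACCEPT
        self.white.pop(key, None)                   # drop expired entry
        first = self.grey.get(key)
        if first is None or now - first > GREY_EXPIRY:
            self.grey[key] = now                    # new or stale: start over
            return TEMPFAIL
        if now - first < PASSTIME:
            return TEMPFAIL                         # retried too soon
        del self.grey[key]                          # queued and waited: pass
        self.white[key] = now + WHITE_EXPIRY
        return ACCEPT


def simulate(attempt_times,
             triplet=("192.0.2.10", "a@example.org", "b@example.net")):
    """Reply codes for one (constructed) triplet attempted at the given times."""
    gl = Greylist()
    return [gl.check(*triplet, now=t)[:3] for t in attempt_times]
```

The 451 reply carries no greylisting-specific wording, which is the property Brian's point about protected and unprotected systems being distinguishable turns on.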

