I never thought about it before, but it is clear that spamd handles the
greylisting the same regardless of whether or not the e-mail address is
valid.  That is, it doesn't check to make sure that the to address is
legitimate before adding the IP address to the spamd-white table.

For example, if your domain is example.com and someone is trying to
send to a bogus address, say 3dgeo...@example.com, then once they get
through the greylisting, their IP address is then added to the spamd-white
table where it will remain for the next month or so, depending on the
configuration.

On the surface, this doesn't seem to be much of a problem since the
spammer could always do the same for a real e-mail address if he had
one at the domain and get whitelisted for the configured period of
time.  Furthermore, if the sender is not a spammer and just has the
address wrong, say goe...@example.com instead of geo...@example.com, he
gets a 5xx response much quicker telling him that the address does not
exist so that he can correct it and resend it.

So it doesn't seem like such a bad thing.

But it also seems like this could be used by a savvy spammer to his
benefit if he wants to have a better chance at getting past spamd on
OpenBSD servers.  Suppose a spammer was getting ready to make a big
spam run.  Then he could increase his probability of getting the IP
address added to the spamd-white table by going through the various
address lists earlier and "sending" a single e-mail to a completely
random address at the same domain.

For example, if his address list contained geo...@example.com,
sa...@example.com, he...@example.com, and j...@example.com, a day or
two earlier, he could fake an e-mail something like
1739512349...@example.com.  Once the IP address is added to
spamd-white, he will connect to the mail server on the next try where
he will get a 5xx no such user error.

The benefit he would gain by using a random made-up address instead of
one on his list is because he won't definitively know which addresses
on the list are spamtrap addresses.  Instead, the random address is
unlikely to have been added with "spamdb -T -a" and so he increases his
chances of not getting trapped.

Not only would this make the spam run itself simpler and faster,
but any addresses defined with spamdb as spamtrap addresses wouldn't
cause the server to be trapped for 24 hours because, since it had
already been greylisted, spamd would never actually see the spamtrap
addresses, if any.

If, on the other hand, the address had to be legitimate before spamd
would send it on, the above scenario would fail.  The spammer would
then only be able to get his IP addresses whitelisted by sending an
e-mail to a legitimate user and avoiding the spamtrap addresses
entirely.

I've seen no signs that the spammers are doing that now, but it might
be worth considering an option to spamd that would check the addresses
and use that as part of the determination of whether or not to add to
the spamd-white list just in case they should start doing that.

Any thoughts on this?

Eric Johnson
