Re: [anti-spam-wg] greylisting (was: RIPE 51 anti-spam WG minutes)

  • To: RIPE anti-spam WG
  • From: Bruce Campbell
  • Date: Tue, 13 Dec 2005 10:15:49 +0100 (CET)

On Mon, 12 Dec 2005, Markus Stumpf wrote:

> On Wed, Dec 07, 2005 at 04:16:44PM +0000, Rodney Tillotson wrote:
> > Peter Koch: Greylisting is pushing the problem towards the
> > infrastructure. If I have a high-volume mail server, lots of mail
> > does not get delivered on time and puts burden on the sender side.
>
> IMHO infrastructure is the wrong word here. Sender is the better term.
> And isn't antispam all about making every mail harder and more cost intensive
> for the sender (and thus even more for the spammer)?

When talking about Greylisting, most people critical of the temporary-reject-please-retry behaviour tend to ignore or forget that this behaviour is only on the first delivery attempt of the mail. On later attempts, the receiving machine already has the matching tuple within its database, and allows the mail through. (sendingdomain+sendingIP+receivingaddress)

Mail from lists, or if you'd like, regularly occurring events on the mail infrastructure are only a burden for the initial attempt. Attempts beyond that are, by and large, allowed straight through.

The only remaining burden on the mail infrastructure are the 'once-off' mails between two entities that have not previously communicated. Now, it's entirely possible that my experience with email is not normal, but most people have a regular set of entities that they send/receive email to/from. The 'real' 'once-off' mails tend to be on the low side, vs the great number of try-once 'once-off' mails from other sources, eg:

> For viruses and worms greylisting works exceptionally great. The
> virusscanners for all customers with greylisting very rarely see any
> of the current huge W32/Sober-Z wave or any other viruses.
>
> But I do see a problem if greylisting gets wide adoption. Spamware will
> not keep track of 2xx, 4xx or 5xx codes as it does now. Spamware will
> "respam" each and every message again after - hmmm - 1 hour. This will
> break the greylisters and will become really annoying to non-greylist
> mailservers.

Yes, like most anti-spam technologies, the widespread adoption of Greylisting will result in the spammers changing their tactics to make Greylisting a technology with little effect. Until then, my inbox gets much less spam (wish I'd thought of putting it on the NCC mail servers, as it would have seriously cut down on the amount of crud received there).

However, one of the aims of Greylisting is that it delays the initial acceptance of the email for long enough that other techniques, such as RBLs or distributed checksums, have enough time to get a positive match on this particular spam source. In the end, all that matters to the end user is that the spam did not get to their inbox.

--
Bruce Campbell
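
Added example (not part of the original message, and not any particular greylisting implementation): a small model of the receiving side's decision on the (sendingdomain+sendingIP+receivingaddress) tuple described in this thread, run over constructed traffic. The 300-second minimum delay, the 451/554 reply codes, the blocklist table with its listing time, and every name and address are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Greylist:
    min_delay: int = 300                                # assumed minimum retry delay, seconds
    rbl_listed_at: dict = field(default_factory=dict)   # hypothetical blocklist: IP -> listing time
    first_seen: dict = field(default_factory=dict)      # tuple -> time of first attempt
    passed: set = field(default_factory=set)            # tuples that have retried successfully

    def check(self, domain, ip, rcpt, now):
        """Return the SMTP reply code for one delivery attempt at time `now` (seconds)."""
        listed = self.rbl_listed_at.get(ip)
        if listed is not None and now >= listed:
            return 554                                  # source is on the blocklist by now
        key = (domain.lower(), ip, rcpt.lower())
        if key in self.passed:
            return 250                                  # known tuple: straight through
        first = self.first_seen.setdefault(key, now)
        if now - first < self.min_delay:
            return 451                                  # first attempt, or a too-early retry
        self.passed.add(key)
        return 250

def deliver(gl, triplet, sent_at, retry_after=None):
    """Time at which the message is accepted, or None if it never is."""
    if gl.check(*triplet, now=sent_at) == 250:
        return sent_at
    if retry_after is None:                             # try-once sender never comes back
        return None
    retry_at = sent_at + retry_after
    return retry_at if gl.check(*triplet, now=retry_at) == 250 else None

def run_scenarios():
    # Constructed sample traffic; all names and addresses are documentation values.
    gl = Greylist(rbl_listed_at={"198.51.100.8": 1800})
    rcpt = "user@example.net"
    mlist = ("lists.example.org", "192.0.2.10", rcpt)
    return {
        "list_first": deliver(gl, mlist, 0, retry_after=900),
        "list_later": deliver(gl, mlist, 86400, retry_after=900),
        "try_once": deliver(gl, ("bulk.example.com", "198.51.100.7", rcpt), 10),
        "retry_unlisted": deliver(gl, ("bulk.example.com", "198.51.100.9", rcpt), 20, retry_after=3600),
        "retry_listed": deliver(gl, ("bulk.example.com", "198.51.100.8", rcpt), 30, retry_after=3600),
    }

if __name__ == "__main__":
    for name, accepted_at in run_scenarios().items():
        print(f"{name:15} accepted_at={accepted_at}")
```

Only the first list message is delayed; the source that retries after an hour gets through unless the blocklist has caught up with it in the meantime.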