Re: spamd unnecessarily abrasive?
From: <ericfurman@...>
To: Open BSD <misc@...>, Brian Keefer <chort@...>
Subject: Re: spamd unnecessarily abrasive?
Date: Tuesday, February 20, 2007 - 5:51 pm

On Tue, 20 Feb 2007 12:57:54 -0800, "Brian Keefer" said:
> On Feb 20, 2007, at 12:36 PM, Darren Spruell wrote:
>
> > On 2/20/07, Brian Keefer wrote:
> >> In the case of a greylisting type of solution, it seems that
> >> identification would be especially devastating since the work-around
> >> is so trivial. Unless my understanding is very wrong, the whole
> >> effectiveness of the solution depends on the spammers not realizing
> >> the difference between a "normal" MTA and one that greylists.
> >
> > The reason that greylisting has been effective is because spammers
> > apparently don't waste resources on maintaining queues and attempting
> > redelivery later. Why worry about redelivery to 500 temporarily failed
> > recipients when in the same time and processor cycles you can deliver
> > to 500,000 more mailboxes?
>
> Historically true, but the tighter anti-spam defenses become, the
> more it's worth it to put a little extra effort into reaching
> "defended" mailboxes. Also, if the spammers can figure out the
> difference between an error because a mailbox is full, user doesn't
> exist, etc and the fact that they're talking to a greylisting daemon,
> it's worth it to make the effort if they can bypass a spam filter,
> whereas it's really not worth retrying if a user's mailbox is full
> or they don't exist. Whether it's worth retrying depends on why the
> original delivery attempt failed. Right now it's probably still not
> worth doing, since there are so few greylisting systems deployed.
> Eventually it might be worth it.
>
> >
> > It (in practice, apparently) matters not to the spammer if they've got
> > an antispam measure returning a 45x error or a legitimate MTA. If you
> > were a spammer, and thought that working around 450s from spamd was
> > worth wasting resources on to reattempt delivery, why wouldn't you
> > just reattempt delivery on any temporary error under the hopes that it
> > will succeed?
>
> See above.
>
> > By definition a temporary error will go away at some
> > point if you reattempt delivery.
>
> Depends what the error was.
>
> >
> > For every point that someone has brought up against greylisting (from
> > since it was originally proposed by Harris in 2003), it continues to
> > work effectively. So while people adopt this
> > sky-is-falling-spammers-will-figure-it-out-soon mentality, the numbers
> > don't lie. Greylisting has been, still is, and will continue to be for
> > some time at least an effective measure.
>
> This is the part where I believe I'm being misunderstood. I'm not
> saying that greylisting is necessarily bad, and I'm not saying that
> it's ineffective. What I am saying is that I think it could be even
> more effective if it was more difficult for spammers to recognize a
> difference between unprotected and protected systems.
>
> How spammers are behaving right now doesn't necessarily predict how
> they're always going to behave. A particular technique for fighting
> spam has to be pretty wide-spread before spammers will spend the time
> to figure out the flaws. I've worked in e-mail for about 8 years,
> starting with a hosting company that had millions of e-mail boxes and
> hundreds of thousands of domains, then two different e-mail security
> companies. The one thing I've noticed is that no one method of
> fighting spam is a panacea.
>
> Originally when "Bayesian filtering" was proposed, it was supposed to
> be the Final Ultimate Solution for Spam and everyone was gushing on
> all the usenet groups and mailing lists about how great it was and
> how they never got a single piece of spam any more. A lot of
> commercial solutions rushed to include Bayesian-based techniques, but
> eventually spammers overwhelmed it and you don't hear much about it
> any more since it's just not effective as spam evolved.
>
> Recently spammers have taken to sending "image based spam". I'm sure
> anyone who follows spammers is familiar with it, but it's pretty
> sophisticated and is pretty successful at evading OCR-based systems.
>
> Anyway, the point is that nothing is perfect and, in my experience,
> you have to keep evolving the techniques to stop spam as the spammers
> evolve their techniques to avoid being blocked.
>
> Obviously in the case of greylisting and spamd, the goal is to avoid
> being put on the blacklist in the first place, and one way to do that
> would be resending to avoid being assumed a spammer. When I first
> started fighting spam, all the spammers had to pay for their
> rackspace, DNS hosting, bandwidth, etc and usually they had to pay
> above average prices because of all the headaches they caused for
> their providers.
>
> Now they've evolved to using botnets and the vast majority of spam
> comes from such systems, so the bandwidth costs are gone and the
> hosting costs are pretty much limited to how much they have to pay
> the criminals for the botnet C&C passwords. It's not a matter of
> cost any more, it's a matter only of efficiency. If they make more
> money by spending some cycles to resend, they'll do it. Your average
> spammer might be pretty dumb, but the people who are writing their
> tools are usually pretty clever. I wouldn't underestimate them.
OK, now please propose a solution.
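
The greylisting behaviour the thread argues about (temporary failure on first contact, acceptance only for a sender that queues and retries later), as an added example that is not part of the original message and is not spamd's code. The class, the timing constants and the sample traffic are assumptions constructed for illustration.

```python
# Added illustration: generic greylisting decision logic, not spamd's source.
from dataclasses import dataclass, field

PASS_TIME = 25 * 60        # assumed: minimum wait before a retry is accepted (s)
GREY_EXPIRY = 4 * 3600     # assumed: a grey entry is forgotten after this (s)
WHITE_EXPIRY = 36 * 86400  # assumed: an idle whitelisted host is forgotten (s)


@dataclass
class Greylister:
    grey: dict = field(default_factory=dict)   # (ip, from, to) -> first seen
    white: dict = field(default_factory=dict)  # ip -> last accepted delivery

    def check(self, now, ip, mail_from, rcpt_to):
        """Return the SMTP reply code this attempt would get at time `now`."""
        last_ok = self.white.get(ip)
        if last_ok is not None and now - last_ok <= WHITE_EXPIRY:
            self.white[ip] = now              # known-good host: accept at once
            return 250
        self.white.pop(ip, None)              # drop a stale whitelist entry
        key = (ip, mail_from, rcpt_to)
        first_seen = self.grey.get(key)
        if first_seen is None or now - first_seen > GREY_EXPIRY:
            self.grey[key] = now              # new or expired tuple: start clock
            return 451
        if now - first_seen < PASS_TIME:
            return 451                        # retried too quickly: still deferred
        del self.grey[key]                    # patient retry: promote the host
        self.white[ip] = now
        return 250


def replay(events):
    """Run constructed (time, ip, from, to) events through a fresh Greylister."""
    g = Greylister()
    return [g.check(*e) for e in events]


# Constructed sample traffic (documentation addresses, times in seconds).
QUEUEING_MTA = [(0, "192.0.2.10", "a@example.org", "u@example.net"),
                (1800, "192.0.2.10", "a@example.org", "u@example.net"),
                (90000, "192.0.2.10", "b@example.org", "v@example.net")]
FIRE_AND_FORGET = [(0, "198.51.100.7", "x@example.com", "u@example.net"),
                   (5, "198.51.100.7", "y@example.com", "u@example.net"),
                   (60, "198.51.100.7", "x@example.com", "u@example.net")]

if __name__ == "__main__":
    print(replay(QUEUEING_MTA))
    print(replay(FIRE_AND_FORGET))
```

The queueing sender is deferred once and then accepted for later mail as well, while the sender that never waits out the pass time only ever sees the temporary failure.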