On 26 September 2007, Peter N. M. Hansteen  wrote:

quoted text
> Liviu Daia  writes:

>

> >     Why should it?  The second copy is sent in a separate run,

> > that's the whole point.  The only thing the bot has to figure out

> > is how long to wait until the second run.  A smart one would send

> > a second copy after 10 minutes, and a third one after, say, 35

> > minutes.

>

> *BZZT!* Assuming facts not in evidence: a *smart* spambot /and/

> a spammer who actually *cares* about the delivery of individual

> messages.

    My point is it doesn't have to.  The third copy passes regardless of

what happens with the first two.
[...]

quoted text
> >     Moral: randomize the greylisting time...

>

> Random numbers can be fun, but I'd like to see real world data which

> support your theory.

    Ok, since you ask, here's a recent one.  The message passed all my

filters, so it was received three times.  Please note the identical

message-id.
    First run:
Sep 25 18:06:16 ns1 postfix-localhost/smtpd[27143]: 9FAE1142A7: client=unknown[212.239.40.101]

Sep 25 18:06:17 ns1 postfix/cleanup[3734]: 9FAE1142A7: message-id=<20070925150257.7239.qmail@web05.aziendeitalia.com>

Sep 25 18:06:18 ns1 postfix/qmgr[1554]: 9FAE1142A7: from=, size=2545, nrcpt=2 (queue active)

Sep 25 18:06:18 ns1 postfix/pipe[25075]: 9FAE1142A7: to=, relay=uucpz, delay=1.8, delays=1.7/0/0/0.06, dsn=2.0.0, status=sent (delivered via uucpz service)

Sep 25 18:06:18 ns1 postfix/local[7260]: 9FAE1142A7: to=, relay=local, delay=1.9, delays=1.7/0/0/0.24, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)

Sep 25 18:06:18 ns1 postfix/qmgr[1554]: 9FAE1142A7: removed
    The same message, sent 8 minutes later:
Sep 25 18:14:14 ns1 postfix-localhost/smtpd[8404]: 1649714331: client=unknown[212.239.40.101]

Sep 25 18:14:15 ns1 postfix/cleanup[21622]: 1649714331: message-id=<20070925150257.7239.qmail@web05.aziendeitalia.com>

Sep 25 18:14:15 ns1 postfix/qmgr[1554]: 1649714331: from=, size=2547, nrcpt=2 (queue active)

Sep 25 18:14:15 ns1 postfix/pipe[25075]: 1649714331: to=, relay=uucpz, delay=1.4, delays=1.4/0/0/0.05, dsn=2.0.0, status=sent (delivered via uucpz service)

Sep 25 18:14:15 ns1 postfix/local[7260]: 1649714331: to=, relay=local, delay=1.6, delays=1.4/0/0/0.25, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)

Sep 25 18:14:15 ns1 postfix/qmgr[1554]: 1649714331: removed
    Same, 28 minutes later:
Sep 25 18:42:52 ns1 postfix-localhost/smtpd[13055]: 72BCD142A7: client=unknown[212.239.40.101]

Sep 25 18:42:53 ns1 postfix/cleanup[21622]: 72BCD142A7: message-id=<20070925150257.7239.qmail@web05.aziendeitalia.com>

Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: from=, size=3724, nrcpt=2 (queue active)

Sep 25 18:42:53 ns1 postfix/pipe[25075]: 72BCD142A7: to=, relay=uucpz, delay=0.81, delays=0.75/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via uucpz service)

Sep 25 18:42:53 ns1 postfix/local[7260]: 72BCD142A7: to=, relay=local, delay=1, delays=0.75/0.01/0/0.24, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)

Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: removed
    Should I have used spamd, the first two copies would have been

discarded, but the third would have passed.
    That said, randomizing the greylisting time probably is probably

a lot of trouble, for little added value (it still doesn't solve the

problem).
> I'm beginning to think that this is another one of those 'I refuse to

quoted text
> believe greylisting works because I refuse to understand it' episodes.

    Oh, I'm not saying it doesn't work.  What I'm saying is, greylisting

is trivial to bypass, and some spammers have figured that out.

Amazingly, most of them still haven't, which is why it still works in a

significant number of cases.
    Regards,
    Liviu Daia
--

Dr. Liviu Daia                                  http://www.imar.ro/~daia