Re: SMTP flood + spamdb

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Liviu Daia

Date: Wednesday, September 26, 2007 - 10:05 am

On 26 September 2007, Peter N. M. Hansteen <peter@bsdly.net> wrote:
quoted text> Liviu Daia <Liviu.Daia@imar.ro> writes:
>
> >     Why should it?  The second copy is sent in a separate run,
> > that's the whole point.  The only thing the bot has to figure out
> > is how long to wait until the second run.  A smart one would send
> > a second copy after 10 minutes, and a third one after, say, 35
> > minutes.
>
> *BZZT!* Assuming facts not in evidence: a *smart* spambot /and/
> a spammer who actually *cares* about the delivery of individual
> messages.

    My point is it doesn't have to.  The third copy passes regardless of
what happens with the first two.

[...]
quoted text> >     Moral: randomize the greylisting time...
>
> Random numbers can be fun, but I'd like to see real world data which
> support your theory.

    Ok, since you ask, here's a recent one.  The message passed all my
filters, so it was received three times.  Please note the identical
message-id.

    First run:

Sep 25 18:06:16 ns1 postfix-localhost/smtpd[27143]: 9FAE1142A7: client=unknown[212.239.40.101]
Sep 25 18:06:17 ns1 postfix/cleanup[3734]: 9FAE1142A7: message-id=<20070925150257.7239.qmail@web05.aziendeitalia.com>
Sep 25 18:06:18 ns1 postfix/qmgr[1554]: 9FAE1142A7: from=<root@web05.aziendeitalia.com>, size=2545, nrcpt=2 (queue active)
Sep 25 18:06:18 ns1 postfix/pipe[25075]: 9FAE1142A7: to=<daia@euler.imar.ro>, relay=uucpz, delay=1.8, delays=1.7/0/0/0.06, dsn=2.0.0, status=sent (delivered via uucpz service)
Sep 25 18:06:18 ns1 postfix/local[7260]: 9FAE1142A7: to=<gather_stats@localhost.imar.ro>, relay=local, delay=1.9, delays=1.7/0/0/0.24, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)
Sep 25 18:06:18 ns1 postfix/qmgr[1554]: 9FAE1142A7: removed

    The same message, sent 8 minutes later:

Sep 25 18:14:14 ns1 postfix-localhost/smtpd[8404]: 1649714331: client=unknown[212.239.40.101]
Sep 25 18:14:15 ns1 postfix/cleanup[21622]: 1649714331: message-id=<20070925150257.7239.qmail@web05.aziendeitalia.com>
Sep 25 18:14:15 ns1 postfix/qmgr[1554]: 1649714331: from=<root@web05.aziendeitalia.com>, size=2547, nrcpt=2 (queue active)
Sep 25 18:14:15 ns1 postfix/pipe[25075]: 1649714331: to=<daia@euler.imar.ro>, relay=uucpz, delay=1.4, delays=1.4/0/0/0.05, dsn=2.0.0, status=sent (delivered via uucpz service)
Sep 25 18:14:15 ns1 postfix/local[7260]: 1649714331: to=<gather_stats@localhost.imar.ro>, relay=local, delay=1.6, delays=1.4/0/0/0.25, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)
Sep 25 18:14:15 ns1 postfix/qmgr[1554]: 1649714331: removed

    Same, 28 minutes later:

Sep 25 18:42:52 ns1 postfix-localhost/smtpd[13055]: 72BCD142A7: client=unknown[212.239.40.101]
Sep 25 18:42:53 ns1 postfix/cleanup[21622]: 72BCD142A7: message-id=<20070925150257.7239.qmail@web05.aziendeitalia.com>
Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: from=<root@web05.aziendeitalia.com>, size=3724, nrcpt=2 (queue active)
Sep 25 18:42:53 ns1 postfix/pipe[25075]: 72BCD142A7: to=<daia@euler.imar.ro>, relay=uucpz, delay=0.81, delays=0.75/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via uucpz service)
Sep 25 18:42:53 ns1 postfix/local[7260]: 72BCD142A7: to=<gather_stats@localhost.imar.ro>, relay=local, delay=1, delays=0.75/0.01/0/0.24, dsn=2.0.0, status=sent (delivered to command: /usr/local/sbin/gather_stats.pl /usr/local/share/Mail_stats)
Sep 25 18:42:53 ns1 postfix/qmgr[1554]: 72BCD142A7: removed

    Should I have used spamd, the first two copies would have been
discarded, but the third would have passed.

    That said, randomizing the greylisting time probably is probably
a lot of trouble, for little added value (it still doesn't solve the
problem).

quoted text> I'm beginning to think that this is another one of those 'I refuse to
> believe greylisting works because I refuse to understand it' episodes.

    Oh, I'm not saying it doesn't work.  What I'm saying is, greylisting
is trivial to bypass, and some spammers have figured that out.
Amazingly, most of them still haven't, which is why it still works in a
significant number of cases.

    Regards,

    Liviu Daia

-- 
Dr. Liviu Daia                                  http://www.imar.ro/~daia

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

SMTP flood + spamdb, patrick keshishian, (Sun Sep 23, 3:33 pm)

Re: SMTP flood + spamdb, Darrin Chandler, (Sun Sep 23, 5:39 pm)

Re: SMTP flood + spamdb, patrick keshishian, (Sun Sep 23, 8:53 pm)

Re: SMTP flood + spamdb, Daniel Ouellet, (Sun Sep 23, 8:58 pm)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Sun Sep 23, 10:34 pm)

Re: SMTP flood + spamdb, Stuart Henderson, (Mon Sep 24, 3:47 am)

Re: SMTP flood + spamdb, patrick keshishian, (Mon Sep 24, 8:01 pm)

Re: SMTP flood + spamdb, patrick keshishian, (Tue Sep 25, 12:08 am)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Tue Sep 25, 12:38 am)

Re: SMTP flood + spamdb, Craig Skinner, (Tue Sep 25, 1:38 am)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Tue Sep 25, 1:50 am)

Re: SMTP flood + spamdb, Stuart Henderson, (Tue Sep 25, 2:29 am)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Tue Sep 25, 3:36 am)

Re: SMTP flood + spamdb, Stuart Henderson, (Tue Sep 25, 3:56 am)

Re: SMTP flood + spamdb, RW, (Tue Sep 25, 4:00 am)

Re: SMTP flood + spamdb, Liviu Daia, (Tue Sep 25, 4:14 am)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Tue Sep 25, 4:22 am)

Re: SMTP flood + spamdb, Craig Skinner, (Tue Sep 25, 4:30 am)

Re: SMTP flood + spamdb, Craig Skinner, (Tue Sep 25, 4:40 am)

Re: SMTP flood + spamdb, Chris Smith, (Tue Sep 25, 7:51 am)

Re: SMTP flood + spamdb, RW, (Tue Sep 25, 4:04 pm)

Re: SMTP flood + spamdb, RW, (Tue Sep 25, 4:17 pm)

Re: SMTP flood + spamdb, Liviu Daia, (Tue Sep 25, 5:16 pm)

Re: SMTP flood + spamdb, RW, (Tue Sep 25, 9:25 pm)

Re: SMTP flood + spamdb, Craig Skinner, (Wed Sep 26, 12:50 am)

Re: SMTP flood + spamdb, Craig Skinner, (Wed Sep 26, 1:00 am)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Wed Sep 26, 1:46 am)

Re: SMTP flood + spamdb, Liviu Daia, (Wed Sep 26, 4:18 am)

Re: SMTP flood + spamdb, Damien Miller, (Wed Sep 26, 5:45 am)

Re: SMTP flood + spamdb, Liviu Daia, (Wed Sep 26, 6:27 am)

Re: SMTP flood + spamdb, Craig Skinner, (Wed Sep 26, 6:41 am)

Re: SMTP flood + spamdb, Jeremy C. Reed, (Wed Sep 26, 6:51 am)

Re: SMTP flood + spamdb, Liviu Daia, (Wed Sep 26, 7:02 am)

Re: SMTP flood + spamdb, Luca Corti, (Wed Sep 26, 7:22 am)

Re: SMTP flood + spamdb, Craig Skinner, (Wed Sep 26, 7:29 am)

Re: SMTP flood + spamdb, Liviu Daia, (Wed Sep 26, 7:38 am)

Re: SMTP flood + spamdb, Liviu Daia, (Wed Sep 26, 7:48 am)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Wed Sep 26, 7:54 am)

Re: SMTP flood + spamdb, Craig Skinner, (Wed Sep 26, 8:01 am)

Re: SMTP flood + spamdb, Dave Anderson, (Wed Sep 26, 8:03 am)

Re: SMTP flood + spamdb, Stuart Henderson, (Wed Sep 26, 8:23 am)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Wed Sep 26, 8:26 am)

Re: SMTP flood + spamdb, Luca Corti, (Wed Sep 26, 8:59 am)

Re: SMTP flood + spamdb, Luca Corti, (Wed Sep 26, 9:06 am)

Re: SMTP flood + spamdb, Liviu Daia, (Wed Sep 26, 10:05 am)

Re: SMTP flood + spamdb, Bob Beck, (Wed Sep 26, 10:22 am)

Re: SMTP flood + spamdb, Jeremy C. Reed, (Wed Sep 26, 10:48 am)

Re: SMTP flood + spamdb, Liviu Daia, (Wed Sep 26, 11:13 am)

Re: SMTP flood + spamdb, Liviu Daia, (Wed Sep 26, 11:16 am)

Re: SMTP flood + spamdb, Rob, (Wed Sep 26, 2:03 pm)

Re: SMTP flood + spamdb, Hannah Schroeter, (Wed Sep 26, 2:33 pm)

Re: SMTP flood + spamdb, Rob, (Wed Sep 26, 2:51 pm)

Re: SMTP flood + spamdb, Peter N. M. Hansteen, (Wed Sep 26, 3:17 pm)

Re: SMTP flood + spamdb, RW, (Wed Sep 26, 3:21 pm)

Re: SMTP flood + spamdb, Eric Johnson, (Thu Sep 27, 2:45 am)

Re: SMTP flood + spamdb, Juan Miscaro, (Thu Sep 27, 9:36 am)

Re: SMTP flood + spamdb, Bob Beck, (Thu Sep 27, 10:50 am)

Re: SMTP flood + spamdb, Kurt Mosiejczuk, (Thu Sep 27, 11:04 am)


linux-kernel:
Paul Turner	[tg_shares_up rewrite v4 11/11] sched: update tg->shares after cpu.shares write
Mr. James W. Laferriere	Re: Linux 2.6.25-rc1 , syntax error near unexpected token `;'
Linus Torvalds	Linux 2.6.34-rc4
Colin Cross	[PATCH 12/21] ARM: tegra: Add suspend and hotplug support
Chuck Ebbert	Re: PCI: Unable to reserve mem region problem
git:
Fredrik Kuivinen	Re: fatal: unable to create '.git/index': File exists
Ralf Wildenhues	[PATCH] Fix typos in the documentation
Wink Saville	How-to combine several separate git repos?
Denis Bueno	Git clone error
pradeep singh	git-update-server-info may be required,cannot clone and pull from a remote reposit...
linux-netdev:
Jamie Lokier	Re: POHMELFS high performance network filesystem. Transactions, failover, performa...
Timo Teräs	ip xfrm policy semantics
Jarek Poplawski	Re: socket api problem: can't bind an ipv6 socket to ::ffff:0.0.0.0
Kurt Van Dijck	Re: [PATCH net-next-2.6 1/2] can: add driver for Softing card
Eric Dumazet	Re: [PATCH net-next-2.6] net: Introduce skb_orphan_try()
openbsd-misc:
Sevan / Venture37	Re: This is what Linus Torvalds calls openBSD crowd
Netmaffia.hu	Tini Lányok AKCIÓBAN OTTHON
Siju George	This is what Linus Torvalds calls openBSD crowd
Darrin Chandler	Re: OT: Python (was Re: vi in /bin)
frantisek holop	Re: splassert: vwakeup: and friends
git-commits-head:
Linux Kernel Mailing List	ASoC: fix registration of the SoC card in the Freescale MPC8610 drivers
Linux Kernel Mailing List	drivers/acpi: use kasprintf
Linux Kernel Mailing List	powerpc/fsl_msi: enable msi allocation in all banks
Linux Kernel Mailing List	bnx2x: Moving includes
Linux Kernel Mailing List	nfsd41: sanity check client drc maxreqs