Re: [exim] Defer as a spam filter

Top Page
Delete this message
Reply to this message
Author: Alan J. Flavell
Date:  
To: Exim-Users (E-mail)
Subject: Re: [exim] Defer as a spam filter
On Fri, 4 Mar 2005, Tom Kistner wrote:

> My experiences have been less positive. I like to get my email
> quickly. Some remote hosts (large organizations) have their initial
> retry times set up to 6 hours.


As so often, "it depends on what you're trying to achieve".

Waiting 6 hours would give a good chance of an abusive MTA turning up
in spamcop or cbl (or whatever one uses) if it's going to get
blacklisted at all; and thus push the item's spam rating up to the
point where it would be outright rejected. So I could see *some*
logic in that.

But many pump-and-dump spammers can be repulsed by simply deferring
their first offer. Those kind of senders won't try again, so if the
offering MTA *does* retry, you could accept at once, and still have
kept out a meaningful amount of spam.

(Disclaimer: At the moment, we're not doing either, on the production
system.)

Indeed, quite a few pump-and-dump spammers can be got rid of by simply
delaying for somewhat over 60 seconds at the RCPT stage, without
having to defer at all. Genuine MTAs usually cope with a delay of at
least a couple of minutes, if not the whole 5mins recommended in the
RFC. Of course I don't do this for all offering MTAs: I have a list
of criteria which are taken as at least *indicative* of a suspicious
source, and the ACL then applies this delay.

But of course it's an arms-race. If the majority of sites used these
techniques, the spammers would have to find a way of overcoming them.
The techniques only work as long as you're in the minority, so the
spammers can't be bothered to put in the effort to overcome them.

> But I know that email admins in academia are nearly untoucheable.


By no means: I get a steady trickle of complaints from our users about
spam that leaked through, asking me to implement better defences.
Plus just the occasional complaint about a false-positive rejection.

> That is another matter in real business.


I wouldn't presume to comment on that.

best regards