In message <20100129115758.GA16187@???>, Alain Williams
<addw@???> writes
>On Thu, Jan 28, 2010 at 04:55:38PM +0000, Richard Clayton wrote:
>
>> I've seen combining the IP address with sending (or receiving) domain
>> work very badly indeed with ISP smarthosts (ie the machines that
>> millions of customers use...)
>
>Hmmm. An ISP might want to use the triplet: destination domain, sender domain
>& relaying IP. A spammer will send to many addresses, if 2 of them are hosted
>by the ISP then only the first tried will be protected by greylisting.
Indeed ... however, this can make the scenario I described even worse
>> What happens is that the sending machine tries one email, which is then
>> greylisted. The sending machine then marks the destination as
>> unresponsive -- but eventually gets around to trying again. However, a
>> different email is at the front of the queue, with a different customer
>> domain and so that is also greylisted. The sending machine then marks
>> the destination as unresponsive -- but eventually gets around to trying
>> again. However, a different email is at the front of the queue...
>>
>> ... rinse and repeat until 4xx has been seen far too often, and all
>> queued email is then marked undeliverable and returned to the senders.
>>
>> I don't understand why you feel that the property "will try again after
>> a 4xx response" would not be associated solely with the IP address ??
>
>So: are you suggesting that the only thing that should be stored in the database
>is the relaying IP address ? That would seem to address your concern above,
>however what happens if a group of machines behind one IP address (a small
>business with a NATting firewall) become part of a spamming botnet ?
>The first attempt will be blocked and the next ones be allowed through.
You'll find that a lot of bots send two emails, <n> minutes apart. If
you are using greylisting the second one is delivered, if you are not
then two copies of the email are delivered -- what's not to like!
viz: greylisting isn't perfect; merely a heuristic that (remarkably in
my opinion) still has some impact on incoming spam levels (or to be more
precise -- reduces the load on the next layer of spam filtering)
>The pair (relay_ip & sender_domain) tends to be more robust since spammers
>tend to set the sender_domain ''at random'',
No general statements about spammers are ever true...
I daily see large amounts of logging of spam (I look after a log
processing system that picks out the patterns of wickedness and draws
the abuse@ team's attention to it) and I would say that randomly chosen
domains are in the minority at present... however, there are still some
senders doing this
- --
richard Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
