Jump to content

Does the greylist feed the blacklist?


Recommended Posts

A fellow-user recently introduced me to the greylist and I am trying it out. My held mail has gone down from 200-300 per day to about 10 and I have many fewer 'false negatives' in my inbox. This is great for me but what about the community? Are the ones the greylist stopped helping to feed the blaclists (as I am no longer reporting them)? - keen to 'do my bit'.

Link to comment
Share on other sites

A fellow-user recently introduced me to the greylist and I am trying it out. My held mail has gone down from 200-300 per day to about 10 and I have many fewer 'false negatives' in my inbox. This is great for me but what about the community? Are the ones the greylist stopped helping to feed the blaclists (as I am no longer reporting them)? - keen to 'do my bit'.

The Greylist does not feed any blacklist or notify the ISP alleged spam came from.

Major majority of Greylisted/stopped email is from bots, not email servers.

When a bot tries to send to a greylisting it is blocked and often jams the bot from sending spam and jams the computer sending it. This should alert the computer owner something is wrong.

Bots are not email servers and have no way (yet) of dealing with server responses (what greylisting does) so the spam email freezes shutting down the spam run, which last for hours if not days (to send a few million emails is not quick at best)

The growing number of bots sending spam is just growing and the infected computer owners are usually naive operators (Grandma, Grandpa, kids etc) If a ISP does get their infection cleared they usually just get re-infected. Without greylisting implemented you are fighting a losing battle IMO

Bots (major majority) do not timeout and resend they just lock-up. Greylisting (unless a whitelisted email)requires a 30 minute wait before resending by a email server which if properly configured recognise this command

Edited by petzl
Link to comment
Share on other sites

Bots (major majority) do not timeout and resend they just lock-up. Greylisting (unless a whitelisted email)requires a 30 minute wait before resending by a email server which if properly configured recognise this command

Where are you getting this information... all of the explanations I have seen, the bots do not even wait for a response, instead simply start sending their payload then move to the next address. This would not have the effect on the sending bot you are talking about. I would guess the bot machine would act no differently but greylisting definitely helps those behind it.

Link to comment
Share on other sites

introduced me to the greylist
Greylist is a procedure, not a list.

"Greylisting" means that a mail server will not accept mail on the first delivery attempt.

Normal mail servers will try again and again (for a reasonable time) until they deliver the mail.

Spammer servers (and SpamCop servers) only try once and then give up.

- Don D'Minion - SpamCop Admin -

.

Link to comment
Share on other sites

Where are you getting this information... all of the explanations I have seen, the bots do not even wait for a response, instead simply start sending their payload then move to the next address. This would not have the effect on the sending bot you are talking about. I would guess the bot machine would act no differently but greylisting definitely helps those behind it.

My understanding from feedback

Bots wait for spam email to be sent (port 25. Most competant providers block port 25) before moving to next spam. Very simple effective program but limited in comands when server accepts send, then sends resend command (bot does not understand just waits for "SEND - connection finished - 1 message(s) sent)"

In the case of greylisting the message is held (as far as bot is concerned) not allowing message through. It therfore does not move to next email and hangs.

Link to comment
Share on other sites

Bots wait for spam email to be sent (port 25. Most competant providers block port 25) before moving to next spam.

(bot does not understand just waits for "SEND - connection finished - 1 message(s) sent)"

malware I have heard about don't wait for ANY responses... simply run through their scri_pt of commands and move on to the next one.

ISP's blocking port 25 outbound only means the malware is virually running only on that machine, not able to contact any other host (connections from internal host anywhere but our server on port 25 are simply dropped)

Greylists I have seen the logs for (SpamCop's) simply drop the connection after sending the 4xx code.

Now. I have read that spamd (one way to implement greylisting) can be used to slow down the spammers operation by slowing the connection and NOT letting it go, but that IP needs to be identified as a spammer for that purpose.

You would not do that on EVERY connection or your server would never get through valid messages.

Link to comment
Share on other sites

Greylists I have seen the logs for (SpamCop's) simply drop the connection after sending the 4xx code.

Even spam contains data which takes time to send

"Greylists I have seen the logs for (SpamCop's) simply drop the connection after sending the 4xx code. "

As soon as this happens the malware has not sent its data(?) and waits and waits(?)

Link to comment
Share on other sites

No...look at Don's post above, where he wrote:

QUOTE(SpamCopAdmin [at] Aug 14 2008, 03:44 PM)

Spammer servers (and SpamCop servers) only try once and then give up.

Do they though?

They can't connect most certainly and have not uploaded spam package

These bots are very simple programs and (mainly) cannot deal with unexpected dropouts

As far as a greylististing mail server is concerned "they give up"

My belief/info is they then (in most cases) fold over

SpamCop email does record IP & email from address

for rejected attempts

Link to comment
Share on other sites

My belief/info is they then (in most cases) fold over

SpamCop email does record IP & email from address

for rejected attempts

Instead, look at the "Blocked Entries" section and see how many of then have "# Blocked" > 1. I have found only 2 and both were valid senders who (1) did not resend or (2) whose resend timing is "off" to fit with SpamCop's.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...