Derek T Posted August 14, 2008
A fellow-user recently introduced me to the greylist and I am trying it out. My held mail has gone down from 200-300 per day to about 10 and I have many fewer 'false negatives' in my inbox. This is great for me but what about the community? Are the ones the greylist stopped helping to feed the blacklists (as I am no longer reporting them)? - keen to 'do my bit'.

DavidT Posted August 14, 2008
No, I'm sure that it doesn't. It's only protecting those who have it turned on.
DT

petzl Posted August 14, 2008
> A fellow-user recently introduced me to the greylist and I am trying it out. My held mail has gone down from 200-300 per day to about 10 and I have many fewer 'false negatives' in my inbox. This is great for me but what about the community? Are the ones the greylist stopped helping to feed the blacklists (as I am no longer reporting them)? - keen to 'do my bit'.
The Greylist does not feed any blacklist or notify the ISP alleged spam came from. Major majority of Greylisted/stopped email is from bots, not email servers. When a bot tries to send to a greylisting it is blocked and often jams the bot from sending spam and jams the computer sending it. This should alert the computer owner something is wrong. Bots are not email servers and have no way (yet) of dealing with server responses (what greylisting does) so the spam email freezes, shutting down the spam run, which lasts for hours if not days (to send a few million emails is not quick at best).
The growing number of bots sending spam is just growing and the infected computer owners are usually naive operators (Grandma, Grandpa, kids etc). If an ISP does get their infection cleared they usually just get re-infected. Without greylisting implemented you are fighting a losing battle IMO.
Bots (major majority) do not timeout and resend, they just lock-up. Greylisting (unless a whitelisted email) requires a 30 minute wait before resending by an email server which, if properly configured, recognises this command.

StevenUnderwood Posted August 14, 2008
> Bots (major majority) do not timeout and resend, they just lock-up. Greylisting (unless a whitelisted email) requires a 30 minute wait before resending by an email server which, if properly configured, recognises this command.
Where are you getting this information... all of the explanations I have seen, the bots do not even wait for a response, instead simply start sending their payload then move to the next address. This would not have the effect on the sending bot you are talking about. I would guess the bot machine would act no differently but greylisting definitely helps those behind it.

SpamCopAdmin Posted August 14, 2008
> introduced me to the greylist
Greylist is a procedure, not a list. "Greylisting" means that a mail server will not accept mail on the first delivery attempt. Normal mail servers will try again and again (for a reasonable time) until they deliver the mail. Spammer servers (and SpamCop servers) only try once and then give up.
- Don D'Minion - SpamCop Admin -

petzl Posted August 15, 2008
> Where are you getting this information... all of the explanations I have seen, the bots do not even wait for a response, instead simply start sending their payload then move to the next address. This would not have the effect on the sending bot you are talking about. I would guess the bot machine would act no differently but greylisting definitely helps those behind it.
My understanding from feedback: Bots wait for spam email to be sent (port 25. Most competent providers block port 25) before moving to next spam. Very simple effective program but limited in commands when server accepts send, then sends resend command (bot does not understand, just waits for "SEND - connection finished - 1 message(s) sent)"
In the case of greylisting the message is held (as far as bot is concerned), not allowing message through. It therefore does not move to next email and hangs.

StevenUnderwood Posted August 15, 2008
> Bots wait for spam email to be sent (port 25. Most competent providers block port 25) before moving to next spam.
> (bot does not understand, just waits for "SEND - connection finished - 1 message(s) sent)"
malware I have heard about don't wait for ANY responses... simply run through their script of commands and move on to the next one. ISPs blocking port 25 outbound only means the malware is virtually running only on that machine, not able to contact any other host (connections from internal host anywhere but our server on port 25 are simply dropped).
Greylists I have seen the logs for (SpamCop's) simply drop the connection after sending the 4xx code.
Now, I have read that spamd (one way to implement greylisting) can be used to slow down the spammers' operation by slowing the connection and NOT letting it go, but that IP needs to be identified as a spammer for that purpose. You would not do that on EVERY connection or your server would never get through valid messages.

turetzsr Posted August 15, 2008
...IIUC, greylisting is available only on SpamCop e-mail accounts, therefore I am moving this Forum thread from the "SpamCop Blocklist Help" forum to the "SpamCop Email System & Accounts" forum.

petzl Posted August 16, 2008
> Greylists I have seen the logs for (SpamCop's) simply drop the connection after sending the 4xx code.
Even spam contains data which takes time to send.
"Greylists I have seen the logs for (SpamCop's) simply drop the connection after sending the 4xx code."
As soon as this happens the malware has not sent its data(?) and waits and waits(?)

DavidT Posted August 16, 2008
> As soon as this happens the malware has not sent its data(?) and waits and waits(?)
No...look at Don's post above, where he wrote:
> Spammer servers (and SpamCop servers) only try once and then give up.
DT

petzl Posted August 16, 2008
> No...look at Don's post above, where he wrote:
> QUOTE(SpamCopAdmin [at] Aug 14 2008, 03:44 PM) Spammer servers (and SpamCop servers) only try once and then give up.
Do they though? They can't connect most certainly and have not uploaded spam package. These bots are very simple programs and (mainly) cannot deal with unexpected dropouts. As far as a greylisting mail server is concerned "they give up". My belief/info is they then (in most cases) fold over.
SpamCop email does record IP & email from address for rejected attempts.

StevenUnderwood Posted August 16, 2008
> My belief/info is they then (in most cases) fold over.
> SpamCop email does record IP & email from address for rejected attempts.
Instead, look at the "Blocked Entries" section and see how many of them have "# Blocked" > 1. I have found only 2 and both were valid senders who (1) did not resend or (2) whose resend timing is "off" to fit with SpamCop's.

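The mechanism the thread describes (a temporary 4xx reply on the first attempt, acceptance once a sender retries after the 30-minute wait, whitelisted senders passing straight through, and a per-sender blocked count) can be sketched as follows. This is an added example, not part of any post and not SpamCop's code; keying state on (client IP, envelope sender, recipient), the 451 reply text, and every address in the sample are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

RETRY_DELAY = 30 * 60  # seconds; the 30-minute wait mentioned in the thread

@dataclass
class Entry:
    first_seen: float
    blocked: int = 0       # deferred attempts, like a "# Blocked" column
    passed: bool = False

@dataclass
class Greylist:
    whitelist: set = field(default_factory=set)   # client IPs never delayed
    entries: dict = field(default_factory=dict)

    def check(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        if ip in self.whitelist:
            return "250 OK"
        # Assumption: state is keyed on (client IP, envelope sender, recipient).
        key = (ip, mail_from.lower(), rcpt_to.lower())
        entry = self.entries.setdefault(key, Entry(first_seen=now))
        if entry.passed or now - entry.first_seen >= RETRY_DELAY:
            entry.passed = True
            return "250 OK"
        entry.blocked += 1
        return "451 Greylisted, try again later"   # temporary (4xx) failure

    def unresolved(self):
        """Triplets that were deferred and never came back after the delay."""
        return {k: e.blocked for k, e in self.entries.items() if not e.passed}

# Constructed sample attempts: (seconds, client IP, MAIL FROM, RCPT TO)
SAMPLE = [
    (0,    "198.51.100.7", "news@example.org", "user@example.net"),  # real MTA
    (100,  "203.0.113.5",  "x@example.com",    "user@example.net"),  # one-shot sender
    (900,  "198.51.100.7", "news@example.org", "user@example.net"),  # retry too early
    (1800, "198.51.100.7", "news@example.org", "user@example.net"),  # retry after 30 min
    (1900, "192.0.2.10",   "boss@example.org", "user@example.net"),  # whitelisted
]

def replay(events, whitelist=("192.0.2.10",)):
    """Feed attempts through a fresh greylist; return reply codes and leftovers."""
    gl = Greylist(whitelist=set(whitelist))
    codes = [gl.check(ip, frm, to, t)[:3] for t, ip, frm, to in events]
    return codes, gl.unresolved()

if __name__ == "__main__":
    print(replay(SAMPLE))
```

A sender that retries before the delay has elapsed is deferred again and its blocked count rises, which is how a valid server with "off" retry timing ends up with a count above 1.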