[colug-432] Emailing COLUG list
R P Herrold
herrold at owlriver.com
Thu Oct 8 17:15:56 EDT 2009
On Thu, 8 Oct 2009, William Yang wrote:

> While greylisting really worked for me for a while, I found that -- at
> least for my user base -- there's a kind of statistical plateau to the
> process. I think this is probably because there are different kinds of
> spammers who generate their lists differently ...

Actually it is a partition, split between one-off driveby's
who tend to not use a compliant MTA (and shotgun out huge runs
to collect the bounties for volume of attempts), and the more
systematic (viral) 'injectors' who hijack a true MTA which is
not configured to reject their attack

Content from the second group will always eventually get past
a simple delay system, which milter-greylist is an example of,
when the retry at delivery is made for long enough by a 'real'
MTA

This implies that a layered approach to defense is needed.
(add spam-assassin, etc)

I note with some sadness that the old DSBL, which I
participated in the founding of, has closed its doors -- it
had a wonderful and cryptographically sound test suite to
generate test pieces which permitted identification of 'open
relays' of all manner and type, and maintained a RBL corpus
queryable by sendmail and friends. There were too few testers
(under a couple hundred), and we published without obfuscation
the originating IPs of test pieces in a 'spam in hand' archive

Over time, the spammers in turn targeted with DDOS each such
originating IP and saturated the links. One cannot win a
football game playing defense alone

There was another fault in our model in that it was not
futureproof: we did not 'age out' listed IP's, which probably
does not fit the brave new present of transient uses of IP's
in a cloud computing environment. Obviously playing migratory
tester might have worked, but as DSBL had no revenue model, we
were competing against an opponent who was funded, and could
be 'outspent'

-- Russ herrold
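
Added example, not part of the original post and not milter-greylist's own code: a simplified model of triplet greylisting that shows the partition described above, where a one-shot sender never gets through but a queue-and-retry MTA does once the delay has passed. The delay and expiry values, addresses and attempt times are constructed assumptions.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300        # seconds a new triplet must wait (assumed value)
ENTRY_TTL = 4 * 3600   # pending entry is forgotten after this long (assumed value)


@dataclass
class Greylist:
    # (client IP, envelope sender, recipient) -> time of first attempt
    first_seen: dict = field(default_factory=dict)

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' (an SMTP 4xx) for one delivery attempt."""
        key = (ip, sender, rcpt)
        seen = self.first_seen.get(key)
        if seen is None or now - seen > ENTRY_TTL:
            self.first_seen[key] = now      # new or expired triplet: start the clock
            return "tempfail"
        if now - seen < MIN_DELAY:
            return "tempfail"               # retried too soon, keep deferring
        return "accept"                     # sender queued and retried like a real MTA


def simulate(attempts):
    """attempts: (time, ip, sender, rcpt) tuples. Returns the IPs whose mail was accepted."""
    gl = Greylist()
    delivered = set()
    for now, ip, sender, rcpt in sorted(attempts):
        if gl.check(ip, sender, rcpt, now) == "accept":
            delivered.add(ip)
    return delivered


# Constructed sample traffic (documentation address ranges, made-up times).
DRIVE_BY = "192.0.2.10"        # non-compliant sender: one attempt, never retries
HIJACKED_MTA = "198.51.100.7"  # real MTA relaying injected mail: retries from its queue
RCPT = "user@example.org"
ATTEMPTS = [
    (0,   DRIVE_BY,     "a@spam.example", RCPT),
    (5,   HIJACKED_MTA, "b@spam.example", RCPT),
    (65,  HIJACKED_MTA, "b@spam.example", RCPT),   # first retry, still inside the delay
    (905, HIJACKED_MTA, "b@spam.example", RCPT),   # later retry, past the delay
]

if __name__ == "__main__":
    print("accepted from:", simulate(ATTEMPTS))
```

The second sender is what the delay alone cannot stop, which is why content filtering or a blocklist lookup has to sit behind it.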