Clever bots - was Re: Multi (split) image spam

Andrew MacLachlan amaclach at yahoo.co.uk
Sun May 6 23:31:23 IST 2007 

That's right - most are 5 mins, which is about right for most MTAs first retry.
Any decent greylister will tell an early retry to go away again, but either more spammers are using MTAs or the bots are getting cleverer. I'd say the latter is more likely.
A cursory glance at a couple of spams from today gives me headers like this:

X-Greylist: delayed 00:10:01 by SQLgrey-1.7.5

Received: from 89-172-120-92.adsl.net.t-com.hr (89-172-120-92.adsl.net.t-com.hr [89.172.120.92])

X-Greylist: delayed 00:10:02 by SQLgrey-1.7.5

Received: from 236.Red-81-36-176.dynamicIP.rima-tde.net (236.red-81-36-176.dynamicip.rima-tde.net [81.36.176.236])

Interestingly the delay was over 10 mins by a second or 2 - so this means that grey needs to extend to 11 mins... Not sure what the effect of this will be - is  the bot smart enough to retry again if rejected at 10 mins?

Andy


----- Original Message ----
From: Hugo van der Kooij <hvdkooij at vanderkooij.org>
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Sent: Sunday, 6 May, 2007 11:07:18 PM
Subject: Re: Multi (split) image spam

On Sun, 6 May 2007, Andrew MacLachlan wrote:

> Some of the spammers are doing resends though to get around greylisting - this is a worrying trend, however it also means that they can only send half as many from each bot...
>
> Maybe time to re-tune the greylisting software so it does a second 450 before it finally accepts a sender?

Most greylisting solutions I have seen use a time window. So you need to 
resend it after the timewindow or you will still hit the greylist.

Hugo.

-- 
     hvdkooij at vanderkooij.org    http://hugo.vanderkooij.org/
         This message is using 100% recycled electrons.

     Some men see computers as they are and say "Windows"
     I use computers with Linux and say "Why Windows?"
         (Thanks JFK, for the insight.)
-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list