Clever bots - was Re: Multi (split) image spam

Hugo van der Kooij hvdkooij at vanderkooij.org
Mon May 7 06:41:03 IST 2007


On Sun, 6 May 2007, Andrew MacLachlan wrote:

> That's right - most are 5 mins, which is about right for most MTAs' first retry.
> Any decent greylister will tell an early retry to go away again, but either more spammers are using MTAs or the bots are getting cleverer. I'd say the latter is more likely.
> A cursory glance at a couple of spams from today gives me headers like this:
>
> X-Greylist: delayed 00:10:01 by SQLgrey-1.7.5
>
> Received: from 89-172-120-92.adsl.net.t-com.hr (89-172-120-92.adsl.net.t-com.hr [89.172.120.92])
>
> X-Greylist: delayed 00:10:02 by SQLgrey-1.7.5
>
> Received: from 236.Red-81-36-176.dynamicIP.rima-tde.net (236.red-81-36-176.dynamicip.rima-tde.net [81.36.176.236])
>
> Interestingly the delay was over 10 mins by a second or 2 - so this means that grey needs to extend to 11 mins... Not sure what the effect of this will be - is the bot smart enough to retry again if rejected at 10 mins?

Given that disabling greylisting still results in a significant rise of 
traffic for MailScanner I would say it is a useful addition to the bag of 
tricks at this time.

At irregular intervals I play with some of them to see if disabling a 
restriction is having an effect. At this point I wrote a small script to 
report on greylisted entries daily and have added all the noisy entries to 
a static blacklist.

The first way I added was abo.wanadoo.fr and it had an immediate impact. 
Wanadoo users will need to send through their ISP mailserver to get a 
message delivered.

Hugo.

-- 
 	hvdkooij at vanderkooij.org	http://hugo.vanderkooij.org/
 	    This message is using 100% recycled electrons.

 	Some men see computers as they are and say "Windows"
 	I use computers with Linux and say "Why Windows?"
 		(Thanks JFK, for the insight.)

A: Yes.
>Q: Are you sure?
>>A: Because it reverses the logical flow of conversation.
>>>Q: Why is top posting frowned upon?
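
A report of the kind discussed in this message, as an added example that is not part of the original post and is not the poster's script: it reads X-Greylist/Received header pairs in the order quoted above and counts, per parent domain, how many senders retried just past the greylist window. The 600-second window, the 5-second slack, the function names and the third sample entry are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Sample input: the first two pairs are the headers quoted in the thread,
# the third (mail.example.org) is constructed for contrast.
SAMPLE = """\
X-Greylist: delayed 00:10:01 by SQLgrey-1.7.5
Received: from 89-172-120-92.adsl.net.t-com.hr (89-172-120-92.adsl.net.t-com.hr [89.172.120.92])
X-Greylist: delayed 00:10:02 by SQLgrey-1.7.5
Received: from 236.Red-81-36-176.dynamicIP.rima-tde.net (236.red-81-36-176.dynamicip.rima-tde.net [81.36.176.236])
X-Greylist: delayed 00:31:40 by SQLgrey-1.7.5
Received: from mail.example.org (mail.example.org [192.0.2.25])
"""

GREY = re.compile(r"^X-Greylist: delayed (\d+):(\d\d):(\d\d) by ")
RECV = re.compile(r"^Received: from \S+ \((\S+) \[([0-9.]+)\]\)")

def parse(text):
    """Yield (delay_seconds, rdns, ip) for each X-Greylist/Received pair."""
    delay = None
    for line in text.splitlines():
        m = GREY.match(line)
        if m:
            h, mi, s = map(int, m.groups())
            delay = h * 3600 + mi * 60 + s
            continue
        m = RECV.match(line)
        if m and delay is not None:
            yield delay, m.group(1).lower(), m.group(2)
            delay = None  # a Received line is paired with one delay only

def parent_domain(rdns, labels=2):
    """Crude grouping key: the last N labels (no public-suffix handling)."""
    return ".".join(rdns.split(".")[-labels:])

def report(text, window=600, slack=5, labels=2):
    """Per parent domain: total deliveries and those retried within
    `slack` seconds after the assumed greylist `window`."""
    stats = defaultdict(lambda: {"total": 0, "edge": 0})
    for delay, rdns, _ip in parse(text):
        entry = stats[parent_domain(rdns, labels)]
        entry["total"] += 1
        if window <= delay <= window + slack:
            entry["edge"] += 1
    return dict(stats)

if __name__ == "__main__":
    for domain, s in sorted(report(SAMPLE).items()):
        print(f"{domain:20} total={s['total']} edge={s['edge']}")
```

Domains where nearly every delivery is an edge hit are the candidates to review by hand before adding anything to a static blacklist; pass `labels=3` to group at the depth of an entry such as abo.wanadoo.fr.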


