Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

"Dark-grey"listing dynamic IP address

2006-04-05 by Gingko

Hello everybody,

I would like to make another suggestion ...

I know that most spammers now use relays on dynamic IP addresses.
I know also that it is difficult to clearly identify dynamic IP addresses.
Even if we can identify these dynamic IP addresses, some of them can 
nevertheless host "legitimate" (i.e. not used for spamming) MTA engines.

But we can make an assumption with something like 95 - 99% certainty that 
a given address is dynamic: for example by just looking at the digit 
groups inside its reverse DNS name. If we can find four (maybe even only 
three) different digit groups with any separators, and if none of them fall 
outside the range 0 - 255, I think that there is a good chance that the 
corresponding IP address is dynamic.

(we could also try to match these numbers with the numbers inside the 
sending IP address, either in direct or in reverse order)

It could certainly be dangerous to completely block them because some of 
them can send legitimate emails.

But why not try to detect them and, for any address assumed to be 
dynamic, assign a specific greylisting delay (assumed longer than the normal 
one) to emails coming from these addresses?

If an assumed dynamic address receives a delay of, say, one or two hours 
instead of 5 minutes for other addresses, the corresponding mailer, even if 
it tries to be RFC compliant, will have to retry more times, will consume 
more resources, and there are even some chances that it will give up before 
the end of this longer delay.

Spammers may have also decided that it is not interesting for them to retry, 
retry and retry for a time that could eventually last for as long as five 
days, because they can't necessarily know if their message is rejected 
because of greylisting or if it will be permanently rejected as many times 
as they retry, for any other reason... and also, if the delay is 
long enough, there is a possibility that the infected sending computer could 
be powered down by its owner during that time.

If the assumption is bad and it is a legitimate mailer, this won't be so 
bad because the message should end up reaching its destination anyway.

This would be a means of greylisting some more suspicious addresses more harshly; 
that's why I used in the subject line the (more or less joking) expression 
"dark-greylisting".

By the way, we should also decide what to do with those addresses that do 
not resolve at all when asking for their reverse DNS host name.
In that case, we could assume that it is either a static IP address or 
a dynamic IP address, or better, class them in a third category with a third 
specific delay, leaving the user to decide how to manage them.

What do you think about that?

Gingko
(France)
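The heuristic proposed in the post, written out as an added example (not code from the post or from milter-greylist): count the digit groups in the reverse DNS name, require all of them to be in 0-255, optionally check whether they match the sender's IP octets in direct or reversed order, and map the result to one of three greylisting delays. The delay values, the `min_groups` parameter and the category names are assumptions chosen for illustration.

```python
import re
from ipaddress import IPv4Address

# Greylisting delays per category, in seconds. These are constructed sample
# values following the post: 5 minutes for normal senders, a much longer delay
# for hosts assumed dynamic, and a third user-chosen delay for hosts that have
# no reverse DNS name at all.
DELAYS = {"static": 5 * 60, "dynamic": 2 * 3600, "no_rdns": 30 * 60}

_DIGIT_GROUPS = re.compile(r"\d+")


def digit_groups(rdns):
    """Return the digit groups of a reverse DNS name as ints, or None when
    any group lies outside 0-255 (then they cannot be an embedded address)."""
    groups = [int(g) for g in _DIGIT_GROUPS.findall(rdns)]
    if any(g > 255 for g in groups):
        return None
    return groups


def _contains_run(groups, octets):
    """True if `octets` occurs as a contiguous run inside `groups`."""
    n = len(octets)
    return any(groups[i:i + n] == octets for i in range(len(groups) - n + 1))


def octets_match(ip, groups):
    """Optional extra check from the post: do the sender's IPv4 octets appear
    in the reverse name, in direct or reversed order?"""
    octets = [int(o) for o in str(IPv4Address(ip)).split(".")]
    return _contains_run(groups, octets) or _contains_run(groups, octets[::-1])


def classify(ip, rdns, min_groups=4):
    """Classify a sender for 'dark-grey' listing.

    Returns (category, delay_seconds, octets_matched). `min_groups` is the
    number of digit groups needed to assume a dynamic address (the post
    suggests four, or maybe only three). An empty/None rdns is the
    'did not resolve' case and gets its own category and delay."""
    if not rdns:
        return "no_rdns", DELAYS["no_rdns"], False
    groups = digit_groups(rdns)
    if groups is None or len(groups) < min_groups:
        return "static", DELAYS["static"], False
    return "dynamic", DELAYS["dynamic"], octets_match(ip, groups)
```

A reverse name such as host2006.example.com is not treated as dynamic because 2006 cannot be an octet, while a name like 20.1.168.192.dyn.example.net is recognised through the reversed-order octet match.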
