Milter-greylist

Hi,

I want to implement taRgrey into milter-greylist. I want to
hear comments about how should I implement it.

= Background

taRgrey is an anti-spam technique based on greylisting and
tarpitting:
  http://k2net.hakuba.jp/targrey/index.en.html

taRgrey's main purpose is decreasing false positives with
low maintenance cost. Decreasing false positives is more
important rather than increasing false negatives because
false negative mails can be detected content-based filter
(e.g. SpamAssassin) but false positive mails can't be
rescued easily. So taRgrey is valuable.


= About taRgrey

taRgrey don't apply greylisting until a SMTP client seems a
spammer. taRgrey uses S25R and tarpitting to decide a SMTP
client is a spammer. A SMTP client is treated as non-spammer
if it passes one of S25R, tarpitting and greylisting. It
decreases false positives.

S25R: It's an anti-spam technique that detects spam-bots
      with SMTP client's FQDN and 7 regular expressions:
        http://www.gabacho-net.jp/en/anti-spam/

      It's an effective technique to detect spammers because
      most of spams are sent by spam-bots.

Tarpitting: It's an anti-spam technique that detects
            spam-bots with less delay rather than greylisting:
              http://en.wikipedia.org/wiki/Tarpit_(networking)


Here is a flowchart that shows how taRgrey works:
  http://k2net.hakuba.jp/targrey/targrey_constitution.gif


= A question about configuration

I have some ideas for taRgrey configuration:

  (1) Adding 'targrey' action.
      e.g.: racl targrey CONDITIONS ... sleep 65s

      This ACL line means:
      - a SMTP client is passed and pushed into
        auto-whitelist if a SMTP client that matches
        'CONDITIONS ...' still connected after 65s.
      - a SMTP client is passed and pushed into
        auto-whitelist by greylisting if a SMTP client that
        matches 'CONDITIONS ...' and disconnected until 65s
        earlier resents the same messages.

      Pros.: Easy to read.
      Cons.: New action.

  (2) Adding 'tarpit' ACL clause.
      e.g.: racl greylist CONDITIONS ... not tarpit 65s

      This ACL line means that a SMTP client is greylisted
      if a SMTP client that matches 'CONDITIONS ...'
      disconnects until 65s earlier.

      Pros.:
      - No new action.
      - 'tarpit' can be used with 'blacklist' and/or
        'whitelist' instead of 'greylist'.
      Cons.:
      - 'not' keyword may be forgotten.

  (3) Or other idea...

I like (2) because (2) is more flexibly rather than (1).


= Questions about implementation

The next step. :)


Thanks,
--
kou

On Sun, Jul 05, 2009 at 09:21:12PM +0900, Kouhei Sutou wrote:
>   (1) Adding 'targrey' action.
>       e.g.: racl targrey CONDITIONS ... sleep 65s
(...)
>       Pros.: Easy to read.
>       Cons.: New action.

And the new action be difficult to integrate with existing ACL. 

>   (2) Adding 'tarpit' ACL clause.
>       e.g.: racl greylist CONDITIONS ... not tarpit 65s

That one seems nicer, but could be imporved a bit. Milter-greylist
actually has two kind of clauses in its ACL:
- condtionnal clauses, such as rcpt /@evilsapmmer\.com$/
- action clauses, with will always evalute to true. eg: msdg "go ayay"

IMO, tarpit fall in the latter category, since there is no conditionnal
testing to perform: if the remote host fails the tarpit, it hangs up 
before the delay, and the ACL evaluation stops here because the connexion
is closed.

Therefore, you can just drop the 'not' and add a tarpit action clause
to the ACL. It can be used both in racl and dacl, while we are there.


On the implementation: conditionnal clauses have been refactored some
time ago to use function pointers so tht less code is duplicated.
Check for acl_clause_rec in acl.c. Unfortunately, action clauses 
are still in the ancient world, with a lot of duplicated code.

You can choose to either add a quick hack to support the tarpit clause,
or refactor action clauses to use the same scheme as conditionnal clauses.
Choose the quick hack if you don't feel confortable with the code.

-- 
Emmanuel Dreyfus
manu@...

Hi,

Thanks for your comment.

In <20090705142730.GA22288@...>
  "Re: [milter-greylist] [RFC] implementing taRgrey" on Sun, 5 Jul 2009 14:27:30 +0000,
  Emmanuel Dreyfus <manu@...> wrote:

> 
> On Sun, Jul 05, 2009 at 09:21:12PM +0900, Kouhei Sutou wrote:
>> (1) Adding 'targrey' action.
>> e.g.: racl targrey CONDITIONS ... sleep 65s
> (...)
>> Pros.: Easy to read.
>> Cons.: New action.
> 
> And the new action be difficult to integrate with existing ACL.
> 
>> (2) Adding 'tarpit' ACL clause.
>> e.g.: racl greylist CONDITIONS ... not tarpit 65s
> 
> That one seems nicer, but could be imporved a bit.

OK. I'll use ACL clause not action.
We agree on configuration syntax, doesn't it?

I'll start to talk about implementation. It's the next stage. :)

>                                                    Milter-greylist
> actually has two kind of clauses in its ACL:
> - condtionnal clauses, such as rcpt /@evilsapmmer\.com$/
> - action clauses, with will always evalute to true. eg: msdg "go ayay"
> 
> IMO, tarpit fall in the latter category, since there is no conditionnal
> testing to perform: if the remote host fails the tarpit, it hangs up
> before the delay, and the ACL evaluation stops here because the connexion
> is closed.

I want to use tarpitting as a condition.

I want to use greylisting only if tarpitting IS
failed. Because a SMTP client that passes tarpitting may not
be spam-bot. spam-bot will not wait a long time because it
wants to send many spams. It doesn't want to wait a long
time.

I don't want to apply greylisting to spam-bot to reduce
false positives if a SMTP client isn't spam-bot.


I want to use tarpitting as a condition because of the above
reason but 'tarpit' clause behaves like action clause as you
write.

We can't use other conditions after 'tarpit' clause. We need
to wait the next milter event to detect the connection is
closed.

It's a limitation of both of libmilter and MTAs (Sendmail
and Postfix). Implementations of them can't detect the
connection is closed while a milter event is
processing. Connection closing is detected in their event
loop. We need to return a milter event response to cycle
their event loop.


Pass case:
  a SMTP client     milter
         RCPT TO -> ...
                    tarpitting
                 <- response
            DATA -> detect tarpitting is passed!

Failure case:
  a SMTP client     milter
         RCPT TO -> ...
                    tarpitting
   <disconnect>     ...
 (not detected yet) ...
 (not detected yet) tarpitting
    detected!    <- response
           abort -> detect tarpitting is failed!

We can't append another clauses after 'tarpit' clause. Is it
acceptable behavior?


> On the implementation: conditionnal clauses have been refactored some
> time ago to use function pointers so tht less code is duplicated.
> Check for acl_clause_rec in acl.c. Unfortunately, action clauses
> are still in the ancient world, with a lot of duplicated code.
> 
> You can choose to either add a quick hack to support the tarpit clause,
> or refactor action clauses to use the same scheme as conditionnal clauses.
> Choose the quick hack if you don't feel confortable with the code.

Thanks for the information!

I can choose both of them. :-)
If I choose the refactoring way, I'll send a patch for it
before send a patch for 'tarpit'.


Thanks,
--
kou

On Mon, Jul 06, 2009 at 09:20:44PM +0900, Kouhei Sutou wrote:
> I want to use tarpitting as a condition.

That does not make sense for milter-greylist ACL, as a negative
result cause ACL processing to stop there.

> We can't append another clauses after 'tarpit' clause. Is it
> acceptable behavior?

I think that what we need here is a new ACL class. I have been thinking
about it for a while: We have whitelist, greylist and blacklist, all of
them stop ACL evualuation on match. 

We need a continue ACL, that allows action clause to be fired whithout
having to stop ACL evaluation there:

racl whitelist addr 127.0.0.0/8
racl whitelist domain example.net
racl continue tarpit 65s
# if tarpit failed the client is not there anymore
racl greylist delay 15m



-- 
Emmanuel Dreyfus
manu@...

I've actually been eying tarpits for a while now, specifically leaders
like MailChannels (which some high-volume colleagues of mine use, plus
an award from the MIT Spam Conference).  Their product is actually
very similar to what could be added to milter-greylist with the
implementation of a tarpit command.

I wouldn't actually be surprised if tarpitting was in almost every way
better than greylisting; I'd strongly consider reconfiguring my
servers use tarpitting over greylisting in every case (perhaps with a
10s grey-time on Windows desktop OS "servers" before the tarpit).

The sendmail configuration option "greet_pause" is a basic form of
tarpitting with astounding affect.  See the testimonial at
http://www.acme.com/mail_filtering/sendmail_config.html#greet_pause
and data at http://mailchannels.com/images/drop-off.png

One important implementation note:  if the connecting server drops the
connection but then comes back later, the tarpit clock should have
been counting from that first connection.  (Otherwise, some
noncompliant servers might never deliver mail.)

One more note on tarpitting:  the full-on implementation is actually
that of a connection throttle; traffic is let through very very
slowly.  The idea of pausing often accomplishes the same thing, but
it's easily interpreted as a lost connection.  A good tarpit
implementation would actually have variable dynamic throttle rates (or
at least several bandwidth thresholds), and no tarpit mechanism should
throttle longer than 300-500 seconds (see above linked image).


As to taRgrey, it appears to bring two concepts to the table:  the
aforementioned tarpit ability, which is awesome, and S25C, which is
some kind of botnet detector.

After reading a bit on S25C, I'm quite dubious.  No concrete data on
false-positives is presented and the whitelist is MASSIVE.  I've
implemented S25C in SpamAssassin with near-zero scores to see what
kind of impact it would have on my servers, but I doubt it will prove
useful (since SA fires after greylisting).

I suspect the "botnet" plugin for SpamAssassin is far more
comprehensive, and I've already decided not to use it thanks to the
fact that greylisting's main function is combating botnets.  The same
will probably go for S25R.

Implementing S25R within milter-greylist once the tarpitting
functionality is present should prove trivial, so I see no need to
implement a "targrey" clause.

Hi,

In <20090706132156.GF28641@...>
  "Re: [milter-greylist] [RFC] implementing taRgrey" on Mon, 6 Jul 2009 13:21:56 +0000,
  Emmanuel Dreyfus <manu@...> wrote:

> On Mon, Jul 06, 2009 at 09:20:44PM +0900, Kouhei Sutou wrote:
>> I want to use tarpitting as a condition.
> 
> That does not make sense for milter-greylist ACL, as a negative
> result cause ACL processing to stop there.

It seems that I omitted needed information. Sorry.

milter-greylist needs to keep a SMTP client information
whether it passed tarpitting before. Its behavior is similar
to greylisting.

Greylisting:

  The 1st try:
    client-X                 milter-greylist
               - connect ->
                             marks client-X as pending.
               <- reject -

  The 2nd try:
    client-X                 milter-greylist
              - connect ->
                             checks client-X whether it is in
                             the pending clients.
        <- accept client-X -
          by auto-whitelist

Tarpitting (as I am proposing):

 case1:
  The 1st try:
    client-X                 milter-greylist
               - connect ->
                             checks client-X whether it had
                             been tarpitted. -> NO
               <- tarpit -
           (still connected)
         - the next command ->
                             puts client-X into auto-whitelist.

  The 2nd try:
    client-X                 milter-greylist
              - connect ->
                             checks client-X whether it is in
                             the auto-whitelist.
        <- accept client-X -
          by auto-whitelist

 case2:
  The 1st try:
    client-X                 milter-greylist
               - connect ->
                             checks client-X whether it had
                             been tarpitted. -> NO
               <- tarpit -
           (disconnected)
                 - abort ->
                             puts client-X into greylist.

  The 2nd try:
    client-X                 milter-greylist
              - connect ->
                             checks client-X whether it had
                             been tarpitted. -> YES
                             checks client-X whether it is in
                             the greylist. -> YES
        <- accept client-X -
          by auto-whitelist
          because client-X
          passes greylisting.
          (This is the 2nd try
           of client-X)

The key point of the above examples, tarpitting is used as a
pre-condition whether we use greylisting or not. Tarpitting
isn't used as a stand-alone anti-spam technique. Using
tarpitting as a pre-condition, we can decrease false
negatives. (A SMTP client can be accepted if it passes
either tarpitting or greylisting, not both of them.)


This is the reason why I want to use tarpitting as a
condition. Should I create a new ACL class instead of
'tarpit' clause for it? Could you here your comment?

> That does not make sense for milter-greylist ACL, as a negative
> result cause ACL processing to stop there.

In 'The 2nd try' cases, we can use a negative result because
milter-greylist knows 'client-X' was tarpitted before.
Does this make sense?

>> We can't append another clauses after 'tarpit' clause. Is it
>> acceptable behavior?
> 
> I think that what we need here is a new ACL class. I have been thinking
> about it for a while: We have whitelist, greylist and blacklist, all of
> them stop ACL evualuation on match.
> 
> We need a continue ACL, that allows action clause to be fired whithout
> having to stop ACL evaluation there:
> 
> racl whitelist addr 127.0.0.0/8
> racl whitelist domain example.net
> racl continue tarpit 65s
> # if tarpit failed the client is not there anymore
> racl greylist delay 15m

Thanks for your new idea.
But I want to use 'greylist' if the client was failed
by tarpitting before... It's negative condition.


Thanks,
--
kou

Hi,

In <4A52878B.3030209@...>
  "Re: [milter-greylist] [RFC] implementing taRgrey" on Mon, 06 Jul 2009 19:23:55 -0400,
  Adam Katz <yegsa-yahoo@...> wrote:

> One important implementation note: if the connecting server drops the
> connection but then comes back later, the tarpit clock should have
> been counting from that first connection. (Otherwise, some
> noncompliant servers might never deliver mail.)

I want to rescue the servers by greylisting not tarpitting.

> After reading a bit on S25C, I'm quite dubious. No concrete data on
> false-positives is presented and the whitelist is MASSIVE.

Yes. S25R has some false positives. We need a whitelist when
we use S25R.

We can use S25R with greylisting to maintain our whitelist
automatically.

Here is a configuration to use S25R in milter-greylist:

  extendedregex
  racl greylist domain /^\[.+\]$/ msg "S25R rule 0"
  racl greylist domain /^[^.]*[0-9][^0-9.]+[0-9].*\./ msg "S25R rule 1"
  racl greylist domain /^[^.]*[0-9][0-9][0-9][0-9][0-9]/ msg "S25R rule 2"
  racl greylist domain /^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/ msg "S25R rule 3"
  racl greylist domain /^[^.]*[0-9]\.[^.]*[0-9]-[0-9]/ msg "S25R rule 4"
  racl greylist domain /^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\./ msg "S25R rule 5"
  racl greylist domain /^(dhcp|dialup|ppp|[achrsvx]?dsl)[^.]*[0-9]/ msg "S25R rule 6"



>                                                            I've
> implemented S25C in SpamAssassin with near-zero scores to see what
> kind of impact it would have on my servers, but I doubt it will prove
> useful (since SA fires after greylisting).

S25R detects most of spam-bots and greylisting also detects
(and rejects) most of spam-bots. SpamAssassin will not
receive mails that can be detected by S25R.


> I suspect the "botnet" plugin for SpamAssassin is far more
> comprehensive, and I've already decided not to use it thanks to the
> fact that greylisting's main function is combating botnets. The same
> will probably go for S25R.

S25R is very lightweight because it just uses only 7 regular
expressions. It seems that it's reasonable solution at the
first filter. We will use other comprehensive filters (that
may be heavy rather than S25R) for mails that they are
passed S25R (+ greylisting) check.


> Implementing S25R within milter-greylist once the tarpitting
> functionality is present should prove trivial, so I see no need to
> implement a "targrey" clause.

We doesn't need new codes for S25R because we can use S25R
with the current milter-greylist as I show in the above. :-)


Thanks,
--
kou

On Mon, 6 Jul 2009, Adam Katz wrote:
>
> One more note on tarpitting:  the full-on implementation is actually
> that of a connection throttle; traffic is let through very very
> slowly.  The idea of pausing often accomplishes the same thing, but
> it's easily interpreted as a lost connection.  A good tarpit
> implementation would actually have variable dynamic throttle rates (or
> at least several bandwidth thresholds), and no tarpit mechanism should
> throttle longer than 300-500 seconds (see above linked image).

It seems like this makes your server susceptible to DOS.  It also 
assumes that the bots are implemented well and will sever slow 
connections.

Bob
--
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

I wrote:
>> One more note on tarpitting:  the full-on implementation is
>> actually that of a connection throttle; traffic is let through
>> very very slowly.  The idea of pausing often accomplishes the
>> same thing, but it's easily interpreted as a lost connection.

Bob Friesenhahn wrote:
> It seems like this makes your server susceptible to DOS.

If you don't have a hard connection rate throttle, you are correct.
http://www.acme.com/mail_filtering/sendmail_config.html (as referenced
in my previous email) has some good tips on that.

> It also assumes that the bots are implemented well and will sever
> slow connections.

Please refer to http://mailchannels.com/images/drop-off.png (also in
my last email), which uses Spamhaus data to prove that assumption.
More to the point, 500 seconds is enough time for the connection to be
severed, which is far less than the typical greylisting delay time.

On Tue, 7 Jul 2009, Adam Katz wrote:
>
> Bob Friesenhahn wrote:
>> It seems like this makes your server susceptible to DOS.
>
> If you don't have a hard connection rate throttle, you are correct.
> http://www.acme.com/mail_filtering/sendmail_config.html (as referenced
> in my previous email) has some good tips on that.

If you are talking about CONNECTION_RATE_THROTTLE, then this is just 
playing into the hands of someone who intends to cause DOS.  By making 
the server more resistent to those who intend to send spam, you make 
your mail server easier to block entirely, just like the kids who 
punch all the buttons on the elevator as they step out the door.

>> It also assumes that the bots are implemented well and will sever
>> slow connections.
>
> Please refer to http://mailchannels.com/images/drop-off.png (also in
> my last email), which uses Spamhaus data to prove that assumption.
> More to the point, 500 seconds is enough time for the connection to be
> severed, which is far less than the typical greylisting delay time.

This chart only summarizes current behavior.  It does not prove 
anything.  If many mail servers start to slow the connections, then 
the sbambots will respond by extending the allowed connection times. 
Spammers have more resources available than you do.

Bob
--
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

I wrote:
>> One important implementation note: if the connecting server drops
>> the connection but then comes back later, the tarpit clock should
>> have been counting from that first connection. (Otherwise, some 
>> noncompliant servers might never deliver mail.)

Kouhei Sutou wrote:
> I want to rescue the servers by greylisting not tarpitting.

Eh?  Define "rescue" here...  If we offer a tarpit action, it has to
play well with the greylist action, even if you do not intend to use
tarpitting (in which case, I wonder why you suggested it).

>> After reading a bit on S25C, I'm quite dubious. No concrete data
>> on false-positives is presented and the whitelist is MASSIVE.
> 
> Yes. S25R has some false positives. We need a whitelist when we use
> S25R.
> 
> We can use S25R with greylisting to maintain our whitelist 
> automatically.

Perhaps if you use lazyaw, but even with that, massive mailers like
hotmail won't get properly whitelisted.  To somebody trying to limit
the negative impact of greylisting, this mandates whitelisting.

> Here is a configuration to use S25R in milter-greylist:
> 
>   extendedregex
>   racl greylist domain /^\[.+\]$/ msg "S25R rule 0"
>   racl greylist domain /^[^.]*[0-9][^0-9.]+[0-9].*\./ msg "S25R rule 1"
>   racl greylist domain /^[^.]*[0-9][0-9][0-9][0-9][0-9]/ msg "S25R rule 2"
>   racl greylist domain /^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z]/ msg "S25R rule 3"
>   racl greylist domain /^[^.]*[0-9]\.[^.]*[0-9]-[0-9]/ msg "S25R rule 4"
>   racl greylist domain /^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\./ msg "S25R rule 5"
>   racl greylist domain /^(dhcp|dialup|ppp|[achrsvx]?dsl)[^.]*[0-9]/ msg "S25R rule 6"

Rule 0 is commonly hit by legit servers, so it will contain a large
number of false positives.  I would not recommend using it.  As to the
provided statistics, they are stale (April 2004) and insignificant
(only 567 IPs observed).  Because the paper's implementation blocked
rather than greylisted, false-positive rates cannot be determined.

The paper's stats show rules 4-6 are almost completely useless; rules
4 and 5 blocked 1.2% messages together and rule 6 failed to get even
0.1%, while rule 3 (the worst of remaining rules) blocked 6.5%.

For such broad-sweeping "high impact" rules, I see untested methods
which vary from too many false positives to too few hits.

>> I've implemented S25C in SpamAssassin with near-zero scores to
>> see what kind of impact it would have on my servers, but I doubt
>> it will prove useful (since SA fires after greylisting).
> 
> S25R detects most of spam-bots and greylisting also detects (and
> rejects) most of spam-bots. SpamAssassin will not receive mails
> that can be detected by S25R.

Sorry, I thought the last part of my above quoted sentence explained
that.  However, don't forget that botnets sometimes survive
greylisting or find their way onto whitelists like DNSWL (which is
becoming quite common).

Sure enough, I have results after less than a day.  In the following
table, I show hits as a ratio against of all spamassassin-scanned mail
(after passing or bypassing greylisting), then what percent of those
hits would have become marked at various thresholds.  I reject mail at
8+ points and mark mail at 5+ points, so the table has results for
scoring each rule at 3.0, 2.0, and 1.0 points. 2500 emails were
included in these stats.

So S25R rule 1 hit 12.0% of the SA-scanned mails.  If scored 3.0, 4.1%
more of those hits would have been marked as spam and 21.5% would have
been rejected.  If scored 2.0, 2.9% more of the hits would have been
marked and 14.6% would have been rejected, etc.

S25R   total      --- 3.0 ---       --- 2.0 ---       --- 1.0 ---
rule    hits      mark   block      mark   block      mark   block
 0      6.7%      zero    3.6%      zero    2.8%      zero    2.1%
 1     12.0%      4.1%   21.5%      2.9%   14.6%      0.3%    2.3%
 2      2.1%      0.8%    2.3%      0.2%    1.5%      0.0%    zero
 3      1.9%      0.4%    zero      0.0%    zero      0.0%    zero
 4      0.8%      zero    zero      zero    zero      zero    zero
 5      1.0%      zero    zero      zero    zero      zero    zero
 6      0.0%      zero    zero      zero    zero      zero    zero


My data agrees with the paper's numbers, suggesting rules 4-6 are
almost completely useless.  Of course, this makes me wonder about the
thoroughness of the paper and how much we should really trust it...

>> I suspect the "botnet" plugin for SpamAssassin is far more
>> comprehensive, and I've already decided not to use it thanks to the
>> fact that greylisting's main function is combating botnets. The same
>> will probably go for S25R.
> 
> S25R is very lightweight because it just uses only 7 regular
> expressions. It seems that it's reasonable solution at the
> first filter. We will use other comprehensive filters (that
> may be heavy rather than S25R) for mails that they are
> passed S25R (+ greylisting) check.

"only 7 regular expressions" though it should be obvious that rules 0,
4, 5, and 6 are poor quality ... which makes it "only 3" regexps, with
no data suggesting any degree of accuracy.  SpamAssassin's RDNS_NONE
is identical to S25R rule 0.  SpamAssassin's RDNS_DYNAMIC has a huge
overlap with the rest of S25R's rules.  Mass-check stats for these
tests are available:
http://ruleqa.spamassassin.org/week/RDNS_NONE/detail
http://ruleqa.spamassassin.org/week/RDNS_DYNAMIC/detail

While RDNS_NONE and RDNS_DYNAMIC both default to scores of 0.1, I
rescore them as 0.9 and 0.4 respectively.

>> Implementing S25R within milter-greylist once the tarpitting
>> functionality is present should prove trivial, so I see no need to
>> implement a "targrey" clause.
> 
> We doesn't need new codes for S25R because we can use S25R
> with the current milter-greylist as I show in the above. :-)

Then we agree on that issue; those two paragraphs say the same thing.

Bob Friesenhahn wrote:
> If you are talking about CONNECTION_RATE_THROTTLE, then this is just 
> playing into the hands of someone who intends to cause DOS.  By making 
> the server more resistent to those who intend to send spam, you make 
> your mail server easier to block entirely, just like the kids who 
> punch all the buttons on the elevator as they step out the door.

Hrm, interesting; I thought that was per IP.

>>> It also assumes that the bots are implemented well and will sever
>>> slow connections.
>> Please refer to http://mailchannels.com/images/drop-off.png (also in
>> my last email), which uses Spamhaus data to prove that assumption.
>> More to the point, 500 seconds is enough time for the connection to be
>> severed, which is far less than the typical greylisting delay time.
> 
> This chart only summarizes current behavior.  It does not prove 
> anything.  If many mail servers start to slow the connections, then 
> the sbambots will respond by extending the allowed connection times. 
> Spammers have more resources available than you do.

Right, it doesn't predict the future.  All it does is sum up the past.
 It's probably a safe assumption that the future will have smarter
bots, and smarter should in this case refer to aborting more readily
(time is money).

Allow me to apply your exact argument to greylisting:  "If many mail
servers start to greylist, then the spambots will respond by
implementing reconnection attempts."  Yet here you are on a
greylisting mailing list.

Spam fighting is an arms race.  When new tricks come about on either
side, the other side compensates.  That's just how it works.

The nice thing about greylisting and tarpitting is that they create
mandatory delays, which means that the number of spams a zombie can
blast out is drastically reduced.  It means that honeynets and other
indices can use this delay to do their work and publish their data in
time for the real-world recipients.

Other tricks like improperly faked email browser identification can
easily be fixed by attentive spambot programmers, but that just isn't
the case.  Most spammers aren't thorough enough to do it, and the
spammers' tools don't propagate from writers to users very
efficiently, so this is a race that we can (and do) consistently win.

My favorite example of an easily defeated anti-spam measure is
nolisting, as it's trivial to set up (it's just two DNS entries; no
software needed) and far safer to deploy than greylisting.  Spammers
don't evade uncommon techniques like nolisting and greylisting until
they are common, which arguably won't happen for either.

Fighting tarpits is quite nontrivial given its required sacrifice in
volume (since spam's profitability is something like one in a few
million emails, volume is EVERYTHING).  Tarpitting and greylisting
imply good protection which implies savvy users; even if you get
through whatever further spam-fighting measures remain, the users
aren't as likely to be suckers, so it's better to search for suckers
elsewhere.  The best target for spam is the non-technical end-user of
webmail or ISP-provided mail.