Re: [ietf-smtp] [Emailcore] Status of Greylisting (i'd wish MessageID were part of SMTP prologue)

John Levine <johnl@taugh.com> Fri, 07 January 2022 23:08 UTC

Date: Fri, 07 Jan 2022 18:07:52 -0500
Message-Id: <20220107230754.85D9634669D5@ary.qy>
From: John Levine <johnl@taugh.com>
To: ietf-smtp@ietf.org
Cc: steffen@sdaoden.eu
In-Reply-To: <20220107175151.XI1dU%steffen@sdaoden.eu>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/uYTQQfPaW0s5WtZwzbv3lc8gkp8>
Subject: Re: [ietf-smtp] [Emailcore] Status of Greylisting (i'd wish MessageID were part of SMTP prologue)

It appears that Steffen Nurpmeso  <steffen@sdaoden.eu> said:
>doable, but i do see very much different behaviour, for example by
>NetBSD.org, with multiple deferrals and short-time whitelisting.

I have seen strange implementations of greylisting like this. When
I've asked people what the point of all of the extra delay is, the
most coherent answer I've gotten is that if they delay the mail and
it's spam, the IP might have gotten added to a DNSBL by the time they
retry. Of course, if that is what they really want, they should put
the incoming mail into a queue, wait a half hour, and then recheck the
DNSBLs before delivering it. It seems like they believe that making
greylisting stricter will make mail more secure, for ill-defined
definitions of "more" and "secure."

I also think some of the thinking is stuck in the distant past
when consumer ISPs didn't block outgoing port 25 and it was
more common for mail to come from behind NATs.

>You know and that is what is so hard to believe.  Given that the
>concept is twenty years old and the standard becomes ten this
>year, wouldn't it make sense for a bot to simply try an address
>a second time after X minutes, if it has the time and space?

That's not how bot spamware works.  It's just about volume,
blasting mail out and not caring what happened to it.  To
retry you have to remember what you've sent and have some
sort of retry queue.  Naah, they have plenty of addresses,
they'll just send more spam.

>(falsely read the manual) that turned it into an open relay, and,
>i really should have kept the logs because it was so fascinating,
>one IP connected, and did nothing for several minutes, then
>another IP connected, and then they started sending mails
>simultaneously (how did they know??)

I see lots of botnets doing open relay scanning, with results
acted on quite fast.

R's,
John
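
An added sketch, not part of the original message, of the two policies discussed above: single-deferral greylisting, and holding accepted mail for half an hour before rechecking a DNSBL. The triplet key, `MIN_DELAY`, the function names, the sample addresses and the sample DNSBL are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300   # assumed: seconds an unknown triplet must wait before a retry passes
HOLD_TIME = 1800  # the half-hour hold suggested in the message

@dataclass
class Greylist:
    """Plain greylisting: defer an unknown (IP, sender, recipient) triplet once."""
    first_seen: dict = field(default_factory=dict)

    def check(self, ip, mail_from, rcpt_to, now):
        key = (ip, mail_from.lower(), rcpt_to.lower())
        first = self.first_seen.setdefault(key, now)
        return 250 if now - first >= MIN_DELAY else 450  # 450 = temporary failure

def run_sender(attempt_times, retries):
    """Reply codes one sender sees; a fire-and-forget sender stops after one try."""
    gl, codes = Greylist(), []
    for t in attempt_times:
        codes.append(gl.check("192.0.2.10", "a@example.org", "b@example.net", t))
        if codes[-1] == 250 or not retries:
            break
    return codes

def hold_and_recheck(queue, dnsbl_listed, now):
    """Release held mail after HOLD_TIME, querying the DNSBL again at release time.

    queue holds (accepted_at, client_ip, msg_id); dnsbl_listed is callable(ip, now).
    Returns (delivered_ids, quarantined_ids, still_held_entries).
    """
    delivered, quarantined, held = [], [], []
    for accepted_at, ip, msg_id in queue:
        if now - accepted_at < HOLD_TIME:
            held.append((accepted_at, ip, msg_id))
        elif dnsbl_listed(ip, now):
            quarantined.append(msg_id)  # listed while the message sat in the queue
        else:
            delivered.append(msg_id)
    return delivered, quarantined, held

# Constructed DNSBL: 198.51.100.7 becomes listed 20 minutes after it starts sending.
def sample_dnsbl(ip, now):
    return ip == "198.51.100.7" and now >= 1200

# Constructed queue: two messages accepted at t=0, one at t=1000.
SAMPLE_QUEUE = [(0, "198.51.100.7", "m1"), (0, "192.0.2.10", "m2"),
                (1000, "192.0.2.10", "m3")]
```

A sender with a retry queue gets through after one deferral, while a sender that never retries is stopped by that single deferral. The hold queue catches the late DNSBL listing without depending on how the sender retries.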