2005-07-29
How spammers seem to be coping with greylisting
I have a machine (my Debian Woody machine) that has far less aggressive antispam defenses than anything else (as a result of an old and incapable mailer that is the Debian Woody default). As a result, I get to see an interesting view of some current spammer methods, more or less live and unfiltered.
One of the interesting things is that when email addresses on this machine get spammed, they usually get several copies of the same message, all from the same origin address and the same machine.
My current theory is that this is an anti-greylisting technique. Rather than implement actual retry logic in their spamware, the spammers just program it to send the same message repeatedly, a few minutes apart. If there is greylisting, the last copy might work; if there is no greylisting, who cares about the recipient getting a few more copies? It's not like it costs the spammer anything.
(Interestingly, that machine's reject log shows that refused connections happen in close succession. I don't have any current trapped spam to check the timestamps on spam that got through, so it may be that this is a technique that will only work on greylisting that has a very short waiting time.)
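The interaction between the "send it several times, a few minutes apart" trick and the greylist waiting time can be made concrete with a small simulation. The code below is an added example, not anything from the original post: it models a greylister that tempfails a new (client IP, envelope sender, recipient) triplet and accepts a retry only once the configured waiting time has elapsed, then feeds it two constructed attempt sequences, a spammer sending the same message four times two minutes apart and a well-behaved MTA retrying after a fifteen-minute queue interval. The addresses, IPs and timings are all made up for the example.

```python
"""Toy greylisting simulation (added example, not code from the original post).

A greylister tempfails the first delivery attempt for a new
(client IP, envelope sender, recipient) triplet and accepts a retry only
once a configured waiting time has elapsed since that first attempt.
The attempt sequences below are constructed sample data, not real logs.
"""
from collections import defaultdict

# Constructed attempts: (seconds since log start, client IP, sender, recipient).
# A spammer blasting the same message repeatedly, two minutes apart.
SPAMMER_RUN = [
    (0,   "192.0.2.10", "a@example.net", "user@example.org"),
    (120, "192.0.2.10", "a@example.net", "user@example.org"),
    (240, "192.0.2.10", "a@example.net", "user@example.org"),
    (360, "192.0.2.10", "a@example.net", "user@example.org"),
]
# A well-behaved MTA: one attempt, then a retry after its queue interval.
LEGIT_RUN = [
    (0,   "198.51.100.5", "b@example.com", "user@example.org"),
    (900, "198.51.100.5", "b@example.com", "user@example.org"),
]


def greylist(attempts, delay):
    """Return a list of (time, triplet, decision) for each attempt.

    `delay` is the greylist waiting time in seconds.  An attempt is accepted
    when at least `delay` seconds have passed since its triplet was first
    seen; otherwise it is tempfailed (4xx) and the sender must retry.
    """
    first_seen = {}
    decisions = []
    for t, ip, sender, rcpt in attempts:
        key = (ip, sender, rcpt)
        if key not in first_seen:
            first_seen[key] = t
            decisions.append((t, key, "tempfail"))
        elif t - first_seen[key] >= delay:
            decisions.append((t, key, "accept"))
        else:
            decisions.append((t, key, "tempfail"))
    return decisions


def accepted_copies(attempts, delay):
    """How many copies of the message get through for a given waiting time."""
    return sum(1 for _, _, d in greylist(attempts, delay) if d == "accept")


def repeat_gaps(attempts):
    """Seconds between successive attempts for the same triplet.

    Rapid, evenly spaced repeats from one origin are the pattern the post
    describes; a real MTA's retries are spaced by its queue run interval.
    """
    seen = defaultdict(list)
    for t, ip, sender, rcpt in attempts:
        seen[(ip, sender, rcpt)].append(t)
    return {k: [b - a for a, b in zip(ts, ts[1:])] for k, ts in seen.items()}


if __name__ == "__main__":
    for delay in (60, 300, 600):
        print(f"waiting time {delay:>4}s: spam copies accepted = "
              f"{accepted_copies(SPAMMER_RUN, delay)}, "
              f"legit accepted = {accepted_copies(LEGIT_RUN, delay)}")
    print("spammer repeat spacing:", repeat_gaps(SPAMMER_RUN))
```

With a one-minute waiting time the spammer's second, third and fourth copies are all accepted; with a ten-minute waiting time none of the four copies gets through, while the legitimate MTA's fifteen-minute retry is accepted either way. That is the trade-off the post points at: the repeat trick only beats greylisters whose waiting time is shorter than the span of the spammer's repeats.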
I believe this machine is only getting spammed by one spammer group or one spammer software, because almost all of the SMTP sessions that deliver spam use the HELO name of 'localhost'. This HELO name is vanishingly rare in the SMTP logs of my other machines.
There is probably an interesting yet depressing research paper to be written on the spammer ecology, covering things like what spamware gets used by whom and with what address lists. For example, the recent spam storm seems to have used an email address list that was hugely heavy on very old addresses, and since my Debian machine was untouched by it, it may not have been using any relatively recent ones.