How spammers seem to be coping with greylisting

July 29, 2005

I have a machine (my Debian Woody machine) that has far less aggressive antispam defenses than anything else (as a result of an old and incapable mailer that is the Debian Woody default). As a result, I get to see an interesting view of some current spammer methods, more or less live and unfiltered.

One of the interesting things is that when email addresses on this machine get spammed, they usually get several copies of the same message, all from the same origin address and the same machine.
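The observation above can be checked mechanically against a mail log. The following is an added example, not code from the original post: it parses a few constructed log lines (in a made-up one-line-per-delivery format, not any real mailer's format), groups deliveries by the (client IP, MAIL FROM, RCPT TO) triplet, and reports runs of copies that arrived within a few minutes of each other. It also tallies HELO names, since a single dominant HELO such as `localhost` is the other hint in the post that one piece of spamware is responsible. The window and minimum-copies thresholds are assumptions to tune against real logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, in an invented format (timestamp, client IP, HELO,
# envelope sender, envelope recipient).  Addresses are documentation ranges.
SAMPLE_LOG = """\
2005-07-29T10:02:11 ip=192.0.2.10 helo=localhost from=<a@example.org> to=<user@example.com>
2005-07-29T10:04:40 ip=192.0.2.10 helo=localhost from=<a@example.org> to=<user@example.com>
2005-07-29T10:07:05 ip=192.0.2.10 helo=localhost from=<a@example.org> to=<user@example.com>
2005-07-29T11:30:00 ip=198.51.100.7 helo=mail.example.net from=<b@example.net> to=<user@example.com>
2005-07-29T14:15:00 ip=192.0.2.10 helo=localhost from=<a@example.org> to=<user@example.com>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) helo=(?P<helo>\S+) "
    r"from=<(?P<frm>[^>]*)> to=<(?P<to>[^>]*)>$"
)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield {
            "ts": datetime.fromisoformat(m["ts"]),
            "ip": m["ip"],
            "helo": m["helo"],
            "frm": m["frm"],
            "to": m["to"],
        }


def find_bursts(entries, window=600, min_copies=2):
    """Return (triplet, copies, span_seconds) for every run of deliveries of
    the same (ip, MAIL FROM, RCPT TO) triplet where each copy arrived within
    `window` seconds of the previous one and the run has >= min_copies."""
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["ip"], e["frm"], e["to"])].append(e["ts"])

    bursts = []
    for key, times in by_key.items():
        times.sort()
        run = [times[0]]
        for t in times[1:]:
            if (t - run[-1]).total_seconds() <= window:
                run.append(t)
            else:
                if len(run) >= min_copies:
                    bursts.append((key, len(run), (run[-1] - run[0]).total_seconds()))
                run = [t]
        if len(run) >= min_copies:
            bursts.append((key, len(run), (run[-1] - run[0]).total_seconds()))
    return bursts


def helo_counts(entries):
    """How often each HELO name appears; one dominant odd name is a tell."""
    return Counter(e["helo"] for e in entries)


if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    for key, n, span in find_bursts(entries):
        print(f"{n} copies in {span:.0f}s from ip={key[0]} from=<{key[1]}> to=<{key[2]}>")
    print(helo_counts(entries))
```

On the constructed sample this reports one burst of three copies spanning 294 seconds from the `localhost` sender, while the later afternoon delivery from the same triplet is far enough away not to be counted. The afternoon copy shows why the gap-to-previous test matters: a plain per-day count would lump it in with the morning run.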

My current theory is that this is an anti-greylisting technique. Rather than implement actual retry logic in their spamware, the spammers just program it to send the same message repeatedly, a few minutes apart. If there is greylisting, the last copy might work; if there is no greylisting, who cares about the recipient getting a few more copies? It's not like it costs the spammer anything.

(Interestingly, that machine's reject log shows that refused connections happen in close succession. I don't have any current trapped spam to check the timestamps on spam that got through, so it may be that this is a technique that will only work on greylisting that has a very short waiting time.)
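To make the "last copy might work" reasoning and the waiting-time caveat concrete, here is an added toy model, not code from the post: a classic triplet greylister that tempfails the first attempt for a (client IP, MAIL FROM, RCPT TO) triplet and accepts once a configurable minimum delay has elapsed, run against a sender that blindly re-sends the same message a fixed number of times a fixed gap apart, and against a proper MTA that retries after its queue interval. Entry expiry and auto-whitelisting are left out; the delay values are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Greylister:
    """Minimal triplet greylister: first sight of a triplet is tempfailed,
    any attempt at least `min_delay` seconds after first sight is accepted."""
    min_delay: int
    seen: dict = field(default_factory=dict)  # triplet -> time first seen

    def check(self, ip, mail_from, rcpt_to, now):
        key = (ip, mail_from, rcpt_to)
        first = self.seen.get(key)
        if first is None:
            self.seen[key] = now
            return "tempfail"
        return "accept" if now - first >= self.min_delay else "tempfail"


def blind_resend(gl, ip, mail_from, rcpt_to, copies, gap, start=0):
    """The spamware strategy described in the post: send the same message
    `copies` times, `gap` seconds apart, never looking at the response."""
    return [gl.check(ip, mail_from, rcpt_to, start + i * gap) for i in range(copies)]


def retrying_mta(gl, ip, mail_from, rcpt_to, retry_after=900, start=0):
    """A real MTA: one attempt, and on tempfail one retry after its queue
    interval (15 minutes is a common default; assumed here)."""
    results = [gl.check(ip, mail_from, rcpt_to, start)]
    if results[0] == "tempfail":
        results.append(gl.check(ip, mail_from, rcpt_to, start + retry_after))
    return results


def delivered_copies(results):
    return sum(1 for r in results if r == "accept")


def burst_gets_through(min_delay, copies, gap):
    """True if a blind burst lands at least one copy: the last copy is sent
    (copies - 1) * gap seconds after the first."""
    return delivered_copies(
        blind_resend(Greylister(min_delay), "192.0.2.10", "a@example.org",
                     "user@example.com", copies, gap)
    ) > 0


if __name__ == "__main__":
    for delay in (60, 300, 900):
        print(f"min_delay={delay:>4}s: 3 copies 2 min apart ->",
              "gets through" if burst_gets_through(delay, 3, 120) else "blocked",
              "| real MTA ->",
              retrying_mta(Greylister(delay), "198.51.100.7", "b@example.net",
                           "user@example.com"))
```

The sweep shows the trade-off the post's caveat points at: with a 60-second delay the burst lands two of its three copies, with a 5-minute delay the whole burst is tempfailed while a normal MTA's 15-minute retry still succeeds, and only the spammer's own spacing times copy count, not the number of copies alone, decides which side of the line a given greylisting delay falls on.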

I believe this machine is only getting spammed by one spammer group or one spammer software, because almost all of the SMTP sessions that deliver spam use the HELO name of 'localhost'. This HELO name is vanishingly rare in the SMTP logs of my other machines.

There is probably an interesting yet depressing research paper to be written on the spammer ecology, covering things like what spamware gets used by whom and with what address lists. For example, the recent spam storm seems to have used an email address list that was hugely heavy on very old addresses, and since my Debian machine was untouched by it, that list may not have included any relatively recent addresses.

Comments on this page:

From at 2005-07-30 00:16:49:

I don't tend to believe that this is a response to greylisting, I think it's more likely to be a symptom of badly written zombie control software or simply duplicates in address lists. I've been getting many copies of a given spam in short succession from separate sources since significantly before greylisting was introduced. The economics of spamming really doesn't give the spammers and the programmers developing their tools any incentive to clean it up.

Jonathan Conway

By cks at 2005-08-02 15:56:56:

The reason I think this isn't just badly written spamware is that the repeats look like the same spam run: same IP address, same MAIL FROM: and so on, and in close succession (often without any other addresses on the same machine in between). It could still be duplicate addresses, but if the spammers are going to sort their address lists to start with I'm surprised that they don't also drop duplicates.

I do also see what looks like duplicates from different IP addresses, which I usually attribute to address dups, bad spamware, or spammers just going for redundancy in case one IP address is blocked and another isn't.

(Sorry for the delay in replying. Long weekends make me lethargic.)

Written on 29 July 2005.


Last modified: Fri Jul 29 17:05:07 2005
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.