
Saturday, July 9, 2011

Greylisting before greylisting

I used to spend a lot of time just watching logs scroll by for one of my sysadmin jobs. It was probably most of what I did there, since everything else I used to do by hand had been replaced by a small script, program, or some combination of the two. These scripts were handy, but they still weren't up to the point of noticing patterns and creating new helpers to solve some new problem. That's where I come in.

I started seeing patterns in the incoming mail logs. Some host in the middle of nowhere that did not seem to be a mail server would connect and spew spam at us. Then it would never be heard from again. Others would connect and start doing dictionary attacks, trying to suss out which usernames were valid based on what sort of response came back. I didn't want that info to leak.

It looked like I needed to add some new behavior to my mail server. The first time someone comes around trying to deliver mail, play dumb. It would throw back a 4xx series response, like "421 Disk full". The sender would just have to try back later.

Nearly all real mail servers would retry, and nearly all open proxy hijackers would not, so this was a wonderful signal for stopping badness. There were a few "real" mail servers which did not retry on 4xx (something by Lotus comes to mind...), and probably a few open proxies which got lucky, but as far as most people were concerned, it Just Worked.
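The first-contact defer and retry check described above, written out as an added example (this is not the post's own code, and the post's original was never released). It keys on the (client IP, envelope sender, envelope recipient) triplet that later greylisting implementations settled on, temp-fails the first contact, and only accepts once the same triplet comes back after a minimum delay. The delay, expiry, addresses and the replayed scenario are all constructed values. It answers with a 450 instead of the post's "421 Disk full", because 421 also tells the peer the connection is being closed. It also covers the username-leak point from earlier in the post: on first contact, valid and invalid recipients get the identical reply, so a host that probes once and never retries learns nothing.

```python
"""Minimal greylisting decision logic (added example, not the post's code).

A (client IP, envelope sender, envelope recipient) triplet is temp-failed
with a 4xx on first contact and only accepted once the sender retries
after a minimum delay. One-shot spam hosts never come back; real MTAs do.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed policy values; tune for the site.
MIN_RETRY_DELAY = 300        # seconds before a retry is honoured
ENTRY_EXPIRY = 4 * 3600      # forget a triplet never retried within this window
TEMPFAIL = "450 4.7.1 Greylisted, please try again later"


@dataclass
class Greylist:
    local_users: set[str]                      # mailboxes this server accepts
    min_delay: int = MIN_RETRY_DELAY
    expiry: int = ENTRY_EXPIRY
    pending: dict[tuple, float] = field(default_factory=dict)  # triplet -> first seen
    passed: set[tuple] = field(default_factory=set)            # triplets cleared

    def rcpt_response(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Return the SMTP reply for a RCPT TO, given the current time in seconds."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key not in self.passed:
            first = self.pending.get(key)
            if first is None or now - first > self.expiry:
                # First contact (or a stale entry): play dumb. The reply is
                # identical for valid and invalid recipients, so a dictionary
                # attack that never retries learns nothing about usernames.
                self.pending[key] = now
                return TEMPFAIL
            if now - first < self.min_delay:
                # Retried too quickly: keep deferring.
                return TEMPFAIL
            # Sender waited and came back: it behaves like a real MTA.
            self.passed.add(key)
            del self.pending[key]
        # Only a retrying sender ever sees the real accept/reject decision.
        if rcpt_to.lower() in self.local_users:
            return "250 2.1.5 OK"
        return "550 5.1.1 No such user"


def replay(greylist: Greylist, attempts: list[tuple[float, str, str, str]]) -> list[str]:
    """Feed a constructed sequence of (time, ip, mail_from, rcpt_to) attempts through the greylist."""
    return [greylist.rcpt_response(ip, frm, rcpt, t) for t, ip, frm, rcpt in attempts]


# Constructed scenario: a real MTA retries after 10 minutes; a spam relay and a
# username-guessing host each try once and never return.
SCENARIO = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.com"),    # real MTA, 1st try
    (5,    "198.51.100.7", "x@spam.invalid",    "bob@example.com"),    # one-shot relay
    (6,    "203.0.113.9",  "a@guess.invalid",   "bob@example.com"),    # guesser, real user
    (7,    "203.0.113.9",  "a@guess.invalid",   "nobody@example.com"), # guesser, bogus user
    (600,  "192.0.2.10",   "alice@example.org", "bob@example.com"),    # real MTA retries
]

if __name__ == "__main__":
    gl = Greylist(local_users={"bob@example.com"})
    for attempt, reply in zip(SCENARIO, replay(gl, SCENARIO)):
        print(f"t={attempt[0]:>4} {attempt[1]:<13} {attempt[3]:<19} -> {reply}")
```

In the replay, the guesser's two probes get the same 450 whether or not the mailbox exists; only the sender that waits out the delay and retries ever reaches the 250/550 decision. The expiry window handles the other failure mode the post hints at: a sender that drops in once and is never seen again should not leave a permanent entry that later lets an unrelated retry through.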

I was pretty proud of this, but I didn't want it to be well known, since it would just lead to an arms race. I used it for my own mail servers and those where I worked, but never released it to the world. Naturally, about a year later, someone posted this whole thing about "greylisting" to Slashdot, and that was it. The cat was out of the bag.

Given that it's now been 10 years since my original idea was hatched and that I'm no longer relying on it, I figured it was time to talk about these things at last. Anyone who was ever going to figure out a way around this kind of stuff would have done it by now.


January 3, 2012: This post has an update.