Re: Decrease in Threats?

On 1/27/06, Bill Borton <bborton@conwin.com> wrote:
> One of my mail servers that was getting 15,000 - 20,000 inbound
> infected messages a month was also getting pounded by spam.
> I an attempt to mitigate the spam I implemented "Greylisting".
> It's working very well for that site.  I don't have hard numbers
> available at the moment, but I guesstimate that it took spam
> down by about %90.

Greylisting works OK at the moment as spammers have no need to go
around it. But, you can be sure that once greylisting reaches critical
level of deployment, spammers will go around it very easy (basically
they just have to modify their applications).

One other problem of greylisting is that it will inevitably delay some
of your legitimate e-mail. If you can live with that, it's fine, but
some environments can't afford it. The problem today is that users
think that e-mail is "instant", while it's actually a store and
forward mechanism that does best effort and doesn't guarantee
anything. I had multiple cases of users on our campus complaining
about how slow e-mail is (when it took 5 minutes to deliver something
because the gateway was flooded). Imagine delay of 4 hours ...
I talked briefly about this on last AusCERT, search the CISSP forum
archives for the presentation if you want to download it.

Cheers,

Bojan