
Re: We need an IETF BCP for GREY LISTING



On Tue, Oct 11, 2011 at 08:06:16AM -0400, Keith Moore wrote:
> I'm not sure that it's worth the trouble.   The whole point of
> greylisting is to marginalize naive client implementations on the
> assumption (largely valid to this point) that they're likely to
> be spambots.   But I expect that spambots will start to deal with
> greylisting very soon.  If IETF were to document greylisting it would
> only accelerate that process.

I don't think documenting greylisting will accelerate the
(already-underway) process of spammer adaptation.  I think the prime
mover there is the adoption rate of greylisting.  This isn't unique
to greylisting -- we've seen spammers adapt to other countermeasures
when they've (apparently) judged that those measures are sufficiently
widely-used to merit their attention and effort.

On the other hand, it's not clear to me what benefit we could achieve
by doing so.  That is, I'm not sure I see many instances of greylisting
implementations behaving badly -- thus, potentially benefitting from
a document that would give some guidance.  I think that most of the ones
I've observed are doing a reasonable (if, perhaps, sometimes annoying
or inconvenient) job of deferring mail traffic for a sensible length
of time.  Are others' logs reflecting a different picture?

---rsk