Milter-greylist

--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> Joel Reicher <joel@...> wrote:
> 
> > OK, at least that addresses my concern for known mail farms, but the
> > larger part of my concern is for *unknown* mail farms. When mail first
> > arrives from them, it can be greylisted a very, very long time if the
> > maillog and greylist.db trawling isn't done often enough. I was hoping
> > making the greylisting facility SPF-aware would solve this.
> 
> If I understand correctly your idea, you want to do this:
> 
> if (spf) 
>         greylist (*, from, rcpt)
> else
>         greylist (addr, from, rcpt)
> 
> What happens if a spammert sends from a botnet with from addresses in a
> domain that has a ?all SPF record (ie: any host may send mail from the
> domain)? 
> 
> 

I beleive the answer is in two parts.

When a mail is recieved from a mail farm that has spl set up, instead of
using just that one ip number for the tuples in the db, use the spl ip
number list in the tuples so that when the same mail is resend from the
different ip but from the same mailfarm, greylist will treat it as the
same mail.

What about the spammers that use 0.0.0.0/0 ccdr(?), use a acl dnsrpl
check to get them before the acl spf check.

--Techwolf