Milter-greylist

At 15:13 4/05/2007, Michael Menge wrote:
>Hi
>
>weak greylisting is possible with the -L option or with subnetmatch in
>greylist.conf
>
>The reverse greylisting is not possible with milter-greylist as far as i know.
>I don't see the advantage form reverse greylisting over the
>subnetmatch (weak greylisting). Could you give us an example where
>reverse would be of use and a subnetmatch not?


I had considered using -L, and now that you raise it, I may look 
closer at it. The difference of course is that if you use -L 24, you 
accept a whole 'C class' block (ie 255 hosts). Most people won't have 
255 email servers, and if they do, they're probably not all stuck on 
the same 'subnet' or 'C class' network. Doing reverse lookups and all 
the IPs used by a cluster of email gateways for a large provider (ie 
google, yahoo etc) and they *should* all resolve back to the same domain.

Blindly accepting 255 hosts sounds less intelligent (to me) than 
blindly accepting from all IPs which resolve to the same domain 
(sending from the same address to the same address). Yes it opens up 
_possibilities_ for abuse, but how would someone who may have an IP 
address which resolves to the same domain as a real email server, 
know the sender address and recipient address of those real email 
servers? Once again, how many spammers or viruses send from the same address?

As it stands I am whitelisting everyone in our organisation who uses 
gmail to commuicate with the internal network. However, this is going 
to be a pain I think, as we experience fairly frequent changes in staffing.

Collin