Yahoo Groups archive

Milter-greylist


Re: [milter-greylist] Weak greylisting

2007-06-19 by Collin Baillie

At 15:13 4/05/2007, Michael Menge wrote:
>Hi
>
>weak greylisting is possible with the -L option or with subnetmatch in
>greylist.conf
>
>The reverse greylisting is not possible with milter-greylist as far as I know.
>I don't see the advantage from reverse greylisting over the
>subnetmatch (weak greylisting). Could you give us an example where
>reverse would be of use and a subnetmatch not?
>
>regards

Ok, after more experience with milter-greylist, I can agree that 
subnetmatch would work like weak greylisting.

However, weak greylisting (you may remember from reading the gps web 
page) is the last resort fallback for reverse greylisting failure.

Reverse greylisting is advantageous where (of course) a mail farm 
includes servers not on the same 'subnet'. Say I have a couple of 
servers 203.11.234.15, and 203.11.234.16 and I have 3 servers in 
64.117.82.98, 64.117.82.112 and 64.117.82.113, but they all resolve 
back to mail*.my-odd-domain.com. NO decent subnet match would work 
in this case, where reverse greylisting would. Of course, if I don't 
have the reverse lookup of those servers working, the _fallback_ to 
weak or subnet match greylisting would fail.

Right now (Milter greylist 3.1) I can do

acl whitelist domain my-odd-domain.com

and everything gets through without being greylisted. But what if 
this was a public ISP which sold broadband services, and a spammer 
bought bandwidth from them. Suddenly I'm faced with, either receiving 
spam straight in, or losing valid emails because the server farm is 
from a very diverse IP range.

If Milter-greylist had reverse greylisting, if 
person.a@... emails me (through the ISP's SMTP servers), 
their address, my address and the my-odd-domain.com triplet would be 
greylisted and eventually deliver. However if the spammer bulk emails 
me from his my-odd-domain.com broadband connection, the 
spammer@... address, my address and the my-odd-domain.com 
triplet would be greylisted, and effectively denied because his bulk 
email software performs true to form.

Reverse greylisting removes the need for (a) whitelisting domains, 
and (b) using a subnetmatch clause (unless the reverse lookup fails) 
and achieves fully functional greylisting not possible with any 
combination of whitelists/subnet matches.

Collin
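
The difference between the two triplet keys discussed in this message, as an added example that is not part of the original post and is not milter-greylist code. The PTR host names, the sender and recipient addresses, the 300-second delay and the /24 prefix are constructed assumptions; the IP addresses are the ones given in the message.

```python
import ipaddress

# Constructed reverse-DNS (PTR) data for the mail farm in the message; the
# host names are made up to fit the "mail*.my-odd-domain.com" pattern.
PTR = {
    "203.11.234.15": "mail1.my-odd-domain.com",
    "203.11.234.16": "mail2.my-odd-domain.com",
    "64.117.82.98": "mail3.my-odd-domain.com",
    "64.117.82.112": "mail4.my-odd-domain.com",
    "64.117.82.113": "mail5.my-odd-domain.com",
}

def subnet_key(ip, prefix=24):
    """Weak greylisting: identify the client by its enclosing subnet."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def reverse_key(ip, ptr=PTR):
    """Reverse greylisting: identify the client by the domain of its PTR
    name, falling back to the subnet key when the reverse lookup fails."""
    host = ptr.get(ip)
    if host is None:
        return subnet_key(ip)
    # Assumption: the domain is the last two labels of the host name; a
    # real implementation would need a public-suffix list here.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class Greylist:
    def __init__(self, keyfunc, delay=300):
        self.keyfunc, self.delay, self.first_seen = keyfunc, delay, {}

    def check(self, ip, sender, rcpt, now):
        """Tempfail a triplet until `delay` seconds after it was first seen."""
        triplet = (self.keyfunc(ip), sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(triplet, now)
        return "accept" if now - first >= self.delay else "tempfail"

def simulate(keyfunc):
    """One message, retried from a different farm host on each attempt."""
    gl = Greylist(keyfunc)
    addrs = ("person.a@example.org", "me@example.net")  # constructed
    return [gl.check("203.11.234.15", *addrs, now=0),
            gl.check("64.117.82.98", *addrs, now=600),
            gl.check("64.117.82.113", *addrs, now=1200)]
```

With the subnet key the retry from the second address block starts a new triplet and is deferred again; with the reverse key all five hosts share one triplet, and a client that never retries stays at "tempfail" under either key. PTR names are set by whoever controls the address block, so a key derived from them is only as trustworthy as that lookup.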
