Matthias Scheler wrote:
> On Thu, Aug 23, 2007 at 01:31:38PM +0200, Kai Schaetzl wrote:
>> And if it comes in via the second MX IP and the tuple is not already
>> known to the greylist db it must be a first attempt which is supposed to
>> come from a spammer.
>
> People tried that scheme in the past and it didn't work very well. Problems
> like intermittent routing problems cause too many false positives.

The idea is that if the 2 addresses are on the same physical interface, on the same subnet of the same machine, it should not be affected by intermittent routing problems (or you are probably in greater trouble than just false positives).

Moreover, integrating this in milter-greylist makes it possible to use its database to let messages matching the (auto-)whitelist get through even if they arrive on the address used as a spam trap, reducing even more the risk of false positives.

And greytrapping can be very dynamic. Blacklisting a bad IP for a small period (one hour or two) at a time is enough to be efficient. After this period, either you don't see it again, or it continues to attempt to deliver spam and gets blocked again, or it comes back with a "normal" activity -- so you had a false positive, but only lost the connection for a small period (too bad, but it's better than false positives in external DNSBLs that take days to be removed).

-- 
Matthieu Herrb
Re: {Disarmed} [milter-greylist] greytrapping
2007-08-24 by Matthieu Herrb
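The decision logic described in the message above, sketched as an added example; it is not code from the original post or from milter-greylist. The class, its fields, the one-hour TTL constant and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

TRAP_TTL = 3600  # seconds; assumed value, the message suggests "one hour or two"


@dataclass
class GreyTrap:
    """Hypothetical model of a greytrap sharing state with a greylist database."""
    trap_ip: str                                       # second MX address used as the trap
    whitelist: set = field(default_factory=set)        # stand-in for the (auto-)whitelist
    known: set = field(default_factory=set)            # tuples already in the greylist db
    blocked_until: dict = field(default_factory=dict)  # client IP -> block expiry time

    def decide(self, client_ip, sender, rcpt, local_ip, now):
        """Return 'accept', 'reject' or 'greylist' for one SMTP connection."""
        # Whitelisted clients get through even on the trap address.
        if client_ip in self.whitelist:
            return "accept"
        # A temporary block is honoured on every local address until it expires.
        if now < self.blocked_until.get(client_ip, 0):
            return "reject"
        self.blocked_until.pop(client_ip, None)  # drop an expired entry
        # Unknown tuple arriving on the trap address: block the client briefly.
        if local_ip == self.trap_ip and (client_ip, sender, rcpt) not in self.known:
            self.blocked_until[client_ip] = now + TRAP_TTL
            return "reject"
        # Everything else goes through ordinary greylisting.
        return "greylist"


def demo():
    """Replay constructed connections; each entry is the verdict at that step."""
    primary, trap = "192.0.2.25", "192.0.2.26"   # constructed MX addresses
    g = GreyTrap(trap_ip=trap, whitelist={"198.51.100.7"})
    g.known.add(("198.51.100.8", "a@example.org", "b@example.net"))
    msg = ("x@example.com", "b@example.net")
    return [
        g.decide("198.51.100.7", *msg, trap, 0),       # whitelisted, hits trap
        g.decide("198.51.100.8", "a@example.org", "b@example.net", trap, 0),  # known tuple
        g.decide("203.0.113.9", *msg, trap, 0),        # unknown, hits trap
        g.decide("203.0.113.9", *msg, primary, 1800),  # still blocked
        g.decide("203.0.113.9", *msg, primary, 3600),  # block expired
        g.decide("203.0.113.9", *msg, trap, 4000),     # hits trap again
    ]


if __name__ == "__main__":
    print(demo())
```

The short expiry is what bounds the cost of a false positive: the fifth connection is treated like any other sender once the hour has passed.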