Yahoo Groups archive

Milter-greylist

is this a DoS?

2004-05-26 by Jacques Beigbeder

Hello,

Last week, I installed milter-greylist for some email addresses.
Last night, the file /var/milter-greylist/greylist.db displays:

---------------------- Sample 1 -----------------------------------
[ .... ]
222.136.25.31             <virginia@...>    <xxxx.xxxxxxxx@...> 1085536020 # 2004-05-26 03:47:00
24.60.250.191                  <ssu@...>    <xxxx.xxxxxxxx@...> 1085536023 # 2004-05-26 03:47:03
24.98.118.46                  <derrek@...>    <xxxx.xxxxxxxx@...> 1085536025 # 2004-05-26 03:47:05
24.34.148.233                <sakti@...>    <xxxx.xxxxxxxx@...> 1085536029 # 2004-05-26 03:47:09
61.84.231.102                <gaoyuan@...>    <xxxx.xxxxxxxx@...> 1085536033 # 2004-05-26 03:47:13
61.249.203.23                   <icap@...>    <xxxx.xxxxxxxx@...> 1085536039 # 2004-05-26 03:47:19
4.7.50.95                  <randall@...>    <xxxx.xxxxxxxx@...> 1085536048 # 2004-05-26 03:47:28
65.24.194.20                <subhednu@...>    <xxxx.xxxxxxxx@...> 1085536050 # 2004-05-26 03:47:30
66.188.95.20                    <gene@...>    <xxxx.xxxxxxxx@...> 1085536076 # 2004-05-26 03:47:56
67.163.217.46               <dryden@...>    <xxxx.xxxxxxxx@...> 1085536077 # 2004-05-26 03:47:57
67.162.129.13               <somasama@...>    <xxxx.xxxxxxxx@...> 1085536079 # 2004-05-26 03:47:59
[ .... ]
---------------------- Sample 2 -----------------------------------
200.53.248.142              <libpcap@...>     <yyyyyy@...>        1085544283 # 2004-05-26 06:04:43
24.16.253.21           <tudor@...>     <yyyyyy@...>        1085544284 # 2004-05-26 06:04:44
24.157.153.40          <cmsg@...>     <yyyyyy@...>        1085544361 # 2004-05-26 06:06:01
24.159.241.11         <orlandini@...>     <yyyyyy@...>        1085544364 # 2004-05-26 06:06:04
200.82.47.94      <Soille@...>     <yyyyyy@...>        1085544372 # 2004-05-26 06:06:12
24.128.119.17                <Qobi@...>     <yyyyyy@...>        1085544378 # 2004-05-26 06:06:18
24.14.26.219       <jamesm@...>     <yyyyyy@...>        1085544379 # 2004-05-26 06:06:19
218.48.37.81      <abiword_bugs@...>     <yyyyyy@...>        1085544384 # 2004-05-26 06:06:24
24.130.151.178              <snowhare@...>     <yyyyyy@...>        1085544388 # 2004-05-26 06:06:28
   [ ... 600 lines deleted : from 06:04:43 to 07:10:23 ]

Here 600 is a big number, but VERY OFTEN I have 20-30 connections in
2 minutes for a SINGLE destination, but from 20-30 different IPs
and different From: addresses.

My interpretation: a spammer wants to send something to <yyyyyy@...>,
it fails from 200.53.248.142 / <libpcap@...>, and so he retries
from another PC within a pool of "relays", and so on.

So there are 2 denials of service:
. large amount of SMTP connections in a short time (= fork with sendmail);
. large amount of data collected in the greylist database.

Question: isn't that the perfect tool to destroy the idea of greylisting?

--
Jacques Beigbeder                    |  Jacques.Beigbeder@...
Service de Prestations Informatiques |     http://www.spi.ens.fr
Ecole normale supérieure             |
45 rue d'Ulm                         |Tel : (+33 1)1 44 32 37 96
F75230 Paris cedex 05                |Fax : (+33 1)1 44 32 20 75
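The pattern described in the post (many distinct source IPs hitting one recipient inside a two-minute window, and the resulting growth of the greylist database) can be checked for mechanically. The script below is an added example, not code from this post or from milter-greylist itself. It assumes only the greylist.db line layout shown in the samples above (source IP, sender, recipient, unix timestamp, then a "# date" comment); the window and threshold values and the sample lines are constructed for illustration, not real data.

```python
"""Flag greylist-tuple bursts: many distinct source IPs targeting one
recipient within a short window, plus per-recipient database growth.

Added example, not milter-greylist code. Assumed line layout (from the
post's greylist.db excerpts):
    <ip>  <sender>  <recipient>  <unix-timestamp> # <human date>
Window/threshold values and the sample lines are constructed.
"""
from collections import defaultdict
import re

# Constructed sample in the same layout as the greylist.db excerpts.
# Addresses use documentation ranges/domains and are not real users.
SAMPLE_DB = """\
# greylist.db: constructed sample, not real data
203.0.113.10              <alice@example.net>    <victim@example.org> 1085544283 # 2004-05-26 06:04:43
203.0.113.11              <bob@example.net>      <victim@example.org> 1085544284 # 2004-05-26 06:04:44
198.51.100.7              <carol@example.net>    <victim@example.org> 1085544290 # 2004-05-26 06:04:50
198.51.100.8              <dave@example.net>     <victim@example.org> 1085544301 # 2004-05-26 06:05:01
192.0.2.44                <erin@example.net>     <victim@example.org> 1085544330 # 2004-05-26 06:05:30
192.0.2.45                <frank@example.net>    <victim@example.org> 1085544360 # 2004-05-26 06:06:00
203.0.113.10              <alice@example.net>    <other@example.org>  1085544283 # 2004-05-26 06:04:43
203.0.113.99              <retry@example.net>    <other@example.org>  1085545283 # 2004-05-26 06:21:23
"""

# One greylist tuple per line; the trailing "# date" comment is ignored.
LINE_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"<(?P<sender>[^>]*)>\s+"
    r"<(?P<rcpt>[^>]*)>\s+"
    r"(?P<ts>\d+)"
)


def parse_greylist(text):
    """Return (ip, sender, recipient, timestamp) tuples; skip comments and blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines in an unexpected layout
        entries.append((m["ip"], m["sender"], m["rcpt"], int(m["ts"])))
    return entries


def find_bursts(entries, window=120, min_ips=5):
    """Return {recipient: (start_ts, end_ts, distinct_ips)} for each recipient
    that was targeted from >= min_ips distinct source IPs within any
    window-second span (sliding window over the sorted timestamps)."""
    by_rcpt = defaultdict(list)
    for ip, _sender, rcpt, ts in entries:
        by_rcpt[rcpt].append((ts, ip))
    bursts = {}
    for rcpt, hits in by_rcpt.items():
        hits.sort()
        lo = 0
        best = None
        for hi in range(len(hits)):
            # Advance the window start until it spans at most `window` seconds.
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            ips = {ip for _ts, ip in hits[lo:hi + 1]}
            if len(ips) >= min_ips and (best is None or len(ips) > best[2]):
                best = (hits[lo][0], hits[hi][0], len(ips))
        if best:
            bursts[rcpt] = best
    return bursts


def db_growth(entries):
    """Entries per recipient: how much of the greylist database one target costs."""
    counts = defaultdict(int)
    for _ip, _sender, rcpt, _ts in entries:
        counts[rcpt] += 1
    return dict(counts)


if __name__ == "__main__":
    ents = parse_greylist(SAMPLE_DB)
    for rcpt, (start, end, n) in find_bursts(ents).items():
        print(f"{rcpt}: {n} distinct IPs in {end - start}s (ts {start}-{end})")
    print("entries per recipient:", db_growth(ents))
```

Run against a real greylist.db, the same two functions give an operator the two numbers the post is worried about: how many distinct sources hit one recipient in a two-minute span, and how many database rows each recipient accounts for. The threshold and window are parameters rather than constants so they can be tuned to the site's normal traffic before being used as an alert.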
