Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-13 23:57 UTC


Blacklisting a spammer?

2018-11-04 by Fred Smith

I've been using milter-greylist for a couple of years, with a huge
reduction in spam.

The past week or so I've had a huge increase, and looking at
/var/log/maillog I can see that one of the main culprits is being
auto-whitelisted! Also:

grep qq.com `locate greylist.db` | sort -k4
115.226.150.123	<2282748699@...>	<fredex@...>	1540995534 # 2018-10-31 10:18:54
124.6.159.130	<2846047090@...>	<fredex@...>	1541107270 # 2018-11-01 17:21:10
122.241.3.11	<2282748699@...>	<fredex@...>	1541164427 # 2018-11-02 09:13:47
115.230.76.104	<2282748699@...>	<fredex@...>	1541236666 # 2018-11-03 05:17:46
1.199.184.250	<1973524543@...>	<fredex@...>	1541243473 # 2018-11-03 07:11:13
124.6.159.130	<1982824309@...>	<fredex@...>	1541259038 # 2018-11-03 11:30:38
124.6.159.130	<1972695338@...>	<fredex@...>	1541266446 # 2018-11-03 13:34:06
124.6.159.130	<1963489674@...>	<fredex@...>	1541295470 # 2018-11-03 21:37:50
124.6.159.130	<2263814933@...>	<fredex@...>	1541302976 # 2018-11-03 23:42:56
124.6.159.130	<2276596163@...>	<fredex@...>	1541376051 AUTO # 2018-11-04 19:00:51
183.151.39.5	<2263814933@...>	<fredex@...>	1541402367 AUTO # 2018-11-05 02:19:27
222.189.144.75	<2282748699@...>	<fredex@...>	1541448054 AUTO # 2018-11-05 15:00:54

sorted into date/time order.

qq.com is probably a fake domain, as you can see many different addresses
listed for it.  In /var/log/maillog most messages are either rejected
outright, or are greylisted and never accepted, but as you can see, once
in a while one of them sneaks back in with a valid-appearing response
and so gets whitelisted, then a bunch of their messages are accepted.

I tried to do a blacklist of qq.com, but apparently blacklisting requires
an IP address. Since they appear to be using random/invalid IP addresses,
I'm not sure that just blindly blacklisting every address it appears
under is either a good idea, or would be adequate to get rid of them.

I've re-read my way through all the milter-greylist doc I could find,
and to be frank there is a lot of it I don't understand.

So, I'm wondering if any of you can offer suggestions on any ways other
than directly blacklisting qq.com to stomp on this site's spam?

All advice will be appreciated, thanks in advance!

Here's my current milter-greylist.conf (with comments stripped):


	socket "/run/milter-greylist/milter-greylist.sock"
	dumpfile "/var/lib/milter-greylist/db/greylist.db" 600
	geoipdb "/usr/share/GeoIP/GeoIP.dat"
	dumpfreq 10m
	user "grmilter"
	greylist 10m
	extendedregex
	timeout 5d
	logexpired
	report all	# always add X-greylist mail header

	stat "|logger -p local7.info" \
	      "%T{%Y/%m/%d %T} %d [%i] %f -> %r %S (ACL %A) %Xc %Xe %Xm %Xh"

	quiet

	list "my network" addr { 127.0.0.1/8 192.168.2.0/24 }
	list "outlook.com" domain { outlook.com }
	list "mutt.org" domain { mutt.org }

	list "broken mta" addr {   \
		12.5.136.141/32    \ # Southwest Airlines (unique sender)
		12.5.136.142/32    \ # Southwest Airlines
		12.5.136.143/32    \ # Southwest Airlines
		12.5.136.144/32    \ # Southwest Airlines
		12.107.209.244/32  \ # kernel.org (unique sender)
		12.107.209.250/32  \ # sourceware.org (unique sender)
		63.82.37.110/32    \ # SLmail
		63.169.44.143/32   \ # Southwest Airlines
		63.169.44.144/32   \ # Southwest Airlines
		64.7.153.18/32     \ # sentex.ca (common pool)
		64.12.136.0/24     \ # AOL (common pool)
		64.12.137.0/24     \ # AOL
		64.12.138.0/24     \ # AOL
		64.124.204.39      \ # moveon.org (unique sender)
		64.125.132.254/32  \ # collab.net (unique sender)
		64.233.160.0/19    \ # Google
		66.94.237.16/28    \ # Yahoo Groups servers (common pool)
		66.94.237.32/28    \ # Yahoo Groups servers (common pool)
		66.94.237.48/30    \ # Yahoo Groups servers (common pool)
		66.100.210.82/32   \ # Groupwise?
		66.135.192.0/19    \ # Ebay
		66.162.216.166/32  \ # Groupwise?
		66.206.22.82/32    \ # Plexor
		66.206.22.83/32    \ # Plexor
		66.206.22.84/32    \ # Plexor
		66.206.22.85/32    \ # Plexor
		66.218.66.0/23     \ # Yahoo Groups servers (common pool)
		66.218.67.0/23     \ # Yahoo Groups servers (common pool)
		66.218.68.0/23     \ # Yahoo Groups servers (common pool)
		66.218.69.0/23     \ # Yahoo Groups servers (common pool)
		66.27.51.218/32    \ # ljbtc.com (Groupwise)
		66.102.0.0/20      \ # Google
		66.249.80.0/20     \ # Google
		72.14.192.0/18     \ # Google
		74.125.0.0/16	   \ # Google
		152.163.225.0/24   \ # AOL
		194.245.101.88/32  \ # Joker.com
		195.235.39.19/32   \ # Tid InfoMail Exchanger v2.20
		195.238.2.0/24     \ # skynet.be (weird retry pattern, common pool)
		195.238.3.0/24     \ # skynet.be
		195.46.220.208/32  \ # mgn.net
		195.46.220.209/32  \ # mgn.net
		195.46.220.210/32  \ # mgn.net
		195.46.220.211/32  \ # mgn.net
		195.46.220.221/32  \ # mgn.net
		195.46.220.222/32  \ # mgn.net
		195.238.2.0/24     \ # skynet.be (weird retry pattern)
		195.238.3.0/24     \ # skynet.be
		204.107.120.10/32  \ # Ameritrade (no retry)
		205.188.0.0/16     \ # AOL
		205.206.231.0/24   \ # SecurityFocus.com (unique sender)
		207.115.63.0/24    \ # Prodigy - retries continually
		207.171.168.0/24   \ # Amazon.com
		207.171.180.0/24   \ # Amazon.com
		207.171.187.0/24   \ # Amazon.com
		207.171.188.0/24   \ # Amazon.com
		207.171.190.0/24   \ # Amazon.com
		209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
		209.85.128.0/17    \ # Google
		211.29.132.0/24    \ # optusnet.com.au (weird retry pattern)
		213.136.52.31/32   \ # Mysql.com (unique sender)
		216.33.244.0/24    \ # Ebay
		216.239.32.0/19    \ # Google
		217.158.50.178/32  \ # AXKit mailing list (unique sender)
	}

	list "grey users" rcpt {  \
		user1@... \
		user2@... \
		user3@... \
	}

	racl "My Network" whitelist list "my network"
	racl "Broken MTA" whitelist list "broken mta"
	racl "outlook.com" whitelist list "outlook.com" 
	racl "NoMoRobo" whitelist domain nomorobo.zendesk.com flushaddr
	racl "ZBS Foundation" whitelist domain zbs.org flushaddr
	racl "Linux Counter" whitelist domain linuxcounter.net flushaddr
	racl "Faith Church" whitelist domain faithchurchac.org flushaddr

	racl "spammers-4" blacklist domain qq.com flushaddr


-- 
---- Fred Smith -- fredex@... -----------------------------
  "For him who is able to keep you from falling and to present you before his 
 glorious presence without fault and with great joy--to the only God our Savior
 be glory, majesty, power and authority, through Jesus Christ our Lord, before
                     all ages, now and forevermore! Amen."
----------------------------- Jude 1:24,25 (niv) -----------------------------
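As an added example (not from the original post or the milter-greylist project), a short Python script that parses the greylist.db dump layout shown above and flags sender domains with the pattern Fred describes: many unrelated client IPs, many throwaway local parts, and at least one entry that reached the AUTO (auto-whitelisted) state. The sample lines, addresses and domains are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a milter-greylist greylist.db dump:
# client IP, envelope sender, envelope recipient, unix time, optional AUTO
# flag, then a "# date" comment. All addresses and domains are made up.
SAMPLE_DUMP = """\
115.226.150.123\t<2282748699@example.invalid>\t<user@mail.example>\t1540995534 # 2018-10-31 10:18:54
124.6.159.130\t<2846047090@example.invalid>\t<user@mail.example>\t1541107270 # 2018-11-01 17:21:10
124.6.159.130\t<2276596163@example.invalid>\t<user@mail.example>\t1541376051 AUTO # 2018-11-04 19:00:51
183.151.39.5\t<2263814933@example.invalid>\t<user@mail.example>\t1541402367 AUTO # 2018-11-05 02:19:27
198.51.100.7\t<alice@partner.example>\t<user@mail.example>\t1541400000 AUTO # 2018-11-05 01:40:00
"""

LINE_RE = re.compile(r"^(\S+)\t<([^>]*)>\t<([^>]*)>\t(\d+)(?:\s+(AUTO))?")

def parse_dump(text):
    """Yield (ip, sender, rcpt, timestamp, is_auto) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip comment lines and anything malformed
        ip, sender, rcpt, ts, auto = m.groups()
        yield ip, sender, rcpt, int(ts), auto == "AUTO"

def sender_domain_stats(text):
    """Per envelope-sender domain: distinct client IPs, distinct local parts,
    and how many entries are already auto-whitelisted (AUTO)."""
    acc = defaultdict(lambda: {"ips": set(), "localparts": set(), "auto": 0})
    for ip, sender, _rcpt, _ts, auto in parse_dump(text):
        if "@" not in sender:
            continue  # null sender <> or malformed address
        local, domain = sender.rsplit("@", 1)
        s = acc[domain.lower()]
        s["ips"].add(ip)
        s["localparts"].add(local)
        if auto:
            s["auto"] += 1
    return {d: {"ips": len(s["ips"]), "localparts": len(s["localparts"]),
                "auto": s["auto"]} for d, s in acc.items()}

def suspicious_domains(text, min_ips=3, min_localparts=3):
    """Domains sending from many unrelated IPs under many throwaway local
    parts that have nonetheless earned at least one AUTO entry."""
    return sorted(d for d, s in sender_domain_stats(text).items()
                  if s["ips"] >= min_ips and s["localparts"] >= min_localparts
                  and s["auto"] > 0)

if __name__ == "__main__":
    for d, s in sender_domain_stats(SAMPLE_DUMP).items():
        print(f"{d}: {s['ips']} IPs, {s['localparts']} local parts, {s['auto']} AUTO")
    print("flagged:", suspicious_domains(SAMPLE_DUMP))
```

On a live system, feed it the output of `cat` on the dumpfile path from milter-greylist.conf instead of SAMPLE_DUMP.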
