Yahoo Groups archive

Milter-greylist

Re: A few new user's thoughts

2004-12-09 by egcrosser

--- In milter-greylist@yahoogroups.com, manu@n... wrote:
> egcrosser <egcrosser@y...> wrote:
> 
> > 1.
> > Submissions that pass SPF check are not greylisted.  I think that this
> > is wrong.  Being SPF-clean does not guarantee that the message is not
> > spam.  There were even reports in press that there was more SPF-clean
> > spam measured than SPF-clean valid mail.  What SPF does guarantee is
> > that sender domain was not spoofed.
> > 
> > I think that better approach would be to greylist such messages, but
> > instead of (sender-IP sender-address recipient-address) tuple use
> > (sender-domain sender-address recipient-address) or maybe rather
> > (sender-domain recipient-address).
> 
> Well, you don't really win anything. IMO spammers using SPF compliant
> servers are not such a problem: they have a real server, so their spam
> will get through.

I'm afraid that's not really the case.  What a spammer can do is
register a (number of) throwaway domain(s) and publish SPF record of
the kind "v=spf1 +all".  Then command his zombie army to use MAIL
FROM:<...@...>.

I agree that (such) bad domains belong to blacklists.  But the trouble
with blacklists (both IP and domain) is that they always lag behind. 
Greylisting comes into play right here: it can minimize the harm done
in the window between creation of domain and putting it into
blacklist.

> Our usage of SPF just means it passes through
> immediately instead of delayed. I don't see any change to that in your
> proposal.
> 
> Spammers with real mail servers belong to the black list, IMO. Whether
> they use SPF or not does not change much of the problem.

Really so.  Still the problem with the current approach is that it in
fact gives spammers a "fast track" around the greylist! (as described
above)

> > I find it a very compelling idea to have dynamic greylisting delay,
> > per sender IP (or sender domain for SPF-verified submissions), growing
> > if there are many submissions for non-existent users from the IP.
> > This would be kinda simple reputation system.
> 
> That's an interesting idea. Don't you fear you could give higher and
> higher scores to ISP mail servers?

Possibly the delay can automatically drop down to default value once
"bad behavior" stops?

> > Dec  9 00:19:28 auhost sm-mta[14836]: iB8LJHFq014836: Milter (milter-greylist): timeout before data read

> milter-greylist timed out answering. If you use SPF, that's probably the
> DNS request that caused it. Raise the timeout delay in sendmail.cf

Ah, thanks.

> > Also, from time to time, there is a message:
> > 
> > Dec  9 00:41:07 auhost milter-greylist: smfi_getsymval failed for {if_addr}
> > 
> > in the log.
> > 
> > Any comments?
> 
> Mail coming from localhost?

Quite possible.  I see "address 127.0.0.1 is in exception list" in the
same second.  The message is alarming, though :-)  (and it also lacks
the ID tag btw).

Thanks
Eugene
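
An added sketch of the two ideas discussed in this message (not part of the original post and not milter-greylist code): SPF-passing mail is still greylisted but keyed on sender domain instead of sender IP, and the delay per source grows with deliveries to non-existent users, then falls back to the default once they stop. The class, constants and sample addresses are assumptions made for the illustration.

```python
BASE_DELAY = 300       # assumed default greylist delay, seconds
MAX_DELAY = 4 * 3600   # assumed cap, so a busy ISP relay is never locked out
QUIET_RESET = 3600     # assumed quiet period after which the penalty is dropped


class Greylist:
    def __init__(self):
        self.first_seen = {}  # (source, sender, rcpt) -> time of first attempt
        self.bad = {}         # source -> (unknown-recipient count, time of last one)

    @staticmethod
    def source(ip, sender, spf_pass):
        # An SPF pass only shows the domain was not spoofed, so the domain
        # replaces the IP as the identity; it does not skip greylisting.
        if spf_pass:
            return ("domain", sender.rpartition("@")[2].lower())
        return ("ip", ip)

    def unknown_recipient(self, src, now):
        # Called when the source submits mail for a non-existent user.
        count, last = self.bad.get(src, (0, now))
        if now - last >= QUIET_RESET:
            count = 0
        self.bad[src] = (count + 1, now)

    def delay(self, src, now):
        count, last = self.bad.get(src, (0, 0))
        if count and now - last >= QUIET_RESET:
            del self.bad[src]          # bad behaviour stopped: back to default
            return BASE_DELAY
        return min(BASE_DELAY * 2 ** count, MAX_DELAY)

    def check(self, ip, sender, rcpt, spf_pass, now):
        src = self.source(ip, sender, spf_pass)
        key = (src, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        return "accept" if now - first >= self.delay(src, now) else "tempfail"


if __name__ == "__main__":
    g = Greylist()
    # Constructed sample: SPF-passing throwaway domain, retry from another IP.
    print(g.check("192.0.2.1", "a@throwaway.example", "u@rcpt.example", True, 0))
    print(g.check("198.51.100.7", "a@throwaway.example", "u@rcpt.example", True, 300))
```
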
