Milter-greylist

Many greylist users want to reduce the number of valid messages
being delayed by greylisting. I've had a close look on spam and
non-spam messages in the past, and a simple pattern seems to be
that messages with a sender like "user@..." which come
from a sender DNS name like "mailhost.domain.com" are never spam.

I guess this could probably easily implemented in milter-greylist.
Strip the domain part (everything after the @) from the sender
e-mail address, and compare the sender DNS hostname to 
"[^.*]\.$fromdomain" (that is, any hostname under the same domain
name as the from address). If it matches, accept the message
immediately, otherwise greylist it as usual. It would best be
implemented as an additional option to greylist.conf.

In my case, most of the whitelist entries for common senders
would be caught by that rule and would not be needed anymore.

Comments anyone, or a volunteer to implement it ?

mp.
-- 
                         Martin Paul | Systems Administrator
   Institute of Scientific Computing | martin@...
 Nordbergstrasse 15/C/3, A-1090 Wien | Tel: 01 4277 39403
        http://www.par.univie.ac.at/ | Fax: 01 4277 9394

Martin Paul <martin@...> wrote:

> Comments anyone, or a volunteer to implement it ?

You did, didn't you? :-)

What will be the name of this option?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

> From: manu@...
> > Martin Paul <martin@...> wrote:
> > 
> > Comments anyone, or a volunteer to implement it ?
> 
> You did, didn't you? :-)

I just knew I shouldn't have asked .. :)

> What will be the name of this option?

Maybe "matchhostfrom", as it would basically check whether the
sender host (its domain name really) matches the from address
(again, the domain, after the @).

For a start, I implemented the matchhostfrom function that does
the actual work. I'll attach the code - it contains a main()
function for testing purposes. Here's a small testing shell script:

#!/bin/sh

gcc -Wall -o matchhostfrom matchhostfrom.c

echo "### MATCH"
./matchhostfrom mailhost.domain.com user@...
./matchhostfrom mailhost.domain.com '<user@...>'
./matchhostfrom mailhost.domain.com 'USER@...'
./matchhostfrom mailHOST.domain.COM 'user@...'
./matchhostfrom ' mailhost.domain.com ' ' <USER@... > '

echo "### NO MATCH"
./matchhostfrom spam.com user@...
./matchhostfrom domain.com user@...
./matchhostfrom 123.dsl.domain.com user@...
./matchhostfrom domain.com.org user@...
./matchhostfrom domain.com user@...
./matchhostfrom '[12.34.56.78]' user@...
./matchhostfrom host.domain.com '<>'
./matchhostfrom localhost '<user@...>'

Still, I'd prefer you to actually integrate this into milter-greylist
as an option. I guess it needs small changes to multiple conf* files
(lex/yacc/conf.[ch]), and my main problem would be to decide into which 
mlfi_* function and where exactly to put it. 

mp.

--- In milter-greylist@yahoogroups.com, Martin Paul <martin@p...> wrote:
> 
> > From: manu@n...
> > > Martin Paul <martin@p...> wrote:
> > > 
> > > Comments anyone, or a volunteer to implement it ?
> > 
> > You did, didn't you? :-)
> 
> I just knew I shouldn't have asked .. :)

*biggrin* That's one reason, why I don't ask for some features. I
don't have the time to implement them.


> > What will be the name of this option?
> 
> Maybe "matchhostfrom", as it would basically check whether the
> sender host (its domain name really) matches the from address
> (again, the domain, after the @).

Not that I care particularly about the feature...
(I get enough spam from dialup boxes with an envelope-sender that is
exactly equal to the hostname of the dialup box)

But: IF you start to consider it, please consider to add this inside
the acl-system. That way one can easily exclude things from this
"whitelist" (by just having an appropiate acl above it).

Just my 2 dirhem.


    Elrond

On Mon, May 30, 2005 at 12:13:31PM +0200, Martin Paul wrote:
> Many greylist users want to reduce the number of valid messages
> being delayed by greylisting. I've had a close look on spam and
> non-spam messages in the past, and a simple pattern seems to be
> that messages with a sender like "user@..." which come
> from a sender DNS name like "mailhost.domain.com" are never spam.

I wouldn't tie that to the hostname but to the MX records:
If you got an e-mail from "user@..." from IP address 1.2.3.4
and at least one of the MX records for "domain.com" points to a host
whose name resolves to 1.2.3.4 it is probably not spam.

[And even if it is spam you are probably dealing with a real mail server
 which will retransmit anyway.]

> Comments anyone, or a volunteer to implement it ?

I vote for you.

	Kind regards

-- 
Matthias Scheler                                  http://scheler.de/~matthias/

> From: "Elrond" <yahoo.com@...>
>
> Not that I care particularly about the feature...
> (I get enough spam from dialup boxes with an envelope-sender that is
> exactly equal to the hostname of the dialup box)

Those wouldn't be matched by the proposed function - I get a lot
of those which are spam, too. user@... from domain.com
will be greylisted as usual, only if it comes from host.domain.com
it will pass greylisting.

> But: IF you start to consider it, please consider to add this inside
> the acl-system. That way one can easily exclude things from this
> "whitelist" (by just having an appropiate acl above it).

yes, it's definitely a good idea to put this check after the
acl checks, and not before.

mp.

> I wouldn't tie that to the hostname but to the MX records:
> If you got an e-mail from "user@..." from IP address 1.2.3.4
> and at least one of the MX records for "domain.com" points to a host
> whose name resolves to 1.2.3.4 it is probably not spam.

This would probably be even more efficient, but the MX record
is for receiving mail, and it doesn't have to match the machine
which actually sends mail for this domain (although it often does). 
milter-greylist would have to make an MX lookup, while it already 
gets the hostname and sender from sendmail. This is more a job for
*real* solutions like SPF/MTAmark/etc.

I'd like to emphasize that my proposal is not a solution to
actually stop more spam at the greylist barrier. It's for those
greylist users who have a problem that lots of legitimate messages
are deferred or stopped by greylisting. It should make greylisting
be more acceptable even without local whitelists, while not letting
(much) more spam through. And spam that matches the new rule is
probably coming from only a handful of domains which can then be
blacklisted easily.

mp.

Martin Paul <martin@...> wrote:

> Maybe "matchhostfrom", as it would basically check whether the
> sender host (its domain name really) matches the from address
> (again, the domain, after the @).

The idea is good, but the name sucks :-)

-- 
Emmanuel Dreyfus
Publicité subliminale: achetez ce livre!
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...

On Tue, May 31, 2005 at 12:18:48PM +0200, Martin Paul wrote:
> This would probably be even more efficient, but the MX record
> is for receiving mail, ...

I know.

> ... and it doesn't have to match the machine which actually sends
> mail for this domain (although it often does).

That's the point. For whitelisting it is good enough to recognize some cases.

	Kind regards

-- 
Matthias Scheler                                  http://scheler.de/~matthias/

> 
> > Maybe "matchhostfrom", as it would basically check whether the
> 
> The idea is good, but the name sucks :-)

phasing

hans hm04 <hm04.yer@...> wrote:

> > > Maybe "matchhostfrom", as it would basically check whether the
> > The idea is good, but the name sucks :-)
> phasing 

Why phasing?

-- 
Emmanuel Dreyfus
Un bouquin en français sur BSD:
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
manu@...

>>
>> Maybe "matchhostfrom", ...
>
>The idea is good, but the name sucks :-)

How about what you named it first, "poormans-SPF" =)

But that name maybe sucks even more, since it isn't SPF...

/P

> > Maybe "matchhostfrom", as it would basically check whether the
> > sender host (its domain name really) matches the from address
> > (again, the domain, after the @).
> 
> The idea is good, but the name sucks :-)

I know, but I couldn't think of a better one. Hm, maybe "domaincheck",
or "matchdomain", or just "yao" - for "yet another option" :)

Choose any you like, and leave it to the man page to explain it
in a more verbose manner, I guess.

mp.

hi all 

is it possible, that milter-greylist is
listening on a tcp-port  to communicate with sendmail ? 
then milter-greylist and sendmail could 
run on different hosts. 

best regards 
hans 

--

hans hm04 <hm04.yer@...> wrote:

> is it possible, that milter-greylist is
> listening on a tcp-port  to communicate with sendmail ? 
> then milter-greylist and sendmail could 
> run on different hosts. 

The -p option should buy you that. Same syntax as usual.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> hans hm04 <hm04.yer@...> wrote:
> 
> > is it possible, that milter-greylist is
> > listening on a tcp-port  to communicate with sendmail ? 
> > then milter-greylist and sendmail could 
> > run on different hosts. 
> 
> The -p option should buy you that. Same syntax as usual.
> 
> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
>

How I can use the option -p to run the milter-greylist in one host and
the sendmails in all others hosts?

Cristian Merz <cristianmerz@...> wrote:

> How I can use the option -p to run the milter-greylist in one host and
> the sendmails in all others hosts?

I don't recall the syntax exactly, but it's in milter documentation.
You can also grab the syntax from another milter: it will be the same,
since libmilter does the parsing.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...