Milter-greylist

----- Original Message ----- 

From: <manu@...>
To: <milter-greylist@yahoogroups.com>
Sent: Wednesday, April 05, 2006 11:58 PM
Subject: [milter-greylist] "Dark-grey"listing dynamic IP address


> Filtering on reverse DNS name with three 0-255 numbers sounds therefore
> a good idea. The drawback is that you will catch power users that send
> from their home machines, and SME using SMTP appliances.

That's why I suggested to only lengthen the delay for those addresses, and 
not completely block them...

Actually, these power users should normally have installed some regular MTA, 
featuring the ability of relaying mail from the outside.

That mean they should commonly have port 25 open on their computers, 
available for SMTP connections.

Even if that MTA is not available for open-relaying, could we just check if 
something is open on port 25 (with a consistent greeting message) on the 
sender's IP address, without actually trying to send any message through 
them, and decide to lighten back the greylisting on that basis ?

This process would be done, of course, only on those addresses already 
assumed to be dynamic ...

I think there are a lot of chances that spammers use some other mean to 
inject their spam inside their botnets : they apparently very often use 
quite complex distributed spamming techniques that let me thinking they 
should access their own botnet with some non standard protocols, and also 
they have no reason to build a complete MTA inside their engines. Their 
botnets are normally specialized in sending spam, not regular mails from 
regular mailers.

This may be not very realistic, of course, I suppose, but I am just trying 
to find a way to more accurately differentiate between regular MTAs and 
spammers botnets ...

Gingko

> Actually, these power users should normally have installed some  
> regular MTA,
> featuring the ability of relaying mail from the outside.
>
> That mean they should commonly have port 25 open on their computers,
> available for SMTP connections.
>
> Even if that MTA is not available for open-relaying, could we just  
> check if
> something is open on port 25 (with a consistent greeting message)  
> on the
> sender's IP address, without actually trying to send any message  
> through
> them, and decide to lighten back the greylisting on that basis ?

oh, this sounds like what Verizon does.

It's amazing what traffic I get when I had verizon blocked, then  
tried to send them an email.
I swear, I must of had 2,000 bounce messages in just a couple of hours.

Bill

Tere.

I'm confused, what's the difference between tuples vs auto-whitelist, 
rihgt now I have set:

# How long will the greylist database retain 
tuples.                                                               
                                                                                                     

timeout 8h 

# How long does auto-whitelisting last (set it to 
0                                                               
# to disable auto-whitelisting). Here, 3 
days.                                                                    
# May be overridden by the "-a autowhite_delay" command line 
argument.                                            
autowhite 0

So I presume, that autowhite 0 means, that no auto-whitelisted senders 
will be in database? But there is still line Auto-whitelisted tuples and 
senders? Should I set also timeout 0?

-- 
Sysadmin

Sysadmin wrote on Thu, 06 Apr 2006 19:34:00 +0300:

> Tere. 

Is that some sort of greeting?

>  
> I'm confused, what's the difference between tuples vs auto-whitelist, 
> rihgt now I have set:

tuples just refers to how stuff is saved in the database. It's not just 
whitelist entries that get saved, there's also those that get greylisted 
and they need to be saved either, until they go the whitelist or expire. 
So, in this respect it refers to how long a hostname remains greylisted 
until it expires and will greylist again if it comes back.

Kai

-- 
Kai Sch\ufffdtzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com