Milter-greylist

Hi,

Just a small question:  Is there a way to disable the
auto-whitelisting for certain IP addresses?  I.e. I want
mails from IP 12.34.56.78 (example) to always be delayed
(i.e. greylisted), no matter if the ip/sender/recipient
triple is known or not.  In other words, that IP address
should never appear in the auto-whitelist.

If that's currently not possible, are there plans to
implement it?  Would it be diffcult to implement?

Thank you very much in advance!

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"With sufficient thrust, pigs fly just fine.  However, this
is not necessarily a good idea.  It is hard to be sure where
they are going to land, and it could be dangerous sitting
under them as they fly overhead." -- RFC 1925

On Mon, Jul 17, 2006 at 01:33:56PM +0200, Oliver Fromme wrote:

> Just a small question:  Is there a way to disable the
> auto-whitelisting for certain IP addresses?  I.e. I want
> mails from IP 12.34.56.78 (example) to always be delayed
> (i.e. greylisted), no matter if the ip/sender/recipient
> triple is known or not.  In other words, that IP address
> should never appear in the auto-whitelist.

It seems to me you might be missing something in what your asking.  If
it doesn't auto-whitelist you won't recive your mail afterwords.
Perhaps what you relaly want is a 1 time whitelist.  Where after your
delay the address is whitelisted, then once a message is recived from
that tupple the entry is removed. this should give you a delay on each
message, with some possible toming quirks depending on how the sending
server queues and resends.

I could see this scenario happining:

0 Message A recives the tempfail for 5 minutes, sending server queues
+6min Message B from same tupple is seen and sccepted
+6:01 Message A is resent and recives tempfail for 5 minutes
+12:00 Message C from same tupple is seen and sccepted

repeat ad-infinutum, or at least long enough for the original mail to
fail on retrys.

-- 
Till Later,
Jake <karrde@...>
http://www.viluppo.net/

Jake Di Toro wrote:
 > Oliver Fromme wrote:
 > 
 > > Just a small question:  Is there a way to disable the
 > > auto-whitelisting for certain IP addresses?  I.e. I want
 > > mails from IP 12.34.56.78 (example) to always be delayed
 > > (i.e. greylisted), no matter if the ip/sender/recipient
 > > triple is known or not.  In other words, that IP address
 > > should never appear in the auto-whitelist.
 > 
 > It seems to me you might be missing something in what your asking.  If
 > it doesn't auto-whitelist you won't recive your mail afterwords.
 > Perhaps what you relaly want is a 1 time whitelist.  Where after your
 > delay the address is whitelisted, then once a message is recived from
 > that tupple the entry is removed.

I see.  You're right.  I forgot the fact that milter-
greylist is not able to identify mails, and that
different mails with the same tuple could arrive in
and interleaved fashion (without milter-greylist
noticing).

 > I could see this scenario happining:
 > 
 > 0 Message A recives the tempfail for 5 minutes, sending server queues
 > +6min Message B from same tupple is seen and sccepted

What header would be added to message B?  If this one:

   X-Greylist: Delayed for 00:06:00 by milter-greylist-...

then it would be lying (or at least very confusing), because
the text implies that _this_ email was delayed for 6 minutes,
but it really wasn't delayed at all.  Afterwards, if message
A is resent and not delayed (because it's auto-whitelisted),
it would get this header:

   X-Greylist: ... auto-whitelisted, not delayed ...

but this email really _was_ delayed (for at least 6 minutes).

I think that's a bug that needs to be fixed.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

--- In milter-greylist@yahoogroups.com, Oliver Fromme <olli@...> wrote:
>
> 
> Jake Di Toro wrote:
>  > Oliver Fromme wrote:
>  > 
>  > > Just a small question:  Is there a way to disable the
>  > > auto-whitelisting for certain IP addresses?  I.e. I want
>  > > mails from IP 12.34.56.78 (example) to always be delayed
>  > > (i.e. greylisted), no matter if the ip/sender/recipient
>  > > triple is known or not.  In other words, that IP address
>  > > should never appear in the auto-whitelist.
>  > 
>  > It seems to me you might be missing something in what your
asking.  If
>  > it doesn't auto-whitelist you won't recive your mail afterwords.
>  > Perhaps what you relaly want is a 1 time whitelist.  Where after your
>  > delay the address is whitelisted, then once a message is recived from
>  > that tupple the entry is removed.
> 
> I see.  You're right.  I forgot the fact that milter-
> greylist is not able to identify mails, and that
> different mails with the same tuple could arrive in
> and interleaved fashion (without milter-greylist
> noticing).
> 
>  > I could see this scenario happining:
>  > 
>  > 0 Message A recives the tempfail for 5 minutes, sending server queues
>  > +6min Message B from same tupple is seen and sccepted
> 
> What header would be added to message B?  If this one:
> 
>    X-Greylist: Delayed for 00:06:00 by milter-greylist-...
> 
> then it would be lying (or at least very confusing), because
> the text implies that _this_ email was delayed for 6 minutes,
> but it really wasn't delayed at all.  Afterwards, if message
> A is resent and not delayed (because it's auto-whitelisted),
> it would get this header:
> 
>    X-Greylist: ... auto-whitelisted, not delayed ...
> 
> but this email really _was_ delayed (for at least 6 minutes).
> 
> I think that's a bug that needs to be fixed.
> 
> Best regards
>    Oliver
> 
> -- 
> Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
> Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
> Any opinions expressed in this message may be personal to the author
> and may not necessarily reflect the opinions of secnetix in any way.
>
Maybe it's not a bug, but it is a problem that milter-greylist cannot
identify mails.
I'm almost shure that some spammers send a number of spammails with
the same sender to the same list of recipients. The first mail get
greylisted and never comes through, but the second and every mail
after that gets autowhitelisted.

I don't really know what to do about this. 
I had an idea of letting Spamassassin check the mails and remove any
entry from the whitelist if it was spam.
Disable auto-whitelisting is another suggestion.
There was a discussion about dark-greylisting I didn't quite
understand that pionts to the same direction.

Maybe everything would be solved if milter-greylist could identify the
mails in a better way?
Maybe with help from Message-Id or the first Received header?

> I'm almost shure that some spammers send a number of
> spammails with
> the same sender to the same list of recipients. The first
> mail get
> greylisted and never comes through, but the second and
> every mail
> after that gets autowhitelisted.
> 
> I don't really know what to do about this. 

one thing is to decrease the grey time. i think the default
is something like 3d. when i set mine to 16h the people who
send stuff out daily get foiled.

> I had an idea of letting Spamassassin check the mails and
> remove any
> entry from the whitelist if it was spam.
> Disable auto-whitelisting is another suggestion.
> There was a discussion about dark-greylisting I didn't
> quite
> understand that pionts to the same direction.
> 

i use milter-greylist in concert with other milters
allowing greylist to be the first line of defense. for me
this works pretty well, but i have to resort to rbl's

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com