Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Thread

blacklist


2006-08-07 by Fabien Tassin

hi,

I've been experimenting with blacklist and flushaddr using 2.1.12.
Here are some thoughts, in case someone is interested.

list "spam trap users" rcpt { trap1@... trap2@... trap3@... trap4@... }
acl blacklist list "spam trap users" flushaddr

(I've patched milter-greylist a little bit to have some stats and more
readable logs).

Aug  7 13:30:15 nexus milter-greylist: k77BU5m9001258: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <begin@...> to <addi@...> delayed for 00:05:00 (ACL 212)
Aug  7 13:30:15 nexus sm-mta[1258]: k77BU5m9001258: Milter: to=<addi@...>, reject=451 4.7.1 Greylisting in action, please come back later
Aug  7 13:30:15 nexus sm-mta[1258]: k77BU5m9001258: akl178.internetdsl.tpnet.pl [83.17.15.178]: Possible SMTP RCPT flood, throttling.
Aug  7 13:30:15 nexus milter-greylist: k77BU5tN001259: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <alex@...> to <jef@...> delayed for 00:05:00 (ACL 212)
Aug  7 13:30:15 nexus sm-mta[1259]: k77BU5tN001259: Milter: to=<jef@...>, reject=451 4.7.1 Greylisting in action, please come back later
Aug  7 13:30:15 nexus sm-mta[1259]: k77BU5tN001259: akl178.internetdsl.tpnet.pl [83.17.15.178]: Possible SMTP RCPT flood, throttling.
Aug  7 13:30:15 nexus sm-mta[1437]: k77BUFWO001437: rejecting commands from [86.108.81.7] [86.108.81.7] due to pre-greeting traffic
Aug  7 13:30:16 nexus milter-greylist: (local): addr 83.17.15.178 flushed, removed 1 grey and 0 autowhite
Aug  7 13:30:16 nexus milter-greylist: k77BU5m9001258: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <begin@...> to <trap1@...> blacklisted (ACL 200)
Aug  7 13:30:16 nexus sm-mta[1258]: k77BU5m9001258: Milter: to=<trap1@...>, reject=551 5.7.1 Go away!
Aug  7 13:30:16 nexus milter-greylist: (local): addr 83.17.15.178 flushed, removed 0 grey and 0 autowhite
Aug  7 13:30:16 nexus milter-greylist: k77BU5tN001259: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <alex@...> to <trap2@...> blacklisted (ACL 200)
Aug  7 13:30:16 nexus sm-mta[1259]: k77BU5tN001259: Milter: to=<trap2@...>, reject=551 5.7.1 Go away!
Aug  7 13:30:17 nexus milter-greylist: (local): addr 83.17.15.178 flushed, removed 0 grey and 0 autowhite
Aug  7 13:30:17 nexus milter-greylist: k77BU5tN001259: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <alex@...> to <trap4@...> blacklisted (ACL 200)
Aug  7 13:30:17 nexus sm-mta[1259]: k77BU5tN001259: Milter: to=<trap4@...>, reject=551 5.7.1 Go away!
Aug  7 13:30:19 nexus milter-greylist: k77BU5m9001258: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <begin@...> to <foo.orgpyro@...> delayed for 00:05:00 (ACL 212)
Aug  7 13:30:19 nexus sm-mta[1258]: k77BU5m9001258: Milter: to=<foo.orgpyro@...>, reject=451 4.7.1 Greylisting in action, please come back later
Aug  7 13:30:19 nexus milter-greylist: k77BU5tN001259: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <alex@...> to <baz@...> delayed for 00:05:00 (ACL 212)
Aug  7 13:30:19 nexus sm-mta[1259]: k77BU5tN001259: Milter: to=<baz@...>, reject=451 4.7.1 Greylisting in action, please come back later
Aug  7 13:30:20 nexus milter-greylist: (local): addr 83.17.15.178 flushed, removed 1 grey and 0 autowhite
Aug  7 13:30:20 nexus milter-greylist: k77BU5tN001259: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <alex@...> to <trap3@...> blacklisted (ACL 200)
Aug  7 13:30:20 nexus sm-mta[1259]: k77BU5tN001259: Milter: to=<trap3@...>, reject=551 5.7.1 Go away!
Aug  7 13:30:20 nexus milter-greylist: k77BU5m9001258: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <begin@...> to <foo.orgtrap2@...> delayed for 00:05:00 (ACL 212)
Aug  7 13:30:20 nexus sm-mta[1258]: k77BU5m9001258: Milter: to=<foo.orgtrap2@...>, reject=451 4.7.1 Greylisting in action, please come back later
Aug  7 13:30:21 nexus milter-greylist: k77BU5tN001259: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <alex@...> to <bar@...> delayed for 00:05:00 (ACL 212)
Aug  7 13:30:21 nexus sm-mta[1259]: k77BU5tN001259: Milter: to=<bar@...>, reject=451 4.7.1 Greylisting in action, please come back later

.... 380+ hits from that ip later ...

Aug  7 13:41:40 nexus milter-greylist: k77BfZxb001925: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <blinka666@...> to <bar-bounces@...> delayed for 00:05:00 (ACL 212)
Aug  7 13:41:40 nexus sm-mta[1925]: k77BfZxb001925: Milter: to=<bar-bounces@...>, reject=451 4.7.1 Greylisting in action, please come back later
Aug  7 13:41:40 nexus sm-mta[1925]: k77BfZxb001925: lost input channel from akl178.internetdsl.tpnet.pl [83.17.15.178] to Daemon0 after data
Aug  7 13:41:40 nexus sm-mta[1925]: k77BfZxb001925: from=<blinka666@...>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=Daemon0, relay=akl178.internetdsl.tpnet.pl [83.17.15.178]
Aug  7 13:41:53 nexus milter-greylist: k77BflMm001933: addr akl178.internetdsl.tpnet.pl[83.17.15.178] from <admin@...> to <bar-bounces@...> delayed for 00:05:00 (ACL 212)
Aug  7 13:41:53 nexus sm-mta[1933]: k77BflMm001933: Milter: to=<bar-bounces@...>, reject=451 4.7.1 Greylisting in action, please come back later
Aug  7 13:41:53 nexus sm-mta[1933]: k77BflMm001933: lost input channel from akl178.internetdsl.tpnet.pl [83.17.15.178] to Daemon0 after data
Aug  7 13:41:53 nexus sm-mta[1933]: k77BflMm001933: from=<admin@...>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=Daemon0, relay=akl178.internetdsl.tpnet.pl [83.17.15.178]

Strangely, I ended up with 15 grey entries in greylist.db for 83.17.15.178 while I should have only 1 or 2.
It seems that the list of rcpt changes as the blacklisted rcpt disappeared, while it remains
constant with only greylist (no blacklist).
That's not good as the spam traps become useless. Not sure if those spam tools
are that smart. BTW, I've changed my conf to:

acl blacklist list "spam trap users" code "451" ecode "4.7.1" msg "Greylisting in action, please come back later" flushaddr

It now reports blacklist as greylist, hiding the spamtraps but still flushing the bad ips from the db.
Let's see if that helps.

/Fabien

Re: [milter-greylist] blacklist

2006-08-07 by Fabien Tassin

According to Fabien Tassin:
> 
> acl blacklist list "spam trap users" code "451" ecode "4.7.1" msg "Greylisting in action, please come back later" flushaddr
> 
> It now reports blacklist as greylist, hiding the spamtraps but still flushing the bad ips from the db.
> Let's see if that helps.

hm, doesn't work.

sm-mta reports "reject=550 5.7.1 Command rejected" while it was "reject=551 5.7.1 Go away!" before.
I assume it's because m-g returned SMFIS_REJECT and not SMFIS_TEMPFAIL. I patched it.
Let's see now.

/Fabien

Re: [milter-greylist] blacklist

2006-08-07 by Emmanuel Dreyfus

On Mon, Aug 07, 2006 at 05:55:20PM +0200, Fabien Tassin wrote:
> > acl blacklist list "spam trap users" code "451" ecode "4.7.1" msg "Greylisting in action, please come back later" flushaddr
> > 
> > It now reports blacklist as greylist, hiding the spamtraps but still flushing the bad ips from the db.
> > Let's see if that helps.
> 
> hm, doesn't work.
> 
> sm-mta reports "reject=550 5.7.1 Command rejected" while it was "reject=551 5.7.1 Go away!" before.
> I assume it's because m-g returned SMFIS_REJECT and not SMFIS_TEMPFAIL. I patched it.
> Let's see now.

Why don't you just use flushaddr with an acl greylist statement? It should
work too...

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] blacklist

2006-08-07 by Fabien Tassin

According to Emmanuel Dreyfus:
> > > 
> > > It now reports blacklist as greylist, hiding the spamtraps but still flushing the bad ips from the db.
> > > Let's see if that helps.
> > 
> > hm, doesn't work.
> > 
> > sm-mta reports "reject=550 5.7.1 Command rejected" while it was "reject=551 5.7.1 Go away!" before.
> > I assume it's because m-g returned SMFIS_REJECT and not SMFIS_TEMPFAIL. I patched it.
> > Let's see now.
> 
> Why don't you just use flushaddr with an acl greylist statement? It should
> work too...

Yes, but with grey, the entry that triggered the flush will end up in the db, right?
I mean, it seems the flush occurs *before* grey or auto-white are committed to the db.

For now, I'm only experiencing various things to see what could work.

In fact, I'm more interested in killing the whole flow, so neither is good.
It's really auto-black that could do that.
I could still do a local dnsrbl fed by something monitoring the logs
for "black" events but I don't like spam interacting (write) with a DNS server
in production. I've done that in the past using nsupdate but I'd prefer
milter to do that internally (fewer dependencies, no monitoring, etc).

/Fabien

Re: [milter-greylist] blacklist

2006-08-07 by Emmanuel Dreyfus

On Mon, Aug 07, 2006 at 07:43:38PM +0200, Fabien Tassin wrote:
> Yes, but with grey, the entry that triggered the flush will end up in the db, right?
> I mean, it seems the flush occurs *before* grey or auto-white are committed to the db.

That should do it:
acl greylist list "honeypots" delay 5d flushaddr

Ok, it goes into the database, but with a delay so long it won't ever be
used. And it will probably be flushed on the next spam that will fall into
the spamtrap.

> For now, I'm only experiencing various things to see what could work.
> 
> In fact, I'm more interested in killing the whole flow, so neither is good.
> It's really auto-black that could do that.
> I could still do a local dnsrbl fed by something monitoring the logs
> for "black" events but I don't like spam interacting (write) with a DNS server
> in production. 

You can have a local named bound to 127.0.0.1 that serves only that purpose.
No need to send updates to your real domain.

> I've done that in the past using nsupdate but I'd prefer
> milter to do that internally (fewer dependencies, no monitoring, etc).

Yes, but the change is heavy, and making the code stable and reliable may
take some time. Using a DNSRBL seems the most straightforward way.

-- 
Emmanuel Dreyfus
manu@...
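
The log-fed local DNSRBL discussed in this thread, as an added example (not code from the thread or from milter-greylist): it extracts "blacklisted" events in the log format shown in the first post, which comes from the poster's locally patched build, and emits reversed-octet A records for a private zone. The zone name `bl.local.invalid`, the `min_traps` threshold, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the log format of the first post (a locally patched
# milter-greylist 2.1.12); all hosts and addresses are documentation placeholders.
SAMPLE_LOG = """\
Aug  7 13:30:15 nexus milter-greylist: k77BU5m9001258: addr host.example[192.0.2.178] from <a@example.org> to <user@example.net> delayed for 00:05:00 (ACL 212)
Aug  7 13:30:16 nexus milter-greylist: k77BU5m9001258: addr host.example[192.0.2.178] from <a@example.org> to <trap1@example.net> blacklisted (ACL 200)
Aug  7 13:30:16 nexus milter-greylist: k77BU5tN001259: addr host.example[192.0.2.178] from <b@example.org> to <trap2@example.net> blacklisted (ACL 200)
Aug  7 13:30:17 nexus milter-greylist: k77BU6aa001260: addr other.example[198.51.100.7] from <c@example.org> to <trap1@example.net> blacklisted (ACL 200)
Aug  7 13:30:18 nexus sm-mta[1260]: k77BU6aa001260: Milter: to=<trap1@example.net>, reject=551 5.7.1 Go away!
"""

# Match only the milter's own "blacklisted" lines; the sender and recipient are
# remote-controlled strings, so they are bounded by <...> and never trusted.
EVENT = re.compile(
    r"milter-greylist: \S+: addr \S*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"from <[^>]*> to <(?P<rcpt>[^>]*)> blacklisted \(ACL (?P<acl>\d+)\)"
)

def trap_hits(log_text, trap_acl="200"):
    """Map each client IP to the set of spam-trap recipients it hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m and m.group("acl") == trap_acl:
            # Reject malformed dotted quads such as 999.1.1.1.
            if all(int(o) <= 255 for o in m.group("ip").split(".")):
                hits[m.group("ip")].add(m.group("rcpt"))
    return dict(hits)

def zone_records(hits, min_traps=2, zone="bl.local.invalid"):
    """Emit DNSBL-style A records (reversed octets, 127.0.0.2) for IPs that
    hit at least min_traps distinct traps (threshold is an assumption)."""
    records = []
    for ip, rcpts in sorted(hits.items()):
        if len(rcpts) >= min_traps:
            owner = ".".join(reversed(ip.split("."))) + "." + zone + "."
            records.append(f"{owner} 3600 IN A 127.0.0.2")
    return records

if __name__ == "__main__":
    print("\n".join(zone_records(trap_hits(SAMPLE_LOG))))
```

The records are meant for a resolver bound to 127.0.0.1 that serves only this zone, as suggested above, so nothing derived from spam traffic is written to a production DNS server.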
