Yahoo Groups archive

Milter-greylist


Does TLS bypass greylisting?

2007-10-26 by Jim Hermann

Does TLS bypass greylisting like authentication?

Oct 26 16:39:13 host sm-acceptingconnections[2716]: STARTTLS=server, relay=deliver.hol.gr [62.38.3.31], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Oct 26 16:39:13 host milter-greylist: STARTTLS succeeded for DN="/C=GR/postalCode=GR-15124+20Maroussi/ST=Attica/L=Athens/streetAddress=Building+20B./streetAddress=59-61+20Ag.+20Konstatntinou+20St./O=Hellas+20On+20Line+20S.A./OU=IT+20Dept./OU=Provided+20by+20DigiCert,+20Inc./OU=DigiCertSSL+20Wildcard/CN=*.hol.gr", bypassing greylisting

Jim

Re: [milter-greylist] Does TLS bypass greylisting?

2007-10-26 by Matt Kettler

Jim Hermann wrote:
> Does TLS bypass greylisting like authentication?

Yep. You'll see messages like this in your logs:

milter-greylist: STARTTLS succeeded for DN="xyz", bypassing greylisting

Which is really quite reasonable. Any system, even if it is a spammer, that can 
do starttls is also quite capable of retrying, so will ultimately get past a 
greylist anyway.
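Matt's point that the bypass is visible in the logs suggests auditing it. The script below is an added example, not part of this thread and not milter-greylist's own code: it pairs each milter-greylist "bypassing greylisting" line with the sendmail STARTTLS=server line that preceded it, decodes the +HH escapes in the DN (the "+20" spaces visible in Jim's log), and reports relay, verify result and certificate subject for every bypass. The sample log is constructed after the two lines Jim quoted; every host, address and DN other than the abbreviated deliver.hol.gr entry is invented. Neither log line carries a queue id, so pairing "the most recent STARTTLS line from the same syslog host" is an assumed heuristic that can mis-pair on a busy server with interleaved connections.

```python
import re
from collections import Counter

# Constructed sample maillog, modelled on the two lines quoted in this thread.
# Hostnames, addresses and the shortened DNs are invented, except for the
# deliver.hol.gr entry, which is abbreviated from the thread's own log.
SAMPLE_LOG = """\
Oct 26 16:39:13 host sm-acceptingconnections[2716]: STARTTLS=server, relay=deliver.hol.gr [62.38.3.31], version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Oct 26 16:39:13 host milter-greylist: STARTTLS succeeded for DN="/C=GR/O=Hellas+20On+20Line+20S.A./CN=*.hol.gr", bypassing greylisting
Oct 26 16:41:02 host sm-acceptingconnections[2790]: STARTTLS=server, relay=mx.example.org [192.0.2.10], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Oct 26 16:45:30 host sm-acceptingconnections[2811]: STARTTLS=server, relay=[198.51.100.7], version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
Oct 26 16:50:00 host sm-acceptingconnections[2850]: STARTTLS=server, relay=smtp.example.net [203.0.113.5], version=TLSv1/SSLv3, verify=OK, cipher=AES256-SHA, bits=256/256
Oct 26 16:50:00 host milter-greylist: STARTTLS succeeded for DN="/C=US/O=Example+20Net/CN=smtp.example.net", bypassing greylisting
"""

SYSLOG_TS = r'(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
TLS_RE = re.compile(
    r'^' + SYSLOG_TS + r'(?:sm-[\w-]+|sendmail)\[\d+\]: STARTTLS=server, '
    r'relay=(?P<relay>[^,]+), version=(?P<version>\S+), verify=(?P<verify>\w+), '
    r'cipher=(?P<cipher>\S+), bits=(?P<bits>\S+)$'
)
BYPASS_RE = re.compile(
    r'^' + SYSLOG_TS + r'milter-greylist(?:\[\d+\])?: STARTTLS succeeded for '
    r'DN="(?P<dn>[^"]*)", bypassing greylisting$'
)


def decode_dn(dn):
    """Undo the +HH escaping sendmail applies to the cert subject
    ('+20' is a space, as in the DN quoted in the thread)."""
    return re.sub(r'\+([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), dn)


def dn_field(dn, key):
    """Last value of attribute `key` in an OpenSSL one-line DN, or None."""
    vals = re.findall(r'/' + re.escape(key) + r'=([^/]*)', dn)
    return vals[-1] if vals else None


def audit_tls_bypasses(log_text):
    """Pair each 'bypassing greylisting' line with the most recent STARTTLS=server
    line from the same syslog host. Neither line carries a queue id, so this join
    is a heuristic (assumption): on a busy server with interleaved connections it
    can mis-pair, which is why verify= is reported so a mismatch stands out."""
    last_tls = {}
    bypasses = []
    for line in log_text.splitlines():
        m = TLS_RE.match(line)
        if m:
            last_tls[m.group('host')] = m.groupdict()
            continue
        m = BYPASS_RE.match(line)
        if m:
            tls = last_tls.pop(m.group('host'), None)
            dn = decode_dn(m.group('dn'))
            bypasses.append({
                'ts': m.group('ts'),
                'relay': tls['relay'] if tls else None,
                'verify': tls['verify'] if tls else None,
                'cipher': tls['cipher'] if tls else None,
                'dn': dn,
                'cn': dn_field(dn, 'CN'),
                'org': dn_field(dn, 'O'),
            })
    return bypasses


def verify_summary(log_text):
    """Count STARTTLS=server sessions by sendmail's verify= result."""
    return Counter(m.group('verify')
                   for m in map(TLS_RE.match, log_text.splitlines()) if m)


def unexpected_bypasses(bypasses):
    """Bypasses not backed by a verify=OK session. The documented trigger for the
    bypass is verify=OK, so anything else means a mis-paired log or a surprise."""
    return [b for b in bypasses if b['verify'] != 'OK']


if __name__ == '__main__':
    found = audit_tls_bypasses(SAMPLE_LOG)
    print('STARTTLS sessions by verify result:', dict(verify_summary(SAMPLE_LOG)))
    for b in found:
        print(f"{b['ts']} relay={b['relay']} verify={b['verify']} "
              f"org={b['org']!r} cn={b['cn']!r}")
    print('bypasses without verify=OK:', unexpected_bypasses(found))
```

Run it over your own maillog to see which relays are skipping greylisting on the strength of a verified certificate, and who issued those certificates. A bypass reported with anything other than verify=OK is either a mis-pairing by the heuristic or something worth looking into.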

Re: [milter-greylist] Does TLS bypass greylisting?

2007-10-27 by Dan Mahoney, System Admin

On Fri, 26 Oct 2007, Matt Kettler wrote:

> Jim Hermann wrote:
>> Does TLS bypass greylisting like authentication?
>
> Yep. You'll see messages like this in your logs:
>
> milter-greylist: STARTTLS succeeded for DN="xyz", bypassing greylisting
>
> Which is really quite reasonable. Any system, even if it is a spammer, that can
> do starttls is also quite capable of retrying, so will ultimately get past a
> greylist anyway.

Hrmmm, then the next question is: does greylisting check the cert 
validity?  My own system has the CA roots fully configured, so if it's a 
true Thawte/Geotrust/Verisign cert, I'll get VERIFY=ok.  Does 
milter-greylist care?

(Lest spammers link their trojans against openssl...)

--

"Check it out, it's just like Christmas.  Except it sucks."

-Jason Seguerra, 3/2/05

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

Re: [milter-greylist] Does TLS bypass greylisting?

2007-10-27 by manu@netbsd.org

Jim Hermann <hostmaster@...> wrote:

> Does TLS bypass greylisting like authentication?

RTFM! :-)

TLS validation causes a message to be whitelisted, unless you use the
noauth configuration statement.

You can also set up ACLs using the tls clause, which lets you decide which DNs
should be whitelisted/blacklisted/greylisted. Using a tls clause causes an
implicit noauth: TLS then no longer causes whitelisting by default.

Example:
racl whitelist tls /,dc=example,dc=net/

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: Does TLS bypass greylisting?

2007-10-27 by Jim Hermann

--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> Jim Hermann <hostmaster@...> wrote:
> 
> > Does TLS bypass greylisting like authentication?
> 
> RTFM! :-)
> 

Which part of TFM says that TLS bypasses greylisting?

This part in Chapter 14 Using TLS?

"Using the "tls" clause, an ACL could match any email that succeeded 
TLS check in sendmail (STARTTLS giving "verify=OK"). This assumes 
you already have TLS working in sendmail."

I don't know whether a spammer can use STARTTLS or not.  I don't 
consider STARTTLS verification to be equivalent to SMTP 
authentication.  I don't see any justification to equate the two 
processes.

Jim

Re: [milter-greylist] Does TLS bypass greylisting?

2007-10-27 by Matt Kettler

Dan Mahoney, System Admin wrote:
> On Fri, 26 Oct 2007, Matt Kettler wrote:
> 
>> Jim Hermann wrote:
>>> Does TLS bypass greylisting like authentication?
>> Yep. You'll see messages like this in your logs:
>>
>> milter-greylist: STARTTLS succeeded for DN="xyz", bypassing greylisting
>>
>> Which is really quite reasonable. Any system, even if it is a spammer, that can
>> do starttls is also quite capable of retrying, so will ultimately get past a
>> greylist anyway.
> 
> Hrmmm, then the next question is: does greylisting check the cert 
> validity?  My own system has the CA roots fully configured, so if it's a 
> true Thawte/Geotrust/Verisign cert, I'll get VERIFY=ok.  Does 
> milter-greylist care?
> 
> (Lest spammers link their trojans against openssl...)

Does it matter? If they link against OpenSSL, they can also just as easily retry.

Remember, greylisting isn't resistant to a "clever" spammer. Never will be.

Re: [milter-greylist] Does TLS bypass greylisting?

2007-10-27 by Dan Mahoney, System Admin

On Sat, 27 Oct 2007, Matt Kettler wrote:

> Dan Mahoney, System Admin wrote:
>> On Fri, 26 Oct 2007, Matt Kettler wrote:
>>
>>> Jim Hermann wrote:
>>>> Does TLS bypass greylisting like authentication?
>>> Yep. You'll see messages like this in your logs:
>>>
>>> milter-greylist: STARTTLS succeeded for DN="xyz", bypassing greylisting
>>>
>>> Which is really quite reasonable. Any system, even if it is a spammer, that can
>>> do starttls is also quite capable of retrying, so will ultimately get past a
>>> greylist anyway.
>>
>> Hrmmm, then the next question is: does greylisting check the cert
>> validity?  My own system has the CA roots fully configured, so if it's a
>> true Thawte/Geotrust/Verisign cert, I'll get VERIFY=ok.  Does
>> milter-greylist care?
>>
>> (Lest spammers link their trojans against openssl...)
>
> Does it matter? If they link against OpenSSL, they can also just as easily retry.
>
> Remember, greylisting isn't resistant to a "clever" spammer. Never will be.

That was more tongue-in-cheek than anything else, heh.

-Dan

--

"You recreate the stars in the sky with cows?"

-Furrball, March 7 2005, on Katamari Damacy

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------

Re: Does TLS bypass greylisting?

2007-10-28 by Jim Hermann

--- In milter-greylist@yahoogroups.com, manu@... wrote:
>
> Jim Hermann <hostmaster@...> wrote:
> 
> > Which part of TFM says that TLS bypasses greylisting?
> 
> greylist.conf man page.

You mean the passing reference to "global STARTTLS and SMTP AUTH 
whitelisting" under the WHITELIST Section?  I can't find any other 
reference to STARTTLS.

       auth   This  is  used  to select a user that succeeded SMTP 
AUTH. In order to select any user that succeeds SMTP AUTH, you can 
use a regular expression  matching, like below;

                racl whitelist auth /.*/

              Using  such  a  clause  automatically  disable  global 
STARTTLS and SMTP AUTH whitelisting, like if the noauth keyword 
would have been used.

       tls    This is used to select the distinguished name (DN) of 
a user  that  succeeded STARTTLS.  Using such a clause automatically 
disable global STARTTLS and SMTP AUTH whitelisting, like if the 
noauth keyword would have been used.

The COMMAND-LINE FLAG EQUIVALENTS Section tells me how to turn off 
the global SMTP AUTH whitelisting.

       noauth Greylist clients regardless if they succeeded SMTP 
AUTH. Equivalent to the -A flag.

How do I turn off the global STARTTLS whitelisting?

Jim

Re: Does TLS bypass greylisting?

2007-10-28 by Jim Hermann

--- In milter-greylist@yahoogroups.com, Matt Kettler <mkettler@...> 
wrote:
>
> Does it matter? If they link against OpenSSL, they can also just as
> easily retry.

Why can they just as easily retry if they can link against openSSL?

I thought that spammers did not retry because it took too much time or 
they weren't using a real email server.  I did not realize that 
linking against openSSL took a lot of time or required a real email 
server.

Jim

Re: [milter-greylist] Re: Does TLS bypass greylisting?

2007-10-28 by manu@netbsd.org

Jim Hermann <hostmaster@...> wrote:

> You mean the passing reference to "global STARTTLS and SMTP AUTH 
> whitelisting" under the WHITELIST Section?  I can't find any other 
> reference to STARTTLS.

       tls    This is used to select the distinguished name  (DN)  of  a  user
              that  succeeded STARTTLS. Using such a clause automatically dis-
              able global STARTTLS and SMTP AUTH  whitelisting,  like  if  the
              noauth keyword would have been used.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Re: Does TLS bypass greylisting?

2007-10-29 by Matt Kettler

Jim Hermann wrote:
> --- In milter-greylist@yahoogroups.com, Matt Kettler <mkettler@...> 
> wrote:
>> Does it matter? If they link against OpenSSL, they can also just as
>> easily retry.
> 
> Why can they just as easily retry if they can link against openSSL?
> 
> I thought that spammers did not retry because it took too much time or 
> they weren't using a real email server.  I did not realize that 
> linking against openSSL took a lot of time or required a real email 
> server.

You don't need a real mailserver to retry. You also don't need a lot of time to 
retry.

Spammers don't retry because they're trying to keep their bot payloads small and 
simple. Complex bots means more potential for bugs, which means more downtime 
from sending spam runs. Implementing OpenSSL/STARTTLS isn't small and simple.

Look, I don't want to give spammers any ideas, so I'm going to be a bit vague 
here. I apologize in advance, but it's in the best interest of milter-greylist 
users that I not publicly post good, efficient methods for bypassing it that 
spammers haven't thought of yet.

Suffice to say, in my opinion, it would be substantially easier to implement a 
retry in a spam bot than it would be to link OpenSSL and implement everything 
needed to support STARTTLS.
