Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Thread

Greylisting Hosts Without Reverse DNS doesn't work

2016-09-06 by Marcus Schopen

Hi,

got some .ua spam today and was wondering why the delay for hosts 
without reverse DNS doesn't work:

Copied from:
http://milter-greylist.wikidot.com/greylisting-hosts-without-reverse-dns

# Greylisting Hosts Without Reverse DNS
racl greylist domain 
/^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h


Logfile:
-----------
Sep  6 10:57:54 mailin sm-mta[12571]: u868vnV3012571: 
from=<tonva@...>, size=689, class=0, nrcpts=1, 
msgid=<001601d2081b$513e1cd0$311d8ada@MatricPCltpl9o>, proto=SMTP, 
daemon=MTA-v4, relay=[117.198.104.52]
Sep  6 10:57:54 mailin sm-mta[12571]: u868vnV3012571: Milter add: 
header: X-Greylist: Delayed for 00:10:11 by milter-greylist-4.3.9 (...); 
Tue, 06 Sep 2016 10:57:54 +0200 (CEST)
-----------

The 10-minute delay is the default, but the above rule seems not to fit, 
although it is set before

   racl greylist list "grey users" delay 10m ......

Is "domain" the wrong keyword here?

Ciao!
Marcus

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-06 by Leonardo Arena

On Tue, 2016-09-06 at 11:35 +0200, Marcus Schopen lists-
yahoogroups@localguru.de [milter-greylist] wrote:
> Hi,
> 
> got some .ua spam today and was wondering why the delay for hosts 
> without reverse DNS doesn't work:
> 

do you have "extendedregex" in your config file?

Cheers,

- leonardo

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-06 by Marcus Schopen

Hi,

On 2016-09-06 12:00, Leonardo Arena rnalrd@... [milter-greylist] 
wrote:
> On Tue, 2016-09-06 at 11:35 +0200, Marcus Schopen lists-
> yahoogroups@... [milter-greylist] wrote:
>> Hi,
>> 
>> got some .ua spam today and was wondering why the delay for hosts
>> without reverse DNS doesn't work:
>> 
> 
> do you have "extendedregex" in your config file?

Ahhh, no, I don't. What exactly is the difference between extendedregex 
and basic? The manpage doesn't say anything deeper to it.

Ciao!
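
Added example (not part of the thread and not milter-greylist source code): the pattern from the rule above compiled with POSIX regcomp() in basic and in extended mode, assuming the "extendedregex" option selects between those two syntaxes. The function name rule_matches and the sample strings are constructed for illustration; the relay string is taken from the log in the first post.

```c
#include <regex.h>
#include <stdio.h>

/* Pattern from the thread's racl rule (surrounding slashes removed),
 * written as a C string. It uses {1,3}, which is an interval only in
 * extended syntax (ERE). */
static const char *ERE_STYLE =
    "^\\[[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\]$";

/* Same intent written for basic syntax (BRE), where an interval is
 * spelled \{m,n\} and a bare { is an ordinary character. */
static const char *BRE_STYLE =
    "^\\[[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\]$";

/* Returns 1 on match, 0 on no match, -1 if the pattern does not compile.
 * cflags is 0 for basic syntax or REG_EXTENDED for extended syntax. */
int rule_matches(const char *pattern, const char *client, int cflags)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, cflags | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, client, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: the bracketed relay from the log, a resolved
     * host name, and the literal text the ERE-style pattern describes
     * when it is compiled as a basic regex. */
    const char *samples[] = {
        "[117.198.104.52]",
        "mymail.skcc.com",
        "[1{1,3}.1{1,3}.1{1,3}.1{1,3}]",
    };
    size_t i;

    printf("%-32s %-10s %-10s %-10s\n",
           "client string", "ERE/basic", "ERE/ext", "BRE/basic");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-32s %-10d %-10d %-10d\n", samples[i],
               rule_matches(ERE_STYLE, samples[i], 0),
               rule_matches(ERE_STYLE, samples[i], REG_EXTENDED),
               rule_matches(BRE_STYLE, samples[i], 0));
    }
    return 0;
}
```

Compiled as a basic regex, the rule only matches text containing the literal characters "{1,3}", so a client seen as [117.198.104.52] falls through to the next racl and gets the default delay.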

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-06 by Marcus Schopen

On 2016-09-06 11:35, Marcus Schopen lists-yahoogroups@... 
[milter-greylist] wrote:
> Hi,
> 
> got some .ua spam today and was wondering why the delay for hosts
> without reverse DNS doesn't work:
> 
> Copied from:
> http://milter-greylist.wikidot.com/greylisting-hosts-without-reverse-dns
> 
> # Greylisting Hosts Without Reverse DNS
> racl greylist domain
> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h
> 
> Logfile:
> -----------
> Sep 6 10:57:54 mailin sm-mta[12571]: u868vnV3012571:
> from=<tonva@...>, size=689, class=0, nrcpts=1,
> msgid=<001601d2081b$513e1cd0$311d8ada@MatricPCltpl9o>, proto=SMTP,
> daemon=MTA-v4, relay=[117.198.104.52]
> Sep 6 10:57:54 mailin sm-mta[12571]: u868vnV3012571: Milter add:
> header: X-Greylist: Delayed for 00:10:11 by milter-greylist-4.3.9
> (...);
> Tue, 06 Sep 2016 10:57:54 +0200 (CEST)
> -----------
> 
> The 10 minutes delay is default, but above rules seems not to fit,
> although it is set before
> 
> racl greylist list "grey users" delay 10m ......
> 
> Is "domain" the wrong keyword here?


Btw: is it a good idea not to delay such servers, but to blacklist?

Ciao!

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-06 by Jim Klimov

On 6 September 2016 12:55:16 CEST, "Marcus Schopen lists-yahoogroups@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
>On 2016-09-06 11:35, Marcus Schopen lists-yahoogroups@... 
>[milter-greylist] wrote:
>> Hi,
>> 
>> got some .ua spam today and was wondering why the delay for hosts
>> without reverse DNS doesn't work:
>> 
>> Copied from:
>>
>http://milter-greylist.wikidot.com/greylisting-hosts-without-reverse-dns
>> 
>> # Greylisting Hosts Without Reverse DNS
>> racl greylist domain
>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h
>> 
>> Logfile:
>> -----------
>> Sep 6 10:57:54 mailin sm-mta[12571]: u868vnV3012571:
>> from=<tonva@...>, size=689, class=0, nrcpts=1,
>> msgid=<001601d2081b$513e1cd0$311d8ada@MatricPCltpl9o>, proto=SMTP,
>> daemon=MTA-v4, relay=[117.198.104.52]
>> Sep 6 10:57:54 mailin sm-mta[12571]: u868vnV3012571: Milter add:
>> header: X-Greylist: Delayed for 00:10:11 by milter-greylist-4.3.9
>> (...);
>> Tue, 06 Sep 2016 10:57:54 +0200 (CEST)
>> -----------
>> 
>> The 10 minutes delay is default, but above rules seems not to fit,
>> although it is set before
>> 
>> racl greylist list "grey users" delay 10m ......
>> 
>> Is "domain" the wrong keyword here?
>
>
>Btw: is it a good idea not to delay such servers, but to blacklist?
>
>Ciao!

Arguable. Usually having control over DNS including PTR entries of assigned IP addresses is a sign of legit relays. But not all ISPs are forthcoming in adding or delegating such names, and some legit mail servers are run from homes on static addresses from consumer ranges.

In my rulesets this adds a big score malus to delay longer in greylists, and by the time this mail might be accepted sender may be already in DNSBL.

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-06 by Mauricio Teixeira

>> # Greylisting Hosts Without Reverse DNS
>> racl greylist domain
>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h

> In my rulesets this adds a big score malus to delay longer in greylists, and by the time this mail might be accepted sender may be already in DNSBL.


I find it interesting that this topic just happened while I was scratching my head on a similar situation.

I've seen cases where the reverse does not match the forward, and milter-greylist is filtering them anyway. Example:

milter-reject: RCPT from unknown[203.235.210.192]: 451 4.7.1 Greylisting in action, please come back in 00:13:18; bad reverse DNS; from=<blah@...> to=<blah@...> proto=ESMTP helo=<mymail.skcc.com>

This is my rule:
racl greylist domain /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 120m msg "Greylisting in action, please come back in %R; bad reverse DNS"

203.235.210.192 resolves to mymail.skcc.com
but
mymail.skcc.com resolves to 203.235.210.190

So it seems like milter-greylist is getting confused, and thinks the fact that the reverse does not match the forward means there is no reverse.

How can I tell milter-greylist to just accept those cases when there is a reverse, even if it doesn't match the forward?

--
Mauricio Teixeira
Sao Paulo/SP/BR
http://mteixeira.wordpress.com
mauricio.teixeira{at}gmail.com
(irc: netmask on freenode)

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-07 by Marcus Schopen

Hi,

On 2016-09-06 20:41, Mauricio Teixeira mauricio.teixeira@... 
[milter-greylist] wrote:
>>>> # Greylisting Hosts Without Reverse DNS
>>>> racl greylist domain
>>>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h
>> 
>> In my rulesets this adds a big score malus to delay longer in
>> greylists, and by the time this mail might be accepted sender may be
>> already in DNSBL.
> 
> I find it interesting that this topic just happened while I was
> scratching my head on a similar situation.
> 
> I've seen cases where the reverse does not match the forward, and
> milter-greylist is filtering them anyway. Example:
> 
> milter-reject: RCPT from unknown[203.235.210.192]: 451 4.7.1
> Greylisting in action, please come back in 00:13:18; bad reverse DNS;
> from=<blah@...> to=<blah@...> proto=ESMTP
> helo=<mymail.skcc.com [1]>
> 
> This is my rule:
> racl greylist domain
> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 120m msg
> "Greylisting in action, please come back in %R; bad reverse DNS"
> 
> 203.235.210.192 resolves to mymail.skcc.com [1]
> 
> but
> mymail.skcc.com [1] resolves to 203.235.210.190
> 
> So it seems like milter-greylist is getting confused, and thinks the
> fact that the reverse does not match the forward means there is no
> reverse.
> 
> How can I tell milter-greylist to just accept those cases when there
> is a reverse, even if it doesn't match the forward?

On Tuesday, 06.09.2016, at 15:41 -0300, Mauricio Teixeira
mauricio.teixeira@... [milter-greylist] wrote:
> 
> How can I tell milter-greylist to just accept those cases when there
> is a reverse, even if it doesn't match the forward?


I'm not sure if there is an RFC, which says forward DNS and rDNS must
match, but it's common practise for a well maintained sending host that
a lookup should be forward confirmed in result. If not, you might get tagged
as spam. Milter-greylist's result for your example IP 203.235.210.192 is
right to my mind, because 203.235.210.192 -> mymail.skcc.com ->
203.235.210.190 which doesn't match, even though there is a rDNS.

Ciao!

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-07 by Bill Levering

I also agree, this is the proper result.

Legit institutions that send mail should have their act together. (properly configured dns)

Also, if someone is running a mail server off a residential line, then they should be ashamed and or not trusted to begin with.

Bill
> On Sep 7, 2016, at 12:32 PM, Marcus Schopen lists-yahoogroups@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
> 
> Hi,
> 
> On 2016-09-06 20:41, Mauricio Teixeira mauricio.teixeira@... 
> [milter-greylist] wrote:
>>>>> # Greylisting Hosts Without Reverse DNS
>>>>> racl greylist domain
>>>>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h
>>> 
>>> In my rulesets this adds a big score malus to delay longer in
>>> greylists, and by the time this mail might be accepted sender may be
>>> already in DNSBL.
>> 
>> I find it interesting that this topic just happened while I was
>> scratching my head on a similar situation.
>> 
>> I've seen cases where the reverse does not match the forward, and
>> milter-greylist is filtering them anyway. Example:
>> 
>> milter-reject: RCPT from unknown[203.235.210.192]: 451 4.7.1
>> Greylisting in action, please come back in 00:13:18; bad reverse DNS;
>> from=<blah@...> to=<blah@...> proto=ESMTP
>> helo=<mymail.skcc.com [1]>
>> 
>> This is my rule:
>> racl greylist domain
>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 120m msg
>> "Greylisting in action, please come back in %R; bad reverse DNS"
>> 
>> 203.235.210.192 resolves to mymail.skcc.com [1]
>> 
>> but
>> mymail.skcc.com [1] resolves to 203.235.210.190
>> 
>> So it seems like milter-greylist is getting confused, and thinks the
>> fact that the reverse does not match the forward means there is no
>> reverse.
>> 
>> How can I tell milter-greylist to just accept those cases when there
>> is a reverse, even if it doesn't match the forward?
> 
> On Tuesday, 06.09.2016, at 15:41 -0300, Mauricio Teixeira
> mauricio.teixeira@... [milter-greylist] wrote:
>> 
>> How can I tell milter-greylist to just accept those cases when there
>> is a reverse, even if it doesn't match the forward?
> 
> 
> I'm not sure if there is an RFC, which says forward DNS and rDNS must
> match, but it's common practise for a well maintained sending host that
> a lookup should be forward confirmed in result. If not you might tagged
> as spam. Milter-greylist's result for your example IP 203.235.210.192 is
> right to my mind, because 203.235.210.192 -> mymail.skcc.com ->
> 203.235.210.190 which doesn't match, even though there is a rDNS.
> 
> Ciao!

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-07 by Mauricio Teixeira

I agree with you guys that the sender should be doing the right thing, but they're not, and this is only one example of a dozen I have. My only workaround so far has been to add them to the broken MTA white list, but that's a horrible solution. I would like something to accept those cases, especially because some of them are business related, and my customers are not happy about having their email being delayed. Thank you.

Mauricio Teixeira
(sent from mobile, sorry for my brevity)

On Sep 7, 2016 17:37, "Bill Levering yidbill@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:

I also agree, this is the proper result.

Legit institutions that send mail should have their act together. (properly configured dns)

Also, if someone is running a mail server off a residential line, then they should be ashamed and or not trusted to begin with.

Bill

> On Sep 7, 2016, at 12:32 PM, Marcus Schopen lists-yahoogroups@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
>
> Hi,
>
> On 2016-09-06 20:41, Mauricio Teixeira mauricio.teixeira@...
> [milter-greylist] wrote:
>>>>> # Greylisting Hosts Without Reverse DNS
>>>>> racl greylist domain
>>>>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h
>>>
>>> In my rulesets this adds a big score malus to delay longer in
>>> greylists, and by the time this mail might be accepted sender may be
>>> already in DNSBL.
>>
>> I find it interesting that this topic just happened while I was
>> scratching my head on a similar situation.
>>
>> I've seen cases where the reverse does not match the forward, and
>> milter-greylist is filtering them anyway. Example:
>>
>> milter-reject: RCPT from unknown[203.235.210.192]: 451 4.7.1
>> Greylisting in action, please come back in 00:13:18; bad reverse DNS;
>> from=<blah@...> to=<blah@...> proto=ESMTP
>> helo=<mymail.skcc.com [1]>
>>
>> This is my rule:
>> racl greylist domain
>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 120m msg
>> "Greylisting in action, please come back in %R; bad reverse DNS"
>>
>> 203.235.210.192 resolves to mymail.skcc.com [1]
>>
>> but
>> mymail.skcc.com [1] resolves to 203.235.210.190
>>
>> So it seems like milter-greylist is getting confused, and thinks the
>> fact that the reverse does not match the forward means there is no
>> reverse.
>>
>> How can I tell milter-greylist to just accept those cases when there
>> is a reverse, even if it doesn't match the forward?
>
> On Tuesday, 06.09.2016, at 15:41 -0300, Mauricio Teixeira
> mauricio.teixeira@... [milter-greylist] wrote:
>>
>> How can I tell milter-greylist to just accept those cases when there
>> is a reverse, even if it doesn't match the forward?
>
>
> I'm not sure if there is an RFC, which says forward DNS and rDNS must
> match, but it's common practise for a well maintained sending host that
> a lookup should be forward confirmed in result. If not you might tagged
> as spam. Milter-greylist's result for your example IP 203.235.210.192 is
> right to my mind, because 203.235.210.192 -> mymail.skcc.com ->
> 203.235.210.190 which doesn't match, even though there is a rDNS.
>
> Ciao!

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-07 by Jim Klimov

On 7 September 2016 22:56:42 CEST, "Mauricio Teixeira mauricio.teixeira@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
>I agree with you guys that the sender should be doing the right thing,
>but
>they're not, and this is only one example of a dozen I have. My only
>workaround so far has been to add them to the broken MTA white list,
>but
>that's a horrible solution. I would like something to accept those
>cases,
>specially because some of them are business related, and my customers
>are
>not happy about having their email being delayed. Thank you.
>
>Mauricio Teixeira
>(sent from mobile, sorry for my brevity)
>
>On Sep 7, 2016 17:37, "Bill Levering yidbill@...
>[milter-greylist]" <
>milter-greylist@yahoogroups.com> wrote:
>
>>
>>
>> I also agree, this is the proper result.
>>
>> Legit institutions that send mail should have their act together.
>> (properly configured dns)
>>
>> Also, if someone is running a mail server off a residential line,
>then
>> they should be ashamed and or not trusted to begin with.
>>
>> Bill
>>
>> > On Sep 7, 2016, at 12:32 PM, Marcus Schopen
>> lists-yahoogroups@... [milter-greylist] <
>> milter-greylist@yahoogroups.com> wrote:
>> >
>> > Hi,
>> >
>> > On 2016-09-06 20:41, Mauricio Teixeira mauricio.teixeira@...
>> > [milter-greylist] wrote:
>> >>>>> # Greylisting Hosts Without Reverse DNS
>> >>>>> racl greylist domain
>> >>>>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h
>> >>>
>> >>> In my rulesets this adds a big score malus to delay longer in
>> >>> greylists, and by the time this mail might be accepted sender may
>be
>> >>> already in DNSBL.
>> >>
>> >> I find it interesting that this topic just happened while I was
>> >> scratching my head on a similar situation.
>> >>
>> >> I've seen cases where the reverse does not match the forward, and
>> >> milter-greylist is filtering them anyway. Example:
>> >>
>> >> milter-reject: RCPT from unknown[203.235.210.192]: 451 4.7.1
>> >> Greylisting in action, please come back in 00:13:18; bad reverse
>DNS;
>> >> from=<blah@...> to=<blah@...> proto=ESMTP
>> >> helo=<mymail.skcc.com [1]>
>> >>
>> >> This is my rule:
>> >> racl greylist domain
>> >> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 120m
>msg
>> >> "Greylisting in action, please come back in %R; bad reverse DNS"
>> >>
>> >> 203.235.210.192 resolves to mymail.skcc.com [1]
>> >>
>> >> but
>> >> mymail.skcc.com [1] resolves to 203.235.210.190
>> >>
>> >> So it seems like milter-greylist is getting confused, and thinks
>the
>> >> fact that the reverse does not match the forward means there is no
>> >> reverse.
>> >>
>> >> How can I tell milter-greylist to just accept those cases when
>there
>> >> is a reverse, even if it doesn't match the forward?
>> >
>> > On Tuesday, 06.09.2016, at 15:41 -0300, Mauricio Teixeira
>> > mauricio.teixeira@... [milter-greylist] wrote:
>> >>
>> >> How can I tell milter-greylist to just accept those cases when
>there
>> >> is a reverse, even if it doesn't match the forward?
>> >
>> >
>> > I'm not sure if there is an RFC, which says forward DNS and rDNS
>must
>> > match, but it's common practise for a well maintained sending host
>that
>> > a lookup should be forward confirmed in result. If not you might
>tagged
>> > as spam. Milter-greylist's result for your example IP
>203.235.210.192 is
>> > right to my mind, because 203.235.210.192 -> mymail.skcc.com ->
>> > 203.235.210.190 which doesn't match, even though there is a rDNS.
>> >
>> > Ciao!

Well then, you have to somehow maintain a whitelist of counteragents you trust. 

I thought of having milter-greylist (or some other milter) sit on the outgoing mail and auto-whitelist in advance mail from systems to which my users send. This would help both against lags while sending to smtp-verification systems (when they try to post back and so verify the sender exists) and when getting back expected replies.

So far this did not go anywhere (lack of time) but sounds like a neat idea ;)

The best we did until now is a cvs-based management of relay configs so static whitelist of "friend" domains is kept. 

Similar things might be done dynamically with milter-greylist curl (http, ldap) interface and some other system to manage the friends (e.g. a small web-php script for your users to register who they talk to and want greylists skipped).

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-07 by Bill Levering

Mauricio,

Have you tried contacting skcc.com ? say… abuse@ or postmaster@

It is also strange that the mail is from mymail.skcc.com when the MX for skcc.com points to spmail.skcc.com.

This makes me think that whoever is sending you mail is using a ‘dial-up’ provided email address or relaying from a residential connection.

In this case (if they are not running a business), you might let them know that there is a problem with their provider and they will undoubtedly have issues sending to many other mail servers… and they should get a gmail account.

If they are running a business, then shame on them for trying to relay thru a server not for commercial use.

I’ve had some of my emails come back as ‘oh… we didn’t know any better’ and others that say ‘yeah, we don’t care’. If they don’t care… then they deserve to lose business.

And yes, I’ve had to whitelist broken servers for customers, but I also try to contact the origin. In one case I found out the client was in fact trying to avoid some restriction the provider had in place. 

Bill
> On Sep 7, 2016, at 1:56 PM, Mauricio Teixeira mauricio.teixeira@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
> 
> 
> I agree with you guys that the sender should be doing the right thing, but they're not, and this is only one example of a dozen I have. My only workaround so far has been to add them to the broken MTA white list, but that's a horrible solution. I would like something to accept those cases, specially because some of them are business related, and my customers are not happy about having their email being delayed. Thank you.
> 
> Mauricio Teixeira
> (sent from mobile, sorry for my brevity)
> 
> 
> On Sep 7, 2016 17:37, "Bill Levering yidbill@planx.com [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
>  
> I also agree, this is the proper result.
> 
> Legit institutions that send mail should have their act together. (properly configured dns)
> 
> Also, if someone is running a mail server off a residential line, then they should be ashamed and or not trusted to begin with.
> 
> Bill
> 
> > On Sep 7, 2016, at 12:32 PM, Marcus Schopen lists-yahoogroups@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
> > 
> > Hi,
> > 
> > On 2016-09-06 20:41, Mauricio Teixeira mauricio.teixeira@... 
> > [milter-greylist] wrote:
> >>>>> # Greylisting Hosts Without Reverse DNS
> >>>>> racl greylist domain
> >>>>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h
> >>> 
> >>> In my rulesets this adds a big score malus to delay longer in
> >>> greylists, and by the time this mail might be accepted sender may be
> >>> already in DNSBL.
> >> 
> >> I find it interesting that this topic just happened while I was
> >> scratching my head on a similar situation.
> >> 
> >> I've seen cases where the reverse does not match the forward, and
> >> milter-greylist is filtering them anyway. Example:
> >> 
> >> milter-reject: RCPT from unknown[203.235.210.192]: 451 4.7.1
> >> Greylisting in action, please come back in 00:13:18; bad reverse DNS;
> >> from=<blah@...> to=<blah@...> proto=ESMTP
> >> helo=<mymail.skcc.com [1]>
> >> 
> >> This is my rule:
> >> racl greylist domain
> >> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 120m msg
> >> "Greylisting in action, please come back in %R; bad reverse DNS"
> >> 
> >> 203.235.210.192 resolves to mymail.skcc.com [1]
> >> 
> >> but
> >> mymail.skcc.com [1] resolves to 203.235.210.190
> >> 
> >> So it seems like milter-greylist is getting confused, and thinks the
> >> fact that the reverse does not match the forward means there is no
> >> reverse.
> >> 
> >> How can I tell milter-greylist to just accept those cases when there
> >> is a reverse, even if it doesn't match the forward?
> > 
> > On Tuesday, 06.09.2016, at 15:41 -0300, Mauricio Teixeira
> > mauricio.teixeira@... [milter-greylist] wrote:
> >> 
> >> How can I tell milter-greylist to just accept those cases when there
> >> is a reverse, even if it doesn't match the forward?
> > 
> > 
> > I'm not sure if there is an RFC, which says forward DNS and rDNS must
> > match, but it's common practise for a well maintained sending host that
> > a lookup should be forward confirmed in result. If not you might tagged
> > as spam. Milter-greylist's result for your example IP 203.235.210.192 is
> > right to my mind, because 203.235.210.192 -> mymail.skcc.com ->
> > 203.235.210.190 which doesn't match, even though there is a rDNS.
> > 
> > Ciao!

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-07 by Mauricio Teixeira

I have contacted them, but that's not the point. They're not the first and won't be the last, and I am tired of managing an exception list. I want things more automated. But at the same time I don't want to have to remove the reverse DNS check, because that also blocks real issues.

Mauricio Teixeira
(sent from mobile, sorry for my brevity)

On Sep 7, 2016 19:46, "Bill Levering yidbill@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:

Mauricio,

Have you tried contacting skcc.com ? say… abuse@ or postmaster@

It is also strange that the mail is from mymail.skcc.com when the MX for skcc.com points to spmail.skcc.com.

This makes me think that whoever is sending you mail is using a ‘dial-up’ provided email address or relaying from a residential connection.

In this case (if they are not running a business), you might let them know that there is a problem with their provider and they will undoubtedly have issues sending to many other mail servers… and they should get a gmail account.

If they are running a business, then shame on them for trying to relay thru a server not for commercial use.

I’ve had some of my emails come back as ‘oh… we didn’t know any better’ and others that say ‘yeah, we don’t care’. If they don’t care… then they deserve to loose business.

And yes, I’ve had to whitelist broken servers for customers, but I also try to contact the origin. In one case I found out the client was in fact trying to avoid some restriction the provider had in place.

Bill

> On Sep 7, 2016, at 1:56 PM, Mauricio Teixeira mauricio.teixeira@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
>
>
> I agree with you guys that the sender should be doing the right thing, but they're not, and this is only one example of a dozen I have. My only workaround so far has been to add them to the broken MTA white list, but that's a horrible solution. I would like something to accept those cases, specially because some of them are business related, and my customers are not happy about having their email being delayed. Thank you.
>
> Mauricio Teixeira
> (sent from mobile, sorry for my brevity)
>
>
> On Sep 7, 2016 17:37, "Bill Levering yidbill@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
>
> I also agree, this is the proper result.
>
> Legit institutions that send mail should have their act together. (properly configured dns)
>
> Also, if someone is running a mail server off a residential line, then they should be ashamed and or not trusted to begin with.
>
> Bill
>
> > On Sep 7, 2016, at 12:32 PM, Marcus Schopen lists-yahoogroups@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
> >
> > Hi,
> >
> > On 2016-09-06 20:41, Mauricio Teixeira mauricio.teixeira@...
> > [milter-greylist] wrote:
> >>>>> # Greylisting Hosts Without Reverse DNS
> >>>>> racl greylist domain
> >>>>> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 1h
> >>>
> >>> In my rulesets this adds a big score malus to delay longer in
> >>> greylists, and by the time this mail might be accepted sender may be
> >>> already in DNSBL.
> >>
> >> I find it interesting that this topic just happened while I was
> >> scratching my head on a similar situation.
> >>
> >> I've seen cases where the reverse does not match the forward, and
> >> milter-greylist is filtering them anyway. Example:
> >>
> >> milter-reject: RCPT from unknown[203.235.210.192]: 451 4.7.1
> >> Greylisting in action, please come back in 00:13:18; bad reverse DNS;
> >> from=<blah@...> to=<blah@...> proto=ESMTP
> >> helo=<mymail.skcc.com [1]>
> >>
> >> This is my rule:
> >> racl greylist domain
> >> /^\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]$/ delay 120m msg
> >> "Greylisting in action, please come back in %R; bad reverse DNS"
> >>
> >> 203.235.210.192 resolves to mymail.skcc.com [1]
> >>
> >> but
> >> mymail.skcc.com [1] resolves to 203.235.210.190
> >>
> >> So it seems like milter-greylist is getting confused, and thinks the
> >> fact that the reverse does not match the forward means there is no
> >> reverse.
> >>
> >> How can I tell milter-greylist to just accept those cases when there
> >> is a reverse, even if it doesn't match the forward?
> >
> > On Tuesday, 06.09.2016, at 15:41 -0300, Mauricio Teixeira
> > mauricio.teixeira@... [milter-greylist] wrote:
> >>
> >> How can I tell milter-greylist to just accept those cases when there
> >> is a reverse, even if it doesn't match the forward?
> >
> >
> > I'm not sure if there is an RFC, which says forward DNS and rDNS must
> > match, but it's common practise for a well maintained sending host that
> > a lookup should be forward confirmed in result. If not you might tagged
> > as spam. Milter-greylist's result for your example IP 203.235.210.192 is
> > right to my mind, because 203.235.210.192 -> mymail.skcc.com ->
> > 203.235.210.190 which doesn't match, even though there is a rDNS.
> >
> > Ciao!

Re: [milter-greylist] Greylisting Hosts Without Reverse DNS doesn't work

2016-09-07 by Marcus Schopen

Hi Mauricio,

On 2016-09-08 00:48, Mauricio Teixeira mauricio.teixeira@... 
[milter-greylist] wrote:
> I have contacted them, but that's no the point. They're not the first
> and won't be the last, and I am tired of managing an exception list. I
> want things more automated. But at the same time I don't want to have
> to remove the reverse DNS check, because that also blocks real issues.

Besides the technical problem, I'm asking myself what is the benefit of an 
extra acl for not matching rDNS, especially with a longer delay than 
that for standard greylisting? If the sending host is "valid" it has 
spooling and will break through greylisting even after your 120 minutes, 
as will a sending spambot with spooling. A fire and forget sender will 
be caught by standard greylisting. So why set a longer delay for 
misconfigured forward confirmed DNS? Which brings me to the question, 
what is a good value for delaying at all?

Ciao!
Marcus
