dccifd / greylisting problems

John Rudd jrudd at UCSC.EDU
Sun Aug 1 01:45:59 IST 2004


<x-flowed>
On Jul 31, 2004, at 4:05 PM, Ugo Bellavance wrote:

> Matthew Henkler wrote:
>
>> I was hoping someone would be able to enlighten me as to if MailScanner
>> with SpamAssassin and DCC are able to work with the greylisting features
>> provided with DCC.
>
> I've seen a few mentions of the concept of greylist while going through
> DCC's list archive, but never really got time to investigate this
> topic.
>
> If you could tell us briefly what it does and how it is configured, we
> might be of help, and Julian could decide or not to implement a change
> to support this feature.
>

I could be wrong, but my concept of greylisting is this:

When you receive a message from a source you haven't before (for some
period of time that is at least a few hours, but probably at least a
couple days and not more than a few weeks), you reject it, and then
record the source (which is the combination of _BOTH_ IP address and
sender's email address, though I don't know if you use the envelope or
header address, or both) in your "greylist".

What happens is: if it's a legitimate sender, they'll try again in 30
minutes to 3 hours, usually.  Or at least a couple more times in the
next 3-5 days (unless they're Prodigy, who says they retry but often
don't), so the second time around that IP address/sender will be in
your greylist, and you'll accept the message.  If it's someone you talk
to a lot, then they'll always be in your greylist, and you shouldn't
end up rejecting them that often (you also record them when a message
is successful, IIRC).

If it's a spam-bot, it will probably take the rejection and throw the
message away (they don't tend to keep big queues of messages), and you
won't hear from them again.  As long as that exact combination of IP
address and sender doesn't come through again in less than your
greylist timeout period, you won't ever accept messages from that
spam-bot.


It's not perfect.  You need to come up with a timeout for entries that
is long enough such that legit sites can come back and get through, but
not so long that you might get the same spam-bot trying again.  Plus,
there is a way that I can think of for spammers to adapt to it (that I
won't go into here), but it also leads to them coming up with a good
retry period, which leads to receivers adjusting their timeouts, and so
on.  But, it is apparently a good tool.

But I think it's more of a sendmail milter type thing than a
MailScanner thing.  By the time MailScanner sees the message, it's too
late to reject it for the sender to try again later.

(meanwhile, I haven't had any spam get through my system at home since
I adopted sendmail 8.13.0, with greet delay, SBL, XBL, and connection
control; and my logs show I'm rejecting a fair share every day)

</x-flowed>
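
The greylisting decision described in the message above, sketched as an added example; it is not part of the original post and is not code from DCC, MailScanner or sendmail. The class and function names, the reply strings, the 3-day default timeout, the `min_delay` setting and the sample traffic are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 greylisted, try again later"  # constructed reply text
ACCEPT = "250 2.0.0 ok"                             # constructed reply text


@dataclass
class Greylist:
    timeout: float = 3 * 86400   # entry lifetime in seconds (assumed: 3 days)
    min_delay: float = 0.0       # assumption, not in the post: earliest accepted retry
    seen: dict = field(default_factory=dict)  # (ip, sender) -> (first_seen, last_seen)

    def check(self, ip, sender, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        key = (ip, sender)       # BOTH IP address and sender form the key
        entry = self.seen.get(key)
        if entry and now - entry[1] > self.timeout:
            entry = None         # entry aged out: treat the source as new again
        if entry is None:
            self.seen[key] = (now, now)
            return TEMPFAIL      # first contact: reject and record
        first = entry[0]
        self.seen[key] = (first, now)   # refresh so regular correspondents stay listed
        return ACCEPT if now - first >= self.min_delay else TEMPFAIL


def replay(events, **settings):
    """Run (time, ip, sender) attempts through a fresh greylist."""
    gl = Greylist(**settings)
    return [gl.check(ip, sender, t) for t, ip, sender in events]


# Constructed sample traffic (documentation IP ranges, example domains).
EVENTS = [
    (0,      "192.0.2.10",   "alice@example.org"),  # first contact
    (60,     "198.51.100.7", "bot@example.net"),    # sender that never retries
    (1800,   "192.0.2.10",   "alice@example.org"),  # retry after 30 minutes
    (1900,   "203.0.113.5",  "alice@example.org"),  # same sender, new IP
    (174600, "192.0.2.10",   "alice@example.org"),  # two days later
    (345660, "198.51.100.7", "bot@example.net"),    # back after entry expired
]

if __name__ == "__main__":
    for event, reply in zip(EVENTS, replay(EVENTS)):
        print(event, "->", reply)
```

The temporary failure has to be issued during the SMTP conversation, which is why the message places this logic in a milter rather than in MailScanner.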