greylisting

William Burns William.Burns at AEROFLEX.COM
Thu Mar 11 00:26:39 GMT 2004


Garry Glendown wrote:

> shrek-m at gmx.de wrote:
>
>> hi,
>>
>> http://www.net-security.org/news.php?id=4756
>> http://projects.puremagic.com/greylisting/
>>
>> comments ?
>
>
Wow. That's a really useful link. I'm going to think about setting it up.
But... I've got 3 mail servers for my domain, w/ balanced MX records so
unless there's a shared database between the machines, it'll end up
giving out up to 3 tempfails for a single triplet. (and a shared
database might be a single-point-of-failure in an environment where
redundancy is key)

> Interesting approach - only problem is it only catches spam sent
> directly to an MX by the spammer - I assume most spammers use open relay
> servers which in turn will re-try later ... :(

Good point.
But.. If MailScanner pulls data from the greylist database, it could use
that info to figure out what machines are sending it many new triplets,
and give servers a "noisy" value which could then be assigned a weight
in a SpamAssassin score.

That way, to keep a low "noise" value, a single spammer would have to
hijack a large number of "zombie" mail relays and conduct a "DDOS" style
SPAM operation. On top of that, the SPAM would have to be formatted to
get a low (pre-noise-value) score in SpamAssassin. This will become
difficult for the average spammer.

The network in one of my locations has a mail gateway that gives me a
different issue w/ this solution:
My mail server is hiding behind a McAfee e500 antivirus gateway. The
e500 MTA intercepts mail sent to the IP address of my mail server, and
"proxies" the "mail from" and "rcpt to" commands to my mail server (and
waits for success) before accepting the DATA command from a remote mail
server. So... my mail server always sees the IP address of the e500 MTA,
as opposed to the IP address of the remote MTA.
This same problem will occur whenever there's a mail gateway ahead of a
greylist-capable mail server.

-Bill
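
The "noisy" value proposed in the message above, sketched as an added example (not part of the original post, and not MailScanner or SpamAssassin code). The class name, the thresholds and the in-memory store standing in for the shared greylist database are all assumptions.

```python
import time

DELAY = 300        # assumed: seconds a new triplet must wait before it is accepted
WINDOW = 3600      # assumed: look-back window for counting new triplets per host
NOISE_STEP = 10    # assumed: unconfirmed triplets per 1.0 of extra spam score
MAX_WEIGHT = 3.0   # assumed: cap on the noise contribution to the score

class Greylist:
    """In-memory stand-in for a greylist database shared by all MX hosts."""
    def __init__(self):
        self.first_seen = {}   # triplet -> time it was first seen
        self.passed = set()    # triplets that retried after DELAY
        self.by_ip = {}        # client IP -> [(first-seen time, triplet)]

    def check(self, ip, mail_from, rcpt_to, now=None):
        """Return 'tempfail' or 'accept' for one (IP, sender, recipient) triplet."""
        now = time.time() if now is None else now
        triplet = (ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return "accept"
        seen = self.first_seen.get(triplet)
        if seen is None:
            self.first_seen[triplet] = now
            self.by_ip.setdefault(ip, []).append((now, triplet))
            return "tempfail"
        if now - seen >= DELAY:
            self.passed.add(triplet)
            return "accept"
        return "tempfail"

    def noise(self, ip, now=None):
        """Count triplets first seen from ip within WINDOW that never passed."""
        now = time.time() if now is None else now
        return sum(1 for t, trip in self.by_ip.get(ip, [])
                   if now - t <= WINDOW and trip not in self.passed)

    def noise_weight(self, ip, now=None):
        """Scale the noise count into a capped score contribution."""
        return min(MAX_WEIGHT, self.noise(ip, now) / NOISE_STEP)

def demo():
    """Constructed traffic: one sender that retries, one host spraying new triplets."""
    gl = Greylist()
    for now in (0, 400):  # first attempt, then a retry after DELAY
        gl.check("192.0.2.10", "a@example.org", "u@example.com", now=now)
    for i in range(25):   # 25 triplets from one host, none retried
        gl.check("198.51.100.7", f"x{i}@example.net", "u@example.com", now=i)
    return gl.noise_weight("192.0.2.10", 500), gl.noise_weight("198.51.100.7", 500)
```

Behind a gateway like the one described in the message, every triplet would carry the gateway's IP address, so both the greylist decision and the per-host count would collapse onto a single host.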


