better blocking at MTA level (off-topic)

Koopmann, Jan-Peter jan-peter at koopmann.eu
Sat May 26 14:04:23 IST 2007


On Saturday, May 26, 2007 10:17 AM "Koopmann, Jan-Peter"
<jan-peter at koopmann.eu> wrote: 

> The problem with greylisting as we found when we enabled it was that
> some MTAs treat a temporary reject code (450) as a permanent reject
> code (550) and our customer was complaining that they weren't getting
> email. 

I fully agree. As someone else mentioned a 451 might give better
results.

> source getting blocked and not getting through to them. Until we can
> resolve the problem without telling our customer to tell anyone
> emailing them with problems to get their MTA fixed it unfortunately
> has to be off... 

Just the same problem as I am having enforcing all the other rules.
Again: I feel with you.

> It did vastly reduce the load on our server whilst
> greylisting was active though.

Still seems to be quite effective but I suppose more and more botnets
will circumvent greylisting. Some already are.

> The hit of the first email being delayed for the 5 minutes we
> initially chose was insignificant and no-one would really notice...

Attention: Just because you choose 5 minutes does not mean there will be
a 5 minute delay. Most MTAs I know (at least old Exchange installations
and yes there are dumb people out there using Exchange as the only MTA!)
use a 15 minute retry cycle. This results in at least 15 minutes delay
if not more. And we have several clients not liking that idea. :-(
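
Added example, not part of the original message: a minimal greylist model showing why a 5-minute window becomes a 15-minute delay for a sender on a 15-minute retry cycle, and why a sender that treats the temporary reject as permanent never delivers. The class and function names, the (IP, sender, recipient) triplet key and the addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

TEMPFAIL = 451   # temporary reject, the code suggested in the thread
ACCEPT = 250


@dataclass
class Greylist:
    window: int = 300                       # seconds a new triplet is deferred
    first_seen: dict = field(default_factory=dict)

    def check(self, triplet, now):
        """Return the SMTP reply code for a delivery attempt at time `now`."""
        seen = self.first_seen.setdefault(triplet, now)
        return ACCEPT if now - seen >= self.window else TEMPFAIL


def delivery_delay(greylist, triplet, retry_offsets, honours_4xx=True):
    """Seconds until the message is accepted, or None if it never is.

    retry_offsets: retry times in seconds after the first attempt (time 0).
    honours_4xx=False models a sender that treats a 4xx reply as permanent.
    """
    for offset in [0, *retry_offsets]:
        if greylist.check(triplet, offset) == ACCEPT:
            return offset
        if not honours_4xx:
            return None           # sender gives up on the first temporary reject
    return None                   # retries ran out before the window elapsed


# Constructed sample triplet (documentation address ranges).
TRIPLET = ("192.0.2.10", "alice@example.org", "bob@example.net")

if __name__ == "__main__":
    senders = {
        "15-minute retry cycle": ([900, 1800, 2700], True),
        "fast retries":          ([60, 120, 300, 600], True),
        "4xx treated as 5xx":    ([900, 1800], False),
    }
    for name, (retries, ok) in senders.items():
        delay = delivery_delay(Greylist(window=300), TRIPLET, retries, ok)
        print(f"{name}: {'never delivered' if delay is None else f'{delay}s'}")
```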

