11 Oct
2017
11 Oct
'17
3:33 a.m.
The problem is that the large email purveyors like
AOL, Yahoo, Microsoft, etc,
use large server farms that balance the load between multiple hosts, so
when the mail retries it comes from different IP addresses on every retry.
Microsoft, for example, lists thousands of IP addresses as part of their
email service.
Greylisting by IP address hasn't got a chance of
working in that
environment.
When I ran my own mailserver I had greylisting that only worked by sender mail address.
Additionally, it did the usual SPF checking etc.
This did not cause the abovementioned problem, but I'm not sure it added much spam
prevention.
I had other methods to detect trojaned PCs with bad SMTP senders (e.g. doing PIPELINING
without
having negotiated it) and that was much more effective.
Rob
11 Oct
11 Oct
4:35 a.m.
New subject: greylisting on mailman (this list)
Yes, the ones that pipeline commands when they've not requested it are
typical of spammers.
I have sendmail's 'greetdelay' function enabled, which delays sending
the initial greeting herald by 5 seconds after the connection opens,
and flushes any mail where commands arrive before that time has elapsed.
This pre-greeting-flush catches one or two senders a day, presumably
spammers because they don't come back.
There are also those that connect and disconnect because they don't get
the greeting fast enough for them. The RFCs suggest that the sender
client should wait up to 3 minutes for the greeting herald but these
senders are impatient with 5 seconds.
Watching the mail logs is tedious but informative.
- Brian
On Wed, Oct 11, 2017 at 09:33:22AM +0200, Rob Janssen wrote:
When I ran my own mailserver I had greylisting that
only worked by sender mail address.
Additionally, it did the usual SPF checking etc.
This did not cause the abovementioned problem, but I'm not sure it added much spam
prevention.
I had other methods to detect trojaned PCs with bad SMTP senders (e.g. doing PIPELINING
without
having negotiated it) and that was much more effective.
Rob
2598
days inactive
2598
days old
1 comments
2 participants
participants (2)
-
Brian Kantor -
Rob Janssen