[Greylist-users] greylist lib in C? + several Q's

Graham Toal gtoal at gtoal.com
Tue Aug 24 18:29:02 PDT 2004


> Check out Martin Dempsey's implementation for qmail:
> http://www.digitaleveryware.com/projects/greylisting/

Thanks.  Now, I have some more questions!  Bear with me please,
I'm still catching up...

1) what is the correct behaviour when you have multiple
"RCPT TO"s before the DATA command?  My feeling is you should
create a separate triplet for every user, independent of each
other.  Is that correct?  But what if some of the recipients
are already greylisted and others are not?  Do you decide
to either pass the mail or not, for all users, or do you
reject all recipients except one and cause the sender to
send individual copies to each person so you can make the
decision on a per user basis?  On the other hand unless
this is coming from a relay, isn't it likely to always be
good mail anyway?

2) Is there any danger in *always* doing the temporary
reject after the DATA command is complete?  I know that the
whitepaper suggests doing this only for MAIL FROM:<>
(with some hacks for broken mailers) but for my purposes
I'd rather like to do it that way all the time.  One
reason being I want to store the mail, for QA purposes,
so we can be sure that good mail has not been rejected;
another is that I'm considering greylisting *only* if it
fails a spam test - otherwise it is accepted.  This ought
to cut down the risk of delays to legitimate mail, which
appears to be a concern here.  If we do store the mail
for a certain time, waiting to see if it is resent, would
a simple hash function allow me to recognise the same
mail the next time round or does mail change in small
ways when it is resent?  (We need to recognise resent
mail in order to take it out of the store, so that any
remaining mail after the retry expiry delay must be
the spams that we rejected.)

3) Has anyone documented all the special cases and little
tweaks that different greylisting implementations have
acquired, in one place, or does everyone reinvent the wheel?!

4) What is the longest observed delay between first attempt
and the retry, for a legitimate sender?

5) What is the shortest?

6) How common is it that spammers send to the same people
from the same IP over an extended period?  (e.g. 'spam-friendly'
ISPs, rather than hacked machines)

7) Has anyone put together any sort of test harness for
QA testing a greylisting implementation?  (I'm considering doing
this too - the library will allow an arbitrary arrival time to
be entered, rather than just 'now()' - so that a long period
of activity can be simulated in seconds)

8) The whitepaper suggests storing the arrival and expiry times.
Is there a reason for storing anything other than the arrival
time?  The expiry time is calculated by a simple addition of a
constant, but if you change your policy, wouldn't you want it
to apply retroactively to all entries in your database rather than
just new ones being added?


thanks

G
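As an added illustration of the points raised in questions 1, 7 and 8 (not code from the post or from any implementation it mentions): a minimal in-memory triplet store in C that keys on (IP, MAIL FROM, RCPT TO) so each recipient is judged independently, takes the arrival time as a parameter so a harness can simulate a long period quickly, and stores only timestamps, deriving the delay and expiry from policy constants at decision time so a policy change applies to every existing entry. The function and constant names, the fixed-size table and the policy values are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Policy constants are applied when a decision is made, not stored per
 * entry, so changing them takes effect for every existing triplet. */
#define GREY_DELAY   (5 * 60)    /* seconds a sender must wait before a retry is accepted */
#define GREY_EXPIRE  (4 * 3600)  /* idle seconds after which an entry is forgotten */

enum { GREY_TEMPFAIL = 0, GREY_PASS = 1 };

typedef struct {
    char ip[46], from[128], rcpt[128];   /* the greylisting triplet */
    time_t first_seen, last_seen;        /* only timestamps are stored, no expiry */
} triplet_t;

#define MAX_TRIPLETS 64                  /* fixed in-memory table, assumed for the example */
static triplet_t db[MAX_TRIPLETS];
static int db_count;

static triplet_t *find_triplet(const char *ip, const char *from, const char *rcpt)
{
    for (int i = 0; i < db_count; i++)
        if (!strcmp(db[i].ip, ip) && !strcmp(db[i].from, from) && !strcmp(db[i].rcpt, rcpt))
            return &db[i];
    return NULL;
}

/* Decide for one (ip, from, rcpt) triplet. 'now' is passed in rather than
 * read from time(), so a test harness can replay days of traffic in seconds. */
int greylist_check(const char *ip, const char *from, const char *rcpt, time_t now)
{
    triplet_t *t = find_triplet(ip, from, rcpt);
    if (t && now - t->last_seen > GREY_EXPIRE)
        t->first_seen = now;             /* idle too long: treat as a fresh first attempt */
    if (t == NULL) {
        if (db_count >= MAX_TRIPLETS)
            return GREY_PASS;            /* table full: fail open rather than delay mail */
        t = &db[db_count++];
        snprintf(t->ip, sizeof t->ip, "%s", ip);
        snprintf(t->from, sizeof t->from, "%s", from);
        snprintf(t->rcpt, sizeof t->rcpt, "%s", rcpt);
        t->first_seen = now;
    }
    t->last_seen = now;
    /* Each recipient has its own triplet, so two RCPT TOs in one session can differ. */
    return (now - t->first_seen >= GREY_DELAY) ? GREY_PASS : GREY_TEMPFAIL;
}
```

Constructed sample traffic: a first attempt is deferred, a retry after 60 seconds is still deferred, a retry after 10 minutes passes, a second recipient from the same session is judged on its own triplet, and an entry left idle past GREY_EXPIRE starts over.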

