[Greylist-users] Greylisting is great but...
Cami
camis at mweb.co.za
Wed Dec 1 11:13:42 PST 2004
Steven Grimm wrote:
> Cami wrote:
>
>> Certain greylisting implementations provide automatic
>> whitelisting of MTAs when they deliver more than X
>> 'authenticated' triplets. (At least my implementation does;
>> I got the idea from Wietse Venema).
>
>
> What is a good value for X? I'm having a hard time coming up with a
> scenario where you'd want it to be greater than 1, especially if you
> don't whitelist just the sender's IP address, but rather the (IP
> address, sender domain) pair.
I already stated MTA, not triplet pair. By MTA, I mean that the
connecting IP address is what gets whitelisted.
> The one arguable scenario is where the MTA is a dialup or other dynamic
> address -- but in that case a sufficiently well-informed attacker could
> bypass greylisting anyway, by spamming from a known good sender address.
> If you assume that the average spammer doesn't keep track of which other
> domains send from his dynamic address range, then IP+domain whitelisting
> is pretty much as good as IP+sender whitelisting, with the advantage
> that you don't block messages from other addresses in the same domain.
> And it's better than IP whitelisting alone, since you *do* most likely
> block spam from the next person who gets that address. (Obviously if you
> have some way of telling that an IP address is dynamic, then you
> probably shouldn't whitelist it in the first place, but it's not always
> possible to tell.)
>
> Of course I'd only whitelist after a successful delivery based on
> IP+sender+recipient greylisting. It would be dumb to only look at the
> sender domain initially since lots of spammers attempt multiple messages
> with the same sender domain.
Whitelisting based on sender domain is not a wise idea; whitelisting
*known* MTAs that have X number of authenticated triplets is a good
idea.
Cami
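
A sketch of the scheme discussed in this message, added here as an example and not taken from either poster's implementation: triplets are greylisted as usual, and a connecting IP is whitelisted once X distinct triplets from it have passed. The class and function names, the 300-second delay and the sample addresses are assumptions.

```python
"""Greylisting with per-IP auto-whitelisting (added sketch; all names are hypothetical)."""

DEFER, ACCEPT = "defer", "accept"

class Greylist:
    def __init__(self, delay=300, threshold=3):
        self.delay = delay            # seconds a new triplet must wait before a retry passes
        self.threshold = threshold    # "X": authenticated triplets needed to whitelist an IP
        self.first_seen = {}          # triplet -> time of first delivery attempt
        self.authenticated = {}       # ip -> set of triplets that passed greylisting
        self.whitelist = set()        # connecting IPs that skip greylisting

    def check(self, ip, sender, rcpt, now):
        if ip in self.whitelist:
            return ACCEPT
        triplet = (ip, sender.lower(), rcpt.lower())
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen < self.delay:
            return DEFER              # first attempt, or the retry came too early
        # Retry after the delay: this triplet counts as authenticated.
        passed = self.authenticated.setdefault(ip, set())
        passed.add(triplet)
        if len(passed) >= self.threshold:
            self.whitelist.add(ip)    # whitelist the connecting IP, not the sender domain
        return ACCEPT

def replay(events, **kw):
    """Run (time, ip, sender, rcpt) events through a fresh Greylist; return verdicts and state."""
    gl = Greylist(**kw)
    return [gl.check(ip, s, r, t) for t, ip, s, r in events], gl

# Constructed sample traffic (documentation addresses from RFC 5737 / RFC 2606).
EVENTS = [
    (0,   "192.0.2.10",   "a@example.org", "u1@example.net"),  # new triplet
    (0,   "192.0.2.10",   "b@example.org", "u2@example.net"),  # new triplet
    (600, "192.0.2.10",   "a@example.org", "u1@example.net"),  # retry after delay
    (600, "192.0.2.10",   "b@example.org", "u2@example.net"),  # retry after delay
    (700, "192.0.2.10",   "c@example.org", "u3@example.net"),  # new triplet, same IP
    (700, "198.51.100.7", "a@example.org", "u1@example.net"),  # same sender, other IP
]

if __name__ == "__main__":
    verdicts, gl = replay(EVENTS, delay=300, threshold=2)
    for ev, v in zip(EVENTS, verdicts):
        print(ev, "->", v)
    print("whitelisted IPs:", sorted(gl.whitelist))
```

With X = 2 the fifth message is accepted on first attempt because its IP is already whitelisted, while the sixth, from a different IP using the same sender address, is still deferred.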