[Greylist-users] Greylisting is great but...
camis at mweb.co.za
Wed Dec 1 11:13:42 PST 2004
Steven Grimm wrote:
> Cami wrote:
>> Certain greylisting implementations provide automatic
>> whitelisting of MTA's when they deliver more than X
>> 'authenticated' triplets. (At least my implementation does,
>> i got the idea from Wietse Venema).
> What is a good value for X? I'm having a hard time coming up with a
> scenario where you'd want it to be greater than 1, especially if you
> don't whitelist just the sender's IP address, but rather the (IP
> address, sender domain) pair.
I already stated MTA, not triplet pair. By MTA, i refer to the
connecting ip address is what gets whitelisted.
> The one arguable scenario is where the MTA is a dialup or other dynamic
> address -- but in that case a sufficiently well-informed attacker could
> bypass greylisting anyway, by spamming from a known good sender address.
> If you assume that the average spammer doesn't keep track of which other
> domains send from his dynamic address range, then IP+domain whitelisting
> is pretty much as good as IP+sender whitelisting, with the advantage
> that you don't block messages from other addresses in the same domain.
> And it's better than IP whitelisting alone, since you *do* most likely
> block spam from the next person who gets that address. (Obviously if you
> have some way of telling that an IP address is dynamic, then you
> probably shouldn't whitelist it in the first place, but it's not always
> possible to tell.)
> Of course I'd only whitelist after a successful delivery based on
> IP+sender+recipient greylisting. It would be dumb to only look at the
> sender domain initially since lots of spammers attempt multiple messages
> with the same sender domain.
Whitelisting based on sender domain is not a wise idea, whitelisting
*known* MTA's that have X number of authenticated triplets is a good
More information about the Greylist-users