[Greylist-users] Greylisting is great but...

Steven Grimm koreth-greylist at midwinter.com
Wed Dec 1 11:45:09 PST 2004

Cami wrote:

> I already stated MTA, not triplet pair. By MTA, i refer to the
> connecting ip address is what gets whitelisted.

I was imprecise in my wording. I didn't mean most of that message to 
refer to what you personally are doing in your current implementation, 
but rather, to discuss what one might want to do in a greylisting 
implementation in general. Sorry about that ambiguity.

> Whitelisting based on sender domain is not a wise idea, whitelisting
> *known* MTA's that have X number of authenticated triplets is a good
> idea.

Whitelisting known (to a human) MTAs is fine. But I think you need more 
specificity than just the MTA if whitelisting is automatic, because of 
the dynamic IP address problem.

For example, my home cable modem provider issues me a dynamic IP address 
that changes infrequently (once every few months). Say I ran a mail 
server there; my machine could easily send enough messages to a 
greylist-enabled MTA to exceed the value of X, whatever that is. Now 
what happens when my ISP gives my address to a spammer? If just my IP 
address is whitelisted, that spammer gets to bypass the recipient's 
greylist completely. But if instead the whitelist entry is the pair (my 
IP address, my domain), the spammer will still be blocked unless he gets 
my old address *and* forges mail from my domain. Still possible, but 
less likely.

I agree that whitelisting a sender domain on its own, without the MTA 
address, would not be a wise idea.

By the way, I'm still curious about what you (in your current 
implementation) set X to, and how you arrived at that value.


More information about the Greylist-users mailing list