[Greylist-users] Adelphia vs greylisting

Tony Bunce tonyb at go-concepts.com
Mon Oct 10 23:19:04 PDT 2005


What we have done here is modify the graylisting milter so that it only
graylists if one of two conditions is met:
1: the reverse DNS hits a regular expression that is designed to match
common dynamic IP pools
2: the IP is listed in any one of several RBLs

The RBLs that we use are:
'sbl-xbl.spamhaus.org'
'combined.njabl.org'
'unconfirmed.dsbl.org'
'bl.spamcop.net'
'dnsbl.sorbs.net'
'blackholes.five-ten-sg.com'

And the regular expression is (all one line):
't-ipconnect\.de$|tisdip\.tiscali\.de$|ipt\.aol\.com$|vie\.surfer\.at$|chello|bluewin\.ch$|comcast\.net$|ameritech\.net$|pacbell\.net$|attbi\.com$|swbell\.net$|optonline\.net$|charter\.com$|hinet\.net$|\.rr\.com$|dial|dsl|cable|dyn|ppp|pool|client|dhcp|(([0-9]{1,3}[-\.])+){3}[0-9]{1,3}|[0-9]{6,12}|\.arpa$|\.it$|\.jp$|\.tw$|\.ru$|\.br$|\.hk$|^user|^host'

This prevents most legitimate email from getting delayed and still
stops a large volume of spam.

I'm sure that more spam gets past graylisting because of this but
SpamAssassin generally catches it at that point.

If you're using relaydelay.pl I can send the modified script that used the
regexp and RBLs if you want me to.

-TonyB

-----Original Message-----
From: greylist-users-bounces at lists.puremagic.com
[mailto:greylist-users-bounces at lists.puremagic.com] On Behalf Of Allan
E. Johannesen
Sent: Tuesday, October 04, 2005 3:25 PM
To: Greylisting Users and Developers Discussion
Subject: Re: [Greylist-users] Adelphia vs greylisting

>>>>> "maillist" == Dave Warren <maillist at devilsplayground.net> writes:

maillist> Allan E. Johannesen wrote:
>> Is there a list of broken MX of otherwise legitimate ISPs?  Do we all
>> discover those IPs independently?
>> 
>> 
maillist> greylisting.org has one at http://greylisting.org/whitelisting.shtml

Ok.  I grabbed that list.  However, I've run into this:

Email sent from an ebay.com email address from sending MX
smfcamppool##.emailebay.com, for ## of 01 through 20, will be tried twice at
one sending MX, and twice at a second sending MX, all at 5 second intervals
(i.e. an entire 20 seconds of 4 attempts).

Have people whitelisted these IPs?

I've noticed this:

Sep 29 14:52:15 GreyList: 209.104.63.178 ntf-9542_2-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu first
Sep 29 14:53:23 GreyList: 209.104.63.198 ntf-9542_2-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu first
Sep 29 14:55:58 GreyList: 209.104.63.182 ntf-9542_2-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu first
Sep 29 15:03:45 GreyList: 209.104.63.191 ntf-9542_2-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu first
Sep 29 15:27:04 GreyList: 209.104.63.198 ntf-9542_2-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu sending
Sep 30 02:30:38 GreyList: 209.104.63.196 ntf-9517_11-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu first
Sep 30 02:33:02 GreyList: 209.104.63.196 ntf-9517_11-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu delaying
Sep 30 02:40:14 GreyList: 209.104.63.183 ntf-9517_11-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu first
Sep 30 03:01:48 GreyList: 209.104.63.177 ntf-9517_11-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu first
Sep 30 04:01:55 GreyList: 209.104.63.196 ntf-9517_11-49378869-xxxx_=_alum.wpi.edu at reply.ticketmaster.com xxxx at alum.wpi.edu sending

Does anyone know the range of ticketmaster MX senders?  This seems pretty
sketchy as to whether the email will make it through or not.  It depends on the
random IP of the retry ending up matching a prior random IP, within the
acceptable greylist interval.
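
The selective-greylisting decision described at the top of this message (greylist only when the reverse DNS matches the regular expression or the IP is on one of the listed RBLs), as an added Python example; it is not the modified relaydelay.pl and not code from the list. The function names, the injected `listed` lookup, the handling of a missing PTR record and the sample hosts and addresses are assumptions made for illustration.

```python
import re
import socket

# Regular expression from the message, rejoined onto one line as the author specifies.
DYNAMIC_RDNS = re.compile(
    r"t-ipconnect\.de$|tisdip\.tiscali\.de$|ipt\.aol\.com$|vie\.surfer\.at$|chello|bluewin\.ch$"
    r"|comcast\.net$|ameritech\.net$|pacbell\.net$|attbi\.com$|swbell\.net$|optonline\.net$"
    r"|charter\.com$|hinet\.net$|\.rr\.com$|dial|dsl|cable|dyn|ppp|pool|client|dhcp"
    r"|(([0-9]{1,3}[-\.])+){3}[0-9]{1,3}|[0-9]{6,12}|\.arpa$"
    r"|\.it$|\.jp$|\.tw$|\.ru$|\.br$|\.hk$|^user|^host"
)
# Zone list as given in the 2005 message; confirm a zone is still operated before using it.
RBLS = [
    "sbl-xbl.spamhaus.org", "combined.njabl.org", "unconfirmed.dsbl.org",
    "bl.spamcop.net", "dnsbl.sorbs.net", "blackholes.five-ten-sg.com",
]

def rbl_query_name(ip, zone):
    """DNSBL convention for IPv4: reversed octets followed by the zone name."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def dns_listed(name):
    """Default lookup: an IP counts as listed when the query name has an A record."""
    try:
        return bool(socket.gethostbyname(name))
    except OSError:
        return False

def should_greylist(ip, rdns, listed=dns_listed):
    """Return (greylist?, reason) for a connecting IPv4 address and its PTR name."""
    # Assumption: a missing PTR is "no regex match"; names are lowercased first.
    if rdns and DYNAMIC_RDNS.search(rdns.lower()):
        return True, "rdns"
    for zone in RBLS:
        if listed(rbl_query_name(ip, zone)):
            return True, "rbl:" + zone
    return False, "none"

# Constructed sample data: documentation address ranges and made-up listings.
FAKE_LISTED = {"77.113.0.203.bl.spamcop.net"}
SAMPLES = [
    ("192.0.2.10", "host-192-0-2-10.dsl.example.net"),  # dynamic-looking PTR
    ("198.51.100.25", "mx1.example.com"),               # static relay, not listed
    ("203.0.113.77", "mail.example.org"),               # static PTR, on one RBL
    ("198.51.100.40", "smfcamppool01.emailebay.com"),   # name pattern from the quoted message
]

def classify_samples():
    return [should_greylist(ip, rdns, FAKE_LISTED.__contains__) for ip, rdns in SAMPLES]
```

The last sample shows that a host named on the smfcamppool##.emailebay.com pattern from the quoted message still matches the regular expression through its unanchored `pool` alternative, so this rule alone would not exempt it from greylisting.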


