[Greylist-users] machine gun

John W. Baxter jwblist at loricamail.com
Fri Jan 20 14:16:32 PST 2006

On 1/20/06 1:08 PM, "Barb Dijker" <barb at netrack.net> wrote:

> We are starting to see more machine gun spammers.  For example,
> yesterday youngexplorerscatalog.net attempted to send a message to a
> single recipient once per second until greylisting allowed the message.
> I'm thinking about a hook to set a threshold for promoting a mail
> server to automatic temporary BL.  I've been doing this manually when
> we get hammered.  But it is happening too often anymore.  Has anyone
> done this already?  Suggestions?
> A quick peruse of the database shows a small handful of legitimate
> mail that appears to be using the machine gun approach, e.g.,  mail
> (really) from ebay that was blocked 80 or 90 times before being
> passed once.  Blackberry.com does it pretty regularly.  An att.net
> outgoing server hit almost once a second.  This sort of thing is
> killer to the server with just the connection overhead.  Our delay is
> only 4 minutes.  So if a triple has been blocked more than 48 times,
> it is trying more frequently than once ever 5 seconds.  That seems
> excessive.

First, you might as well whitelist large legitimate mail sources.  They're
going to pass greylisting eventually, so there's no point in having the
greylisting overhead on either your machine or theirs.  And, for that
matter, small neighbor ISPs, as a matter of courtesy.

We use our own code for greylisting and the necessary white listing (the
available code wasn't solid enough when we started), so I don't know about
detecting your machine-gun sites in the widely used Perl code.  Others will.


More information about the Greylist-users mailing list