[Greylist-users] machine gun

Paul Venezia pvenezia at jpj.net
Sat Jan 21 18:24:58 PST 2006


On Jan 21, 2006, at 4:08 PM, William Blunn wrote:

> Paul Venezia wrote:
>
>> ...or take my approach. If > 10 tempfailed messages matching the  
>> same tuple are seen in 14 minutes, that server is blocked from  
>> accessing port 25 indefinitely.
>>
>> Works great, although I have an ipf rule with >30,000 lines at the  
>> moment.
>>
>
> If I ever try to send you a message, your server will inappropriately
> block my server and give me no means to get through to postmaster at
> your domain.

I appear to have missed a modifier and omitted a zero. Insert a 'not'  
between 'messages' and 'matching'. Also, the code checks against lack  
of retries over 140 minutes. So in pseudocode, "If you've sent me >  
10 unretried messages in the past few hours and are trying to send me  
more, you're blocked". Obviously, I was more on the ball when I wrote  
that code than I was when I wrote the above sentence ;-)

Basically, anything hitting that rule would be a spambot spewing  
email via a dictionary attack, which my domain has been subjected to  
for the past few years from several spambot nets. I estimate that I  
get > 50,000 unique SMTP connections from botnet zombies per day,
including doozies like this that wind up blocked:

26000       669       32112 reset tcp from 221.234.193.167 to any 25

That IP is from somewhere in the PRC. I have thousands of examples  
just like this. Writing and implementing the auto-shunning code was  
the single most noticeable improvement on the spam issues faced by my  
domain. I have only had one false blocking event in the year I've  
been running it.

> My Exim4 server is configured to retry every minute for the first 15
> minutes, specifically to get messages delivered through greylisting
> systems as quickly as possible.

...and email from you would be accepted.

Ciao

-Paul
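
The auto-shunning logic described in the message above, as an added worked example. This is not Paul's code (his implementation and the 30,000-line rule set are not on the list); it assumes a constructed greylist event log in a `<timestamp> <event> <ip> <sender> <recipient>` format, interprets "unretried" as a tempfailed tuple with no retry seen inside the 140-minute window, and emits an ipfw-style rule line resembling the one quoted above (the `ipfw add ... reset` syntax is an assumption, not a copy of the real rule set).

```python
"""Greylist auto-shunning: block an IP that has piled up more than
THRESHOLD unretried tempfails in the last WINDOW and then connects again.
Example code written for this page, not the original poster's implementation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SHUN_THRESHOLD = 10                  # ">10 unretried messages" from the post
SHUN_WINDOW = timedelta(minutes=140)  # retry window named in the post


class Shunner:
    def __init__(self, threshold=SHUN_THRESHOLD, window=SHUN_WINDOW):
        self.threshold = threshold
        self.window = window
        # ip -> {(ip, sender, rcpt): time of first tempfail} for tuples never retried
        self.pending = defaultdict(dict)
        self.blocked = {}  # ip -> time it was shunned

    def record_tempfail(self, ts, ip, sender, rcpt):
        # Keep the first tempfail time; a repeat of the same tuple is a retry, not a new tuple.
        self.pending[ip].setdefault((ip, sender, rcpt), ts)

    def record_retry(self, ts, ip, sender, rcpt):
        # A retry of a greylisted tuple removes it from the "unretried" set.
        self.pending[ip].pop((ip, sender, rcpt), None)

    def unretried_count(self, ip, now):
        """Number of tuples tempfailed within the window and never retried."""
        cutoff = now - self.window
        live = {k: t for k, t in self.pending[ip].items() if t >= cutoff}
        self.pending[ip] = live  # expire entries older than the window
        return len(live)

    def on_connect(self, ts, ip):
        """Called at connection time; True means refuse (IP is, or becomes, shunned)."""
        if ip in self.blocked:
            return True
        if self.unretried_count(ip, ts) > self.threshold:
            self.blocked[ip] = ts
            return True
        return False

    def ipfw_rule(self, ip):
        # Assumed ipfw syntax; the post's quoted line looks like `ipfw show` output.
        return f"ipfw add reset tcp from {ip} to any 25"


def replay(log_lines, shunner):
    """Feed constructed log lines through the shunner; return refused (ts, ip) pairs.
    Every tempfail/retry event arrives over a connection, so on_connect runs first."""
    refused = []
    for line in log_lines:
        ts_s, event, ip, sender, rcpt = line.split()
        ts = datetime.fromisoformat(ts_s)
        if shunner.on_connect(ts, ip):
            refused.append((ts_s, ip))
            continue
        if event == "tempfail":
            shunner.record_tempfail(ts, ip, sender, rcpt)
        elif event == "retry":
            shunner.record_retry(ts, ip, sender, rcpt)
    return refused


BASE = datetime(2006, 1, 21, 16, 0, 0)


def build_sample_log():
    """Constructed sample: one dictionary-attack bot, one well-behaved Exim-style sender."""
    lines = []
    # Bot (RFC 5737 address): 12 distinct recipients in three minutes, never retried.
    for i in range(12):
        ts = BASE + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} tempfail 192.0.2.10 spam{i}@example.net user{i}@jpj.net")
    # ...and it comes back a few minutes later with yet another address.
    ts = BASE + timedelta(minutes=5)
    lines.append(f"{ts.isoformat()} tempfail 192.0.2.10 spam99@example.net user99@jpj.net")
    # Legitimate MTA retrying after one minute, as the Exim config in the thread does.
    ts = BASE + timedelta(minutes=1)
    lines.append(f"{ts.isoformat()} tempfail 198.51.100.7 bill@example.org postmaster@jpj.net")
    ts = BASE + timedelta(minutes=2)
    lines.append(f"{ts.isoformat()} retry 198.51.100.7 bill@example.org postmaster@jpj.net")
    lines.sort()  # ISO timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    s = Shunner()
    for ts_s, ip in replay(build_sample_log(), s):
        print(f"{ts_s} refused {ip}")
    for ip in s.blocked:
        print(s.ipfw_rule(ip))
```

With the constructed log, the bot is refused on its twelfth connection (eleven unretried tuples already pending, which is more than ten) and on every connection after that, while the sender that retries its single greylisted tuple a minute later never accumulates anything and is accepted. The only way a legitimate server trips this is by tempfailing more than ten distinct sender/recipient pairs and then abandoning all of them for over two hours before reconnecting.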

