[Greylist-users] Re: A Greylisting idea.

Evan Harris eharris at puremagic.com
Mon Jun 23 03:18:50 PDT 2003


> I think I failed to explain exactly what I was trying to address.  I
> wasn't referring to an exception so that list messages get to bypass the
> greylist altogether.  I was just thinking that if the module sees a
> message that has been accepted (in other words, it would have already had
>...

Ahh, I think I understand now.  That would probably work.

> The real downside of this is processing time.  Mail::ListDetector requires
> a Mail::Internet or MIME::Entity object.  The former is more lightweight,
> though I'm using the latter to parse MIME email so that my body rules only

I think I'd want to try to shortcut the overhead of those modules, since
you're only interested in one small bit of info.  The method David has
suggested may work sufficiently, though I'd have to look at the traffic and
see.

> Potentially twisted idea:  If this is in fact an issue, what you should be
> able to do is add a dummy address to the recipients list the first time
> that a RCPT TO: should be temp-failed and you haven't accepted any of the
> addresses, remove the dummy address if you accept an email address
> after adding it, and then if/when the data command is sent (sendmail won't
>...

You're right, that is a twisted idea.  But it would probably work.  I'll
have to think about integrating that.  I just don't know if it's worth it.

To tell the truth I haven't really worried about it.  I've only noticed one
definite system where this happens, and that's not enough data points to draw
a conclusion.  And since the sending mailer seems to be non-RFC compliant,
I'm almost willing to assume it will either be fixed or replaced and needs
no further consideration.

> The way I was thinking of greylisting was to only track from/to/ip addr
> until the second message, and then just whitelist the IP address for all
> email, on the assumption that if it passed the MTA IQ test for one
> transaction, it would pass it for all of them, have greylisting entries
> valid for 35-45 days, and renew them whenever an email matched them.

The main problem I see with that is that it makes the problem very simple
for the spammers to work around.  Here's how they could do it:

They would try to send a single email to an address at each domain, probably
with a purely random body (in case of razor or other hashing systems) which
gets tempfailed.  Then they retry the exact same list 2 hours later, and it
gets through.  Now their IP is whitelisted, and they can happily spam anyone
at your site senseless until they happen to get blacklisted, assuming that
your site uses a blacklist.

Since they only sent one email to each domain in the first pass, they
probably haven't raised enough ire to be blacklisted yet, so you've
effectively lost the 1-hour grace period that greylisting provides.

I think that's way too much of an opening to give them.

> important.  Right now, there's almost no text words that I'm looking for
> within an email, I'm mostly looking at things that no proper MUA would
> generate, or what appears to be deliberate attempts to hide.  Several

As a side note, if spamassassin doesn't already have a comparable equivalent
for all of your tests (see http://au2.spamassassin.org/tests.html) I'd hope
you would submit a description of the unique tests to them so they can add
it.  They put a lot of work into those kinds of heuristics, and I'm all for
reusing someone else's work, assuming it covers all the needed tests.

Evan
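The point Evan makes about whitelisting the IP after a single passed retry is easiest to see by replaying the scenario against both record-keying schemes. The simulation below is an added example, not code from this thread or from any greylisting implementation; the addresses, IP and timestamps are constructed, while the 1-hour grace period and the 35-day record lifetime come from the discussion above. It shows that under classic triplet tracking a passed retry only clears that one (ip, sender, recipient) combination, so a new recipient from the same IP starts the grace period again, whereas keying the pass on the IP alone lets every later recipient through.

```python
"""Toy greylist: per-triplet records versus whitelisting the sending IP.

Added example, not code from the Greylist-users thread.  All sample
values (IP, addresses, clock times) are constructed.
"""
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Please try again later"
ACCEPT = "250 OK"

HOUR = 3600
DAY = 86400
MIN_RETRY_DELAY = 1 * HOUR      # grace period a retry must wait out
RECORD_LIFETIME = 35 * DAY      # renewed on every matching delivery


@dataclass
class Greylist:
    whitelist_ip: bool                          # False: classic triplet, True: IP-only pass
    seen: dict = field(default_factory=dict)    # triplet -> time first tempfailed
    passed: dict = field(default_factory=dict)  # key -> expiry time of the pass

    def _key(self, ip, sender, rcpt):
        # Classic greylisting remembers the full triplet; the proposal
        # discussed above collapses the pass record to the IP alone.
        return ip if self.whitelist_ip else (ip, sender, rcpt)

    def rcpt_to(self, now, ip, sender, rcpt):
        """Decide the RCPT TO response at time `now` (seconds)."""
        key = self._key(ip, sender, rcpt)
        triplet = (ip, sender, rcpt)
        expiry = self.passed.get(key)
        if expiry is not None:
            if expiry > now:
                self.passed[key] = now + RECORD_LIFETIME   # renew on use
                return ACCEPT
            # Lifetime ran out: forget the pass and any pending first-seen
            # records behind it, so the sender must pass the test again.
            del self.passed[key]
            self.seen = {t: ts for t, ts in self.seen.items()
                         if self._key(*t) != key}
        first = self.seen.get(triplet)
        if first is None:
            self.seen[triplet] = now            # first sighting: tempfail
            return TEMPFAIL
        if now - first < MIN_RETRY_DELAY:
            return TEMPFAIL                     # retried inside the grace period
        self.passed[key] = now + RECORD_LIFETIME  # genuine retry: let it through
        return ACCEPT


def run_scenario(whitelist_ip):
    """Replay the pattern from the thread and return each step's response."""
    g = Greylist(whitelist_ip=whitelist_ip)
    ip, sender = "192.0.2.10", "bulk@example.net"        # constructed values
    return {
        "first_attempt": g.rcpt_to(0, ip, sender, "alice@example.org"),
        "retry_too_soon": g.rcpt_to(10 * 60, ip, sender, "alice@example.org"),
        "retry_after_2h": g.rcpt_to(2 * HOUR, ip, sender, "alice@example.org"),
        # Same IP and sender, new recipient: only the triplet scheme makes
        # this delivery earn its own pass.
        "new_recipient": g.rcpt_to(2 * HOUR + 1, ip, sender, "bob@example.org"),
        # Well past the record lifetime the pass has to be re-earned.
        "after_expiry": g.rcpt_to(2 * HOUR + RECORD_LIFETIME + DAY,
                                  ip, sender, "alice@example.org"),
    }


if __name__ == "__main__":
    for mode, label in ((False, "triplet"), (True, "ip-whitelist")):
        print(label)
        for step, response in run_scenario(mode).items():
            print(f"  {step:16s} {response}")
```

The `new_recipient` step is the one that differs: it is tempfailed under the triplet scheme and accepted under IP whitelisting, which is exactly the opening described above. Both schemes still reject the too-early retry and make an expired sender start over.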
