[Greylist-users] Greylisting is great but...

Steven Grimm koreth-greylist at midwinter.com
Wed Dec 1 09:33:30 PST 2004


Cami wrote:

> Certain greylisting implementations provide automatic
> whitelisting of MTAs when they deliver more than X
> 'authenticated' triplets. (At least my implementation does,
> I got the idea from Wietse Venema).

What is a good value for X? I'm having a hard time coming up with a 
scenario where you'd want it to be greater than 1, especially if you 
don't whitelist just the sender's IP address, but rather the (IP 
address, sender domain) pair.

The one arguable scenario is where the MTA is a dialup or other dynamic 
address -- but in that case a sufficiently well-informed attacker could 
bypass greylisting anyway, by spamming from a known good sender address. 
If you assume that the average spammer doesn't keep track of which other 
domains send from his dynamic address range, then IP+domain whitelisting 
is pretty much as good as IP+sender whitelisting, with the advantage 
that you don't block messages from other addresses in the same domain. 
And it's better than IP whitelisting alone, since you *do* most likely 
block spam from the next person who gets that address. (Obviously if you 
have some way of telling that an IP address is dynamic, then you 
probably shouldn't whitelist it in the first place, but it's not always 
possible to tell.)

Of course I'd only whitelist after a successful delivery based on 
IP+sender+recipient greylisting. It would be dumb to only look at the 
sender domain initially since lots of spammers attempt multiple messages 
with the same sender domain.

-Steve
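
The policy discussed in this message, as an added example that is not part of the original post or of any implementation mentioned in the thread: greylist on the (IP, sender, recipient) triplet, then whitelist the (IP, sender domain) pair once X triplets have passed. The class name, the 300-second delay and all addresses are assumptions constructed for illustration.

```python
class Greylist:
    """Triplet greylisting with auto-whitelisting of (IP, sender domain) pairs."""

    def __init__(self, delay=300, threshold=1):
        self.delay = delay            # assumed retry delay in seconds
        self.threshold = threshold    # "X": authenticated triplets needed
        self.first_seen = {}          # (ip, sender, rcpt) -> time of first attempt
        self.authenticated = {}       # (ip, domain) -> set of triplets that passed
        self.whitelist = set()        # (ip, domain) pairs that skip greylisting

    def check(self, ip, sender, rcpt, now):
        sender, rcpt = sender.lower(), rcpt.lower()
        pair = (ip, sender.rpartition("@")[2])
        if pair in self.whitelist:
            return "accept-whitelisted"
        triplet = (ip, sender, rcpt)
        first = self.first_seen.setdefault(triplet, now)
        if now - first < self.delay:
            return "defer"            # unknown or too-early retry: temporary failure
        # The triplet survived the delay: count it toward the pair's whitelist.
        passed = self.authenticated.setdefault(pair, set())
        passed.add(triplet)
        if len(passed) >= self.threshold:
            self.whitelist.add(pair)
        return "accept"


def demo(threshold):
    g = Greylist(delay=300, threshold=threshold)
    ip = "192.0.2.10"  # constructed documentation addresses throughout
    return [
        g.check(ip, "alice@example.org", "bob@example.net", 0),      # first attempt
        g.check(ip, "alice@example.org", "bob@example.net", 400),    # retry after delay
        g.check(ip, "carol@example.org", "dave@example.net", 401),   # same domain, new sender
        g.check(ip, "promo@spam.example", "bob@example.net", 402),   # same IP, other domain
        g.check("198.51.100.7", "alice@example.org", "bob@example.net", 403),  # other IP
    ]


if __name__ == "__main__":
    for x in (1, 2):
        print(x, demo(x))
```

With X = 1 the third message (another address in the already-proven domain) is accepted at once; with X = 2 it is deferred like any new triplet.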

