[Greylist-users] Greylisting is great but...
Steven Grimm
koreth-greylist at midwinter.com
Wed Dec 1 11:45:09 PST 2004
Cami wrote:
> I already stated MTA, not triplet pair. By MTA, i refer to the
> connecting ip address is what gets whitelisted.
I was imprecise in my wording. I didn't mean most of that message to
refer to what you personally are doing in your current implementation,
but rather, to discuss what one might want to do in a greylisting
implementation in general. Sorry about that ambiguity.
> Whitelisting based on sender domain is not a wise idea, whitelisting
> *known* MTAs that have X number of authenticated triplets is a good
> idea.
Whitelisting known (to a human) MTAs is fine. But I think you need more
specificity than just the MTA if whitelisting is automatic, because of
the dynamic IP address problem.
For example, my home cable modem provider issues me a dynamic IP address
that changes infrequently (once every few months). Say I ran a mail
server there; my machine could easily send enough messages to a
greylist-enabled MTA to exceed the value of X, whatever that is. Now
what happens when my ISP gives my address to a spammer? If just my IP
address is whitelisted, that spammer gets to bypass the recipient's
greylist completely. But if instead the whitelist entry is the pair (my
IP address, my domain), the spammer will still be blocked unless he gets
my old address *and* forges mail from my domain. Still possible, but
less likely.
I agree that whitelisting a sender domain on its own, without the MTA
address, would not be a wise idea.
By the way, I'm still curious about what you (in your current
implementation) set X to, and how you arrived at that value.
-Steve
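The dynamic-IP scenario above, as an added example that is not part of the original post or of any greylisting implementation discussed in the thread: a toy greylister whose automatic whitelist is keyed either by connecting IP alone or by the pair (IP, sender domain), run through the address-reassignment case. The threshold X, the addresses and the domains are constructed assumptions.

```python
from collections import defaultdict


class Greylister:
    """Greylist whose automatic whitelist is keyed either by connecting IP
    alone or by the pair (IP, sender domain). X is the number of distinct
    triplets that must pass the greylist before the key is whitelisted."""

    def __init__(self, x, key_by_pair):
        self.x = x                              # threshold X (assumed; the post leaves it open)
        self.key_by_pair = key_by_pair
        self.deferred = set()                   # triplets seen once and told to retry
        self.passed = defaultdict(set)          # key -> triplets that completed the retry
        self.whitelist = set()

    def _key(self, ip, sender):
        domain = sender.split("@", 1)[1].lower()
        return (ip, domain) if self.key_by_pair else ip

    def check(self, ip, sender, rcpt):
        """Decide one delivery attempt: 'accept' or 'defer' (temp-fail)."""
        key = self._key(ip, sender)
        if key in self.whitelist:
            return "accept"                     # greylist bypassed entirely
        triplet = (ip, sender.lower(), rcpt.lower())
        if triplet not in self.deferred:
            self.deferred.add(triplet)
            return "defer"                      # first contact: ask the MTA to retry
        self.passed[key].add(triplet)           # retry happened: triplet authenticated
        if len(self.passed[key]) >= self.x:
            self.whitelist.add(key)
        return "accept"


def simulate(key_by_pair, x=3):
    """Steve's scenario: a home MTA earns auto-whitelisting, then its ISP
    hands the same IP to a spammer. Returns the verdicts the spammer gets."""
    g = Greylister(x=x, key_by_pair=key_by_pair)
    ip = "203.0.113.7"                          # constructed dynamic address
    for i in range(x):                          # legitimate mail, each triplet retried once
        rcpt = f"user{i}@example.net"
        assert g.check(ip, "steve@example.org", rcpt) == "defer"
        assert g.check(ip, "steve@example.org", rcpt) == "accept"
    return {
        # spammer mails from its own domain using the reassigned IP
        "new_domain": g.check(ip, "promo@spam.example", "victim@example.net"),
        # spammer also forges the old owner's domain
        "forged_domain": g.check(ip, "deals@example.org", "victim@example.net"),
    }
```

With IP-only keying both spammer attempts are accepted; with pair keying the spammer is deferred unless it also forges the old owner's domain, which is exactly the residual risk the post describes.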