[Greylist-users] machine gun
Paul Venezia
pvenezia at jpj.net
Sat Jan 21 18:24:58 PST 2006
On Jan 21, 2006, at 4:08 PM, William Blunn wrote:
> Paul Venezia wrote:
>
>> ...or take my approach. If > 10 tempfailed messages matching the
>> same tuple are seen in 14 minutes, that server is blocked from
>> accessing port 25 indefinitely.
>>
>> Works great, although I have an ipf rule with >30,000 lines at the
>> moment.
>>
>
> If I ever try to send you a message, your server will inappropriately
> block my server and give me no means to get through to postmaster at
> your domain.
I appear to have missed a modifier and omitted a zero. Insert a 'not'
between 'messages' and 'matching'. Also, the code checks against lack
of retries over 140 minutes. So in pseudocode, "If you've sent me >
10 unretried messages in the past few hours and are trying to send me
more, you're blocked". Obviously, I was more on the ball when I wrote
that code than I was when I wrote the above sentence ;-)
Basically, anything hitting that rule would be a spambot spewing
email via a dictionary attack, which my domain has been subjected to
for the past few years from several spambot nets. I estimate that I
get > 50,000 unique SMTP connections from botnet zombies per day,
including doozies like this that wind up blocked:

26000 669 32112 reset tcp from 221.234.193.167 to any 25

That IP is from somewhere in the PRC. I have thousands of examples
just like this. Writing and implementing the auto-shunning code was
the single most noticeable improvement on the spam issues faced by my
domain. I have only had one false blocking event in the year I've
been running it.
> My Exim4 server is configured to retry every minute for the first 15
> minutes, specifically to get messages delivered through greylisting
> systems as quickly as possible.
...and email from you would be accepted.
Ciao
-Paul
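
The rule described in the message above, as an added sketch (not Paul Venezia's code, which the post does not show). The threshold of 10 and the 140-minute window come from the post; the class and function names, the 60-second greylist delay, the in-memory store and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict

# From the post: more than 10 unretried tuples, looked at over 140 minutes.
UNRETRIED_LIMIT = 10
WINDOW_SECONDS = 140 * 60
# Assumption (not from the post): minimum delay before a retry is accepted.
GREYLIST_DELAY = 60


class GreylistShunner:
    def __init__(self):
        # ip -> {(sender, recipient): [first_seen, retried]}
        self.tuples = defaultdict(dict)
        self.shunned = set()

    def unretried_count(self, ip, now):
        # Tuples this host was tempfailed on inside the window and never retried.
        return sum(1 for first_seen, retried in self.tuples[ip].values()
                   if not retried and now - first_seen <= WINDOW_SECONDS)

    def connection(self, ip, sender, recipient, now):
        """Return 'shunned', 'tempfail' or 'accept' for one delivery attempt."""
        if ip in self.shunned:
            return "shunned"
        key = (sender, recipient)
        entry = self.tuples[ip].get(key)
        if entry is not None:
            entry[1] = True  # same tuple seen again: this sender retries
            return "accept" if now - entry[0] >= GREYLIST_DELAY else "tempfail"
        # New tuple: the host is "trying to send more", so check its history.
        if self.unretried_count(ip, now) > UNRETRIED_LIMIT:
            self.shunned.add(ip)  # a deployment would add a firewall rule here
            return "shunned"
        self.tuples[ip][key] = [now, False]
        return "tempfail"


def simulate():
    g = GreylistShunner()
    # Constructed traffic. 192.0.2.10 tries a new recipient each time, no retries.
    bot = [g.connection("192.0.2.10", "x@spam.example", f"user{i}@example.org", i * 5)
           for i in range(13)]
    # 198.51.100.7 retries each message after one minute, like the quoted Exim setup.
    mta = []
    for i in range(13):
        t = i * 120
        mta.append(g.connection("198.51.100.7", "a@mta.example", f"u{i}@example.org", t))
        mta.append(g.connection("198.51.100.7", "a@mta.example", f"u{i}@example.org", t + 60))
    return bot, mta, g.shunned
```

In this sketch a tuple counts as unretried from the moment it is tempfailed, so a retrying server that opens more than 10 new tuples before its first retry would also be shunned. How the original code treats that case is not stated in the post.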