* on the Tue, Jan 23, 2007 at 06:10:49PM +0800, David Woodhouse wrote:

>> Some hosts act as gateways with NAT and mail relaying. The mail relay
>> will probably retry each time. But infected windows zombies behind the
>> gateway won't all the time. I find it pretty useful to greylist for each
>> triplet (IP/from/to) as it has proven to block zombies behind gateways,
>> and not the legitimate mails.  
> Hm, that's an interesting point. I should probably use (IP,HELO) instead
> of just the IP. Using from/to addresses wouldn't be my choice.

That was a very good idea. I modified my Greylisting system yesterday to
behave that way and it works well. It's interesting how some spamming
software changes the HELO. E.g.:

mysql> SELECT ctime, CONCAT(sender_local_part,'@',sender_domain) AS sender, passed, helo FROM mail_greylist WHERE remote_addr = INET_ATON('60.51.121.230');
+---------------------+--------------------------+--------+------------------------------+
| ctime               | sender                   | passed | helo                         |
+---------------------+--------------------------+--------+------------------------------+
| 2007-01-24 04:05:18 | [EMAIL PROTECTED]        |      0 | HITAM.esevv.com              |
| 2007-01-24 04:05:41 | [EMAIL PROTECTED]        |      0 | HITAM                        |
| 2007-01-24 04:06:04 | [EMAIL PROTECTED]        |      0 | k5qx4vh.ai60zig0.comcast.net |
| 2007-01-24 04:06:25 | [EMAIL PROTECTED]        |      0 | HITAM                        |
| 2007-01-24 04:06:52 | [EMAIL PROTECTED]        |      0 | HITAM                        |
| 2007-01-24 04:07:09 | [EMAIL PROTECTED]        |      0 | HITAM.0uoe2p.org             |
| 2007-01-24 04:07:41 | [EMAIL PROTECTED]        |      0 | jeyua.5zdx2.verizon.net      |
| 2007-01-24 04:07:56 | [EMAIL PROTECTED]        |      0 | HITAM.428u0o.org             |
| 2007-01-24 04:08:11 | [EMAIL PROTECTED]        |      0 | HITAM                        |
| 2007-01-24 04:08:29 | [EMAIL PROTECTED]        |      0 | HITAM.wsiwrioe.com           |
+---------------------+--------------------------+--------+------------------------------+
10 rows in set (0.00 sec)

Mike

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users 
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
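
The keying change discussed in this thread, as an added example that is not part of the original message or of the poster's system: a minimal in-memory greylist replayed over constructed attempts from one NAT address, comparing an IP-only key with an (IP, HELO) key. The retry delay, entry lifetime, address and HELO names are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

RETRY_DELAY = timedelta(minutes=5)  # assumption: minimum wait before a retry passes
ENTRY_TTL = timedelta(hours=4)      # assumption: unconfirmed entries expire after this

def by_ip(ip, helo):
    return (ip,)

def by_ip_helo(ip, helo):
    # Hostnames are case-insensitive, so normalise the HELO before keying on it.
    return (ip, helo.strip().lower())

class Greylist:
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.first_seen = {}   # key -> time of the first deferred attempt
        self.passed = set()    # keys that came back after RETRY_DELAY

    def check(self, ip, helo, now):
        key = self.key_fn(ip, helo)
        if key in self.passed:
            return "accept"
        first = self.first_seen.get(key)
        if first is None or now - first > ENTRY_TTL:
            self.first_seen[key] = now   # new or expired key: start the clock
            return "defer"
        if now - first >= RETRY_DELAY:
            self.passed.add(key)
            return "accept"
        return "defer"                   # retried too soon

# Constructed sample: a relay with a stable HELO that retries, sharing one
# address (documentation range) with a client that rotates its HELO.
T0 = datetime(2007, 1, 24, 4, 0, 0)
ATTEMPTS = [  # (minutes after T0, remote address, HELO)
    (0,  "192.0.2.10", "mail.example.net"),   # relay, first try
    (5,  "192.0.2.10", "HOST.a1.example"),    # rotating HELO
    (6,  "192.0.2.10", "HOST"),
    (10, "192.0.2.10", "mail.example.net"),   # relay retries
    (11, "192.0.2.10", "x7.b2.example"),
    (12, "192.0.2.10", "HOST.c3.example"),
]

def replay(key_fn):
    gl = Greylist(key_fn)
    return [gl.check(ip, helo, T0 + timedelta(minutes=m)) for m, ip, helo in ATTEMPTS]

if __name__ == "__main__":
    for name, fn in (("IP only", by_ip), ("IP+HELO", by_ip_helo)):
        print(f"{name:8}", replay(fn))
```

With the IP-only key the relay's first attempt starts the clock for every client behind the address, so the rotating-HELO attempts are accepted from minute 5 onward; with the (IP, HELO) key only the relay's retry passes.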
