> What about just 'kill' listing IPs that fail 10 attempts?
Some of the addresses may only appear six or seven times in a day, or even in an hour. I'm very nervous about setting the trigger too low, thus risking blocking mailing lists in the case of a customer who has changed email addresses without letting the listserver know.
greylisting is ideal for this kind of defense against low-volume msgs from a wide range of IPs.
Since these IPs are very probably compromised "subscriber" IPs (cable, dialup, dsl), they are not real MTAs but mass mailing worms, and have no facilities for defer/queue/retry (and I'm observing that some spam farms don't retry, either).
Greylisting EVERY single inbound msg kills this kind of traffic dead.
Here's the greylist report for a fairly busy IMGate machine in front of IMail:
the greylisted IPs through about 11 AM Monday:
# wc -l /var/tmp/postgrey.rpt
46551 /var/tmp/postgrey.rpt
total greylist rejects for same period:
# egrep -ic "Temporary failure of recipient account" /var/log/maillog
62853
The 16K difference is msgs that were re-tried after the greylist period and therefore were accepted, ie, real MTAs.
What do some IPs look like for the 46K? ah, our old friends on subscriber nets, world-wide:
etc, etc, etc for 46K lines, which includes 17293 greylist rejects from IPs with no PTR.
So that's 46K msgs that Imail never even sniffed. Figure about 100K greylist rejects for 24 hours. The Imail/declude machine is running MUCH better now. :))
As I predicted months ago, the amount of crap coming from subscriber IPs has been increasing to the point that I bet 99+% of all msgs from subscriber PTRs is abuse.
Len
_____________________________________________________________________
http://MenAndMice.com/DNS-training : Denver; NYC; San Jose
http://IMGate.MEIway.com : free anti-spam gateway, runs on 1000's of sites
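Added example, not part of the post above and not postgrey's own code: a minimal sketch of the greylisting decision the post relies on, keyed on the (client IP, sender, recipient) triplet. The 300-second delay, the class and function names, and the sample traffic (documentation-range IPs and example domains) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    delay: int = 300                                 # assumed wait, in seconds
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)         # triplets that retried after the delay
    deferred: int = 0                                # number of temporary (4xx) rejects given

    def check(self, now, ip, sender, rcpt):
        """Return 'accept' or 'defer' for one delivery attempt at time `now`."""
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return "accept"
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            # A real MTA queued the message and came back after the delay.
            self.passed.add(key)
            return "accept"
        self.deferred += 1
        return "defer"

    def never_passed(self):
        """Client IPs whose triplets were deferred and never retried late enough."""
        return sorted(k[0] for k in self.first_seen if k not in self.passed)


# Constructed traffic: (seconds, client IP, envelope sender, recipient).
EVENTS = [
    (0,   "192.0.2.10",   "list@lists.example.org", "user@example.com"),  # list server
    (5,   "203.0.113.77", "a@spam.example",         "user@example.com"),  # no queue
    (20,  "203.0.113.77", "a@spam.example",         "user@example.com"),  # instant re-blast
    (30,  "198.51.100.5", "b@spam.example",         "info@example.com"),  # one shot
    (900, "192.0.2.10",   "list@lists.example.org", "user@example.com"),  # queued retry
    (960, "192.0.2.10",   "list@lists.example.org", "user@example.com"),  # next list msg
]


def replay(events, delay=300):
    """Run the events through a fresh greylist and summarise the outcome."""
    gl = Greylist(delay=delay)
    verdicts = [gl.check(*e) for e in events]
    return {"verdicts": verdicts, "deferred": gl.deferred,
            "accepted": verdicts.count("accept"), "never_passed": gl.never_passed()}


if __name__ == "__main__":
    print(replay(EVENTS))
```

The list server is delayed once and then accepted on every later message, while the senders that never queue and retry stay deferred regardless of how few attempts they make.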
