Mike,

> I recently started using greylisting within Mimedefang on our relays.
> When TEMPFAIL'ed a spammer resends the same piece of mail every few
> seconds using a different IP and sender address. This continues until a
> permanent error is sent (User unknown). How do others deal with this
> tactic?
I have multiple approaches:

1. Ignore it - greylisting is doing what I intended, and when they do finally come back, I reject at the RCPT TO: stage via filter_recipient, which works out that they're trying to send to a non-existent user.

2. Firewall persistent greylist attempts which never retry the message but reconnect using a different sender/recipient pair, or systems which claim to be localhost, or which send to more than one non-existent user in a single message, or which hard fail SPF checks. I scan my logs for new greylist entries, and then also for successful connections from that sender/mailhost pair. If there are no successes within 2 days, I firewall the mailhost. I've seen a rash of systems which try 48-50 sender/recipient pairs (all different) and never come back, plus some incidents where I see 50 different hosts connect and all fail greylisting around the same time. These are fairly clearly spambot networks.

3. I refuse connections from any host which has its IP address in its reverse IP name (e.g. i219-164-64-114.s02.a018.ap.plala.or.jp = 219.164.64.114), or where the name contains a good indication of an end-user host (e.g. it contains one or more of the terms "cable", "dsl", "hsd", "dynamic", "static", "pool", etc). Basically, this is either a badly managed mail host which has a useless reverse IP entry, or a broadband host which probably shouldn't have a mail daemon running on it. This is of course fraught with issues, but since I'm doing it on a home network with 2 users, I'm fairly happy to deal with issues as they arise.

Also, note that if a system is going to retry, it will probably retry immediately and then every 5 minutes for a while. Setting your greylist timeout to 30 minutes is probably too extreme, and will penalise legitimate mail so badly that you're bound to get complaints. I have mine set for 30 seconds, which does the job on mass mailers which never retry, and allows 99.9% of mail through within a minute. I've been tempted to take it down to 2 seconds to see what happens, since legitimate mailers do sometimes retry every second for 10 seconds before they back off.

Best Wishes,
Paul.

--
MIMEDefang mailing list: http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
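Paul's third approach (refusing a client whose reverse name embeds its own IP address or carries a broadband-style term) written out as an added example. This is not code from the message or from MIMEDefang: it assumes the caller has already looked up the client's PTR record, and it checks a few more ways of embedding the address (reversed, zero-padded) than the single plala name in the message. All sample names other than that one are constructed.

```python
import ipaddress

# Substrings the message treats as signs of an end-user (broadband) host.
ENDUSER_TERMS = ("cable", "dsl", "hsd", "dynamic", "static", "pool")


def ip_name_forms(ip):
    """Common ways a provider embeds an IPv4 address in a PTR name."""
    octets = ip.split(".")
    for parts in (octets, list(reversed(octets))):
        yield ".".join(parts)                     # 219.164.64.114
        yield "-".join(parts)                     # 219-164-64-114
        yield "".join(o.zfill(3) for o in parts)  # 219164064114


def ptr_embeds_ip(ptr, ip):
    """True if the client's own address appears inside its reverse name."""
    name = ptr.lower().rstrip(".")
    return any(form in name for form in ip_name_forms(ip))


def looks_like_enduser(ptr):
    """True if the reverse name contains one of the broadband-style terms."""
    name = ptr.lower()
    return any(term in name for term in ENDUSER_TERMS)


def should_refuse(ip, ptr):
    """Apply approach 3 to one SMTP client; returns (refuse, reason).

    Only IPv4 is handled. An empty PTR (no reverse entry at all) is left
    for other checks, since the message only talks about bad names.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, ""
    if not isinstance(addr, ipaddress.IPv4Address) or not ptr:
        return False, ""
    if ptr_embeds_ip(ptr, ip):
        return True, "ip-in-ptr"
    if looks_like_enduser(ptr):
        return True, "enduser-name"
    return False, ""


if __name__ == "__main__":
    # The plala name is from the message; the other two are constructed.
    for ip, ptr in (("219.164.64.114", "i219-164-64-114.s02.a018.ap.plala.or.jp"),
                    ("198.51.100.5", "pool-5.dsl.example.net"),
                    ("203.0.113.25", "mail.example.org")):
        print(ip, ptr, should_refuse(ip, ptr))
```

As Paul says, this is a heuristic and will catch some legitimate small mail hosts; treating "ip-in-ptr" as a score input rather than an outright refusal is the usual way to soften it.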

