Jeff Rife wrote:

> I'm starting down the "roll my own" greylisting track, and I'm curious
> what other people use for a netmask in comparing IP addresses in the
> list.

I use /24.

> Also, it's not hard to store the IP/from/to tuple for each connection
> in a database, but all the ideas I have for storing whitelist
> information in the database seem a bit dodgy, as all the sources of
> whitelist data use netmasks. Storing this isn't really the
> issue...it's the fact that you can't use this to directly query the
> database, and so performance can be poor.

You could do what "cidrexpand" does and expand the netmask-based whitelists to lots of individual entries. If your IP field is indexed, it shouldn't hurt to have lots (millions, even) of entries.

Our implementation matches on (ip/24, sender, recipient) where ip/24 is the first three octets of the sending relay. Once a sending relay makes it past greylisting, we add the full IP address to a "hosts_known_to_retry" table and we don't greylist hosts in that table for 40 days. Once a host retries, it'll probably keep retrying in future, so it's wasteful to greylist it.

We do our greylisting post-DATA for a number of reasons, and I was actually thinking of adding the Subject: header into the mix. I used to see spam zombies that tried 5 times, every 5 minutes, from the same IP address. They'd keep the same sender and recipient, but mutate the subject. However, I haven't seen that lately, so I guess spam technology has evolved (unlike spammers...)

-- 
David.

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
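The scheme David describes, as an added example that is not code from the thread or from MIMEDefang: a (ip/24, sender, recipient) greylist key, a "hosts_known_to_retry" table honoured for 40 days, netmask-based whitelist matching, and a cidrexpand-style expansion of a whitelist network into individual addresses. The 5-minute retry delay, the 24-hour lifetime of a pending triplet and the sample networks and addresses are constructed assumptions; the code handles IPv4 only.

```python
import ipaddress
from datetime import datetime, timedelta

GREYLIST_DELAY = timedelta(minutes=5)    # assumed: retry sooner than this is still tempfailed
GREYLIST_EXPIRE = timedelta(hours=24)    # assumed: a pending triplet is forgotten after this
KNOWN_RETRY_TTL = timedelta(days=40)     # from the message: hosts that retried skip greylisting

# Constructed whitelist (RFC 5737 documentation ranges), stored as networks.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

def cidrexpand(net):
    """Expand a network into individual host addresses, so an indexed IP
    column can be queried for equality instead of a netmask match."""
    return [str(h) for h in ipaddress.ip_network(net).hosts()]

class Greylister:
    def __init__(self):
        self.pending = {}         # (ip/24, sender, rcpt) -> first time seen
        self.known_to_retry = {}  # full IP -> time it passed greylisting

    @staticmethod
    def key(ip, sender, rcpt):
        """Greylist key: first three octets of the relay plus the envelope pair."""
        net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
        return (str(net24), sender.lower(), rcpt.lower())

    def decide(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' for one delivery attempt at time `now`."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in WHITELIST):
            return "accept"
        passed = self.known_to_retry.get(ip)
        if passed is not None and now - passed < KNOWN_RETRY_TTL:
            return "accept"                      # host retried before; don't greylist it
        k = self.key(ip, sender, rcpt)
        first = self.pending.get(k)
        if first is None or now - first > GREYLIST_EXPIRE:
            self.pending[k] = now                # new triplet: defer and start the clock
            return "tempfail"
        if now - first < GREYLIST_DELAY:
            return "tempfail"                    # retried too quickly
        self.known_to_retry[ip] = now            # record the full IP, not the /24
        del self.pending[k]
        return "accept"

def run_demo():
    """Constructed sequence: two relays in one /24, then a whitelisted host."""
    g, t0 = Greylister(), datetime(2024, 1, 1, 12, 0, 0)
    return [g.decide("203.0.113.7", "a@example.org", "b@example.net", t0),
            g.decide("203.0.113.7", "a@example.org", "b@example.net", t0 + timedelta(minutes=2)),
            g.decide("203.0.113.9", "a@example.org", "b@example.net", t0 + timedelta(minutes=10)),
            g.decide("203.0.113.9", "x@example.org", "y@example.net", t0 + timedelta(days=1)),
            g.decide("203.0.113.7", "x@example.org", "y@example.net", t0 + timedelta(days=1)),
            g.decide("192.0.2.5", "s@example.org", "r@example.net", t0)]
```

In the demo the third attempt succeeds from a different address in the same /24 because the key is /24-based, but only that exact address (203.0.113.9) enters the known-to-retry table, so the original relay is greylisted again for a new envelope pair.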

