After cleaning my spamdb on the first of last month,
I see that there are 572 WHITE hosts now.

Only a handful of those are legitimate (my mailserver
is very low traffic, basically just mail for my family).

Looking at the logs, I see that most of them got themselves
whitelisted by actually resending within greyexp.

Here is a typical host:
WHITE|2.139.201.210|||1351517497|1351518564|1354630766|2|1
which is 210.red-2-139-201.staticip.rima-tde.net.
It tried to connect at Mon Oct 29 14:31:37 CET 2012,
and got WHITE at Mon Oct 29 14:49:24 CET 2012.
 
It is obviously a spammer:

 Oct 29 15:19:26 biblio smtpd[26924]: b4f049e1: from=<@>,
 relay=210.red-2-139-201.staticip.rima-tde.net [2.139.201.210],
 stat=LocalError (530 5.0.0 Recipient rejected: 7e8a5...@stare.cz)

Strangely, the only occurrence of 2.139.201.210 in the last month's
maillog is just this; that's half an hour after it got WHITE.
What happened at Mon Oct 29 14:49:24 CET 2012 that made it WHITE?

Anyway, it seems (some) spambots got less demented and actually do
resend, getting themselves whitelisted - thus working themselves
around the whole premise of greylisting.

Are people seeing something similar?

        Jan
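
Added example (not part of the original post): a small parser for the WHITE lines that spamdb(8) prints, showing how long each host took to get from first contact to WHITE. The `last_refresh` value assumes spamd's default whiteexp of 864 hours and that expire is set to "now + whiteexp" whenever the entry is refreshed; the names `WhiteEntry`, `parse_white` and `white_entries` are made up for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: spamd runs with its default whiteexp of 864 hours (36 days).
WHITEEXP = timedelta(hours=864)


@dataclass
class WhiteEntry:
    ip: str
    first: datetime    # time the entry was first seen
    passed: datetime   # time the entry went from GREY to WHITE
    expire: datetime   # time the entry will be removed from the database
    block: int         # connections that got a temporary failure from spamd
    passes: int        # connections seen passing to the real MTA

    @property
    def grey_delay(self) -> timedelta:
        """Time between first contact and whitelisting."""
        return self.passed - self.first

    @property
    def last_refresh(self) -> datetime:
        """Assumed moment expire was last set: expire minus whiteexp."""
        return self.expire - WHITEEXP


def _ts(field: str) -> datetime:
    """Convert an epoch-seconds field to an aware UTC datetime."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_white(line: str) -> WhiteEntry:
    """Parse one WHITE line: WHITE|ip|||first|pass|expire|block|pass."""
    fields = line.strip().split("|")
    if len(fields) != 9 or fields[0] != "WHITE":
        raise ValueError(f"not a WHITE entry: {line!r}")
    _, ip, _, _, first, passed, expire, block, passes = fields
    return WhiteEntry(ip, _ts(first), _ts(passed), _ts(expire),
                      int(block), int(passes))


def white_entries(lines):
    """Return WHITE entries from spamdb output, fastest whitelisting first."""
    entries = [parse_white(l) for l in lines if l.startswith("WHITE|")]
    return sorted(entries, key=lambda e: e.grey_delay)


if __name__ == "__main__":
    sample = ["WHITE|2.139.201.210|||1351517497|1351518564|1354630766|2|1"]
    for e in white_entries(sample):
        print(e.ip, e.grey_delay, e.last_refresh.isoformat(), e.block, e.passes)
```

For the entry quoted in the post this gives a grey delay of 0:17:47 and, under the stated assumptions, a last refresh at 14:19:26 UTC (15:19:26 CET) on Oct 29.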
