On 1 November 2012 12:49, Jan Stary <h...@stare.cz> wrote:
> Here is a typical host:
> WHITE|2.139.201.210|||1351517497|1351518564|1354630766|2|1
> which is 210.red-2-139-201.staticip.rima-tde.net.
> It tried to connect at Mon Oct 29 14:31:37 CET 2012,
> and got WHITE at Mon Oct 29 14:49:24 CET 2012.
>
> It is obviously a spammer:
>
> Oct 29 15:19:26 biblio smtpd[26924]: b4f049e1: from=<@>,
> relay=210.red-2-139-201.staticip.rima-tde.net [2.139.201.210],
> stat=LocalError (530 5.0.0 Recipient rejected: 7e8a5...@stare.cz)
>
> Strangely, the only occurrence of 2.139.201.210 in the last month's
> maillog is just this; that's half an hour after it got WHITE.
> What happened at Mon Oct 29 14:49:24 CET 2012 that made it WHITE?
The spammer must have successfully passed the greylisting with spamd on Mon Oct 29 14:49:24 CET 2012. The spamd setup requires at least two connections to spamd, prior to the connections being permitted to the real smtp server. This is different from the MTA-based greylisting, where mail can be delivered as soon as the second attempt. With spamd, at least three attempts are required for the initial delivery of mail, since spamd cannot hand over an existing connection to the real smtp server when the greylisting requirements are satisfied.

C.
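An added example, not from this thread: a small decoder for spamdb output lines that turns the WHITE entry quoted above into readable UTC timestamps and shows its block/pass counters, which is the quickest way to check the "two rejected connections, then a pass" sequence described in the reply. The field layout is taken from the quoted entry and from spamdb(8) as I read it (an assumption to verify against your OpenBSD version); the GREY sample line is constructed.

```python
"""Decode spamdb(8) whitelist/greylist entries and show their timeline.

Assumed field layout (check against your spamdb(8)):
  WHITE|ip|||first|pass|expire|blocked|passed
  GREY|ip|helo|from|to|first|pass|expire|blocked|passed
"""
from datetime import datetime, timezone

# Constructed sample: the first line is the entry quoted in the thread,
# the second is an invented GREY entry using documentation address space.
SAMPLE = """\
WHITE|2.139.201.210|||1351517497|1351518564|1354630766|2|1
GREY|192.0.2.10|mx.example.net|<a@example.net>|<b@stare.cz>|1351600000|1351601800|1351614400|1|0
"""

def utc_str(ts):
    """Render an epoch timestamp as UTC, so it can be compared with maillog."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def parse_entry(line):
    """Return a dict for one spamdb line, or raise on an unknown layout."""
    f = line.rstrip("\n").split("|")
    if f[0] == "WHITE" and len(f) == 9:
        helo, sender, rcpt = "", "", ""
        first, passed, expire, blocked, passes = map(int, f[4:9])
    elif f[0] == "GREY" and len(f) == 10:
        helo, sender, rcpt = f[2:5]
        first, passed, expire, blocked, passes = map(int, f[5:10])
    else:
        raise ValueError("unrecognised spamdb entry: %r" % line)
    return {
        "type": f[0], "ip": f[1], "helo": helo, "from": sender, "to": rcpt,
        "first": first, "pass": passed, "expire": expire,
        "blocked": blocked, "passed": passes,
        # seconds between the first contact and the pass timestamp
        "delay_s": passed - first,
    }

def describe(entry):
    """One-line human summary of an entry."""
    return ("%s %s first=%s pass=%s expire=%s blocked=%d passed=%d delay=%ds"
            % (entry["type"], entry["ip"], utc_str(entry["first"]),
               utc_str(entry["pass"]), utc_str(entry["expire"]),
               entry["blocked"], entry["passed"], entry["delay_s"]))

def load(text):
    """Parse every non-empty line of spamdb output."""
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

if __name__ == "__main__":
    for e in load(SAMPLE):
        print(describe(e))
```

Feed it real data with `spamdb | python3 decode.py`-style piping after swapping SAMPLE for stdin; the quoted host decodes to first contact 13:31:37 UTC, pass 13:49:24 UTC (14:49:24 CET), two blocked connections and one pass.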