On Tue, 25 Sep 2007 09:38:10 +0100, Craig Skinner wrote:

>Greylisting is of no use whatsoever because the servers sending the
>bounces to you are actual smtp boxes (sendmail, extrange, ....), not
>malware, so they will quickly bypass spamd. Spamd greytraps will help a
>great deal, but you say that the addresses are random.
>
I've snipped all the content (which I largely agree with) above and
below this paragraph to recount my experience which started about a
fortnight ago and ran for about a week.

Log analysis showed that there were two classes of incoming unwanted
crap.

One was bounced mail that should have been rejected as "invalid
recipient" mail at the original target. That included an mx at
aph.gov.au, the Australian Federal Parliament House. Yep, the pollies
who want ISPs to block websites on request and who spent $84mil on a
kiddie-filter that some 10-year old bypassed in ten minutes.

The others were from bots as far as I could tell but they were not
being sent by MTAs which had received them.

My defence was to write a couple of scripts. One parsed the output of
spamdb looking for GREY with sender <> and then tested the intended
recipient against the postfix valid mailbox database. If it failed then
the sender IP was added to a pf table that was outright blacklisted for
24 hours. The other script did housekeeping and added sender IPs to the
TRAPPED category in case they retried later.

The blacklist grew rapidly to over 1200 unique addresses but then
petered out after a few days and I turned off the cron jobs running the
scripts at day nine.

So greylisting/spamd did a hell of a good job for me. I would not have
been able to block traffic from all those crappily configured boxes
(MTAs mostly qmail or windows) unless I had a greylist database to scan
every few minutes.

Peter H and Beck@ know what they are doing alright and do good papers
on it.
Thanks.
R/

Me...a skeptic?  I trust you have proof.
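The check the post describes (GREY entries with a null sender whose recipient is not a valid mailbox), as an added shell example that is not the poster's script. It assumes spamdb(8) prints GREY lines as GREY|ip|helo|from|to|first|pass|expire|block|pass, uses a flat text file of valid mailboxes in place of the postfix map, and the pf table name and file path in the comments are invented.

```shell
#!/bin/sh
# Added example, not the poster's script: pick out GREY spamdb entries whose
# sender is the null envelope "<>" (a bounce) and whose recipient is not a
# valid local mailbox; those source IPs are the ones the post blacklisted.
# Assumed spamdb(8) GREY line layout (not given in the post):
#   GREY|ip|helo|from|to|first|pass|expire|block|pass
# The valid-mailbox list is a flat file, one address per line, standing in
# for the postfix mailbox map the poster queried.

# Read spamdb-format lines on stdin; print each unique source IP of a
# null-sender GREY entry whose recipient is absent from the file in $1.
bounce_offenders() {
    awk -F'|' -v valid="$1" '
        BEGIN {
            # load the valid mailbox list, lower-cased, into an array
            while ((getline line < valid) > 0) {
                sub(/[ \t]+$/, "", line)
                if (line != "") ok[tolower(line)] = 1
            }
        }
        $1 == "GREY" && $4 == "<>" {
            rcpt = tolower($5)
            sub(/^</, "", rcpt); sub(/>$/, "", rcpt)   # strip <...>
            if (!(rcpt in ok) && !seen[$2]++) print $2
        }'
}

# Constructed sample spamdb output (not real data): two bounces to made-up
# mailboxes from one host, one bounce to a real mailbox, one normal message.
sample_spamdb='GREY|192.0.2.10|mx.example.net|<>|<nobody123@example.org>|1190000000|1190000000|1190014400|1|0
GREY|192.0.2.10|mx.example.net|<>|<zzz99@example.org>|1190000000|1190000000|1190014400|1|0
GREY|198.51.100.7|relay.example.com|<>|<postmaster@example.org>|1190000000|1190000000|1190014400|1|0
GREY|203.0.113.5|host.example.com|<alice@example.com>|<bob@example.org>|1190000000|1190000000|1190014400|1|0'

# Constructed list of mailboxes postfix would accept.
sample_valid='postmaster@example.org
bob@example.org'

# Run the check over the sample. On a live box the pipeline would be
#   spamdb | bounce_offenders /etc/mail/valid-mailboxes | \
#       xargs -n1 pfctl -t bouncers -T add
# with "pfctl -t bouncers -T expire 86400" in cron to drop entries after
# 24 hours (path and table name "bouncers" are assumptions, not the post's).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$sample_valid" > "$tmp"
    printf '%s\n' "$sample_spamdb" | bounce_offenders "$tmp"
    rm -f "$tmp"
}
```

Only 192.0.2.10 comes out of the sample: the bounce to postmaster hits a real mailbox and the last entry has a real sender, so neither host is touched.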
