Re: spamd and google smtp ips
On 11/4/2018 3:06 PM, Mik J wrote:
> Thank you Peter for this opinion.
>
> Misc User, these gmail, live, yahoo spams you're talking about are really
> coming from IP addresses that belong to them ?
> Because on my side it seems it's not the case. In my greylist right now I
> have rosaronald70s...@gmail.com but if I check the IP that originated the
> spam it's from China Unicom Henan province network. I check a second one
> and it's also from that ISP.
>
> On the other hand if spam is coming from gmail, live, outlook we can blame
> them for not filtering out these spams and high volume sent mails. With
> google you cannot send mails to more than 500 people within 24h
>
> On Sunday, 4 November 2018 at 23:49:47 UTC+1, Misc User wrote:
>
> On 11/4/2018 2:25 PM, Mik J wrote:
> > Hello Peter,
> >
> > Thank you for this article.
> > Do you know why, and particularly Microsoft, use very random IPs to send
> > mails.
> > In that way, they make greylisting not as reliable as it should be. We
> > could all use greylisting if google or microsoft would use the same 4 or
> > 5 IPs to retry sending the mails.
> > Google and Microsoft don't help to fight against spam.
>
> In my experience Google and Microsoft are the source of most of my spam.
> About 80% of it comes from a hijacked gmail, live.com, or outlook.com
> accounts. The rest from yahoo and gmx.com addresses with a sprinkling of
> one-off spam domains making up the last percentage points.

Yep, coming from legitimate servers. All the mail I look after goes through a filter that does both a reverse-lookup of the IP address as well as a lookup of the owner for the AS number that that IP belongs to and will flag up any differences (I have a table that it uses to list what domains are owned by what corporate entities assembled from whois lookups against the domain and recording the entity). This also goes into a set of filters to flag email from domains registered within the last 30 days.

I work for an MSSP that does virtual SOC work for a lot of high profile clients where a successful piece of spam has a high chance of a massive return. I've noticed that a lot of spam will cycle through a bunch of different accounts with the accounts never being used twice for the same destination (I presume to avoid wasting time hitting personal spam filters) and will only send a few messages to the same destination domain (Probably to avoid company-wide filters). The sending account seems to also only be used to send 100 messages per day before the next account is used (At least this is what I've seen when looking at data across all clients), probably to avoid the mail providers sending limit.
Re: spamd and google smtp ips
On Sun, Nov 04, 2018 at 02:49:44PM -0800, Misc User wrote:
> On 11/4/2018 2:25 PM, Mik J wrote:
> > Hello Peter,
> >
> > Thank you for this article.
> > Do you know why, and particularly Microsoft, use very random IPs to send
> > mails.
> > In that way, they make greylisting not as reliable as it should be. We
> > could all use greylisting if google or microsoft would use the same 4 or 5
> > IPs to retry sending the mails.
> > Google and Microsoft don't help to fight against spam.
> >
>
> In my experience Google and Microsoft are the source of most of my spam.
> About 80% of it comes from a hijacked gmail, live.com, or outlook.com
> accounts. The rest from yahoo and gmx.com addresses with a sprinkling
> of one-off spam domains making up the last percentage points.

I recently learned of the Email Blocklist project,

  https://msbl.org/ebl.html

It's a DNSBL for drop boxes at GMail, etc. You query the RBL using the hash of the canonicalized sender address (e.g. Reply-To). I haven't tried it yet; am curious about false positive rate.
Re: spamd and google smtp ips
Thank you Peter for this opinion.

Misc User, these gmail, live, yahoo spams you're talking about are really coming from IP addresses that belong to them ?
Because on my side it seems it's not the case. In my greylist right now I have rosaronald70s...@gmail.com but if I check the IP that originated the spam it's from China Unicom Henan province network. I check a second one and it's also from that ISP.

On the other hand if spam is coming from gmail, live, outlook we can blame them for not filtering out these spams and high volume sent mails. With google you cannot send mails to more than 500 people within 24h

On Sunday, 4 November 2018 at 23:49:47 UTC+1, Misc User wrote:

On 11/4/2018 2:25 PM, Mik J wrote:
> Hello Peter,
>
> Thank you for this article.
> Do you know why, and particularly Microsoft, use very random IPs to send
> mails.
> In that way, they make greylisting not as reliable as it should be. We could
> all use greylisting if google or microsoft would use the same 4 or 5 IPs to
> retry sending the mails.
> Google and Microsoft don't help to fight against spam.
>

In my experience Google and Microsoft are the source of most of my spam. About 80% of it comes from a hijacked gmail, live.com, or outlook.com accounts. The rest from yahoo and gmx.com addresses with a sprinkling of one-off spam domains making up the last percentage points.
Re: spamd and google smtp ips
On 11/4/2018 2:25 PM, Mik J wrote:
> Hello Peter,
>
> Thank you for this article.
> Do you know why, and particularly Microsoft, use very random IPs to send
> mails.
> In that way, they make greylisting not as reliable as it should be. We could
> all use greylisting if google or microsoft would use the same 4 or 5 IPs to
> retry sending the mails.
> Google and Microsoft don't help to fight against spam.

In my experience Google and Microsoft are the source of most of my spam. About 80% of it comes from a hijacked gmail, live.com, or outlook.com accounts. The rest from yahoo and gmx.com addresses with a sprinkling of one-off spam domains making up the last percentage points.
Re: spamd and google smtp ips
On 11/4/18 11:25 PM, Mik J wrote:
> Do you know why, and particularly Microsoft, use very random IPs to send
> mails.
> In that way, they make greylisting not as reliable as it should be. We could
> all use greylisting if google or microsoft would use the same 4 or 5 IPs to
> retry sending the mails.
> Google and Microsoft don't help to fight against spam.

The larger providers such as the ones you mention seem to have concluded that they need to send their mail from a large number of different IP addresses.

As long as they actually use only addresses they have published as valid senders via their SPF info, we can let them bypass greylisting as described in the article (or referenced material) and determining whether any given message was spam becomes the task of other software such as your favorite content filtering.

I would personally have preferred a clarification of the retry requirement to specify 'retry from the same IP address', which would have made greylisting *a lot* easier, but unfortunately that did not happen (cf https://bsdly.blogspot.com/2008/10/ietf-failed-to-account-for-greylisting.html).

Cheers,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd and google smtp ips
Hello Peter,

Thank you for this article.
Do you know why, and particularly Microsoft, use very random IPs to send mails.
In that way, they make greylisting not as reliable as it should be. We could all use greylisting if google or microsoft would use the same 4 or 5 IPs to retry sending the mails.
Google and Microsoft don't help to fight against spam.

On Sunday, 4 November 2018 at 21:56:35 UTC+1, Peter N. M. Hansteen wrote:

A final followup on this issue - I wrote a (relatively) short piece on greylisting vs domains with multiple outbound SMTP servers, which includes the little script I use to create a nospamd from a list of domains, of course by feeding to 'smtpctl spf walk'.

You can find the article at https://bsdly.blogspot.com/2018/11/goodness-enumerated-by-robots-or.html - TL;DR: don't download *my* nospamd, use smtpctl to generate your own :)

All the best,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd and google smtp ips
A final followup on this issue - I wrote a (relatively) short piece on greylisting vs domains with multiple outbound SMTP servers, which includes the little script I use to create a nospamd from a list of domains, of course by feeding to 'smtpctl spf walk'.

You can find the article at https://bsdly.blogspot.com/2018/11/goodness-enumerated-by-robots-or.html - TL;DR: don't download *my* nospamd, use smtpctl to generate your own :)

All the best,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd and google smtp ips
On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
>
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
>
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.

I've replaced the manually maintained list with a generated one - basically what you'll find at that URL now is the result of running 'smtpctl spf walk' over a list of interesting domains. I run this now at quasi-random intervals at bsdly.net.

I took a look at the old list over last few days and did find some odd sediments such as addresses that no longer had a reverse lookup. I've preserved the old sedimentary collection at https://www.bsdly.net/~peter/nospamd.preserved_20181103.txt for reference.

The file at https://www.bsdly.net/~peter/nospamd is now the generated version, without those artifacts. The script that generates the new version provides information about the domains in a more consistent fashion.

The script is as you can imagine truly trivial (you should be able to recreate it from just reading the output), but I might put it somewhere accessible if there's interest (or if I can make a writeup that I can make interesting enough to accompany it).

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd and google smtp ips
On 30/10/2018 at 23:39, Stuart Henderson wrote:
> I haven't run spamd myself for years, I got fed up with delayed and lost
> mails.

Thanks. That was probably the tipping comment for me - I decided to search for alternative spam protection.

It's the lost e-mails being the thing I cannot afford and in absence of *reliable* whitelist, I decided not to go this route.

Best regards,
Chris
Re: spamd and google smtp ips
On 31.10.2018 17:09, Kevin Chadwick wrote:
> On 10/30/18 8:05 PM, Mario Theodoridis wrote:
>> I ran into this problem as well.
>> I ended up writing a script that parses the SPF entries out of the
>> greylist and if reasonable, whitelists those ranges and removes the grey
>> list entries. It runs every 15 minutes.
>
> smtpctl now has an spf walk function that may shorten your script?

Thanks Kevin. That'd be one less wheel to invent.

--
Mit freundlichen Grüßen/Best regards
Mario Theodoridis
Re: spamd and google smtp ips
On 10/30/18 8:05 PM, Mario Theodoridis wrote:
> I ran into this problem as well.
> I ended up writing a script that parses the SPF entries out of the greylist
> and if reasonable, whitelists those ranges and removes the grey
> list entries. It runs every 15 minutes.

smtpctl now has an spf walk function that may shorten your script?
Re: spamd and google smtp ips
On 30.10.2018 20:46, Chris Narkiewicz wrote:
> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
>
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
>
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.

I ran into this problem as well.
I ended up writing a script that parses the SPF entries out of the greylist and if reasonable, whitelists those ranges and removes the grey list entries. It runs every 15 minutes.

This works with the following rules

pass in quick on $extIf proto tcp from to $pubIp port smtp \
    rdr-to $mailsrv
pass in quick on $extIf proto tcp from ! to $pubIp port smtp \
    rdr-to 127.0.0.1 port $spamdPort

The trapping function when it goes to the wrong recipient works for me and probably does not scale.

The spamdb -Gd calls to remove the greylist entries are something i patched into spamd, but it seems that functionality has somehow made it into the regular binary.

The script is fairly debugged and has run for me over a year with good results, but seriously lacks tests of any kind.

Your mileage may vary.

--
Mit freundlichen Grüßen/Best regards
Mario Theodoridis

#!/usr/bin/env python2.7
import subprocess, traceback, os, re, sys, time
import dns.resolver, dns.name, dns.exception
import socket,struct

def doLog(msg, caller=2):
    debugLog = '/var/log/scanSpam.log'
    stk = traceback.extract_stack()
    orig = ''
    for i in range(0, len(stk)-caller):
        if stk[i][3] == None:
            orig += '__main__:'
        else:
            orig += stk[i][3] + ':'
    x = stk[-caller][1]
    out = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()) + ' ' + msg \
        + ' STACK[' + orig + str(x) + ']\n'
    wh = open(debugLog, 'a')
    wh.write(out)
    wh.close()

def run(command, caller=3):
    """
    run(command) -> (returncode, stdout, stderr)
    Runs the given command in the shell and returns the output and return code
    """
    proc = subprocess.Popen(command, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, shell=True)
    (out, err) = proc.communicate()
    doLog("COM:[" + command + "] RC:[" + str(proc.returncode) + "] OUT:[" \
        + out.strip() + "] ERR:[" + err.strip() + "]", caller)
    return (proc.returncode, out, err)

def makeMask(n):
    "return a mask of n bits as a long integer"
    return (2L< 1:
        try:
            mask = int(pcs[1])
        except ValueError:
            mask = 32
    else:
        mask = 32
    return (ip, mask)

def addressInNet(ip, net_n_bits):
    ipaddr = struct.unpack('>L', socket.inet_aton(ip))[0]
    net, bits = getIpNetMask(net_n_bits)
    netaddr = struct.unpack('>L', socket.inet_aton(net))[0]
    netmask = (1 << 32) - (1 << 32 - bits)
    return ipaddr & netmask == netaddr & netmask

def getIplist(dName, ipl, isRecursive=False):
    global recursions, hosts
    domain = dName.to_text()
    if hosts.has_key(domain):
        doLog("Ignoring duplicate domain {0:s}".format(domain))
        return
    hosts[domain] = True
    recursions += 1
    if recursions > 50:
        doLog("Over {0:d} recursions, quitting".format(recursions))
        return
    try:
        answers = dns.resolver.query(dName, 'TXT')
    except dns.exception.DNSException:
        if len(dName.labels) > 3:
            p = dName.parent()
            getIplist(p, ipl)
        return
    for data in answers:
        for txt in data.strings:
            doLog("recursion {0:d} queried [{1:s}]".format(recursions, txt))
            f = txt.split(' ')
            if re.match('v=spf1', f[0].strip()):
                parseSpf(f[1:], ipl, dName)

def getARecord(dName, ipl, subnet=''):
    try:
        answers = dns.resolver.query(dName, 'A')
    except dns.exception.DNSException:
        return
    for data in answers:
        ipl.append(data.address+subnet)

def getMxRecord(dName, ipl, subnet=''):
    try:
        answers = dns.resolver.query(dName, 'MX')
    except dns.exception.DNSException:
        return
    for data in answers:
        mx = data.exchange.to_text()
        if re.match('^[\d\.]{7,15}$', mx):
            ipl.append(mx+subnet)
            continue
        getARecord(mx, ipl, subnet)

def parseSpf(fields, ipl, dName):
    for fld in fields:
        doLog('parsing [{0:s}]'.format(fld))
        kv = fld.split(':')
        key = kv[0].strip()
        m = re.search('^(a|mx)(/|:|$)', key)
        if m:
            type = m.group(1)
            if type == 'a':
                getter = getARecord
            else:
                getter = getMxRecord
            cdr = key.split('/')
            if len(cdr) == 2:
                # a/24
                getter(dName, ipl, '/'+cdr[1])
Re: spamd and google smtp ips
* Stuart Henderson on [30-10-2018 23:39:23 +]:
> On 2018-10-30, Chris Narkiewicz wrote:
> > Hi,
> >
> > I'm configuring spamd and I noticed that when I send an e-mail from
> > GMail, each time the e-mail is submitted by a different IP address.
> >
> > Here is spamdb output after sending a test email to myself:
> >
> > GREY|209.85.219.182|mail-yb1-f182.google.com|...
> > GREY|209.85.219.177|mail-yb1-f177.google.com|...
> > GREY|209.85.219.176|mail-yb1-f176.google.com|...
> > GREY|209.85.219.172|mail-yb1-f172.google.com|...
> > GREY|209.85.219.180|mail-yb1-f180.google.com|...
> > GREY|209.85.219.175|mail-yb1-f175.google.com|...
> > GREY|209.85.219.173|mail-yb1-f173.google.com|...
> > GREY|209.85.219.179|mail-yb1-f179.google.com|...
> > GREY|209.85.208.46|mail-ed1-f46.google.com|...
> > GREY|209.85.161.52|mail-yw1-f52.google.com|...
> > ... snip ...
> >
> > Of course they are not whitelisted, as each submission
> > attempt is done by a different node and I guess google has A LOT of
> > them. I see 2 issues with that:
> >
> > 1) e-mail delivery takes a lot of time (as google uses exponential
> > backoff and stops frequent retries after few failures)
> >
> > 2) whitelisted IPs are more likely being expired, as my server is
> > not getting a lot of gmail traffic
> >
> > I suppose different big e-mail providers will
> > have similar issues.
> >
> > I'm also running BGP server to download a whitelist,
> > but it does not contain google servers.
> >
> > Are there any solutions get around this problem? Ideally I'd like
> > to just whitelist reputable mail providers as I see little chance
> > that any spammer will outsmart Google/Yahoo/Microsoft/etc.

To solve this problem, I use two methods :

## whitelist from bsdly.net (thanks again peter : )

In /etc/pf.conf

    table persist file "/etc/mail/nospamd"
    pass in on egress proto tcp from to any port smtp

In /etc/weekly.local :

    echo "update nospamd file"
    ftp -o /etc/mail/nospamd http://www.bsdly.net/~peter/nospamd

## whitelist from spf walk :

In /etc/mail/spamd.conf :

    all:\
        :nixspam:bgp-spamd:bsdlyblack:whitelist:
    ...
    whitelist:\
        :white:\
        :method=file:\
        :file=/etc/mail/whitelist.txt

In /etc/weekly.local :

    /usr/local/bin/domain-white-spamd

In /usr/local/bin/domain-white-spamd, adjust with domains you need :

    TMP=$(mktemp)
    WHITELIST=/etc/mail/whitelist.txt
    DOMAINS='outlook.com
    gmail.com
    google.com
    hotmail.com
    yahoo.com
    yahoo.fr
    live.fr
    mail-out.ovh.net
    mxb.ovh.net
    gandi.net
    laposte.net
    github.com
    protonmail.com
    '
    for d in $DOMAINS; do
        echo "$d" | smtpctl spf walk >> "$TMP"
    done
    mv "$TMP" "$WHITELIST"
    exit 0

--
thuban
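The approach described in Mario Theodoridis's and thuban's messages, as an added example that is not code from any poster, from smtpd or from spamd: walk a domain's SPF includes, keep only pass-qualified ip4/ip6 networks that are not over-broad, and report which GREY entries fall inside them. The TXT records, spamdb lines, domain names and the `MIN_PREFIX` thresholds are constructed assumptions; `a`/`mx` mechanisms are not resolved.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation names/ranges).
TXT = {
    "bigmail.example": ["v=spf1 include:_spf.bigmail.example ~all"],
    "_spf.bigmail.example": ["v=spf1 include:_nb1.bigmail.example "
                             "include:_nb2.bigmail.example ~all"],
    "_nb1.bigmail.example": ["v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/25 ~all"],
    # _nb2 includes the top-level name again: a loop the walker must survive
    "_nb2.bigmail.example": ["v=spf1 ip6:2001:db8:4000::/36 "
                             "include:bigmail.example ~all"],
    "sloppy.example": ["v=spf1 ip4:192.0.0.0/3 ip4:192.0.2.16 -ip4:192.0.2.99 -all"],
}

# Constructed spamdb-style lines; only fields 1-2 (type, source IP) are used.
SPAMDB = """\
GREY|198.51.100.182|mail-a182.bigmail.example|<alice@bigmail.example>|<me@rcpt.example>|1541370000|1541371500|1541384400|1|0
GREY|198.51.100.177|mail-a177.bigmail.example|<alice@bigmail.example>|<me@rcpt.example>|1541370300|1541371800|1541384700|1|0
GREY|203.0.113.46|mail-b46.bigmail.example|<alice@bigmail.example>|<me@rcpt.example>|1541370900|1541372400|1541385300|1|0
GREY|203.0.113.200|dsl-200.isp.example|<rosa@bigmail.example>|<me@rcpt.example>|1541371000|1541372500|1541385400|1|0
WHITE|198.51.100.9|||1541300000|1541301500|1544412000|2|5
"""

MAX_LOOKUPS = 10              # walk budget, modelled on RFC 7208's lookup limit
MIN_PREFIX = {4: 16, 6: 32}   # assumed policy: refuse broader networks

def spf_walk(domain, resolve=TXT.get, state=None):
    """Return (networks, rejected_terms) reachable from domain's SPF record."""
    state = state if state is not None else {"seen": set(), "lookups": 0}
    nets, rejected = set(), []
    domain = domain.lower().rstrip(".")
    if domain in state["seen"]:
        return nets, rejected                 # include loop or duplicate
    state["seen"].add(domain)
    state["lookups"] += 1
    if state["lookups"] > MAX_LOOKUPS:
        raise RuntimeError("SPF lookup limit exceeded at " + domain)
    for record in resolve(domain) or []:
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue
        for term in terms[1:]:
            if term[0] in "-~?":
                continue                      # only pass-qualified terms count
            name, _, value = term.lstrip("+").lower().partition(":")
            if name.startswith("redirect="):
                name, value = "include", name[len("redirect="):]
            if name in ("ip4", "ip6"):
                try:
                    net = ipaddress.ip_network(value, strict=False)
                except ValueError:
                    rejected.append(term)
                    continue
                if net.prefixlen < MIN_PREFIX[net.version]:
                    rejected.append(term)     # too broad to bypass greylisting
                else:
                    nets.add(net)
            elif name == "include" and value:
                sub_nets, sub_rejected = spf_walk(value, resolve, state)
                nets |= sub_nets
                rejected += sub_rejected
            # a, mx, exists and ptr need further DNS queries; not resolved here
    return nets, rejected

def greylist_hits(spamdb_text, nets):
    """Return GREY source IPs that fall inside any network in nets."""
    hits = set()
    for line in spamdb_text.splitlines():
        fields = line.split("|")
        if len(fields) < 2 or fields[0] != "GREY":
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        if any(ip.version == n.version and ip in n for n in nets):
            hits.add(ip)
    return [str(i) for i in sorted(hits, key=lambda i: (i.version, int(i)))]

if __name__ == "__main__":
    networks, refused = spf_walk("bigmail.example")
    print(sorted(map(str, networks)), refused)
    print(greylist_hits(SPAMDB, networks))
```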
Re: spamd and google smtp ips
On Tue, 30 Oct 2018 18:54:43 + Chris Narkiewicz wrote:
> Are there any solutions get around this problem? Ideally I'd like
> to just whitelist reputable mail providers ...

Yes Chris, see: http://web.Britvault.Co.UK/products/ungrey-robins/

Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7
Re: spamd and google smtp ips
On 2018-10-30, Chris Narkiewicz wrote:
> Hi,
>
> I'm configuring spamd and I noticed that when I send an e-mail from
> GMail, each time the e-mail is submitted by a different IP address.
>
> Here is spamdb output after sending a test email to myself:
>
> GREY|209.85.219.182|mail-yb1-f182.google.com|...
> GREY|209.85.219.177|mail-yb1-f177.google.com|...
> GREY|209.85.219.176|mail-yb1-f176.google.com|...
> GREY|209.85.219.172|mail-yb1-f172.google.com|...
> GREY|209.85.219.180|mail-yb1-f180.google.com|...
> GREY|209.85.219.175|mail-yb1-f175.google.com|...
> GREY|209.85.219.173|mail-yb1-f173.google.com|...
> GREY|209.85.219.179|mail-yb1-f179.google.com|...
> GREY|209.85.208.46|mail-ed1-f46.google.com|...
> GREY|209.85.161.52|mail-yw1-f52.google.com|...
> ... snip ...
>
> Of course they are not whitelisted, as each submission
> attempt is done by a different node and I guess google has A LOT of
> them. I see 2 issues with that:
>
> 1) e-mail delivery takes a lot of time (as google uses exponential
> backoff and stops frequent retries after few failures)
>
> 2) whitelisted IPs are more likely being expired, as my server is
> not getting a lot of gmail traffic
>
> I suppose different big e-mail providers will
> have similar issues.
>
> I'm also running BGP server to download a whitelist,
> but it does not contain google servers.
>
> Are there any solutions get around this problem? Ideally I'd like
> to just whitelist reputable mail providers as I see little chance
> that any spammer will outsmart Google/Yahoo/Microsoft/etc.

Opinions definitely vary, but my 2p: I haven't run spamd myself for years, I got fed up with delayed and lost mails.

My opinion is that unless you have a really busy mail system behind spamd you're unlikely to get a good set of hosts kept in the whitelist without a bunch of work.

It's not just office365 and gmail (which are a pain but can be mostly dealt with by iterating through SPF records and figuring out the addresses of the outgoing mail servers), it's also "transactional" email. Password resets, email address verification, information about orders, tickets, etc. In the past I've particularly noticed this as a problem on mail sent directly from webservers which are often quite poorly setup, sometimes they haven't retried at all, sometimes they've been on a VERY slow retry schedule. Funnily enough the majority of spam that makes it to my inbox is received forwarded from a box that *is* running spamd. Maybe spamd would stop some junk but I get the impression it's likely to be junk that would be fairly easily blockable by other methods anyway and the pain isn't worth it for me.
Re: spamd and google smtp ips
On 30.10.2018 13:59, Peter N. M. Hansteen wrote:
> On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
>> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>>> man pages) is for.
>>>
>>> To some extent it helps to whitelist IP addresses and networks that
>>> domains list in their SPF info.
>>
>> Yeah, I hoped there are some reputable sources of validated mail
>> sources based on SPF and DKIM.
>>
>> I'll give a try to your compiled list, but the fact you maintain
>> it manually is a bit discouraging.
>
> Fortunately MX records and by extension SPF info per domain changes
> infrequently enough that a semi-manually maintained list will be mostly
> right, most of the time.
>
> But you're right in principle -- I *should* really take the time out to
> recreate the list of domains that went into it and just re-generate with
> smtpctl spf walk something like once per day or once per week.
>
> All the best,
> Peter

I regenerate once an hour at least and still get burned by some major domains changing SPF IP's constantly. It's pretty frustrating, but once you get an update process in place it settles down and doesn't require much handholding.

Thanks
Scott
Re: spamd and google smtp ips
On Tue, Oct 30, 2018 at 08:59:07PM +0100, Peter N. M. Hansteen wrote:
> On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> > On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
> >> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
> >> man pages) is for.
> >>
> >> To some extent it helps to whitelist IP addresses and networks that
> >> domains list in their SPF info.
> >
> > Yeah, I hoped there are some reputable sources of validated mail
> > sources based on SPF and DKIM.
> >
> > I'll give a try to your compiled list, but the fact you maintain
> > it manually is a bit discouraging.
>
> Fortunately MX records and by extension SPF info per domain changes
> infrequently enough that a semi-manually maintained list will be mostly
> right, most of the time.
>
> But you're right in principle -- I *should* really take the time out to
> recreate the list of domains that went into it and just re-generate with
> smtpctl spf walk something like once per day or once per week.
>

Like this ?

  https://github.com/Mailbrix/lists

:-)

--
Gilles Chehade
https://www.poolp.org @poolpOrg
Re: spamd and google smtp ips
On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
>
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
>
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.

Fortunately MX records and by extension SPF info per domain changes infrequently enough that a semi-manually maintained list will be mostly right, most of the time.

But you're right in principle -- I *should* really take the time out to recreate the list of domains that went into it and just re-generate with smtpctl spf walk something like once per day or once per week.

All the best,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: spamd and google smtp ips
On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
> man pages) is for.
>
> To some extent it helps to whitelist IP addresses and networks that
> domains list in their SPF info.

Yeah, I hoped there are some reputable sources of validated mail sources based on SPF and DKIM.

I'll give a try to your compiled list, but the fact you maintain it manually is a bit discouraging.

Best regards,
Chris
Re: spamd and google smtp ips
On 10/30/18 7:54 PM, Chris Narkiewicz wrote:
> Hi,
>
> I'm configuring spamd and I noticed that when I send an e-mail from
> GMail, each time the e-mail is submitted by a different IP address.

yes, a well-known problem, and it's what nospamd (hinted at in the spamd man pages) is for.

To some extent it helps to whitelist IP addresses and networks that domains list in their SPF info.

Feeding interesting domains into smtpctl spf walk is good for keeping an up to date list to be fed into your nospamd table.

If you trust me to keep the list up to date, you're of course welcome to fetch my hand maintained one at https://home.nuug.no/~peter/nospamd (later parts generated by echo $domain | smtpctl spf walk, older parts by host -ttxt $domain).

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
spamd and google smtp ips
Hi,

I'm configuring spamd and I noticed that when I send an e-mail from GMail, each time the e-mail is submitted by a different IP address.

Here is spamdb output after sending a test email to myself:

GREY|209.85.219.182|mail-yb1-f182.google.com|...
GREY|209.85.219.177|mail-yb1-f177.google.com|...
GREY|209.85.219.176|mail-yb1-f176.google.com|...
GREY|209.85.219.172|mail-yb1-f172.google.com|...
GREY|209.85.219.180|mail-yb1-f180.google.com|...
GREY|209.85.219.175|mail-yb1-f175.google.com|...
GREY|209.85.219.173|mail-yb1-f173.google.com|...
GREY|209.85.219.179|mail-yb1-f179.google.com|...
GREY|209.85.208.46|mail-ed1-f46.google.com|...
GREY|209.85.161.52|mail-yw1-f52.google.com|...
... snip ...

Of course they are not whitelisted, as each submission attempt is done by a different node and I guess google has A LOT of them. I see 2 issues with that:

1) e-mail delivery takes a lot of time (as google uses exponential backoff and stops frequent retries after few failures)

2) whitelisted IPs are more likely being expired, as my server is not getting a lot of gmail traffic

I suppose different big e-mail providers will have similar issues.

I'm also running BGP server to download a whitelist, but it does not contain google servers.

Are there any solutions get around this problem? Ideally I'd like to just whitelist reputable mail providers as I see little chance that any spammer will outsmart Google/Yahoo/Microsoft/etc.