spamd handling multiple sending servers
Hi all,

New user to spamd, love it.

In getting our low traffic email server running, the first thing I noticed while following the logs was that sites like gmail et al will retry a message from a different host. Sometimes gmail will send once, try again very soon again from the same host and then queue it, but the queued email might be sent by a different server.

I understand that spamd is tracking messages based on sender, receiver and IP address, and then this can cause the problem.

Has anyone looked at using the message ID in deciding to whitelist a host? ie, track the hosts by IP address, but if a previously greylisted host has sent message id 1234 and another host tries to redeliver 1234 within the passtime requirements, whitelist both?

Obviously it would be an optional flag, but it seems the likelihood of some spam bot being able to guess the message id and who has just sent you a message to bypass this would be low.

Open to ideas and if it is already on the cards great, if not, willing to look into the source myself.

Mikel
Re: spamd handling multiple sending servers
Hi,

On Mon, 2009-03-23 at 18:59 +1100, Mikel Lindsaar wrote:
> I understand that spamd is tracking messages based on sender, receiver and IP address, and then this can cause the problem.

Spamd doesn't 'track messages'. All it does is to store a tuple of sender, recipient and IP address and quits the smtp dialog as soon as the sender enters the DATA phase. No time for reading anything like the message ID or other stuff of the email since the connection is aborted way earlier.

Cheers,
Stephan

--
---
StarTek - secure by design    Tel ++41 44 500 111-0
Postfach 19                   Fax ++41 44 500 111-2
CH-8118 Pfaffhausen/ZH        Web http://startek.ch
RSA public key for email: http://startek.ch/people/star/key
---
Re: spamd handling multiple sending servers
On 2009-03-23, Mikel Lindsaar raasd...@gmail.com wrote:
> In getting our low traffic email server running, the first thing I noticed while following the logs was that sites like gmail et al will retry a message from a different host. Sometimes gmail will send once, try again very soon again from the same host and then queue it, but the queued email might be sent by a different server.

I sometimes find this a problem when running spamd at low-to-medium volume sites. (I use postgrey instead for those, which only looks at the first 24 bits of the sender's IP address by default).

> Has anyone looked at using the message ID in deciding to whitelist a host? ie, track the hosts by IP address, but if a previously greylisted host has sent message id 1234 and another host tries to redeliver 1234 within the passtime requirements, whitelist both? Obviously it would be an optional flag, but it seems the likelihood of some spam bot being able to guess the message id and who has just sent you a message to bypass this would be low.

Far too easily defeated. People would just base the message-id on the HELO/from/to addresses...
Re: spamd handling multiple sending servers
--- Mikel Lindsaar [Mon, Mar 23, 2009 at 06:59:03PM +1100]: ---
> Hi all, New user to spamd, love it. In getting our low traffic email server running, the first thing I noticed while following the logs was that sites like gmail et al will retry a message from a different host. Sometimes gmail will send once, try again very soon again from the same host and then queue it, but the queued email might be sent by a different server.

check greylisting.org. there's a list of ``misbehaving mailers'' you can consider starting with. you'll need to create whitelists for these addresses to shunt them around spamd.

note that this list calls its contents ``misbehaving mailers''. some of these addresses may be just that, while others may be ranges that use pools of ip addresses for sending mail.

there was once a script that was posted here that basically takes the output of a site's SPF records and creates pf tables to be used as a whitelist:

    dig TXT _spf.google.com. +short

for example. now anytime i see a domain i know i've heard from before, i suspect a round-robining smtp send pool and just query that SPF record to create a whitelist entry for it.
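The SPF-to-whitelist idea from the message above, as an added example (not part of the original post and not the script it mentions): it parses SPF TXT answers, follows `include:` terms, and returns aggregated CIDR entries suitable for a pf table file. The record names, address ranges and the in-memory `SAMPLE_TXT` lookup are constructed placeholders standing in for real `dig TXT <name> +short` output.

```python
import ipaddress

# Constructed TXT answers standing in for `dig TXT <name> +short` output.
# Names and ranges are documentation placeholders, not real sender data.
SAMPLE_TXT = {
    "_spf.example.test": '"v=spf1 include:_netblocks.example.test '
                         'include:_netblocks2.example.test ~all"',
    "_netblocks.example.test": '"v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 '
                               'ip4:198.51.100.7 ~all"',
    "_netblocks2.example.test": '"v=spf1 ip6:2001:db8:4000::/36 '
                                'include:_spf.example.test ?all"',
}

def spf_networks(name, lookup, seen=None, max_lookups=10):
    """Collect ip4:/ip6: networks from an SPF record, following include: only."""
    seen = set() if seen is None else seen
    if name in seen:                      # include loop: already visited
        return []
    if len(seen) >= max_lookups:          # RFC 7208 caps SPF DNS lookups at 10
        raise RuntimeError("SPF lookup limit exceeded at " + name)
    seen.add(name)
    record = lookup(name).replace('" "', "").strip('"')
    if not record.lower().startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        mech = term.lstrip("+")           # '+' is the default (pass) qualifier
        if mech[:1] in "-~?":             # never whitelist non-pass terms
            continue
        key, _, value = mech.partition(":")
        if key.lower() in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(value, strict=False))
        elif key.lower() == "include":
            nets.extend(spf_networks(value, lookup, seen, max_lookups))
    return nets

def pf_table_entries(name, lookup):
    """Return aggregated CIDR strings, one per line of a pf table file."""
    nets = spf_networks(name, lookup)
    out = []
    for version in (4, 6):                # collapse_addresses needs one family
        same = [n for n in nets if n.version == version]
        out.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return out

if __name__ == "__main__":
    for entry in pf_table_entries("_spf.example.test", SAMPLE_TXT.__getitem__):
        print(entry)
```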
Re: spamd handling multiple sending servers
On 2009-03-23, jmc j...@cosmicnetworks.net wrote:
> > In getting our low traffic email server running, the first thing I noticed while following the logs was that sites like gmail et al will retry a message from a different host. Sometimes gmail will send once, try again very soon again from the same host and then queue it, but the queued email might be sent by a different server.
>
> check greylisting.org.

it's useless. it doesn't list common pool senders from a block of /24 or less (i.e. most of them) and it's not updated regularly.

dnswl.org is better but it's a damn big list and if you load it into a PF table, even if you aggregate the addresses, it uses a huge chunk of kernel memory.
Re: spamd handling multiple sending servers
> I sometimes find this a problem when running spamd at low-to-medium volume sites. (I use postgrey instead for those, which only looks at the first 24 bits of the sender's IP address by default).

Sounds like an interesting option for spamd, too, doesn't it? Could be called 'sloppy' mode ;)

--
Stephan A. Rickauer
---
Institute of Neuroinformatics    Tel +41 44 635 30 50
University / ETH Zurich          Sec +41 44 635 30 52
Winterthurerstrasse 190          Fax +41 44 635 30 53
CH-8057 Zurich                   Web www.ini.uzh.ch
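The difference the thread describes between keying the greylist on the exact sender IP and on the first 24 bits, as an added example (a simplified model, not spamd or postgrey code). The timing constants are modelled on spamd's default passtime and greyexp; the addresses, envelope and retry schedules are constructed.

```python
import ipaddress

PASSTIME = 25 * 60      # seconds a tuple must wait before a retry counts
GREYEXP = 4 * 3600      # seconds after which an unretried tuple is dropped

class Greylist:
    """Simplified (source, sender, recipient) greylist. prefix_len=32 keys on
    the exact IPv4 address, prefix_len=24 on its first 24 bits."""
    def __init__(self, prefix_len=32):
        self.prefix_len = prefix_len
        self.first_seen = {}    # tuple key -> time of first attempt
        self.white = set()      # source keys allowed straight through

    def _source(self, ip):
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)
        return str(net)

    def attempt(self, now, ip, sender, rcpt):
        """Return 'PASS' or 'TEMPFAIL' for one delivery attempt."""
        src = self._source(ip)
        if src in self.white:
            return "PASS"
        key = (src, sender, rcpt)
        first = self.first_seen.get(key)
        if first is None or now - first > GREYEXP:
            self.first_seen[key] = now          # new or expired: start over
            return "TEMPFAIL"
        if now - first < PASSTIME:
            return "TEMPFAIL"                   # retried too soon
        self.white.add(src)                     # valid retry: whitelist source
        return "PASS"

def replay(attempts, prefix_len):
    """Feed (time, ip) attempts for one message through a fresh greylist."""
    gl = Greylist(prefix_len)
    return [gl.attempt(t, ip, "a@example.org", "b@example.net")
            for t, ip in attempts]

# Constructed retry schedules: one message retried from a pool of hosts.
POOL_SAME_24 = [(0, "192.0.2.10"), (60, "192.0.2.10"),
                (1800, "192.0.2.77"), (3600, "192.0.2.203")]
POOL_SPLIT = [(0, "192.0.2.10"), (1800, "198.51.100.5"),
              (3600, "203.0.113.9")]

if __name__ == "__main__":
    for name, sched in (("same /24", POOL_SAME_24), ("split", POOL_SPLIT)):
        for plen in (32, 24):
            print(name, plen, replay(sched, plen))
```

A pool spread across several /24 blocks is still deferred in the 24-bit mode, which is the case that needs an explicit whitelist.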