Building an IP whitelist based on the graylist filter would be problematic. As you noted, server pools wouldn't be handled correctly. Proxies and NAT firewalls would also be an issue -- imagine one server behind a proxy passes the graylist, so the proxy is added to the whitelist. Then another server behind the proxy starts sending spam. The whitelist would let it all through. Also, an automatic whitelist like this would be easy to defeat if a spammer just sent a message to a known-good address before starting a spam run.
Regarding the second question about the IP whitelist allowing all mail from the whitelisted server, Davide is correct. Once an IP has been whitelisted, spamdyke will allow it to send anything -- it bypasses all filters and authentication is not required. That's why whitelisting IP addresses should only be done sparingly, when the remote server can be trusted. Caveat: In version 4.0, the "smtp-auth-level" and "filter-level" options are not affected by whitelists. -- Sam Clippinger Eric Shubert wrote: > I think I can field this one. ;) > > Davide D'AMICO wrote: > >> Hi, >> I'm using spamdyke and I like it a lot. >> I encountered two problems: >> 1) Isn't more useful to graylist senders using their ip address rather >> than only its >> email address, like this: >> /var/db/spamdyke/graylist/domain/rcpt/sender/ip_sender ? >> > > Some large (think yahoo, gmail) mailers use server pools. Retries might be > sent from a different server, causing a message to be graylisted many times. > > Personally, I think it'd be ok to use IPs for a type of whitelist after the > IP has passed graylisting. After all, once an IP has passed for one > domain/sender, wouldn't it pass for all other domain/senders too? However, > this adds another level of complexity (a pre- and a passed- gray list, > sometimes referred to as a dual key). If this proved to be a good method, a > global whitelist service based on the post-key (simply IP address), sort of > like RBLSs but RWLs, could be implemented. I don't know if anyone's pursued > such a thing or not. Seems feasible to me though. > > >> 2) if I include an ip address in a whitelist, I become a relay for >> that ip address because >> that ip address bypass ALL other filters? >> > > No, because authentication is still required for non-local domains. Spamdyke > filters are only bypassed if/when the sender authenticates. > > >> Thanks in advance, >> Davide >> > > _______________________________________________ spamdyke-users mailing list [email protected] http://www.spamdyke.org/mailman/listinfo/spamdyke-users
