Boudewijn Dijkstra wrote:
> On Tue, 29 Nov 2011 21:54:37 +0100, Han Boetes
> <[email protected]> wrote:
> > At the moment all spamd greylisting cares about is, "does it retry
> > connecting?" Unfortunately a lot of spammers do a spamrun and
> > simply try sending a spam message or 10 and then move on to the
> > next smtp server on their list and that gets them whitelisted in
> > a matter of seconds.
>
> No it doesn't.  Your passtime is too short (default is 25 minutes).

Yes I thought that was weird too.

This is how I start spamd:
   sudo /usr/libexec/spamd -G 25:4:864 -v

 -G passtime:greyexp:whiteexp
  Adjust the three time parameters for greylisting. passtime defaults to
  25 (minutes), greyexp to  4  (hours),  and  whiteexp  to  864  (hours,
  approximately 36 days).

So for some reason passtime is ignored on my machine. I've tested
this with telnet quite extensively. And after 3, 4, 5 attempts in a
minute or so the address is whitelisted.


> > I don't make it up, it's that simple.
> >
> > Anyway. Wouldn't it be nice if spamd would do the checks that
> > postfix does so the mailserver protecting code can be separated
> > from the real functionality?
> >
> > So spamd would use the stuttering time to figure out if the ip is
> > not on an rbl, if the dnsname is reverse resolvable, if the helo
> > is valid, if the sender is not matching silly pattern, etc etc
>
> A few years ago I started work on a Java application that remotely
> tabulates, sorts and correlates the data, looks up DNS information
> and verifies recipients with a Postfix server.  Via right-click menus
> I can manipulate the database.  Have been using it daily ever since
> it became slightly usable, but there is still a lot of work to do...

Doesn't postfix do all that stuff already?

The advantage of my idea is that other mail servers won't have to
implement it and that it can be used without depending on a very
fancy firewall to sort the traffic. It would work on any POSIX
system. The daemon would know how to handle the traffic, stutter
it forever or welcome it like a long lost friend.


> > # Kick spammers who got through back to the blacklist
> > for i in $(awk '/NOQUEUE/ {print $10}' /var/log/maillog | sed -e 's|.*\[\(.*\)].*|\1|' | sort | uniq); do
> >    if grep -qF "WHITE|$i|" "$SPAMDB"; then
> >     Trap "$i"
> >     echo "$(date) $i got through! Gotcha bastard!!" >> /var/log/greytoblack
> >    fi
> > done
>
> If I read this correctly, this is actually dangerous, as it could
> trap people who make typos.  Or mailers that use old addresses.

Yes it could. It's a bit blunt indeed.



# Han
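
The typo concern raised in this thread can be reduced by only flagging whitelisted hosts that were rejected repeatedly. The sketch below is an added example, not code from either poster: `repeat_offenders`, `make_samples`, `MIN_REJECTS` and the sample log and spamdb lines are constructed for illustration, and it assumes the same traditional syslog layout as the quoted script (client in field 10).

```shell
#!/bin/sh
# Added example. MIN_REJECTS is an assumed threshold, not a spamd option.
MIN_REJECTS=3

# repeat_offenders MAILLOG SPAMDB_DUMP [MIN]
# Prints "ip count" for clients with >= MIN "NOQUEUE: reject" lines in
# MAILLOG that also have a WHITE entry in SPAMDB_DUMP (saved spamdb output).
repeat_offenders() {
    awk -v min="${3:-$MIN_REJECTS}" '
        db == 1 { if ($1 == "WHITE") white[$2] = 1; next }
        $6 == "NOQUEUE:" && $7 == "reject:" {
            # $10 is "name[ip]:", the same field the quoted script reads.
            a = index($10, "["); b = index($10, "]")
            if (a && b > a) hits[substr($10, a + 1, b - a - 1)]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min && (ip in white)) print ip, hits[ip]
        }
    ' FS='|' db=1 "$2" FS=' ' db=0 "$1" | sort
}

# Constructed sample data (documentation addresses, invented timestamps).
make_samples() {
    cat > "$1/spamdb.txt" <<'EOF'
WHITE|192.0.2.10|||1322600000|1322601500|1325711900|3|0
WHITE|198.51.100.7|||1322500000|1322501500|1325611900|1|2
GREY|203.0.113.5|h.example|<s@example.net>|<a@example.org>|1322600100|1322601600|1322614500|3|0
EOF
    for ip in 192.0.2.10 192.0.2.10 192.0.2.10 198.51.100.7 \
              203.0.113.5 203.0.113.5 203.0.113.5; do
        echo "Nov 29 21:50:01 mx postfix/smtpd[411]: NOQUEUE: reject: RCPT from unknown[$ip]: 550 5.1.1 <a@example.org>: Recipient address rejected"
    done > "$1/maillog"
}

dir=$(mktemp -d) && make_samples "$dir"
repeat_offenders "$dir/maillog" "$dir/spamdb.txt"   # 192.0.2.10 3
rm -rf "$dir"
```

With the threshold at 3, the single reject from 198.51.100.7 (the typo case) is not flagged, and 203.0.113.5 is skipped because it is not whitelisted.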
