On 2010-03-30 13:31, Kai Schaetzl wrote:
> Jonas Eckerman wrote on Tue, 30 Mar 2010 00:41:01 +0200:
>> Unless the greylisting is done *after* receiving the body. Of course,
>> this will spank innocent senders as well.
> Ooops? It spanks *yourself*.
Not really. It does force us to accept the mail before rejecting it, but
it still rejects a lot of stuff that would otherwise have been scanned
by ClamAV and SpamAssassin before being rejected.
So, while it does not save as much bandwidth and work as greylisting
after RCPT would, it still saves compared to no greylisting. And the
filter does some more stuff. For example:
We also greylist with *one* temporary failure at connect for each host
the first time the gateway sees it. This stops more than I first expected
when I tried it.
Once a mail from an MTA has passed the greylist test, that IP is exempt
from the greylist.
We keep track of behaviour we don't like. Unknown RCPTs, spam, too many
retries before the greylist period (3 minutes) has passed, etc, etc, and
tempfail hosts at connect based on those counters.
We also make exceptions from the greylist based on DNS whitelists, RDNS
etc so that most mail from real outgoing MTAs pass right through it.
> Good strategy.
My filter works for us.
Most spam is stopped without the gateway having to scan it with
SpamAssassin.
Most ham is passed through without being subjected to the greylist or
being scanned by SpamAssassin.
And if there still are any stupid MTAs that can't handle tempfails
correctly at earlier stages trying to send mail to us, we have a good
chance of receiving it.
When I first implemented greylisting I did the tempfailing after RCPT,
but some stupid Novell MTA and a security appliance (I think it was
from Symantec) saw no difference between temporary failures and
permanent rejects of RCPT TO. And of course one of them discarded
the response it got from our server when bouncing the mail back to the
sender. Even worse, some other idiotic piece of crap (I forgot what)
reacted to temporary failures at RCPT by simply deleting the mail from
its queue without notifying anyone.
So, we lost some incoming mail from organizations that for different
reasons didn't just throw out or fix their junk, and I moved the
greylist to after receiving the message data.
Hopefully I could now move it to RCPT, but I actually like being able
to log message-id and subject from greylisted mail and I know it works
the way it is now.
Regards
/Jonas
--
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/
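The staged policy Jonas describes above (one tempfail at first connect, greylisting after DATA rather than after RCPT, exempting an IP once a mail from it has passed, counting unknown recipients and too-early retries against a host, and letting whitelisted MTAs straight through) can be modelled as a small decision engine. The following is an added example written for this page; it is not Jonas's filter or any code from fsdb.org. The 3-minute greylist period is taken from the message; the bad-behaviour threshold, the SMTP response strings, the whitelist (which stands in for the DNSWL/RDNS exceptions) and the sample hosts and addresses are assumptions made for the example.

```python
# Added example, not the original poster's filter: a toy model of the staged
# greylisting policy described in the message. GREYLIST_PERIOD is from the
# message; BAD_THRESHOLD, the response strings and all sample hosts/addresses
# are assumptions made for this example.
from dataclasses import dataclass, field

GREYLIST_PERIOD = 3 * 60   # seconds; the message names a 3-minute period
BAD_THRESHOLD = 3          # assumed: tempfail at connect once a host reaches this

TEMPFAIL = "451 4.7.1 Please try again later"
ACCEPT = "250 OK"
REJECT = "550 5.1.1 No such user"


@dataclass
class HostState:
    seen: bool = False                              # first connect already tempfailed?
    passed: bool = False                            # a mail from this IP passed the greylist
    bad: int = 0                                    # counter of behaviour we don't like
    triplets: dict = field(default_factory=dict)    # (sender, rcpt) -> first attempt time


class Greylist:
    def __init__(self, known_rcpts, dns_whitelist=()):
        self.hosts = {}
        self.known_rcpts = set(known_rcpts)
        self.whitelist = set(dns_whitelist)   # stands in for the DNSWL/RDNS exceptions

    def _host(self, ip):
        return self.hosts.setdefault(ip, HostState())

    def connect(self, ip):
        """Connect-time decision: whitelisted and already-passed hosts go straight
        through; hosts with too many bad marks, and hosts seen for the first
        time, get one temporary failure."""
        h = self._host(ip)
        if ip in self.whitelist or h.passed:
            return ACCEPT
        if h.bad >= BAD_THRESHOLD:
            return TEMPFAIL
        if not h.seen:
            h.seen = True
            return TEMPFAIL
        return ACCEPT

    def rcpt(self, ip, rcpt):
        """Unknown recipients are rejected permanently and counted against the host."""
        if rcpt not in self.known_rcpts:
            self._host(ip).bad += 1
            return REJECT
        return ACCEPT

    def data(self, ip, sender, rcpt, now):
        """Greylist after the body has been received (so message-id and subject
        could be logged). A retry before GREYLIST_PERIOD counts as bad behaviour;
        a retry after it marks the host as passed and exempts it from the greylist."""
        h = self._host(ip)
        if ip in self.whitelist or h.passed:
            return ACCEPT
        key = (sender, rcpt)
        first = h.triplets.get(key)
        if first is None:
            h.triplets[key] = now
            return TEMPFAIL
        if now - first < GREYLIST_PERIOD:
            h.bad += 1
            return TEMPFAIL
        h.passed = True
        return ACCEPT

    def record_spam(self, ip):
        """Called when the content scanner flags a message that did get through."""
        self._host(ip).bad += 1


def run_scenario():
    """Constructed sample traffic from three hosts; returns the decisions so they can be checked."""
    gl = Greylist(known_rcpts={"info@example.org"}, dns_whitelist={"198.51.100.5"})
    legit, wl, bot = "192.0.2.10", "198.51.100.5", "203.0.113.7"
    out = {}
    # A well-behaved MTA: tempfailed once at first connect, then greylisted after
    # DATA, retries too early once, retries after the period and is exempt from then on.
    out["legit_first_connect"] = gl.connect(legit)
    out["legit_second_connect"] = gl.connect(legit)
    out["legit_data_first"] = gl.data(legit, "a@example.com", "info@example.org", now=60)
    out["legit_data_too_soon"] = gl.data(legit, "a@example.com", "info@example.org", now=90)
    out["legit_data_retry"] = gl.data(legit, "a@example.com", "info@example.org", now=300)
    out["legit_new_mail"] = gl.data(legit, "b@example.com", "info@example.org", now=301)
    out["legit_bad_count"] = gl.hosts[legit].bad
    # A whitelisted outgoing MTA is never greylisted, not even at first sight.
    out["wl_connect"] = gl.connect(wl)
    out["wl_data"] = gl.data(wl, "c@example.net", "info@example.org", now=0)
    # A bot guessing addresses earns enough bad marks to be tempfailed at connect.
    gl.connect(bot)
    gl.connect(bot)
    for guess in ("aaa@example.org", "bbb@example.org", "ccc@example.org"):
        gl.rcpt(bot, guess)
    out["bot_connect_after_guessing"] = gl.connect(bot)
    return out


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

The model deliberately keeps the greylist check in `data()` rather than `rcpt()`, matching the reason given in the message: by the time the decision is made the whole message has been received, so the sender that cannot tell a 4xx from a 5xx on RCPT TO never sees a rejection at that stage, and the gateway can log what it is deferring. The cost, as Kai pointed out, is that the body has to be accepted before it is tempfailed, which is why the connect-time tempfail and the bad-behaviour counters matter for keeping bots off the DATA stage altogether.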