On Fri, 29 Jul 2016 08:35:46 -0700 (PDT)
John Hardin <jhar...@impsec.org> wrote:

> Greylisting means *you don't see the content at all during the
> delay*. You tell the sending MTA to try again later when they first
> connect and send the MAIL FROM and RCPT TO. If you implement the
> delay *after* you've already received the content, then you're
> totally missing the point of greylisting.

Yes, that's what naive people think. :)

We do post-DATA greylisting for two reasons:

1) If our customer has whitelisted a sender, but the whitelisted sender
is in the From: header and not the envelope, we want the ability to skip
greylisting in that case.  Yes, I wouldn't choose to do that, but...
the customer is always right.  (*snicker*)

2) Spammers sometimes send from the same (IP, MAIL From, RCPT To) triplet
but mutate the message subject.  If you mix the message subject into
the greylisting criterion, it makes greylisting even more powerful.

A third reason which we don't yet implement because it's a bit of a research
topic at this point: It might be handy to feed greylisted messages into
Bayes if they never pass the greylisting hurdle after a certain time period.

The downside, of course, is more CPU and bandwidth consumption.  So some
might be unwilling to make that tradeoff.

Regards,

Dianne.
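
The two implemented reasons above can be sketched as one post-DATA decision function. This is an added example, not part of the original message and not the poster's code; the class name, the in-memory store, the subject normalization and the `MIN_DELAY`/`MAX_AGE` values are assumptions.

```python
import hashlib
from email import message_from_string
from email.utils import parseaddr

MIN_DELAY = 300    # assumed: seconds before a retry of the same key is accepted
MAX_AGE = 86400    # assumed: an entry never retried within this window is forgotten


class PostDataGreylist:
    """In-memory post-DATA greylist; a real filter would persist first_seen."""

    def __init__(self, header_whitelist=()):
        self.whitelist = {addr.lower() for addr in header_whitelist}
        self.first_seen = {}  # key -> time of first delivery attempt

    @staticmethod
    def key(ip, mail_from, rcpt_to, subject):
        # The subject is mixed into the key, so the same triplet with a
        # mutated subject is treated as a new message and delayed again.
        norm_subject = " ".join((subject or "").split()).lower()
        raw = "\0".join([ip, mail_from.lower(), rcpt_to.lower(), norm_subject])
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def check(self, ip, mail_from, rcpt_to, raw_message, now):
        """Return 'accept' or 'tempfail' (a 4xx reply sent after DATA)."""
        msg = message_from_string(raw_message)
        header_from = parseaddr(msg.get("From", ""))[1].lower()
        if header_from in self.whitelist:
            return "accept"  # header sender whitelisted: skip greylisting
        k = self.key(ip, mail_from, rcpt_to, msg.get("Subject", ""))
        first = self.first_seen.get(k)
        if first is None or now - first > MAX_AGE:
            self.first_seen[k] = now
            return "tempfail"
        return "accept" if now - first >= MIN_DELAY else "tempfail"


# Constructed sample messages (not real traffic).
MSG_A = "From: Alice <alice@example.net>\nSubject: Invoice 1\n\nbody\n"
MSG_B = "From: Alice <alice@example.net>\nSubject: Invoice 2\n\nbody\n"
MSG_WL = "From: Boss <boss@example.com>\nSubject: Hi\n\nbody\n"

if __name__ == "__main__":
    gl = PostDataGreylist(header_whitelist=["boss@example.com"])
    env = ("192.0.2.10", "bounce@example.net", "user@example.org")
    for label, msg, t in [("first", MSG_A, 0), ("early retry", MSG_A, 60),
                          ("late retry", MSG_A, 600), ("new subject", MSG_B, 600),
                          ("whitelisted From:", MSG_WL, 600)]:
        print(label, "->", gl.check(*env, msg, t))
```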
