Re: greylisting on debian.org?
On Sun, 09 Jul 2006, Thomas Bushnell BSG wrote:
> It assumes, for example, that the remote MTA will use the same IP
> address each time it sends the message. If the remote MTA is a big

The earlier *implementations* of greylisting did that, true. They were
simple-minded at best.

> server farm, with a lot of different hosts that could be processing
> the mail, what is your strategy for preventing essentially infinite

You can, for example, use dynamic IP supersets to do the greylisting
"triplet" match. Now the problem is a matter of creating the supersets in a
way to not break incoming email from outgoing-SMTP clusters.

You can also only graylist sites which match a set of conditions that flag
them as suspicious. Depending on what conditions you set, you do not have
the risk of blocking any server farms we would want to talk SMTP to.

> So far, all I have seen in response to this particular problem is to
> say that "properly configured" includes an exactly accurate hardcoded
> list of all such sites on the internet.

Then you are hearing differently now.

> Another problem is with hosts that do not accept a message from an MTA
> unless that MTA is willing to accept replies. This is a common spam
> prevention measure. The graylisting host cannot then send mail to
> such sites until they've been whitelisted, because when they try the
> reverse connection out, it always gets a 4xx error. I've been bitten

Why will the host implementing incoming graylisting *always* get a 4xx error
on his outgoing message? I am curious.

"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
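
The superset triplet match and the conditional greylisting mentioned in the reply above, shown as an added example that is not part of the original message or of any greylisting package. The /24 and /64 superset sizes, the 300-second delay, the HELO-based "suspicious" condition and all names and addresses are assumptions made for illustration.

```python
import ipaddress

MIN_DELAY = 300  # assumed: seconds before a retry of a new triplet is accepted

def superset(ip, v4_prefix=24, v6_prefix=64):
    """Collapse a client IP to its covering network (assumed /24 and /64)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def helo_looks_suspicious(ip, helo):
    """Assumed condition: HELO is an address literal or not a dotted name."""
    return helo.startswith("[") or "." not in helo

class Greylist:
    def __init__(self, v4_prefix=24, suspicious=lambda ip, helo: True):
        self.v4_prefix = v4_prefix
        self.suspicious = suspicious   # which clients get greylisted at all
        self.first_seen = {}           # triplet -> time of first attempt

    def check(self, ip, helo, sender, rcpt, now):
        """Return '250' (accept) or '451' (temporary failure, retry later)."""
        if not self.suspicious(ip, helo):
            return "250"
        key = (superset(ip, self.v4_prefix), sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        return "250" if now - first >= MIN_DELAY else "451"

if __name__ == "__main__":
    # Constructed sample: one message retried from two hosts of the same farm.
    attempts = [("192.0.2.10", "mx1.example.org", 0),
                ("192.0.2.77", "mx2.example.org", 600)]
    for label, gl in (("exact IP", Greylist(v4_prefix=32)),
                      ("/24 superset", Greylist())):
        replies = [gl.check(ip, helo, "a@example.org", "b@example.net", t)
                   for ip, helo, t in attempts]
        print(label, replies)
```

With exact-IP matching the retry from the second farm host starts a new triplet and is deferred again; with the superset key it matches the first attempt and is accepted.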