
Re: greylisting on debian.org?

On Sun, 09 Jul 2006, Thomas Bushnell BSG wrote:
> It assumes, for example, that the remote MTA will use the same IP
> address each time it sends the message. If the remote MTA is a big

The earlier *implementations* of greylisting did that, true.  They were
simple-minded at best.

> server farm, with a lot of different hosts that could be processing
> the mail, what is your strategy for preventing essentially infinite
> delay?

You can, for example, use dynamic IP supersets to do the greylisting
"triplet" match.  Now the problem is a matter of creating the supersets in a
way to not break incoming email from outgoing-SMTP clusters.

You can also only graylist sites which match a set of conditions that flag
them as suspicious.  Depending on what conditions you set, you do not have
the risk of blocking any server farms we would want to talk SMTP to.

> So far, all I have seen in response to this particular problem is to
> say that "properly configured" includes an exactly accurate hardcoded
> list of all such sites on the internet.

Then you are hearing differently now.

> Another problem is with hosts that do not accept a message from an MTA
> unless that MTA is willing to accept replies.  This is a common spam
> prevention measure.  The graylisting host cannot then send mail to
> such sites until they've been whitelisted, because when they try the
> reverse connection out, it always gets a 4xx error.  I've been bitten

Why will the host implementing incoming graylisting *always* get a 4xx error
on his outgoing message?  I am curious.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
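
Added example, not part of the original message: a greylist whose "triplet" is keyed on the client's network instead of its exact IP, replayed over constructed delivery attempts. The fixed /24 (IPv4) and /64 (IPv6) prefixes stand in for the "dynamic IP supersets" mentioned above; they, the 300-second delay and all names here are assumptions.

```python
import ipaddress


class Greylist:
    """Greylist keyed on (client network, envelope sender, envelope recipient)."""

    def __init__(self, min_delay=300, v4_prefix=24, v6_prefix=64):
        self.min_delay = min_delay    # seconds a new triplet must wait (assumed)
        self.v4_prefix = v4_prefix    # 32 reproduces the exact-IP behaviour
        self.v6_prefix = v6_prefix
        self.first_seen = {}          # triplet -> time of first attempt

    def superset(self, client_ip):
        """Map a client address to the network used in the triplet."""
        ip = ipaddress.ip_address(client_ip)
        prefix = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        key = (self.superset(client_ip), sender.lower(), recipient.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.min_delay:
            return "250 accept"
        return "451 try again later"


def replay(greylist, attempts):
    """Feed (time, client_ip, sender, recipient) tuples through a greylist."""
    return [greylist.check(ip, s, r, t) for (t, ip, s, r) in attempts]


# Constructed sample: a sending farm retries from a second host in the same
# /24, then an unrelated network makes a first attempt with the same envelope.
ATTEMPTS = [
    (0,   "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (600, "192.0.2.77",   "alice@example.org", "bob@example.net"),
    (600, "198.51.100.5", "alice@example.org", "bob@example.net"),
]

if __name__ == "__main__":
    for label, gl in (("exact IP", Greylist(v4_prefix=32)),
                      ("/24 superset", Greylist())):
        print(label, replay(gl, ATTEMPTS))
```

With exact-IP matching the retry from the second farm host is deferred again; with the /24 key it is accepted, while the unrelated network still starts its own delay.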
