Yahoo Groups archive

Milter-greylist

Re: How does blacklist support work? (Feature request)

2005-08-15 by bytemastr

--- In milter-greylist@yahoogroups.com, Benoit Panizzon
<panizzon@w...> wrote:
> Hi Manu
>
> > > I see more and more spamtools that are greylist aware.  They retry
> > > sending that email after a few minutes. So greylisting does not
> > > avoid them.
> >
> > For how long do you greylist? A long enough delay should do the
> > trick...
>
> (10 minutes)
>
> Not really. As an example, our favourite Swiss spammer is ordering a new
> bulletproof server in China for almost every spamrun. He does not just
> run a 'spambot' on them, but a real mailserver. So just greylisting has
> become useless.
> Better would be what I suggested: blacklist tuples (or their IP) which
> had a positive hit in spamassassin. But I understand this is not trivial :-)
>
> Btw, I have whitelisted all known Mailservers from the list in:
>
> http://antispam.imp.ch/swinog-dnsrbl-whitelist
>
> others might find this list useful too as it eliminates delays from
> servers which would resend that email anyway.
>
> -Benoit-

I agree on the points that have come about in this thread.

What I am seeing is two phenomena, usually working in conjunction:

* SPAM hosts are overcoming greylisting and sendmail's greet_pause by
reconnecting every 30 seconds on up to a few minutes and waiting
increasingly longer after connecting to port 25 before blasting SPAM.

Now, I have not thoroughly delved into the RFCs to see if what I
propose would break standards, but it is my opinion that legitimate
(non-spam) hosts would attempt to redeliver on the order of minutes
(say 10 at the least, but I'd argue more like 15.)

So, what I would like to see is a configurable blacklist window in
milter-greylist so that, if a tuple shows up as attempting to redeliver
mail within a window (say 3 times in less than 5 minutes), the
tuple is blacklisted.

I was curious to get some comment on this idea from the author of
milter-greylist and/or other mail system administrators as to the
viability (at least in terms of not breaking the mail RFC).

Thanks much.
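
The blacklist window proposed in the message above, sketched as an added example (not code from the post or from milter-greylist): a tuple that attempts delivery `max_attempts` times inside `window` seconds is blacklisted, otherwise ordinary greylisting applies. The class, its parameter names, the verdict strings and the sample traffic are all hypothetical, and it assumes every attempt, including the first, counts toward the threshold.

```python
from collections import defaultdict, deque

class RetryWindowGreylist:
    """Greylisting plus a fast-retry blacklist window (hypothetical design)."""

    def __init__(self, greylist_delay=600, window=300, max_attempts=3):
        self.greylist_delay = greylist_delay  # seconds a new tuple must wait
        self.window = window                  # fast-retry observation window
        self.max_attempts = max_attempts      # attempts inside window => blacklist
        self.first_seen = {}                  # tuple -> time of first attempt
        self.recent = defaultdict(deque)      # tuple -> attempt times in window
        self.whitelist = set()                # tuples that passed greylisting
        self.blacklist = set()                # tuples that retried too fast

    def check(self, ip, sender, rcpt, now):
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.blacklist:
            return "reject"
        if key in self.whitelist:
            return "accept"
        times = self.recent[key]
        times.append(now)
        # Slide the window: forget attempts that are `window` seconds old or more.
        while times and now - times[0] >= self.window:
            times.popleft()
        if len(times) >= self.max_attempts:
            self.blacklist.add(key)
            del self.recent[key]
            return "reject"
        if now - self.first_seen.setdefault(key, now) >= self.greylist_delay:
            self.whitelist.add(key)   # waited long enough: stop counting retries
            del self.recent[key]
            return "accept"
        return "tempfail"

# Constructed sample traffic: (seconds, client IP, envelope sender, recipient).
EVENTS = [
    (0,   "192.0.2.10",   "a@bulk.example", "user@example.org"),
    (0,   "198.51.100.7", "b@corp.example", "user@example.org"),
    (30,  "192.0.2.10",   "a@bulk.example", "user@example.org"),
    (90,  "192.0.2.10",   "a@bulk.example", "user@example.org"),
    (700, "192.0.2.10",   "a@bulk.example", "user@example.org"),
    (900, "198.51.100.7", "b@corp.example", "user@example.org"),
]

def replay(events, **settings):
    """Feed events in time order and return the verdict for each attempt."""
    gl = RetryWindowGreylist(**settings)
    return [gl.check(ip, s, r, t) for t, ip, s, r in events]
```

RFC 5321 section 4.5.4.1 says the retry interval SHOULD be at least 30 minutes, which is a recommendation rather than a requirement, so replay the thresholds against real mail logs in log-only mode before rejecting on them.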
