Milter-greylist

bytemastr wrote:
> 
> I agree on the points that have come about in this thread.
> 
> What I am seeing, is, two phenomenon, usually working in conjunction:
> 
> * SPAM hosts are overcoming greylisting and sendmail's greet_pause by
> reconnecting every 30 seconds on up to a few minutes and waiting
> increasingly longer after connecting to port 25 before blasting SPAM.
> 
> Now, I have not thoroughly delved into the RFCs to see if what I
> propose would break standards, but it is my opinion that legitimate
> (non-spam) hosts would attempt to redeliver on the order of minutes
> (say 10 at the least, but I'd argue more like 15.)
> 
> So, what I would like to see is a configurable blacklist window in
> milter-greylist that, if a tuple shows up as attempting to redeliver
> mail within a window (say 3 times in less than 5 minutes), that the
> tuple be blacklisted.

Sounds very dangerous, for multiple reasons.

First, I've seen several legitimate hosts that retry every minute.

Usually this is a byproduct of a site that relays mail to an internal server and
the internal server is unreliable (ie: any kind of groupware). In order to
reduce the time to receive mail that got backed up while the groupware server
was down, the admin has retry interval set short. Yes, a smart admin would set
this up so only local mail gets retried quickly, but there's not nearly as many
smart admins out there as there should be.

Second, milter-greylist can only track the tuple. It doesn't know if the message
is the same message, or multiple different messages, say from a busy mailing
list you forgot to whitelist. Usually all the messages on a mailing list will
have the same tuple: return-path (the list manager), recipient (you) and source
IP (the list server). Usually the return-path doesn't match the From: header
unless the listserv is completely broken.

I know some mailing lists that easily break 3 messages every 5 mins, and if you
signed up for those lists you'd auto-blacklist your subscription.