Yahoo Groups archive

Milter-greylist

Re: [milter-greylist] "Dark-grey"listing dynamic IP address

2006-04-05 by Matt Kettler

manu@... wrote:
>> I know that most spammers use now relays on dynamic IP addresses.
>> I know also that it is difficult to clearly identify dynamic IP addresses.
>> Even if we can identify these dynamic IP addresses, some of them can 
>> nevertheless host "legitimate" (i.e. not used for spamming) MTA engines.
>>
>> But we can make an assumption with something like 95 - 99% certainty that
>> a given address is dynamic : for example by just looking at the digits
>> groups inside its reverse DNS name. If we can find four (maybe even only
>> three) different digits groups with any separators, and if none of them fall
>> outside the range 0 - 255, I think that there is a good chance that the
>> corresponding IP address is dynamic.
> 
> I just realized that the reverse DNS is something out of control of the
> botnet spammer. 
> 
> Filtering on reverse DNS name with three 0-255 numbers therefore sounds like
> a good idea. The drawback is that you will catch power users that send
> from their home machines, and SMEs using SMTP appliances.
> 
> You could send a permanent error with a URL on which you'd tell that
> you are okay to whitelist the IP on request. You can even do it
> automatically by a web form with a challenge to check the visitor is not
> a bot.
> 
> That looks efficient. I'll try it.

I use a similar tactic, but with the twist that I ONLY greylist dynamic hosts,
and whitelist everything else. However, it would be nice to "deep grey" some
ranges and only "grey" others.

If you want to check them out, I have a LOT of regexes that check for hosts with
no RDNS and hosts with dynamic-looking RDNS, along with some other things.

Most of the rest of you could substitute deep-grey for most of my greylist
entries, and regular grey for my default whitelist entry.

A more-or-less full copy of my config is at:

http://www.evi-inc.com/greylist.conf.censored

I've xxx'ed out some data as it references business contacts, spamtrap
addresses, etc.

However, everything from the line:

## Greylisted hosts

down should be useful and relevant to the deep-grey methodology.

Another feature that might be useful would be to deep-grey on various RBLs that
would be too over-zealous to use as blacklists (SPEWS level 2 comes to mind).
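The rDNS digit-group heuristic discussed in this thread, written out in Python as an added example (not code from the thread, nor from milter-greylist, whose config expresses the same idea as regexes). The hostnames are constructed, and the `min_groups` threshold and the greylist/whitelist labels follow the approach described above; they are assumptions, not anything the posters published.

```python
import re
from typing import List, Optional

# Constructed sample reverse-DNS names (not real hosts) to exercise the heuristic.
SAMPLE_RDNS = [
    "c-24-98-112-7.hsd1.ga.example.net",   # four octet-like groups: dynamic-looking
    "dsl.81-2-69.example-isp.example",     # three groups: dynamic at the 3-group threshold
    "mail.example.com",                    # no digit groups: treated as static
    "mx1.example.org",                     # one group: treated as static
    "host-300-12-9.example.net",           # a group outside 0-255: not treated as dynamic
    None,                                  # client has no reverse DNS at all
]

_DIGIT_GROUP = re.compile(r"\d+")


def digit_groups(name: str) -> List[int]:
    """Return every maximal run of digits in the name, whatever separates them."""
    return [int(g) for g in _DIGIT_GROUP.findall(name)]


def looks_dynamic(rdns: Optional[str], min_groups: int = 3) -> bool:
    """The thread's rule: at least min_groups digit groups, none outside 0-255.

    min_groups=3 is the aggressive setting discussed; 4 is the conservative one.
    """
    if rdns is None:
        return False
    groups = digit_groups(rdns)
    return len(groups) >= min_groups and all(0 <= g <= 255 for g in groups)


def classify(rdns: Optional[str], min_groups: int = 3) -> str:
    """Map a connecting host to the treatment Matt describes:
    greylist hosts with no rDNS or dynamic-looking rDNS, whitelist the rest."""
    if rdns is None or looks_dynamic(rdns, min_groups):
        return "greylist"
    return "whitelist"


if __name__ == "__main__":
    for host in SAMPLE_RDNS:
        print(f"{str(host):40} -> {classify(host)}")
```

The false-positive case the thread warns about (a power user's home MTA with ISP-style rDNS) is classified exactly like a bot, which is why the posters pair this rule with greylisting plus a whitelist-on-request path rather than an outright reject.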
