On 2/24/2011 1:38 AM, Steger Wolfgang wrote:
>
> > I am running sendmail/MimeDefang and recently added milter-greylist as
> > an additional spam check. The domains in question are regularly hit with
> > dictionary-attack type spam where most of the target users don't exist.
> > Sendmail is very quick at rejecting local addresses that are not in
> > the aliases or virtuser tables so that is normally not a problem, but
> > when milter-greylist is active it wants to greylist even the
> > undeliverable addresses. For the moment I am working around it by
> > tracking the 'real' users, including them in the milter-greylist config,
> > and restricting greylisting to the specified addresses. However, it
> > would be nicer if this could be handled automatically by letting
> > sendmail reject addresses it can't deliver first. Is there any way to
> > do that?
>
> > Also, the extra log line about 'skipping greylist because this is the
> > default action' for the unprocessed addresses is filling my disks up to
> > the point that I had to change the log rotation. Is there any way to
> > turn that off? When it doesn't do anything, I don't need to know
> > about it.
>
> OK, it's a week since you asked, but here are some ideas
> about the way greylisting works. Hopefully I did not get
> it all wrong.
>
> If you run greylisting *before* user check, it won't make any
> difference, as the trick is that the same combination of
> sender IP, sender & recipient address "never" comes again in
> a SPAM message.

The difference is that the server has to check a db entry, write a db
entry that will have to be cleaned up later, and write another log line
or two. At many such messages per second, I'd prefer that the server
didn't do the extra work. Sendmail's virtuser/alias lookups are very
fast and less of a problem.

> Also, if you are sending out non-deliverable-messages for
> nonexistent recipients: on SPAM they will either be bounced
> (because the sender does not exist) or reach somebody innocent.

No, this is a rejection at the SMTP level (which might make the sending
server generate a bounce if it is a real mail server but doesn't do it
directly). But in case anyone is interested, I believe that the reason
these domains are targeted with what appears to be continual dictionary
attacks is that they were once handled by a qmail setup that accepted
everything, then tried to generate bounces. Apparently that got the
accepted addresses into a database that is widely used to target spam.

> So I believe it is better to block SPAM with greylisting before
> checking valid users. The only "problem" may be you are blowing
> up the greylisting database.

Yes, that and the log files. Why do that extra work when you know it
can't possibly be delivered?
--
Les Mikesell
lesmikesell@...
Re: [milter-greylist] Can milter-greylist run after sendmail checks users?
2011-02-24 by Les Mikesell
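Added example, not part of the original message or of milter-greylist itself: one way to automate the workaround described in the thread, building the list of 'real' recipients from sendmail's virtusertable and aliases sources and emitting a milter-greylist list that restricts greylisting to them. The function names, the sample tables and `LOCAL_DOMAINS` are assumptions made for illustration, and the `list`/`racl` lines follow the syntax documented in greylist.conf(5), which should be checked against the installed version.

```python
import re
# Constructed sample tables (not from the original message).
VIRTUSERTABLE = """\
# comment line
alice@example.com\talice
Sales@example.com\tbob
old@example.com\terror:nouser No such user
@example.org\tcatchall
"""
ALIASES = """\
postmaster: root
staff: alice,
    bob
"""
LOCAL_DOMAINS = ["example.com"]  # assumption: what local-host-names holds
SAFE_ADDR = re.compile(r"[a-z0-9._+-]+@[a-z0-9.-]+")

def virtuser_addresses(text):
    """Full addresses from virtusertable source; skips rejects and catch-alls."""
    found = set()
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) != 2 or line.startswith("#"):
            continue
        key, target = fields[0].lower(), fields[1]
        if not (target.startswith("error:") or key.startswith("@")):
            found.add(key)
    return found

def alias_addresses(text, domains):
    """Alias names (left of ':') expanded over each local domain."""
    found = set()
    for line in text.splitlines():
        # Skip blanks, comments and continuation lines (leading whitespace).
        if not line or line[0] in " \t#" or ":" not in line:
            continue
        name = line.split(":", 1)[0].strip().lower()
        found.update("%s@%s" % (name, d) for d in domains)
    return found

def render_greylist_conf(addresses, list_name="real users"):
    """Emit list + ACLs (syntax assumed per greylist.conf(5)); drops unsafe addresses."""
    safe = sorted(a for a in addresses if SAFE_ADDR.fullmatch(a))
    body = "".join("    %s \\\n" % a for a in safe)
    return ('list "%s" rcpt { \\\n%s}\nracl greylist list "%s"\n'
            'racl whitelist default\n' % (list_name, body, list_name))

if __name__ == "__main__":
    known = virtuser_addresses(VIRTUSERTABLE) | alias_addresses(ALIASES, LOCAL_DOMAINS)
    print(render_greylist_conf(known))
```

Catch-all entries and accounts that exist only in the system password database are not covered and would need to be added by hand.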