Jacques Beigbeder <jacques.beigbeder@...> writes:

> Here 600 is a big number, but VERY OFTEN I have 20-30 connections in
> 2 minutes for a SINGLE destination, but from 20-30 different IPs
> and different From:.
>
> My interpretation: a spammer wants to send something to <yyyyyy@...>,
> it fails from 200.53.248.142 / <libpcap@...>, and so he retries
> from another PC within a pool of "relays", and so on.
>
> So there are 2 denials of service:
> . large amount of SMTP connections in a short time (= fork with sendmail);

This can be controlled by fixing the max number of children and, combined with connection refusal on high LA values, you can dramatically mitigate any risk of sendmail DoS, except a constant flood of port knocking at 25/TCP.

> . large amount of data collected in the greylist database.

No precise idea about this, but imho the real persistent data is the whitelist; anything else can be wiped on a regular basis or even lost without any severe impact on milter-greylist behaviour.

> Question: isn't that the perfect tool to destroy the idea of greylisting?

I believe that under flood conditions a spammer would be able to DoS your box, but how would his crap be received by our MTA then? Is that his real goal?
Re: [milter-greylist] is this a DoS?
2004-05-26 by Cyril Guibourg
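The pattern reported in the quoted message (20-30 different IPs and envelope senders hitting a single recipient within about two minutes) can be detected with a per-recipient sliding window over connection tuples. This is an added example, not part of the original thread or of milter-greylist; the input line format, the function names and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW = 120       # seconds: the "2 minutes" in the message (assumed threshold)
MIN_SOURCES = 20   # distinct client IPs: the "20-30" in the message (assumed)


def parse(line):
    """Constructed format, not milter-greylist's own:
    '<epoch> <client-ip> <envelope-from> <envelope-rcpt>'."""
    ts, ip, sender, rcpt = line.split()
    return int(ts), ip, sender.lower(), rcpt.lower()


def fan_in_bursts(lines, window=WINDOW, min_sources=MIN_SOURCES):
    """Return {rcpt: (peak distinct IPs, peak distinct senders)} for each
    recipient reached by >= min_sources distinct IPs inside one window."""
    recent = defaultdict(deque)   # rcpt -> deque of (ts, ip, sender)
    peaks = {}
    for ts, ip, sender, rcpt in sorted(parse(l) for l in lines if l.strip()):
        q = recent[rcpt]
        q.append((ts, ip, sender))
        # Drop attempts that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        ips = {e[1] for e in q}
        if len(ips) >= min_sources:
            senders = {e[2] for e in q}
            peaks[rcpt] = max(peaks.get(rcpt, (0, 0)), (len(ips), len(senders)))
    return peaks


def sample_lines():
    """Constructed sample: 25 hosts try one recipient in under two minutes,
    while one ordinary sender retries another recipient over an hour."""
    burst = [f"{1000 + 4 * i} 192.0.2.{i + 1} user{i}@example.net target@example.org"
             for i in range(25)]
    normal = [f"{1000 + 1800 * i} 198.51.100.7 alice@example.com bob@example.org"
              for i in range(3)]
    return burst + normal


if __name__ == "__main__":
    for rcpt, (ips, senders) in fan_in_bursts(sample_lines()).items():
        print(f"{rcpt}: {ips} distinct IPs, {senders} distinct senders in {WINDOW}s")
```

Recipients flagged this way are the ones whose pending greylist entries grow fastest, so they are the natural place to look when sizing child limits or purging non-whitelist entries.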