On Wed, May 26, 2004 at 01:27:31PM +0200, Jacques Beigbeder wrote:
> Here 600 is a big number, but VERY OFTEN I have 20-30 connections in
> 2 minutes for a SINGLE destination, but from 20-30 different IP
> and different From:.
(snip)
> So there are 2 denials of service:
> . large amount of SMTP connections in a short time (= fork with sendmail);
> . large amount of data collected in the greylist database.

Surely this is a DDOS, but it is not especially aimed at greylisting. With
greylisting, it eats your memory, and if you use SpamAssassin, it will
completely crush your machine under CPU load (good point: once the system
resources are exhausted, you crash and the attack is stopped).

Even if you don't filter anything, it can fill your spool, so it's just some
malicious attack not really related to mail filtering.

The day spammers will want to defeat greylisting, they'll just have to upgrade
the spam relay on virus-compromised hosts so that they correctly handle
temporary failures by retrying later. But I have the hope we can win the next
battle by using distributed honeypot addresses networks.

Speaking about this, I've already written some code, but I'm looking for testers.

--
Emmanuel Dreyfus
manu@...
Re: [milter-greylist] is this a DoS?
2004-05-26 by Emmanuel Dreyfus
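
An added sketch, not part of the original message and not milter-greylist's own code: a greylist table keyed on (IP, From:, recipient) that shows the database growth discussed in the thread, bounded by an expiry and an entry cap, and shows that a sender which retries after the delay is accepted. The class, the delay/expiry/cap values and the sample addresses are assumptions constructed for illustration.

```python
from collections import OrderedDict

class Greylist:
    """Triplet greylist with a bounded pending table (illustrative sketch)."""

    def __init__(self, delay=300, ttl=4 * 3600, max_pending=1000):
        # delay, ttl and max_pending are assumed values, not milter-greylist defaults.
        self.delay, self.ttl, self.max_pending = delay, ttl, max_pending
        self.pending = OrderedDict()  # triplet -> first-seen time, oldest first
        self.passed = set()           # triplets that retried after the delay

    def _expire(self, now):
        # Insertion order is time order, so stale entries sit at the front.
        while self.pending:
            triplet, first_seen = next(iter(self.pending.items()))
            if now - first_seen <= self.ttl:
                break
            del self.pending[triplet]

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' for one delivery attempt."""
        triplet = (ip, sender.lower(), rcpt.lower())
        if triplet in self.passed:
            return "accept"
        self._expire(now)
        first_seen = self.pending.get(triplet)
        if first_seen is None:
            if len(self.pending) >= self.max_pending:
                # Cap reached: evict the oldest entry. Caveat: under a flood this
                # can push out a legitimate sender, who then restarts the delay.
                self.pending.popitem(last=False)
            self.pending[triplet] = now
            return "tempfail"
        if now - first_seen < self.delay:
            return "tempfail"         # retried too early, keep waiting
        del self.pending[triplet]
        self.passed.add(triplet)
        return "accept"

def flood(gl, n, rcpt="user@example.org", span=120.0):
    """Constructed input: n attempts in `span` seconds to one recipient,
    each from a different IP and From:. Returns the pending-table size."""
    for i in range(n):
        ip = f"198.51.{i // 250}.{i % 250 + 1}"
        gl.check(ip, f"sender{i}@spam.example", rcpt, now=i * span / n)
    return len(gl.pending)

if __name__ == "__main__":
    print("pending after flood, cap 100:", flood(Greylist(max_pending=100), 600))
    print("pending after flood, uncapped:", flood(Greylist(max_pending=10**9), 600))
```
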