Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Blacklisting a spammer?

2018-11-04 by Fred Smith

I've been using milter-greylist for a couple of years, with a huge
reduction in spam.

The past week or so I've had a huge increase, and looking at
/var/log/maillog I can see that one of the main culprits is being
auto-whitelisted! Also:

grep qq.com `locate greylist.db` | sort -k4
115.226.150.123	<2282748699@...>	<fredex@...>	1540995534 # 2018-10-31 10:18:54
124.6.159.130	<2846047090@...>	<fredex@...>	1541107270 # 2018-11-01 17:21:10
122.241.3.11	<2282748699@...>	<fredex@...>	1541164427 # 2018-11-02 09:13:47
115.230.76.104	<2282748699@...>	<fredex@...>	1541236666 # 2018-11-03 05:17:46
1.199.184.250	<1973524543@...>	<fredex@...>	1541243473 # 2018-11-03 07:11:13
124.6.159.130	<1982824309@...>	<fredex@...>	1541259038 # 2018-11-03 11:30:38
124.6.159.130	<1972695338@...>	<fredex@...>	1541266446 # 2018-11-03 13:34:06
124.6.159.130	<1963489674@...>	<fredex@...>	1541295470 # 2018-11-03 21:37:50
124.6.159.130	<2263814933@...>	<fredex@...>	1541302976 # 2018-11-03 23:42:56
124.6.159.130	<2276596163@...>	<fredex@...>	1541376051 AUTO # 2018-11-04 19:00:51
183.151.39.5	<2263814933@...>	<fredex@...>	1541402367 AUTO # 2018-11-05 02:19:27
222.189.144.75	<2282748699@...>	<fredex@...>	1541448054 AUTO # 2018-11-05 15:00:54

sorted into date/time order.

qq.com is probably a fake domain, as you can see many different addresses
listed for it.  In /var/log/maillog most messages are either rejected
outright, or are greylisted and never accepted, but as you can see, once
in a while one of them sneaks back in with a valid-appearing response
and so gets whitelisted, then a bunch of their messages are accepted.

I tried to do a blacklist of qq.com, but apparently blacklisting requires
an IP address. Since they appear to be using random/invalid IP addresses,
I'm not sure that just blindly blacklisting every address it appears
under is either a good idea, or would be adequate to get rid of them.

I've re-read my way through all the milter-greylist doc I could find,
and to be frank there is a lot of it I don't understand.

So, I'm wondering if any of you can offer suggestions on any ways other
than directly blacklisting qq.com to stomp on this site's spam?

All advice will be appreciated; thanks in advance!

Here's my current milter-greylist.conf (with comments stripped):


	socket "/run/milter-greylist/milter-greylist.sock"
	dumpfile "/var/lib/milter-greylist/db/greylist.db" 600
	geoipdb "/usr/share/GeoIP/GeoIP.dat"
	dumpfreq 10m
	user "grmilter"
	greylist 10m
	extendedregex
	timeout 5d
	logexpired
	report all	# always add X-greylist mail header

	stat "|logger -p local7.info" \
	      "%T{%Y/%m/%d %T} %d [%i] %f -> %r %S (ACL %A) %Xc %Xe %Xm %Xh"

	quiet

	list "my network" addr { 127.0.0.1/8 192.168.2.0/24 }
	list "outlook.com" domain { outlook.com }
	list "mutt.org" domain { mutt.org }

	list "broken mta" addr {   \
		12.5.136.141/32    \ # Southwest Airlines (unique sender)
		12.5.136.142/32    \ # Southwest Airlines
		12.5.136.143/32    \ # Southwest Airlines
		12.5.136.144/32    \ # Southwest Airlines
		12.107.209.244/32  \ # kernel.org (unique sender)
		12.107.209.250/32  \ # sourceware.org (unique sender)
		63.82.37.110/32    \ # SLmail
		63.169.44.143/32   \ # Southwest Airlines
		63.169.44.144/32   \ # Southwest Airlines
		64.7.153.18/32     \ # sentex.ca (common pool)
		64.12.136.0/24     \ # AOL (common pool)
		64.12.137.0/24     \ # AOL
		64.12.138.0/24     \ # AOL
		64.124.204.39      \ # moveon.org (unique sender)
		64.125.132.254/32  \ # collab.net (unique sender)
		64.233.160.0/19    \ # Google
		66.94.237.16/28    \ # Yahoo Groups servers (common pool)
		66.94.237.32/28    \ # Yahoo Groups servers (common pool)
		66.94.237.48/30    \ # Yahoo Groups servers (common pool)
		66.100.210.82/32   \ # Groupwise?
		66.135.192.0/19    \ # Ebay
		66.162.216.166/32  \ # Groupwise?
		66.206.22.82/32    \ # Plexor
		66.206.22.83/32    \ # Plexor
		66.206.22.84/32    \ # Plexor
		66.206.22.85/32    \ # Plexor
		66.218.66.0/23     \ # Yahoo Groups servers (common pool)
		66.218.67.0/23     \ # Yahoo Groups servers (common pool)
		66.218.68.0/23     \ # Yahoo Groups servers (common pool)
		66.218.69.0/23     \ # Yahoo Groups servers (common pool)
		66.27.51.218/32    \ # ljbtc.com (Groupwise)
		66.102.0.0/20      \ # Google
		66.249.80.0/20     \ # Google
		72.14.192.0/18     \ # Google
		74.125.0.0/16	   \ # Google
		152.163.225.0/24   \ # AOL
		194.245.101.88/32  \ # Joker.com
		195.235.39.19/32   \ # Tid InfoMail Exchanger v2.20
		195.238.2.0/24     \ # skynet.be (weird retry pattern, common pool)
		195.238.3.0/24     \ # skynet.be
		195.46.220.208/32  \ # mgn.net
		195.46.220.209/32  \ # mgn.net
		195.46.220.210/32  \ # mgn.net
		195.46.220.211/32  \ # mgn.net
		195.46.220.221/32  \ # mgn.net
		195.46.220.222/32  \ # mgn.net
		204.107.120.10/32  \ # Ameritrade (no retry)
		205.188.0.0/16     \ # AOL
		205.206.231.0/24   \ # SecurityFocus.com (unique sender)
		207.115.63.0/24    \ # Prodigy - retries continually
		207.171.168.0/24   \ # Amazon.com
		207.171.180.0/24   \ # Amazon.com
		207.171.187.0/24   \ # Amazon.com
		207.171.188.0/24   \ # Amazon.com
		207.171.190.0/24   \ # Amazon.com
		209.132.176.174/32 \ # sourceware.org mailing lists (unique sender)
		209.85.128.0/17    \ # Google
		211.29.132.0/24    \ # optusnet.com.au (weird retry pattern)
		213.136.52.31/32   \ # Mysql.com (unique sender)
		216.33.244.0/24    \ # Ebay
		216.239.32.0/19    \ # Google
		217.158.50.178/32  \ # AXKit mailing list (unique sender)
	}

	list "grey users" rcpt {  \
		user1@... \
		user2@... \
		user3@... \
	}

	racl "My Network" whitelist list "my network"
	racl "Broken MTA" whitelist list "broken mta"
	racl "outlook.com" whitelist list "outlook.com" 
	racl "NoMoRobo" whitelist domain nomorobo.zendesk.com flushaddr
	racl "ZBS Foundation" whitelist domain zbs.org flushaddr
	racl "Linux Counter" whitelist domain linuxcounter.net flushaddr
	racl "Faith Church" whitelist domain faithchurchac.org flushaddr

	racl "spammers-4" blacklist domain qq.com flushaddr


-- 
---- Fred Smith -- fredex@... -----------------------------
  "For him who is able to keep you from falling and to present you before his 
 glorious presence without fault and with great joy--to the only God our Savior
 be glory, majesty, power and authority, through Jesus Christ our Lord, before
                     all ages, now and forevermore! Amen."
----------------------------- Jude 1:24,25 (niv) -----------------------------
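
A worked example of reading the dump the way the grep/sort in the post does, added here as an illustration; it is not part of the original post and not milter-greylist's own code. It assumes the dumpfile layout shown above (client IP, sender, recipient, unix timestamp, an optional AUTO flag on auto-whitelisted entries, then a "# date" comment); the sample lines, IPs and addresses are constructed, not Fred's data. Note that `sort -k4` orders on the fourth whitespace-separated field, which is the timestamp. The summary makes the pattern in the question visible: one client IP cycling through many sender addresses until an entry carries AUTO. Two milter-greylist details matter for the question asked: the `domain` keyword in an ACL matches the connecting host's reverse-DNS name rather than the envelope sender (so `racl ... blacklist domain qq.com` will not fire on a forged qq.com sender; `from` is the envelope-sender match), and the lifetime of an auto-whitelist entry is governed by the `autowhite` directive, which the posted config does not set, so the compiled-in default applies.

```python
import re

# Constructed sample in the dumpfile layout the thread shows: client IP,
# sender, recipient, unix timestamp, an optional AUTO flag on auto-whitelisted
# entries, and a "# date" comment. Addresses and IPs are made up.
SAMPLE_DB = """\
# constructed greylist.db excerpt (not real data)
192.0.2.10\t<1111111111@qq.com>\t<me@example.org>\t1540995534 # 2018-10-31 10:18:54
198.51.100.5\t<2222222222@qq.com>\t<me@example.org>\t1541107270 # 2018-11-01 17:21:10
203.0.113.77\t<friend@example.net>\t<me@example.org>\t1541200000 # 2018-11-02 19:06:40
198.51.100.5\t<3333333333@qq.com>\t<me@example.org>\t1541259038 # 2018-11-03 11:30:38
198.51.100.5\t<4444444444@qq.com>\t<me@example.org>\t1541376051 AUTO # 2018-11-04 19:00:51
"""

# ip, <sender>, <recipient>, timestamp, then an optional AUTO marker.
LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+<(?P<sender>[^>]*)>\s+<(?P<rcpt>[^>]*)>\s+(?P<ts>\d+)(?P<auto>\s+AUTO\b)?"
)


def parse_db(text):
    """Parse dump lines into dicts; comment lines and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        sender = m.group("sender")
        entries.append({
            "ip": m.group("ip"),
            "sender": sender,
            "rcpt": m.group("rcpt"),
            "domain": sender.rpartition("@")[2].lower(),  # "" for a null sender <>
            "ts": int(m.group("ts")),
            "auto": m.group("auto") is not None,
        })
    return entries


def summarize(entries, domain):
    """Per client IP, for one sender domain: number of distinct senders seen,
    whether any entry reached AUTO (auto-whitelisted), and first/last timestamps."""
    per_ip = {}
    for e in sorted(entries, key=lambda e: e["ts"]):   # same order as sort -k4
        if e["domain"] != domain.lower():
            continue
        s = per_ip.setdefault(e["ip"], {"senders": set(), "auto": False,
                                        "first": e["ts"], "last": e["ts"]})
        s["senders"].add(e["sender"])
        s["auto"] = s["auto"] or e["auto"]
        s["last"] = e["ts"]
    return {ip: {**s, "senders": len(s["senders"])} for ip, s in per_ip.items()}


if __name__ == "__main__":
    for ip, s in summarize(parse_db(SAMPLE_DB), "qq.com").items():
        flag = "AUTO-WHITELISTED" if s["auto"] else "greylisted only"
        print(f"{ip:16} senders={s['senders']} first={s['first']} last={s['last']} {flag}")
```

Run against a real dumpfile with `parse_db(open(path).read())`; an IP that shows several distinct senders and then an AUTO entry is exactly the "sneaks back in, then a bunch get accepted" behaviour described above, and is the candidate for an explicit `addr` blacklist or a shorter `autowhite`.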

Re: [milter-greylist] Blacklisting a spammer?

2018-11-04 by John Damm Sørensen

I checked my spam archive and over the last 4 years I have also received spam where qq.com was used.

It seems like qq.com was used in From: and Reply-To: header lines, so you should be able to block the sender with:

dacl blacklist header /Reply-To:.*qq.com/
dacl blacklist header /From:.*qq.com/

maybe even

dacl blacklist header /Subject:.*qq.com/

On my mail server the mails were all caught by Spamassassin. I use a score of 4.3 to classify spam.

Best

John

Re: [milter-greylist] Blacklisting a spammer?

2018-11-04 by Bob Friesenhahn

On Sun, 4 Nov 2018, Fred Smith fredex@... [milter-greylist] wrote:

> I've been using milter-greylist for a couple of years, with a huge
> reduction in spam.
>
> the past week or so I've had a huge increase, and looking at
> /var/log/maillog I can see that one of the main culprits is being
> auto-whitelisted! Also:

Recently I have found it necessary to explicitly blacklist blocks of 
IP addresses which are used by spam factories and use mailers which 
just don't give up so they are eventually white-listed.  For some 
reason these IP addresses have not found their way into DNS 
blacklists.  After I blacklisted the blocks of IP addresses, the 
amount of spam getting through dropped dramatically.

By sorting greylist.db, I see that many more blocks of IP addresses 
now need to be added to the blacklist.

Bob
-- 
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Re: [milter-greylist] Blacklisting a spammer?

2018-11-05 by Fred Smith

On Sun, Nov 04, 2018 at 11:49:01PM +0100, John Damm Sørensen john@... [milter-greylist] wrote:
>    I checked my spam archive and over the last 4 years I have also
>    received spam where qq.com was used.
> 
>    It seems like qq.com was used in From: and Reply-To: header lines, so
>    you should be able to block the sender with:
> 
>    dacl blacklist header /Reply-To:.*qq.com/
>    dacl blacklist header /From:.*qq.com/
> 
>    maybe even
> 
>    dacl blacklist header /Subject:.*qq.com/
> 
>    On my mail server the mails were all caught by Spamassassin. I use a
>    score of 4.3 to classify spam.
> 
>    Best
> 
>    John

Ah. thanks for the hint. I added:

dacl blacklist header /From:.*qq.com/ flushaddr
dacl blacklist header /From.*qq.com/ flushaddr
dacl blacklist header /Return-Path:.*qq.com/ flushaddr
dacl blacklist header /Disposition-Notification-To:.*qq.com/ flushaddr

in hopes that'll block them and flush them out of the database.

In addition to greylisting, I also use a fairly-well trained spambayes,
and since spambayes catches nearly everything, these things bother me
more on the principle of the thing than on the fact that they pollute
my inbox (since they don't). I see 'em when I examine the "trained-spam"
folder, and since I have been getting anywhere from 0 to 3 or 4 a day
for quite some time, when suddenly 10-20 show up I get upset.

thanks again for the hints.

Fred

-- 
---- Fred Smith -- fredex@... -----------------------------
    "Not everyone who says to me, 'Lord, Lord,' will enter the kingdom of
     heaven, but only he who does the will of my Father who is in heaven."
------------------------------ Matthew 7:21 (niv) -----------------------------
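
The header-matching approach from John's reply, and the rules Fred added above, rely on unanchored regular expressions. The following Python is an added illustration (not code from the thread or from milter-greylist) of what those patterns match and what a tighter pattern would match instead. It assumes, as the thread's examples imply, that a `header /regex/` clause is tried against each header as a single "Name: value" line, and that Python's `re` behaves closely enough to the extended regex that Fred's `extendedregex` option selects for these simple patterns. The sample headers are constructed.

```python
import re

# Constructed sample header sets (not taken from the thread's mail); each is
# a list of "Name: value" lines the way a DATA-stage header ACL would see them.
SAMPLES = {
    "qq_sender":        ['From: "Li" <1234567890@qq.com>', "Subject: hello"],
    "lookalike_domain": ["From: <bob@qq.com.example.net>", "Subject: hello"],
    "display_name":     ['From: "qq.com support" <help@example.org>', "Subject: hello"],
    "dot_is_wildcard":  ["From: <x@qqXcom>", "Subject: hello"],
    "reply_to_only":    ["From: <a@example.org>", "Reply-To: <b@qq.com>"],
    "unrelated":        ["From: <alice@example.org>", "Subject: qq.com is a domain"],
}

# The patterns proposed in the thread, unanchored, with an unescaped dot.
LOOSE = [r"From:.*qq.com", r"Reply-To:.*qq.com", r"Subject:.*qq.com"]

# Anchored alternative: header name at the start of the line, an address whose
# domain is exactly qq.com at the end, dot escaped. Still a header check, so a
# sender who changes the header evades it; it complements IP/SPF rules.
TIGHT = [r"^(From|Reply-To):.*<?[^<>@\s]+@qq\.com>?\s*$"]


def header_blacklisted(headers, patterns):
    """True if any header line matches any pattern (header names and domains
    are case-insensitive, hence IGNORECASE)."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return any(rx.search(h) for h in headers for rx in compiled)


def evaluate(patterns):
    """Apply one rule set to every sample; returns {sample_name: blacklisted}."""
    return {name: header_blacklisted(hdrs, patterns) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    loose, tight = evaluate(LOOSE), evaluate(TIGHT)
    for name in SAMPLES:
        print(f"{name:18} loose={loose[name]!s:5} tight={tight[name]!s:5}")
```

The loose set rejects every sample, including a look-alike domain, a display name that merely mentions qq.com, a domain `qqXcom` (the unescaped `.` is a wildcard) and an unrelated message whose Subject contains the string; the anchored set rejects only messages whose From or Reply-To address is actually at qq.com. Whichever set is used, `flushaddr` on the rule is what clears the auto-whitelist entry that let the client through in the first place.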

Re: [milter-greylist] Blacklisting a spammer?

2018-11-05 by Fred Smith

On Sun, Nov 04, 2018 at 05:09:41PM -0600, Bob Friesenhahn bfriesen@... [milter-greylist] wrote:
> On Sun, 4 Nov 2018, Fred Smith fredex@... [milter-greylist] wrote:
> 
> > I've been using milter-greylist for a couple of years, with a huge
> > reduction in spam.
> >
> > the past week or so I've had a huge increase, and looking at
> > /var/log/maillog I can see that one of the main culprits is being
> > auto-whitelisted! Also:
> 
> Recently I have found it necessary to explicitly blacklist blocks of 
> IP addresses which are used by spam factories and use mailers which 
> just don't give up so they are eventually white-listed.  For some 
> reason these IP addresses have not found their way into DNS 
> blacklists.  After I blacklisted the blocks of IP addresses, the 
> amount of spam getting through dropped dramatically.
> 
> By sorting greylist.db, I see that many more blocks of IP addresses 
> now need to be added to the blacklist.

might they be forged/spoofed addresses, such that the mail is not actually
from those addresses? If so blacklisting blocks of them may be blocking
innocent bystanders. So to speak.

Fred
-- 
---- Fred Smith -- fredex@... -----------------------------
                    The Lord detests the way of the wicked 
                  but he loves those who pursue righteousness.
----------------------------- Proverbs 15:9 (niv) -----------------------------

Re: [milter-greylist] Blacklisting a spammer?

2018-11-05 by John Damm Sørensen

Sometimes I have been able to determine that the sender IP was from a cloud provider or similar, in which case I added a firewall rule blocking the whole IP range. That helped in the sense that the spammer isn't even allowed to talk to my mail server and thus could not be added to the spammer's list of confirmed mail servers.

/john

Re: [milter-greylist] Blacklisting a spammer?

2018-11-05 by manu@...

Fred Smith fredex@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> grep qq.com `locate greylist.db` | sort -k4

I note qq.com publishes SPF records, and none of the source IP addresses
in your case match it. You can probably filter the spam and still accept
legitimate mail from qq.com by using SPF:

racl blacklist spf fail

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [milter-greylist] Blacklisting a spammer?

2018-11-05 by Bob Friesenhahn

On Sun, 4 Nov 2018, Fred Smith fredex@... [milter-greylist] wrote:
>>
>> By sorting greylist.db, I see that many more blocks of IP addresses
>> now need to be added to the blacklist.
>
> might they be forged/spoofed addresses, such that the mail is not actually
> from those addresses? If so blacklisting blocks of them may be blocking
> innocent bystanders. So to speak.

Since SMTP is based on connection-oriented TCP, it is not possible to 
spoof the origin IP address.  The origin IP address needs to at least 
be stable during the session.  It is of course possible for some sort 
of proxy to be used, but the IP address of the proxy needs to be 
stable.

What I see is that entire Class C subnets are used for the spam 
function.  It may be that just a few actual hosts are involved, using 
many source IP addresses.

Bob
-- 
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

Re: [milter-greylist] Blacklisting a spammer?

2018-11-05 by Bob Friesenhahn

On Mon, 5 Nov 2018, manu@... [milter-greylist] wrote:

> Fred Smith fredex@... [milter-greylist]
> <milter-greylist@yahoogroups.com> wrote:
>
>> grep qq.com `locate greylist.db` | sort -k4
>
> I note qq.com publishes SPF records, and none of the source IP addresses
> in your case match it. You can probably filter the spam and still accept
> legitimate mail from qq.com by using SPF:
>
> racl blacklist spf fail

I see that my own spf rules (based on ideas from Jim Klimov) are 
perhaps excessively permissive:

   racl greylist spf softfail delay 120m

   racl greylist spf self delay 120m

It seems that

   racl greylist spf self fail

should be reasonably safe to use, and help block spammers who use 
properly-functioning DNS and mail delivery systems.

Bob
-- 
Bob Friesenhahn
bfriesen@..., http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
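
The `racl blacklist spf fail` rule from Emmanuel's reply and the `softfail` greylist rule in Bob's act on the result of evaluating the connecting IP against the envelope sender domain's SPF record. The following is an added Python illustration, not code from the thread or from milter-greylist, of how those results arise and how the two ACL lines map onto them. The SPF records are constructed for the example and are not qq.com's real record; the evaluator handles only `ip4:`, `ip6:` and `all`, and refuses mechanisms that need DNS rather than guessing.

```python
import ipaddress

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate client_ip against one SPF TXT record, offline.

    Handles ip4:, ip6: and all. Mechanisms that need DNS (a, mx, include:,
    exists:, ptr) and modifiers (redirect=, exp=) raise NotImplementedError
    instead of returning a guess.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qual = "+"                         # default qualifier is pass
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return QUALIFIER[qual]
            continue
        raise NotImplementedError(f"SPF term {term!r} needs DNS; not evaluated here")
    return "neutral"                       # RFC 7208 s4.7: nothing matched, no 'all'


# The two ACL lines from the thread, in the order milter-greylist walks them:
#   racl blacklist spf fail
#   racl greylist  spf softfail delay 120m
ACL = [("blacklist", "fail"), ("greylist", "softfail")]


def acl_decision(record, client_ip):
    """Return (spf_result, action); action is None when no SPF rule fires
    and later ACL entries decide."""
    result = spf_result(record, client_ip)
    for action, wanted in ACL:
        if result == wanted:
            return result, action
    return result, None


# Constructed records for illustration; neither is qq.com's real SPF record.
RECORD_HARD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
RECORD_SOFT = "v=spf1 ip4:203.0.113.0/24 ~all"

if __name__ == "__main__":
    for rec in (RECORD_HARD, RECORD_SOFT):
        for ip in ("203.0.113.7", "198.51.100.9", "2001:db8::1"):
            print(f"{rec!r:55} {ip:14} -> {acl_decision(rec, ip)}")
```

Two caveats a practitioner would check before relying on this: SPF is evaluated against the envelope MAIL FROM (or HELO) identity, so a message whose From: header says qq.com but whose envelope sender is some other domain is never tested against qq.com's record at all; and a domain publishing `~all` yields softfail, not fail, so `racl blacklist spf fail` alone never fires for it, which is the gap the softfail greylist rule covers.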

RE: [milter-greylist] Blacklisting a spammer?

2018-11-09 by Bruncsak, Attila

> I tried to do a blacklist of qq.com, but apparently blacklisting requires
> an IP address. Since they appear to be using random/invalid IP addresses,
> I'm not sure that just blindly blacklisting every address it appears
> under is either a good idea, or would be adequate to get rid of them.
 
> So, I'm wondering if any of you can offer suggestions on any ways other
> than directly blacklisting qq.com to stomp on this site's spam?
> 
> all advice will be appreciated, thanks in advance!

Dear Fred,

Those IP addresses were appropriately listed by IP-based blacklist(s).
I suggest you try the DNSBL provider cbl.abuseat.org.
Here are my statistics, for the time range of 1st of November to
4th of November, of spam e-mail delivery attempts filtered by the
IP list you provided:

     83	124.6.159.130
      2	115.230.76.104
      1	1.199.184.250
      1	122.241.3.11
      1	222.189.144.75

The number of spams from these IP addresses which got through the filtering: 0.

Take care.

Best,
Attila
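
Attila's figures come from checking the connecting client IPs against a DNSBL. The block below is an added Python illustration (not from the thread) of the lookup itself: the address is reversed label by label and prefixed to the zone, and an A record inside 127.0.0.0/8 means the address is listed. The zone name is the one suggested above (check the operator's current status and usage terms before querying it); the resolver here is a stub with constructed answers so the example runs offline, and the sample client IPs and attempt counts are made up. A real check would use the system resolver (for instance dnspython) and compare the returned code against the operator's documented meanings.

```python
import ipaddress
from collections import Counter


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: address reversed per label, then the zone.
    IPv4: 124.6.159.130 -> 130.159.6.124.<zone>
    IPv6: every hex nibble of the expanded address, reversed, one per label."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = addr.exploded.split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def is_listed(ip, zone, resolve):
    """resolve(name) -> list of A-record strings ([] when NXDOMAIN).
    A listing is any answer inside 127.0.0.0/8; the exact code's meaning is
    operator-specific, so read the DNSBL's documentation before acting on it."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.ip_address(a) in loopback for a in answers)


def screen(ip_counts, zone, resolve):
    """Per-IP attempt counts (the `sort | uniq -c` view Attila posted),
    annotated with the DNSBL listing status."""
    return {ip: {"attempts": n, "listed": is_listed(ip, zone, resolve)}
            for ip, n in ip_counts.items()}


# Constructed sample: the IPs are documentation ranges and the stub resolver's
# answers are made up; nothing below reflects the real DNSBL contents.
ZONE = "cbl.abuseat.org"
STUB_ANSWERS = {
    dnsbl_query_name("198.51.100.5", ZONE): ["127.0.0.2"],
    dnsbl_query_name("203.0.113.77", ZONE): [],
}


def stub_resolve(name):
    """Offline stand-in for a DNS A lookup against the DNSBL zone."""
    return STUB_ANSWERS.get(name, [])


# Constructed client IPs as they might be pulled from maillog, then tallied.
SAMPLE_CLIENT_IPS = ["198.51.100.5"] * 5 + ["203.0.113.77"] * 2
SAMPLE_COUNTS = Counter(SAMPLE_CLIENT_IPS)

if __name__ == "__main__":
    for ip, info in screen(SAMPLE_COUNTS, ZONE, stub_resolve).items():
        print(f"{info['attempts']:6} {ip:16} {'LISTED' if info['listed'] else 'not listed'}")
```

Reversing the labels is the step most often got wrong by hand; the IPv6 form needs all 32 nibbles of the expanded address. A listed client can be rejected at connection time with milter-greylist's `dnsrbl` list and ACL support, which keeps it from ever completing the greylist retry that leads to auto-whitelisting.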
