Steve Williams wrote:
Hi,
I have been running spamdb greylisting only for several years as my
only line of defense at home. At work I have managed to sneak in a
Sparc64 Sunfire 120 (OpenBSD 3.9) as a caching web proxy & default
gateway.
Today, we had a fairly aggressive attack on our email system, 6000+
emails in a relatively short period of time. I took the opportunity
to deploy greylisting on the OpenBSD box (which is our first line of
defense... first of many).
It's performed well, and is up to about 300 email servers
whitelisted. I know from personal experience that Bell in Ontario (at
the minimum) and a few other ISPs have server pools that do not
cooperate nicely with greylisting. They do not guarantee the same
server will retry sending the email when it's blocked by spamdb (451
temporary failure).
On my computer at home, I notice these entries when I do a spamdb |
more and see something like:
GREY|205.152.59.48|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161299154|1161313554|1161313554|1|0
GREY|205.152.59.51|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161296098|1161310498|1161310498|1|0
GREY|205.152.59.65|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161300604|1161315004|1161315004|1|0
GREY|205.152.59.66|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161302039|1161316439|1161316439|1|0
GREY|205.152.59.67|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161294517|1161308917|1161308917|1|0
GREY|205.152.59.68|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161292315|1161306715|1161306715|1|0
GREY|205.152.59.72|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161297659|1161312059|1161312059|1|0
On my personal email server, it happens VERY seldom. On our work
server, it only took a couple of hours for this to show up. It looks
like Yahoo might be the same way.
I am 99% sure that I have seen on the internet SOMEWHERE a "whitelist"
of servers that are like this. I thought Bob Beck had forwarded one
at one point in time, but I can only find his post regarding the
tarfile he maintains for the "zombie" hosts.
Bob, if you are listening, what do you do at the U of A to handle
these mis-behaving server pools? Anyone else??
Thanks,
Steve Williams

I've found that some servers retry too quickly, such as Yahoo. Spamd
ignores retries that come too quickly, so I ended up lowering the
passtime parameter from the default of 25 minutes to 5 minutes because I
saw Yahoo servers retrying a few times every 7 minutes. I have no idea
how wise this is, but it works for me so far.
- Re: Spamd - whitelist of mis-behaving SMTP server POOLS Will H. Backman
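
Added example, not part of either post: a script that reads `spamdb` output in the 9-field GREY layout quoted above and reports networks where the same envelope sender and recipient were tried from several different addresses, the pattern the original message describes for server pools. The /24 grouping, the three-host threshold, the function names and the sample lines are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the GREY layout quoted above
# (documentation IP ranges and example.* addresses, not real data).
SAMPLE = """\
GREY|192.0.2.48|<alice@example.com>|<bob@example.org>|1161299154|1161313554|1161313554|1|0
GREY|192.0.2.51|<alice@example.com>|<bob@example.org>|1161299754|1161314154|1161314154|1|0
GREY|192.0.2.65|<alice@example.com>|<bob@example.org>|1161300604|1161315004|1161315004|1|0
GREY|198.51.100.7|<promo@example.net>|<bob@example.org>|1161300700|1161315100|1161315100|1|0
GREY|198.51.100.7|<promo@example.net>|<carol@example.org>|1161300900|1161315300|1161315300|2|0
WHITE|203.0.113.9|||1161200000|1161290000|1164400000|3|12
"""

def parse_grey(text):
    """Yield (ip, sender, recipient) for each GREY line; skip all others."""
    for line in text.splitlines():
        fields = line.strip().split("|")
        if len(fields) < 9 or fields[0] != "GREY":
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # malformed address: ignore the line
        # Envelope fields sit just before the five trailing numeric fields.
        yield ip, fields[-7], fields[-6]

def pool_candidates(text, prefix=24, min_hosts=3):
    """Map network -> sorted IPs where one (sender, recipient) pair was
    greylisted from at least min_hosts distinct addresses in that network."""
    hosts = defaultdict(set)
    for ip, sender, rcpt in parse_grey(text):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        hosts[(net, sender, rcpt)].add(ip)
    found = defaultdict(set)
    for (net, _sender, _rcpt), ips in hosts.items():
        if len(ips) >= min_hosts:
            found[str(net)] |= ips
    return {net: [str(i) for i in sorted(ips)] for net, ips in found.items()}

if __name__ == "__main__":
    # Candidates for manual review before adding anything to a whitelist.
    for net, ips in pool_candidates(SAMPLE).items():
        print(net, "retried from", ", ".join(ips))
```

The output is a review list only: a single host that greylists many different recipients (the 198.51.100.7 lines in the sample) is deliberately not reported, since that is not pool behaviour.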