On 2007-01-19 13:42:52 -0700, JT Moree wrote:
> recently we tried out greylisting with qpsmtpd. We had too many
> returned messages to keep it on so I came up with some ideas to improve
> the process.
>
> I posted them at
> http://www.pcxperience.org/jt/greenlisting.html
[...]
> any feedback is appreciated.
Greylisting uses three pieces of information: the sender IP address, the sender email address and the recipient email address. Your proposal does whitelisting based on the sender email address.

Greylisting as a method tries to determine whether the sender's MTA is a "real" MTA or some sort of malware. This is a property which is strongly linked to the IP address (real MTAs usually have a static IP address and are rarely infested with malware), and only very weakly linked with the sender's email address (the sending MTA can write anything into it). Therefore I think it is generally better to whitelist based on the sender's IP address than on the sender's email address. We've been doing that for about 3 years now and it requires very little maintenance (we had to add a lot of IP addresses during the first few months, but that quickly tapered off and now we add a new IP address every two months or so (for about 250 recipient addresses which have greylisting activated)).

But back to your idea of using the mail logs of the outgoing MTA to whitelist sender email addresses: People often have several email addresses, and when you send a mail to one of them, you may get an answer from a different address (even from a different domain). But since you then just fall back to normal greylisting, it doesn't matter if this isn't foolproof.

You may also want to be careful with autoreplies: If you have some addresses which send automatic replies and which don't have greylisting enabled, an automatic reply to a spam or virus mail may whitelist the spammer for all recipients.

I don't understand the last paragraph in your proposal: If you whitelist sender addresses, why do you need the sender IP address? Or do you want to determine the sending MTA for a domain and whitelist that? That would make sense but it doesn't follow from the rest of the proposal and I don't think it is practical: The only reliable way to do this is with SPF, which isn't widely deployed, and heuristics like "the sending MTA is probably in the same /24 as the MX" have probably a lot of both false positives and false negatives.

hp
-- 
   _  | Peter J. Holzer    | I know I'd be respectful of a pirate
|_|_) | Sysadmin WSR       | with an emu on his shoulder.
| |   | [EMAIL PROTECTED]  |
__/   | http://www.hjp.at/ |    -- Sam in "Freefall"
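The triplet-based greylisting with an IP-address whitelist that the reply above argues for, as an added example written for this page (it is not code from the thread or from qpsmtpd). The class name, the delay and retry thresholds, and the sample addresses are assumptions chosen for illustration; it also shows why whitelisting the IP rather than the sender address matters: a whitelisted IP is accepted for any sender address, while a known sender address from a new IP is still greylisted.

```python
# Added example, not from the original thread or from qpsmtpd.
# Greylisting keyed on the (sender IP, sender address, recipient address)
# triplet, with an IP-based whitelist. Thresholds and names are assumptions.
import ipaddress
import time

GREYLIST_DELAY = 300       # seconds a new triplet must wait before a retry is accepted
AUTO_WHITELIST_AFTER = 3   # retries that passed greylisting before an IP is whitelisted


class Greylister:
    def __init__(self, ip_whitelist=()):
        # Networks of known-good MTAs, e.g. the sites you exchange mail with regularly
        self.ip_whitelist = {ipaddress.ip_network(n) for n in ip_whitelist}
        self.seen = {}      # triplet -> timestamp of the first delivery attempt
        self.passed = {}    # sender IP -> number of retries that passed greylisting

    def ip_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ip_whitelist)

    def decide(self, ip, sender, recipient, now=None):
        """Return 'accept' or 'tempfail' for one SMTP delivery attempt."""
        now = time.time() if now is None else now
        if self.ip_whitelisted(ip):
            # Known real MTA: no delay, whatever the envelope sender says
            return "accept"
        key = (ip, sender.lower(), recipient.lower())
        first = self.seen.setdefault(key, now)
        if now - first < GREYLIST_DELAY:
            # First contact, or a retry that came back too early: 4xx, try later
            return "tempfail"
        # A retry after the delay is what a real queueing MTA does; count it per IP,
        # so the IP (not the sender address) earns the whitelist entry
        self.passed[ip] = self.passed.get(ip, 0) + 1
        if self.passed[ip] >= AUTO_WHITELIST_AFTER:
            self.ip_whitelist.add(ipaddress.ip_network(ip))
        return "accept"
```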