On Sat, 25 Feb 2023, hg user wrote:

The last time I was hit by a not-recognized phishing campaign, no IPs nor
domains were present in RBL. When I took action one hour later I found that
several of them were listed.

So my idea is: is it possible to replay the queries one/two hours later?

Another more common approach to this situation is "greylisting", where the first attempt to submit a message from an unrecognized source is tempfailed for some period of time. The mailer will retry and the submission will be accepted after the greylisting period has expired, which may give RBLs time to list the IPs/domains/hashes/etc.

This also theoretically blocks fire-and-forget mass spammers who only try submission once, but I don't know how common that model is these days.

  https://duckduckgo.com/?q=milter-greylist

There are scenarios where this delay is unwelcome, for example commercial accounts where you don't want a delay in receiving communications from customers or potential customers. There are ways to tune it that may mitigate these concerns somewhat.


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org                         pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The Constitution is not a suicide pact, it is a restraining order
  against government. And government, like any abusive person,
  does not respect or obey restraining orders.           -- Anonymous
-----------------------------------------------------------------------
 1,001 days since the first private commercial manned orbital mission (SpaceX)
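
Added example, not part of the original message and not milter-greylist's code: a sketch of the greylisting decision described above, keyed on the (client network, sender, recipient) triplet. The class and field names, the one-hour delay, the /24 and /64 keying, and the exemption lists (one possible form of the tuning mentioned for mailboxes that cannot tolerate delay) are all assumptions for illustration.

```python
"""Greylisting decision logic (constructed example, hypothetical names)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 2.0.0 OK"


@dataclass
class Greylist:
    delay: int = 3600            # seconds a new triplet must wait (assumed value)
    retry_window: int = 86400    # triplets not retried within this time start over
    exempt_rcpts: set = field(default_factory=set)   # e.g. a sales mailbox
    exempt_nets: list = field(default_factory=list)  # known-good relays (CIDR)
    first_seen: dict = field(default_factory=dict)   # triplet -> first attempt time

    def _key(self, client_ip, sender, rcpt):
        # Key on the /24 (IPv4) or /64 (IPv6) so a retry from a neighbouring
        # outbound host of the same sender still matches the first attempt.
        ip = ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        """Return the SMTP reply for one RCPT TO at time `now` (epoch seconds)."""
        ip = ip_address(client_ip)
        if rcpt.lower() in self.exempt_rcpts:
            return ACCEPT                    # delay-sensitive mailbox: never greylist
        if any(ip in ip_network(n) for n in self.exempt_nets):
            return ACCEPT                    # trusted relay: never greylist
        key = self._key(client_ip, sender, rcpt)
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now       # first attempt (or stale): start clock
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                  # retried too early: keep waiting
        return ACCEPT                        # delay elapsed: pass on to normal filtering
```

Exempted recipients and networks get no benefit from late RBL listings, so those lists should stay short.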
