On 09/24/2014 07:19 PM, Jason Haar wrote:
On 25/09/14 11:02, Corey Hickey wrote:
Hi,

Lately I have been getting lots of spam that passes through when
initially received, but which is detected as spam when I test it later.
I guess the blacklists catch up to the spammers' new IPs, etc.

We are sooo seeing this too. A lot of spam is getting through these
days, and re-checking only 15 minutes later shows tonnes of RBLs trigger
- but it's getting to us before it hits the RBLs

Greylisting would be the real solution to this situation, but our
commercial environment means we could not use that option. In fact,
greylisting even failed the "WAF test" on my home network: lasted two
days before I was forced to turn it off ;-)



What I've done is do greylist checks at the DATA phase and issue a defer only if the source would be greylisted and score more than 1.0, since most valid senders will be at 1.0 or under. I also filter the source through a /24 (IPv6) or /64 (IPv6) mask before handing to greylistd in order to take care of the few places that send from pools of source addresses and can end up in greylist loops.

The majority of those that defer are in the 20s or higher and would be rejected otherwise, assuming they made it past greylisting deferrals. For the few low deferrals that did retry, they eventually got over 5.0 after whitelisting due to the RBLs updating in the meantime.

--

-James
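
The DATA-phase check described in the message above, as an added Python sketch; it is not James's configuration and not part of the original thread. Assumptions: /24 is applied to IPv4 and /64 to IPv6, the in-memory `Greylist` class is a hypothetical stand-in for greylistd, and the 600-second retry delay and all addresses are constructed for the example.

```python
import ipaddress

SCORE_THRESHOLD = 1.0   # from the post: most valid senders score 1.0 or under
RETRY_DELAY = 600       # assumed minimum wait in seconds; not stated in the post


def mask_source(addr: str) -> str:
    """Collapse a source address to its /24 (IPv4) or /64 (IPv6) network,
    so a sender retrying from a pool of addresses maps to one greylist key."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class Greylist:
    """Hypothetical in-memory stand-in for greylistd: first-seen time per triplet."""

    def __init__(self, delay: int = RETRY_DELAY):
        self.delay = delay
        self.first_seen = {}

    def would_greylist(self, key, now: float) -> bool:
        """True while the triplet is new or still inside the retry delay."""
        seen = self.first_seen.setdefault(key, now)
        return now - seen < self.delay


def data_phase_decision(gl, src, sender, rcpt, score, now):
    """Return 'accept' or 'defer' for a message already scored at DATA."""
    key = (mask_source(src), sender.lower(), rcpt.lower())
    # The triplet is recorded even when the message is accepted
    # (a choice made for this sketch, not taken from the post).
    grey = gl.would_greylist(key, now)
    if grey and score > SCORE_THRESHOLD:
        return "defer"    # temporary 4xx; a real MTA retries later
    return "accept"       # hand back to normal spam-score handling
```

A retry that arrives after the delay is accepted here and then scored as usual, which is where the RBLs that updated in the meantime take effect.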
