Re: [Exim] Greylisting + multiple MX hosts -> multiple attem…

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Dean Brooks
Date:  
À: exim-users
Sujet: Re: [Exim] Greylisting + multiple MX hosts -> multiple attempts
On Tue, Mar 23, 2004 at 10:22:04AM -0600, Edgar Lovecraft wrote:

> so why do the Greylisting Docs suggest such a long period of time before
> the accept??
> Ah well, greylisting is a nice idea, I have just not figured out what a
> good balance for its use would be yet, and I do not think that all email
> should be greylisted "just because".
> Not that I am trying to pick a fight by the way ;)


The longer delay is more to prevent a spammer who sends multiple
identical messages in a 20 minute period from triggering an automatic
whitelisting. It's not perfect by any means, but a properly
configured server should hopefully continue to retry even after the
initial hour, and the hour delay will prevent multiple messages in a
short period from being whitelisted inadvertantly.

We implemented Greylisting for some of our administrative aliases,
and it works fairly well, but from a couple of months of observations,
I've found the following:

  1.  Dont use it on mailboxes that are mission critical.  There are some
      mail servers out there that have their retry rules screwed up and
      may not retry often enough or long enough.


  2.  Be prepared to deal with delays on incoming mail from new sources.
      For example, if you went to a website you forgot the password to
      and ask them to email it to you, it will take an hour to get it
      at a minimum.


  3.  Some spam will still get through, either because they retry or
      because they send another message to you an hour or so later.


  4.  Be careful in the implementation so that your mail server isn't
      vulnerable to the state of your MySQL database.  Doing queries
      to a remote database in a high-volume mail environment isn't ideal.


All in all, Greylisting is a good last resort, but it's really a
desparate hack that works somewhat well if you dont mind the downsides.

--
Dean Brooks
dean@???