Autor: Jim Roberts Data: A: exim-users Assumpte: [exim] An idea to kick around
Just had a thought, might be useful, might not be, but figured the experts
could tell which.
The concept is sort of like greylisting, but with a twist. Everytime a
message comes in (that passes basic SMTP-time checks, so might otherwise be
accepted, but before expensive spam scanning), track the sender IP/sender
address doublet (just like greylisting without the recipient). Instead of
rejecting it the first time, as in greylisting, try this:
If they are not in the greylist yet, put a delay into the SMTP transaction.
This will run off a lot of junk senders that can't be bothered to wait
around, or to retry, like a real mail server. If they continue with the
transaction, as a proper mail sever should, continue on with the rest of
your checks, such as Spam Assassin. If/when it's eventually accepted, enter
the doublet into the greylist. In this way, you effectively populate a
whitelist automatically, without a lot of impact to others. Mind you, I
don't mean a whitelist to bypass all checks, only a whitelist to bypass that
SMTP delay. After a single successful transaction, a given sender/IP pair
is no longer delayed.
One lovely side effect is, any spammer that keeps changing sender addresses
with each spam run, will simply run themselves into the same delays all over
again, even if they managed to sneak something through earlier.
You could also have a mechanism for de-listing a pair, if it starts spamming
(as detected by other checks) after a period of good behavior.
