Re: [exim] Penalty Box Greylisting

Author: Marc Perkel
Date:  
To: exim-users
Subject: Re: [exim] Penalty Box Greylisting


Jan-Peter Koopmann wrote:

>Hi Marc,
>
>
>
>>So what I'm doing is after I get a spam from an email address
>>I add that email address to a text file and for the next hour
>>I return temporary errors for any mail coming from that email
>>address.
>>
>>
>
>I can see how this might help a bit but that's not greylisting is it? Greylisting should prevent the initial spam coming in. Your method depends on letting spam come through, identify/tag it and then deny further e-mails from that address for the next hour. Personally I rarely see spam coming in from the same e-mail or IP addresses. Does this really help?
>
>

I see spams coming from the same place a lot. Sometimes they
continuously hammer me with dictionary attacks. That's what I'm trying
to eliminate.

>
>
>>that file. I also greylist from addresses that fail the
>>sender verify test (using the exim snapshot to do this
>>accurately) so that if I'm being hammered by a spammer - I
>>don't have to do continuous sender verification of the same
>>spammer.
>>
>>
>
>I thought exim is caching callouts and sender verification in which case being hammered by a single spammer would not bother you in that respect.
>
>

Unless I'm doing something wrong - there doesn't seem to be any caching
of callouts. At least not on a global basis. This essentially creates
caching of sender verify callouts.

>
>
>>So after I have an email address that fails to
>>verify I add that to the list. The next time they try they are
>>in the list and get a temp error.
>>
>>
>
>Are we talking sender verify or callout?
>
>

Yes - sender verify callout. I figure that if a sender verify fails -
it will probably fail again 15 seconds later. I'm trying to avoid
pissing off innocent hosts with a stream of sender verify callouts. If
the sender verify fails - it is remembered for up to an hour.

>
>
>>I'm just experimenting with this now - but the good part is
>>that if it makes a mistake - it only delays the message for
>>up to an hour. Every hour all lists are cleared. And - it
>>gets rid of the spammers who are hammering my server.
>>
>>
>
>I do not like using greylisting for all mails since it takes too long for the initial mail to come through. If a stupid postmaster only retries every 30 or 60 minutes, the first message of a new customer etc. takes more than one hour to reach me. Currently we are delaying the SMTP protocol if something is fishy about the mail (like sender callout, HELO checks, IP in one of the usual blacklists). This and enforcing SMTP sync helps a lot. I am thinking about adding greylisting in its classical form but only for those fishy mails and only for 10-14 minutes (assuming most MTAs are defaulting to 15 minute retries).
>

I agree - that's why I'm inventing this new name "penalty boxing"
because it assumes all new email is innocent - but if you sin then you
get put in the "penalty box" for up to one hour. This is mostly to
prevent hosts that hammer me and to prevent repeated callouts for the
same sender.

--
Marc Perkel - marc@???

Spam Filter: http://www.junkemailfilter.com
    My Blog: http://marc.perkel.com
My Religion: http://www.churchofreality.org
~ "If it's real - we believe in it!" ~
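
The penalty-box behaviour described in this message, modelled as an added example (not the poster's Exim configuration and not part of the original post). The class and function names, the reply strings, and the choice to defer on the first failed callout are assumptions made for illustration; the callout is a constructed stand-in.

```python
# Added illustration; names are hypothetical, not Exim's or the poster's.
HOUR = 3600

class PenaltyBox:
    """Sender addresses that get a temporary error until the next hourly clear."""

    def __init__(self, verify_callout):
        self.verify_callout = verify_callout  # callable(sender) -> bool, assumed costly
        self.boxed = set()
        self.window = None                    # hour number the current list belongs to

    def _roll(self, now):
        # "Every hour all lists are cleared": drop everything when the hour changes.
        window = int(now) // HOUR
        if window != self.window:
            self.boxed.clear()
            self.window = window

    def penalize(self, sender, now):
        """Called after a message from `sender` was identified as spam."""
        self._roll(now)
        self.boxed.add(sender.lower())

    def on_mail_from(self, sender, now):
        """Return the SMTP reply for MAIL FROM:<sender> at time `now`."""
        self._roll(now)
        sender = sender.lower()
        if sender in self.boxed:
            return "451 deferred (penalty box)"   # no new callout is made
        if not self.verify_callout(sender):
            self.boxed.add(sender)                # remember the failed verify
            return "451 deferred (sender verify failed)"  # assumed first-failure reply
        return "250 ok"

def demo():
    calls = []
    def fake_callout(sender):                 # constructed stand-in for a real callout
        calls.append(sender)
        return not sender.startswith("forged@")
    box = PenaltyBox(fake_callout)
    t0 = 10 * HOUR                            # constructed timestamps
    replies = [box.on_mail_from("forged@example.net", t0 + s) for s in (0, 15, 30)]
    first = box.on_mail_from("bulk@example.org", t0 + 60)
    box.penalize("bulk@example.org", t0 + 61)
    boxed = box.on_mail_from("bulk@example.org", t0 + 120)
    after_clear = box.on_mail_from("bulk@example.org", t0 + HOUR)
    return replies, first, boxed, after_clear, calls
```

Because the list is cleared on the hour rather than per entry, a sender boxed late in the hour is released after only a few minutes, which is what "up to an hour" implies.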