On Tue, Jan 23, 2007 at 06:10:49PM +0800, David Woodhouse wrote:
>> Some hosts act as gateways with NAT and mail relaying. The mail relay
>> will probably retry each time. But infected windows zombies behind the
>> gateway won't all the time. I find it pretty useful to greylist for each
>> triplet (IP/from/to) as it has proven to block zombies behind gateways,
>> and not the legitimate mails.
> Hm, that's an interesting point. I should probably use (IP,HELO) instead
> of just the IP. Using from/to addresses wouldn't be my choice.
That was a very good idea. I modified my Greylisting system yesterday to
behave that way and it works well. It's interesting how some spamming
software changes the HELO. Eg:
mysql> SELECT ctime, CONCAT(sender_local_part,'@',sender_domain) AS
sender, passed, helo FROM mail_greylist WHERE remote_addr =
INET_ATON('60.51.121.230');
+---------------------+--------------------------+--------+------------------------------+
| ctime | sender | passed | helo |
+---------------------+--------------------------+--------+------------------------------+
| 2007-01-24 04:05:18 | 672mel@??? | 0 | HITAM.esevv.com |
| 2007-01-24 04:05:41 | 134goran@??? | 0 | HITAM |
| 2007-01-24 04:06:04 | 214standford@??? | 0 | k5qx4vh.ai60zig0.comcast.net |
| 2007-01-24 04:06:25 | 332etienne@??? | 0 | HITAM |
| 2007-01-24 04:06:52 | 132willi@??? | 0 | HITAM |
| 2007-01-24 04:07:09 | 246reese@??? | 0 | HITAM.0uoe2p.org |
| 2007-01-24 04:07:41 | 620nefen@??? | 0 | jeyua.5zdx2.verizon.net |
| 2007-01-24 04:07:56 | 229horatius@??? | 0 | HITAM.428u0o.org |
| 2007-01-24 04:08:11 | 927byrom@??? | 0 | HITAM |
| 2007-01-24 04:08:29 | 819giles@??? | 0 | HITAM.wsiwrioe.com |
+---------------------+--------------------------+--------+------------------------------+
10 rows in set (0.00 sec)
Mike
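The (IP, HELO) greylisting the thread settles on, as an added example that is not Mike's or David's code. It models mail_greylist with an in-memory SQLite table whose columns mirror the query above; the five-minute delay, the relay's IP and HELO, and the replayed attempts (taken from the rows shown for 60.51.121.230) are assumed, constructed inputs.

```python
import sqlite3
from datetime import datetime, timedelta

# Minimum age of a (remote_addr, helo) record before a retry is accepted (assumed value).
GREYLIST_DELAY = timedelta(minutes=5)


def open_db():
    # Table name and column names follow the query in the message; the key is
    # the (IP, HELO) pair rather than the IP alone.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE mail_greylist (
        remote_addr TEXT, helo TEXT, first_seen TEXT, passed INTEGER,
        PRIMARY KEY (remote_addr, helo))""")
    return db


def greylist(db, remote_addr, helo, now):
    """Return 'DEFER' or 'PASS' for one delivery attempt and record it."""
    row = db.execute("SELECT first_seen, passed FROM mail_greylist "
                     "WHERE remote_addr = ? AND helo = ?", (remote_addr, helo)).fetchone()
    if row is None:
        # First contact for this (IP, HELO): record it and ask for a retry.
        db.execute("INSERT INTO mail_greylist VALUES (?, ?, ?, 0)",
                   (remote_addr, helo, now.isoformat()))
        return "DEFER"
    first_seen, passed = row
    if passed or now - datetime.fromisoformat(first_seen) >= GREYLIST_DELAY:
        db.execute("UPDATE mail_greylist SET passed = 1 "
                   "WHERE remote_addr = ? AND helo = ?", (remote_addr, helo))
        return "PASS"
    return "DEFER"


def replay(attempts):
    """Feed (timestamp, ip, helo) attempts through a fresh greylist; return the verdicts."""
    db = open_db()
    return [greylist(db, ip, helo, datetime.fromisoformat(t)) for t, ip, helo in attempts]


# Constructed input: the zombie from the table rotating its HELO from one IP,
# and a legitimate relay retrying with a constant HELO after the delay.
ZOMBIE = [("2007-01-24 04:05:18", "60.51.121.230", "HITAM.esevv.com"),
          ("2007-01-24 04:05:41", "60.51.121.230", "HITAM"),
          ("2007-01-24 04:06:04", "60.51.121.230", "k5qx4vh.ai60zig0.comcast.net"),
          ("2007-01-24 04:06:25", "60.51.121.230", "HITAM")]
RELAY = [("2007-01-24 04:05:00", "192.0.2.10", "relay.example.net"),
         ("2007-01-24 04:12:00", "192.0.2.10", "relay.example.net")]

if __name__ == "__main__":
    print(replay(ZOMBIE))  # ['DEFER', 'DEFER', 'DEFER', 'DEFER']
    print(replay(RELAY))   # ['DEFER', 'PASS']
```

Each new HELO from the same IP opens a fresh record, so the rotating zombie never accumulates the age needed to pass, while the relay's second attempt with the same (IP, HELO) pair is accepted once the delay has elapsed.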