Author: David Woodhouse Date: To: Chris Wilson CC: exim-users, Grant Peel Subject: Re: [exim] Greylisting again.
On Sun, 2008-04-27 at 20:08 +0100, Chris Wilson wrote:
> > You don't seem to be bypassing the greylist for hosts which are known to
> > resend mail. So you're delaying a lot of mail for no benefit. Once a
> > given host is observed to queue and retry, you know that there's no
> > point in greylisting mail from that host again.
>
> That's the point of the GREYLIST_TEST, does it not work? There should be
> an entry in the database for each host which passed greylisting (i.e.
> retried the message more than 10 minutes after first contact) which lasts
> for 28 days.
Sorry, yes. I missed that. It does look reasonable, now I look again.
> Also, I think there can be a point in delaying some mail from a public IP
> which has been seen to pass greylisting, if the source domain is
> different, as the machine may suddenly start to relay spam or another
> internal server with the same public IP may suddenly become a spam source.
This is true -- and is actually why I started using a tuple of
$sender_helo_name and $sender_host_address for the resenders database,
instead of just $sender_host_address.
> > You seem to defer the message in the case where MySQL goes AWOL, rather
> > than accepting it. That's an interesting decision, since it will quite
> > possibly lead to messages being deferred for ever.
>
> OK, I'll fix that, thanks. (It hasn't caused a problem for me yet, but
> better safe than sorry).
Yeah, I don't think it ever bit me either, but it's worth thinking
about.
> > You also seem to be greylisting mail even when it isn't at all
> > suspicious. Some prefer only to greylist mail which looks dodgy, rather
> > than just a blanket delay on _everything_. Obviously, you do it in the
> > DATA ACL for that, so you can actually see the message.
>
> At the moment I don't have any system-wide spam filter that I could run in
> the data ACL. And spammers have a habit of changing their messages to get
> around such filters.
Filters for 'suspicious mail worth greylisting' can be a _lot_ wider
than filters for rejecting or filing into a spam folder. For example,
criteria I use to trigger greylisting include "Is HTML",
"Re: in Subject: header but no References:", "Host with no rDNS", etc.
I also use "has more than 0.0 SpamAssassin points".
> In my case, the number of new domains and hosts seen
> sending mail is quite small, so it works for me (on a small domain).
>
> > (Also, rejecting for SPF fail is particularly 'brave'. I'd recommend
> > googling for 'sender address forgery' and reading the first link that
> > Google shows up.)
>
> Surely I can't be the only person rejecting messages where the sender has
> explicitly put "-all" in their SPF record, and the SPF check fails? At
> least it's useful for allowing people to say that certain domains never
> send mail, or that their users don't use mailing lists or forwarders? (if
> nothing else)
If the record is _just_ "-all" then that's fair enough -- and that can
be done with a dnsdb lookup. But unless I misread your ACL, you'll also
be rejecting mail based on even the idiotic SPF records which list a few
'genuine' hosts followed by -all, with the fundamental misunderstanding
of SMTP that that entails.
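The greylisting logic discussed above (resenders keyed on the HELO name plus the client IP, a minimum retry interval, a 28-day resender entry, accepting rather than deferring when the database is unavailable, and only greylisting mail that trips a broad "suspicious" filter), as an added example. This is not the ACL posted in the thread and not Exim code; an in-memory dict stands in for the MySQL tables, the 10-minute and 28-day figures are the ones quoted in the thread, the "Is HTML" trigger is simplified to a Content-Type check, and all inputs in the `__main__` walk-through are constructed:

```python
"""Greylisting with a (HELO, IP) resender table and fail-open on DB errors.

Added example, not the ACL from the exim-users thread and not Exim code.
An in-memory dict stands in for the MySQL tables; the 10-minute minimum
retry interval and 28-day resender lifetime are the figures quoted in
the thread. The triggers in looks_suspicious() are the ones listed in
the reply; "Is HTML" is simplified to a Content-Type check.
"""
from datetime import datetime, timedelta
import re

GREYLIST_DELAY = timedelta(minutes=10)   # a retry earlier than this still defers
RESENDER_TTL = timedelta(days=28)        # how long a host that retried is trusted
RE_SUBJECT = re.compile(r"^\s*re:", re.I)


class DBUnavailable(Exception):
    """Stands in for MySQL going away in the middle of the ACL."""


class GreylistStore:
    """Two tables: pending triplets, and (HELO, IP) pairs known to retry."""

    def __init__(self, available=True):
        self.available = available
        self.triplets = {}    # (ip, sender, rcpt) -> first seen
        self.resenders = {}   # (helo, ip) -> expiry

    def _check(self):
        if not self.available:
            raise DBUnavailable("MySQL server has gone away")

    def first_seen(self, ip, sender, rcpt):
        self._check()
        return self.triplets.get((ip, sender, rcpt))

    def record_triplet(self, ip, sender, rcpt, now):
        self._check()
        self.triplets[(ip, sender, rcpt)] = now

    def is_resender(self, helo, ip, now):
        self._check()
        expiry = self.resenders.get((helo, ip))
        return expiry is not None and now < expiry

    def add_resender(self, helo, ip, now):
        self._check()
        self.resenders[(helo, ip)] = now + RESENDER_TTL


def looks_suspicious(headers, has_rdns, spam_score):
    """Return the list of greylist triggers that fire (empty = not suspicious).

    Deliberately wider than any reject criterion: HTML body, a "Re:"
    subject with no References: header, no reverse DNS for the client,
    and any positive SpamAssassin score. Header names match case-insensitively.
    """
    h = {k.lower(): v for k, v in headers.items()}
    reasons = []
    if "html" in h.get("content-type", "").lower():
        reasons.append("html")
    if RE_SUBJECT.match(h.get("subject", "")) and "references" not in h:
        reasons.append("re-without-references")
    if not has_rdns:
        reasons.append("no-rdns")
    if spam_score > 0.0:
        reasons.append("sa-score")
    return reasons


def greylist_decision(store, helo, ip, sender, rcpt, now, suspicious=True):
    """Return "accept" or "defer" for one delivery attempt.

    1. Unsuspicious mail is never delayed.
    2. A (HELO, IP) pair already seen to retry skips the greylist; keying
       on HELO as well as IP means a new relay appearing behind the same
       public address gets greylisted again instead of riding the whitelist.
    3. A new triplet is deferred; a retry at least GREYLIST_DELAY later
       passes and records the pair as a resender.
    4. If the database is unavailable, accept: deferring on a DB outage
       could defer mail for as long as the outage lasts.
    """
    if not suspicious:
        return "accept"
    try:
        if store.is_resender(helo, ip, now):
            return "accept"
        first = store.first_seen(ip, sender, rcpt)
        if first is None:
            store.record_triplet(ip, sender, rcpt, now)
            return "defer"
        if now - first < GREYLIST_DELAY:
            return "defer"    # retried too fast: typical of spamware, not a real MTA
        store.add_resender(helo, ip, now)
        return "accept"
    except DBUnavailable:
        return "accept"       # fail open, never fail closed


if __name__ == "__main__":
    # Constructed walk-through: one message retried at 0, 5 and 15 minutes.
    store = GreylistStore()
    t0 = datetime(2008, 4, 27, 20, 0)
    args = ("mx.example.net", "192.0.2.10", "a@example.net", "b@example.org")
    for minutes in (0, 5, 15):
        print(minutes, greylist_decision(store, *args, t0 + timedelta(minutes=minutes)))
    store.available = False
    print("db down", greylist_decision(store, *args, t0))
```

Note that `add_resender` is only reached after a successful retry, so the whitelist is earned rather than assumed, and the HELO half of the key is attacker-controlled: a host that changes its HELO is simply greylisted once more, which is the behaviour wanted.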
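The SPF distinction drawn in the last paragraph, as an added example: a domain whose record is just "v=spf1 -all" has declared that it never sends mail, so MAIL FROM in that domain can be refused from the TXT record alone, whereas a record that lists some hosts and then "-all" will be failed by forwarders and mailing lists. This is not code from the thread or from Exim (the thread would do the lookup with Exim's dnsdb); it is a standalone classifier, and the TXT records in SAMPLE_TXT are constructed for the demonstration:

```python
"""Classify a sender domain's SPF policy from its TXT records.

Added example, not code from the exim-users thread and not part of Exim.
It separates a record that is exactly "v=spf1 -all" (the domain says it
never sends mail) from one that lists sources and then "-all". The
records in SAMPLE_TXT are constructed; a deployment would fetch them
with a DNS lookup instead.
"""
import re

# Mechanism: optional qualifier, name, optional ":" or "/" argument.
# "all" is listed before "a" so the alternation does not stop early.
MECHANISM = re.compile(
    r"^([+\-~?]?)(all|include|ip4|ip6|exists|ptr|mx|a)(?:[:/](.*))?$", re.I)
# Modifier: name=value (redirect=, exp=, or any unknown modifier).
MODIFIER = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)

# Constructed sample zone data for the demonstration (not real domains).
SAMPLE_TXT = {
    "nomail.example": ["v=spf1 -all"],
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 mx -all"],
    "soft.example": ["v=spf1 a mx ~all"],
    "plain.example": ["site-verification=abc123"],
}


def _is_spf(record):
    tokens = record.split()
    return bool(tokens) and tokens[0].lower() == "v=spf1"


def classify_spf(txt_records):
    """Return one of: none, invalid, null, hard, soft, permissive, redirect.

    null        exactly "v=spf1 -all": MAIL FROM in this domain can be
                refused outright, no per-host evaluation needed.
    hard        some sources, then "-all": mail relayed via forwarders or
                mailing lists fails this, which is why rejecting on it is
                the "brave" choice the thread warns about.
    soft        ends in "~all".
    permissive  "?all", "+all", or no "all" term at all.
    redirect    no "all" but a redirect= modifier; a full evaluator would
                follow it, this classifier stops here.
    """
    records = [r for r in txt_records if _is_spf(r)]
    if not records:
        return "none"
    if len(records) > 1:
        return "invalid"          # RFC 7208 4.5: more than one record is a permerror
    mechanisms, modifiers = [], {}
    for token in records[0].split()[1:]:      # drop the v=spf1 version tag
        m = MODIFIER.match(token)
        if m:
            modifiers[m.group(1).lower()] = m.group(2)
            continue
        m = MECHANISM.match(token)
        if not m:
            return "invalid"
        mechanisms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
        if mechanisms[-1][1] == "all":
            break                 # RFC 7208 5.1: mechanisms after "all" are ignored
    if mechanisms == [("-", "all", None)]:
        return "null"
    for qualifier, name, _ in mechanisms:
        if name == "all":
            return {"-": "hard", "~": "soft"}.get(qualifier, "permissive")
    return "redirect" if "redirect" in modifiers else "permissive"


def refuse_for_null_spf(sender_domain, lookup=lambda d: SAMPLE_TXT.get(d, [])):
    """The gate an ACL could apply at MAIL FROM: refuse only null-SPF domains.

    `lookup` is a hypothetical hook returning the domain's TXT records;
    here it reads the constructed SAMPLE_TXT table.
    """
    return classify_spf(lookup(sender_domain)) == "null"


if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        print(domain, classify_spf(records), "refuse" if refuse_for_null_spf(domain) else "evaluate")
```

Only the "null" class is safe to act on without running a real SPF evaluation; everything else needs the client IP, and even a "hard" result against a forwarded message is a false positive, not evidence of forgery.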