Re: [exim] greylisting

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] greylisting
Terry wrote:
> I have greylisting running and it seems to work well stopping the bulk
> of spam. But I had one chap complaining last week that some one was
> emailing him and it was failing to get through.
> A quick log check showed
>
> 2009-06-04 12:29:10 [76405] H=vscano-b2.ucl.ac.uk [128.40.105.157]:47833
> I=[94.76.221.176]:25 F=<Egyptian@???> temporarily
> rejected RCPT <Christine@???>: greylisted host
> 128.40.105.157
>
> 2009-06-04 12:29:10 [76405] H=vscano-b2.ucl.ac.uk [128.40.105.157]:47833
> I=[94.76.221.176]:25 incomplete transaction (QUIT) from
> <Egyptian@???>
>
> 2009-06-05 16:19:50 [48875] H=vscano-a2.ucl.ac.uk [144.82.100.153]:64384
> I=[94.76.221.176]:25 F=<Egyptian@???> temporarily
> rejected RCPT <Christine@???>: greylisted host
> 144.82.100.153
>
> 2009-06-05 16:19:50 [48875] H=vscano-a2.ucl.ac.uk [144.82.100.153]:64384
> I=[94.76.221.176]:25 incomplete transaction (QUIT) from
> <Egyptian@???>
>
> So I guess their server just never retried after being greylisted, at
> least not from the same host.


There is the key.

A SWAG says it looks as if they make two back-to-back attempts, then drop any
failures onto a backup host for delayed retry, and that it also does two
back-to-back then hard fails... where 'back to back' may mean a RST and go again
on the same connection. Your logs can show that if made more verbose.

Hard to fault their approach, BTW.

Compared to typical retry configurations it will make far fewer queue-manips, fewer
*total* retries, gives the opportunity of avoiding IP- or route-specific
problems, and lets the sender know much earlier that there *is* a problem.

OTOH - greylisting-friendly it is not...

> Other than not greylisting I take it
> there's no way of avoiding the odd incident like this


You could do - if you choose to ignore the source IP and go only on the
envelope-from and rcpt-to coupling.

OTOH, unless you have ALSO pre-qualified the source IP (reverse_host_lookup)
ignoring the IP might make GL far less effective for OTHER arrivals.

...it will also make GL trigger less often, 'coz zombots rarely pass rDNS
checks. Enough 'less often' that we were able to scrap GL altogether... YMMV.

> Their email got returned with a 550 unable to relay error. I am no
> expert at this but I do try and get things right and avoid causing other
> people problems.
> I have since whitelisted them (using postgrey, by the way).
>
> Thanks
> Terry
>


So long as your user-base doesn't go berserk while discovering the hard way what
*needs* WL, you probably won't have to WL more than a dozen or so (ever), as the
above multi-IP pattern WITH a mere 4 total tries is not all that common.



Bill
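The two points in the exchange above, a sender whose retries keep arriving from a different IP and so never match the greylist entry, and Bill's suggestion of keying on the envelope-from/rcpt-to pair instead of the usual (IP, sender, recipient) triplet, as an added Python example that is not part of the thread and is not postgrey's or Exim's code. The log lines are constructed in the format Terry quoted, using documentation hosts and addresses; the `Greylist` class, its `key_mode` switch and the 300-second delay are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Exim-style log lines in the format quoted in the thread, with
# documentation hosts and addresses (not Terry's real log). The first sender
# retries once, a day later, from a different MX; the last one never retries.
SAMPLE_LOG = [
    "2009-06-04 12:29:10 [76405] H=mx-a.example.ac.uk [192.0.2.10]:47833 I=[198.51.100.5]:25 "
    "F=<alice@example.ac.uk> temporarily rejected RCPT <bob@example.net>: greylisted host 192.0.2.10",
    "2009-06-04 12:29:10 [76405] H=mx-a.example.ac.uk [192.0.2.10]:47833 I=[198.51.100.5]:25 "
    "incomplete transaction (QUIT) from <alice@example.ac.uk>",
    "2009-06-05 16:19:50 [48875] H=mx-b.example.ac.uk [192.0.2.20]:64384 I=[198.51.100.5]:25 "
    "F=<alice@example.ac.uk> temporarily rejected RCPT <bob@example.net>: greylisted host 192.0.2.20",
    "2009-06-05 16:19:50 [48875] H=mx-b.example.ac.uk [192.0.2.20]:64384 I=[198.51.100.5]:25 "
    "incomplete transaction (QUIT) from <alice@example.ac.uk>",
    "2009-06-05 16:30:00 [50012] H=(zombie) [203.0.113.7]:5555 I=[198.51.100.5]:25 "
    "F=<spam@example.org> temporarily rejected RCPT <bob@example.net>: greylisted host 203.0.113.7",
]

# Matches only the 'greylisted host' deferral lines; QUIT lines do not match.
GREYLIST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[\d+\] H=(?P<host>\S+) \[(?P<ip>[\d.]+)\]:\d+ "
    r"I=\[[\d.]+\]:\d+ F=<(?P<sender>[^>]*)> temporarily rejected RCPT <(?P<rcpt>[^>]*)>: greylisted host"
)


def parse_greylist_defers(lines):
    """Return (timestamp, ip, sender, rcpt) for each greylist deferral in log order."""
    hits = []
    for line in lines:
        m = GREYLIST_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            hits.append((ts, m["ip"], m["sender"], m["rcpt"]))
    return hits


class Greylist:
    """Minimal greylist model (an assumption for illustration, not postgrey's code).
    A key seen for the first time is deferred; a retry at least `delay` seconds
    after that first sighting is accepted. key_mode 'triplet' keys on
    (ip, sender, rcpt); 'pair' keys on (sender, rcpt) only, the IP-agnostic
    variant discussed above."""

    def __init__(self, key_mode="triplet", delay=300):
        if key_mode not in ("triplet", "pair"):
            raise ValueError(key_mode)
        self.key_mode = key_mode
        self.delay = delay
        self.first_seen = {}

    def check(self, ip, sender, rcpt, now):
        key = (ip, sender, rcpt) if self.key_mode == "triplet" else (sender, rcpt)
        first = self.first_seen.setdefault(key, now)
        return "accept" if (now - first).total_seconds() >= self.delay else "defer"


def replay(lines, key_mode):
    """Replay the deferred attempts from the log through a fresh greylist and
    return the decision each attempt would have got under `key_mode`."""
    gl = Greylist(key_mode)
    return [gl.check(ip, sender, rcpt, ts) for ts, ip, sender, rcpt in parse_greylist_defers(lines)]


def multi_ip_senders(lines):
    """Sender/recipient pairs greylisted from more than one source IP: the
    pattern in Terry's log, and the candidates for a whitelist entry."""
    ips = defaultdict(set)
    for _, ip, sender, rcpt in parse_greylist_defers(lines):
        ips[(sender, rcpt)].add(ip)
    return {pair: addrs for pair, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    for mode in ("triplet", "pair"):
        print(mode, replay(SAMPLE_LOG, mode))
    for (sender, rcpt), addrs in multi_ip_senders(SAMPLE_LOG).items():
        print(f"whitelist candidate: {sender} -> {rcpt}, tried from {sorted(addrs)}")
```

Replayed in triplet mode every attempt is deferred, because the retry from the second MX is a brand-new key; in pair mode the same retry is accepted and the single-shot zombie is still deferred. Bill's caveat still stands: with the IP dropped from the key, any sender that keeps the same envelope pair and retries from anywhere after the delay gets through, so pair keying is only sensible alongside some other pre-qualification of the source host. Note also that postgrey's default `--lookup-by-subnet` already keys on the /24 rather than the exact address, which does not help here since the two MXs in Terry's log sit in different networks.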