Re: [exim] Issues with greylisting - NEW IMPLEMENTATION

Author: 資策會_金志誠
Date:  
To: Exim-users
Subject: Re: [exim] Issues with greylisting - NEW IMPLEMENTATION
On 2010-01-28 17:30, Alain Williams wrote:
> On Thu, Jan 28, 2010 at 08:59:01AM -0800, Todd Lyons wrote:

[snip]
> > it looks solid (untested). Puts all the work in the database, and
> > makes a very small exim function call. Nice. I also agree with
> > Mike's post that your cleanup should be part of the query.
>
> Hmmm: I can see people just taking this and blindly implementing it,
> in which case what is a suitable number in:
>
>     RAND() < 0.01
>
> 0.01 will compare 1 in 100. My home machine gets some 50,000 connections
> a day, so that will result in a tidy operation 500 times/day -- far too
> many. Choose a different number and it might not be suitable on a less
> busy machine.
>
> That is why I suggest putting it in cron - at least you know that it
> will happen once/day (or whatever).
>
> However: opinions will differ. I will add something to the ''Discussion
> & config changes'' section that talks about this. I'll wait for more
> opinion before doing so.

[snip]

Cleanup periodically with cron is better, unless the bulk delete operation
locks the database for so long that greylisting could not proceed, which
should only happen on mail servers with very large mail volume.

May I suggest an enhancement to your greylisting? As we all know, expired
greylisted entries are very likely to be compromised computers. Could you
optionally output these entries while cleaning up the database? One day,
when the world decides to act together to mitigate the botnets, the list of
expired greylisted entries will be very useful for botnet detection.

In fact, I wish that every greylisting could implement this feature.

--
Chih-Cherng Chin

Botnet Detection with Greylisting:
http://botnet-tracker.blogspot.com/2009/11/greylisting-botnet-detection-honeypot.html
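The two points raised in this thread, a cron-driven cleanup rather than a `RAND() < 0.01` clause in the lookup query, and writing out the expired entries before they are deleted, can be combined in one small script. The following is an added example written for this page; it is not the Exim wiki greylisting implementation under discussion, and it does not use that implementation's schema. It assumes a hypothetical `greylist` table with one row per (ip, sender, recipient) triplet and a `retries` counter, it uses SQLite (via Python's `sqlite3`) so it runs stand-alone, and it treats "expired" as "tempfailed and never retried within `EXPIRE_AFTER` seconds", which is an assumption about what the message means by expired entries. The delete is done in short batches so that a busy server's lookups are never blocked by one long write transaction, which is the locking concern mentioned above.

```python
"""Cron-driven greylist cleanup that reports expired, never-retried entries.

Added example, not the Exim wiki greylisting code. The table layout, the
expiry window and the sample rows are all assumptions made for this demo.
"""
import sqlite3
import time

# Assumed schema: one row per greylist triplet. `retries` counts delivery
# attempts seen after the initial tempfail; 0 means the sender never came back.
SCHEMA = """
CREATE TABLE IF NOT EXISTS greylist (
    ip         TEXT    NOT NULL,
    sender     TEXT    NOT NULL,
    recipient  TEXT    NOT NULL,
    first_seen INTEGER NOT NULL,
    last_seen  INTEGER NOT NULL,
    retries    INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (ip, sender, recipient)
)
"""

EXPIRE_AFTER = 36 * 3600  # seconds without a retry before a row is expired (assumed value)
BATCH = 500               # rows deleted per transaction, keeps each write lock short


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def expired_suspects(conn, now, expire_after=EXPIRE_AFTER):
    """Expired rows whose sender never retried: (ip, sender, recipient, first_seen)."""
    cutoff = now - expire_after
    return conn.execute(
        "SELECT ip, sender, recipient, first_seen FROM greylist "
        "WHERE last_seen < ? AND retries = 0 ORDER BY first_seen, ip",
        (cutoff,),
    ).fetchall()


def delete_expired(conn, now, expire_after=EXPIRE_AFTER, batch=BATCH):
    """Delete every expired row (retried or not) in batches; return rows removed."""
    cutoff = now - expire_after
    total = 0
    while True:
        with conn:  # one short transaction per batch, so lookups interleave
            cur = conn.execute(
                "DELETE FROM greylist WHERE rowid IN "
                "(SELECT rowid FROM greylist WHERE last_seen < ? LIMIT ?)",
                (cutoff, batch),
            )
        if cur.rowcount == 0:
            return total
        total += cur.rowcount


def cleanup(conn, now, expire_after=EXPIRE_AFTER):
    """Report, then delete: the report must be taken before the rows are gone."""
    suspects = expired_suspects(conn, now, expire_after)
    deleted = delete_expired(conn, now, expire_after)
    return suspects, deleted


def format_suspect(row):
    """One log line per never-retried sender, suitable for a botnet feed."""
    ip, sender, recipient, first_seen = row
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(first_seen))
    return f"{ts} greylist-expired ip={ip} from={sender} to={recipient}"


def load_sample(conn, now):
    """Constructed sample rows for the demo (not real traffic)."""
    h = 3600
    rows = [
        # never retried, outside the window: reported and deleted
        ("192.0.2.10", "a@example.org", "user@example.net", now - 48*h, now - 48*h, 0),
        # retried twice, then went quiet: deleted but not reported
        ("192.0.2.11", "b@example.org", "user@example.net", now - 48*h, now - 47*h, 2),
        # still inside the window: kept
        ("198.51.100.5", "c@example.org", "user@example.net", now - 1*h, now - 1*h, 0),
        # never retried, outside the window: reported and deleted
        ("203.0.113.7", "d@example.org", "user@example.net", now - 40*h, now - 40*h, 0),
    ]
    conn.executemany("INSERT INTO greylist VALUES (?,?,?,?,?,?)", rows)
    conn.commit()


if __name__ == "__main__":
    db = open_db()
    load_sample(db, int(time.time()))
    found, removed = cleanup(db, int(time.time()))
    for r in found:
        print(format_suspect(r))
    print(f"deleted {removed} expired rows")
```

Run it once a day from cron against the real database path and append stdout to a file; the reported lines are the "expired greylisted entries" the message asks for, and the retried-then-expired rows are still removed without being reported as suspects.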