On 2012-08-09 at 22:04 -0400, Chris Knadle wrote:
> Realistically I'd like to find a way to implement "whole server whitelisting"
> which was brought up on this list recently. i.e. when an email is correctly
> retried, a whitelist entry is made for that server or that source IP address.
> Because for instance it's silly to greylist all of GMail, and doing so is just
> a waste of resources on both sides -- and same with any other legitimate mail
> server.
I encourage folks to take a look at two DNSxL whitelists:
* list.dnswl.org
-- the original one (AFAIK), fairly open
* swl.spamhaus.org
-- came out in 2010, invitation-only presence, major players only
GMail's mailservers tend to make it into list.dnswl.org, I believe just
by community action, not through participation on Google's part (and
you're better off tracking reputation for Google's servers per-IP if
you're worried about the spam which does make it out).
Myself, I use something like:
  # deny, not accept: a zen listing only bites when the sender is neither
  # in the local whitelist cache nor on a DNS whitelist
  deny   !condition = WHITELIST_CACHE_LOOKUP
         !dnslists  = list.dnswl.org : swl.spamhaus.org
          dnslists  = zen.spamhaus.org
          message   = ....
where WHITELIST_CACHE_LOOKUP is an sqlite3 lookup against a DB populated
from server logs, so that known good senders stay whitelisted. (If
someone is actively whitelisted, that goes away much more rarely than a
temporary blacklist presence, which is rapidly fixed; so I aggressively
cache, since these lookups are in-path for much else.)
That same !condition,!dnslists precedes a couple of other checks too, so
as to bypass things like greylisting.
-Phil
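A worked version of the "whitelist cache populated from server logs" idea, added here as an example; it is not Phil's code and the table layout, the 90-day TTL, the hit threshold and the sketched WHITELIST_CACHE_LOOKUP macro in the docstring are assumptions. It parses Exim mainlog "<=" lines for the source IP of each accepted inbound message, upserts them into a sqlite table, and exposes the same query an ACL condition would run, so the cache ages out rather than growing forever:

```python
"""Build and query a sqlite 'known good sender' cache from Exim mainlog lines.

Added example, not the poster's own setup. Assumptions: one row per source
IP, entries expire after TTL days, and only accepted inbound messages
("<=" with an H=host [ip] source) count as evidence of a good sender.
"""
import re
import sqlite3
import time

# Constructed sample mainlog lines (documentation-range IPs, not real traffic).
SAMPLE_MAINLOG = """\
2012-08-10 09:12:31 1SzHkl-0001aB-3c <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 S=3214 id=abc@example.org
2012-08-10 09:12:32 1SzHkl-0001aB-3c => chris <chris@example.com> R=local_user T=local_delivery
2012-08-10 09:15:02 1SzHnC-0001bQ-Pz <= bob@example.net H=mx1.example.net (mx1) [198.51.100.17] P=esmtp S=1200
2012-08-10 09:20:44 H=(dsl-pool) [203.0.113.9] F=<spam@example.test> rejected RCPT <chris@example.com>: greylisted
2012-08-10 11:02:10 1SzJXr-0001dE-7Q <= bob@example.net H=mx1.example.net (mx1) [198.51.100.17] P=esmtp S=1311
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Accepted inbound message: "<=" followed by a remote H=host [ip] source.
# Locally submitted mail has no H= and is deliberately skipped.
RECEIVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ <= \S+ "
    r"H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\]"
)

SCHEMA = """
CREATE TABLE IF NOT EXISTS whitelist (
    ip        TEXT PRIMARY KEY,
    host      TEXT,
    hits      INTEGER NOT NULL DEFAULT 0,
    last_seen INTEGER NOT NULL
)
"""


def open_cache(path=":memory:"):
    """Open (or create) the cache DB; an ACL would point at a file on disk."""
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db


def parse_received(line):
    """Return (ip, host, epoch) for an accepted-inbound log line, else None."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    ts = int(time.mktime(time.strptime(m.group("ts"), TS_FMT)))
    return m.group("ip"), m.group("host"), ts


def populate(db, log_text):
    """Upsert one row per source IP; returns the number of log lines used."""
    used = 0
    for line in log_text.splitlines():
        rec = parse_received(line)
        if rec is None:
            continue
        ip, host, ts = rec
        db.execute(
            "INSERT OR IGNORE INTO whitelist (ip, host, hits, last_seen) "
            "VALUES (?, ?, 0, ?)", (ip, host, ts))
        db.execute(
            "UPDATE whitelist SET hits = hits + 1, host = ?, "
            "last_seen = max(last_seen, ?) WHERE ip = ?", (host, ts, ip))
        used += 1
    db.commit()
    return used


def is_whitelisted(db, ip, now=None, ttl_days=90, min_hits=1):
    """The query an ACL condition would run against the cache.

    An assumed Exim macro doing the same thing (TTL of 90 days in seconds):
      WHITELIST_CACHE_LOOKUP = ${lookup sqlite{/var/lib/exim/whitelist.db \
        select 1 from whitelist \
        where ip = '${quote_sqlite:$sender_host_address}' \
        and last_seen > ${eval:$tod_epoch - 7776000}}{yes}{no}}
    """
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT 1 FROM whitelist WHERE ip = ? AND hits >= ? AND last_seen > ?",
        (ip, min_hits, now - ttl_days * 86400),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    cache = open_cache()
    print("lines used:", populate(cache, SAMPLE_MAINLOG))
    for probe in ("192.0.2.10", "198.51.100.17", "203.0.113.9"):
        print(probe, "whitelisted:", is_whitelisted(cache, probe))
```

The rejected/greylisted line contributes nothing, which is the point: only mail the server actually accepted earns a sender a cache entry, and raising min_hits makes the cache demand a second successful delivery before a source skips greylisting and the zen check.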