Chambers, Phil wrote:

> The greylisting scheme I have implemented works at the DATA phase.  It
> uses the sender IP address (top 24 bits only), the sender e-mail address
> and header date field to form the key for the message.  Once a message
> has passed the greylist test the original sender IP address (full 32
> bits) is placed in a whitelist.

That's very similar to what we do, except we use the following tuple:

(top_24_bits_of_ip_address,
 sender_address,
 recipient_addresses,
 hash_of_subject)

We also whitelist the (32-bit) sender IP address once it gets through, but
only for 40 days.  We include the subject in the greylisting tuple because we
have seen instances of spammers mutating subject lines while keeping the
other information constant.

Regards,

David.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
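
The tuple and whitelist described in this message, as an added Python example (not code from either poster or from ClamAV). The retry delay, the SHA-256 subject hash, IPv4-only handling and the in-memory dictionaries are assumptions; the thread gives only the tuple fields and the 40-day whitelist lifetime.

```python
import hashlib
import ipaddress

WHITELIST_TTL = 40 * 24 * 3600   # 40 days, as stated in the message
MIN_RETRY_DELAY = 300            # assumption: delay is not given in the thread


class Greylist:
    def __init__(self):
        self.pending = {}    # tuple key -> time first seen
        self.whitelist = {}  # full 32-bit sender IP -> expiry time

    @staticmethod
    def key(ip, sender, recipients, subject):
        # Top 24 bits of the IPv4 address, so a retry from a neighbouring
        # host in the same /24 still matches the pending entry.
        net = ipaddress.ip_network(f"{ip}/24", strict=False).network_address
        subj = hashlib.sha256(subject.encode("utf-8")).hexdigest()
        rcpts = tuple(sorted(r.lower() for r in recipients))
        return (str(net), sender.lower(), rcpts, subj)

    def check(self, ip, sender, recipients, subject, now):
        """Return 'accept' or 'tempfail' for a message at the DATA phase."""
        expiry = self.whitelist.get(ip)
        if expiry is not None:
            if now < expiry:
                return "accept"
            del self.whitelist[ip]          # whitelist entry has aged out
        k = self.key(ip, sender, recipients, subject)
        first_seen = self.pending.get(k)
        if first_seen is None:
            self.pending[k] = now           # first sighting: defer
            return "tempfail"
        if now - first_seen < MIN_RETRY_DELAY:
            return "tempfail"               # retried too quickly
        del self.pending[k]
        self.whitelist[ip] = now + WHITELIST_TTL
        return "accept"
```

Because the subject hash is part of the key, a sender that changes the subject on every attempt creates a new pending entry each time and never reaches the accept branch.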
