On Thu, Oct 19, 2006 at 06:23:20PM -0600, Steve Williams wrote:
> Hi,
>
> I have been running spamdb greylisting only for several years as my only
> line of defense at home.  At work I have managed to sneak in a Sparc64
> Sunfire 120 (OpenBSD 3.9) as a caching web proxy & default gateway.
>
> Today, we had a fairly aggressive attack on our email system, 6000+
> emails in a relatively short period of time.  I took the opportunity to
> deploy greylisting on the OpenBSD box (which is our first line of
> defense... first of many).
>
> It's performed well, and is up to about 300 email servers whitelisted.
> I know from personal experience that Bell in Ontario (at the minimum)
> and a few other ISPs have server pools that do not cooperate nicely
> with greylisting.  They do not guarantee the same server will retry
> sending the email when it's blocked by spamdb (451 temporary failure).
>
> On my computer at home, I notice these entries when I do a spamdb | more
> and see something like:
>
> GREY|205.152.59.48|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161299154|1161313554|1161313554|1|0
> GREY|205.152.59.51|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161296098|1161310498|1161310498|1|0
> GREY|205.152.59.65|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161300604|1161315004|1161315004|1|0
> GREY|205.152.59.66|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161302039|1161316439|1161316439|1|0
> GREY|205.152.59.67|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161294517|1161308917|1161308917|1|0
> GREY|205.152.59.68|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161292315|1161306715|1161306715|1|0
> GREY|205.152.59.72|<[EMAIL PROTECTED]>|<[EMAIL PROTECTED]>|1161297659|1161312059|1161312059|1|0
>
> On my personal email server, it happens VERY seldom.  On our work
> server, it only took a couple of hours for this to show up.  It looks
> like Yahoo might be the same way.
>
> I am 99% sure that I have seen on the internet SOMEWHERE a "whitelist"
> of servers that are like this.  I thought Bob Beck had forwarded one at
> one point in time, but I can only find his post regarding the tarfile he
> maintains for the "zombie" hosts.
>
> Bob, if you are listening, what do you do at the U of A to handle these
> misbehaving server pools?  Anyone else??
>
> Thanks,
> Steve Williams

I have the same issue with certain pools. I added a bit to my pf.conf:

----------
table <mywhite> persist file "/etc/mail/whitelist.txt"
# place this BEFORE rdr rules for spamd
no rdr inet proto tcp from <mywhite> to any port smtp
----------

Then I manually add certain pools to whitelist.txt. Sometimes you get
lucky and find SPF entries, like for gmail. Otherwise you have to make a
guess. FYI, "host -ttxt bellsouth.net" returns 205.152.58.0/23 for spf.

Oh, I also use whitelist.txt in spamd-setup, though it's not really
needed since the "no rdr" bypasses all that anyway.

--
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]          |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
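
An added example, not part of the original thread: one way to spot the server pools both posts describe is to group `spamdb` GREY entries by envelope and report envelopes retried from several addresses inside one small network. It assumes the 9-field GREY layout shown in the first post; the function names, thresholds and sample lines are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the 9-field GREY layout shown in the post; addresses are
# documentation ranges and example.* names, not data from the thread.
SAMPLE = """\
GREY|192.0.2.48|<alice@example.org>|<bob@example.com>|1161299154|1161313554|1161313554|1|0
GREY|192.0.2.51|<alice@example.org>|<bob@example.com>|1161296098|1161310498|1161310498|1|0
GREY|192.0.2.65|<alice@example.org>|<bob@example.com>|1161300604|1161315004|1161315004|1|0
GREY|198.51.100.7|<carol@example.net>|<bob@example.com>|1161302039|1161316439|1161316439|1|0
"""

def parse_grey(text):
    """Yield (IPv4Address, sender, recipient) for each well-formed GREY line."""
    for line in text.splitlines():
        f = line.strip().split("|")
        if len(f) != 9 or f[0] != "GREY":
            continue
        try:
            yield ipaddress.IPv4Address(f[1]), f[2].lower(), f[3].lower()
        except ValueError:
            continue  # not an IPv4 address: skip rather than guess

def covering_network(ips):
    """Smallest IPv4 network that contains every address in ips."""
    lo, hi = int(min(ips)), int(max(ips))
    prefix = 32 - (lo ^ hi).bit_length()
    return ipaddress.ip_network((lo, prefix), strict=False)

def pool_candidates(text, min_ips=3, widest_prefix=24):
    """Map (sender, recipient) -> (network, sorted IPs) for likely server pools."""
    seen = defaultdict(set)
    for ip, sender, rcpt in parse_grey(text):
        seen[(sender, rcpt)].add(ip)
    found = {}
    for envelope, ips in seen.items():
        if len(ips) < min_ips:
            continue
        net = covering_network(ips)
        # Same envelope from scattered networks looks like forged mail, not a
        # pool; never propose anything wider than /widest_prefix.
        if net.prefixlen >= widest_prefix:
            found[envelope] = (net, sorted(ips))
    return found

if __name__ == "__main__":
    for (sender, rcpt), (net, ips) in pool_candidates(SAMPLE).items():
        print(f"{net}  # {len(ips)} source IPs {sender} -> {rcpt}; verify owner first")
```

The output is a list of candidates to check against the sending domain's SPF record or address registration before anything goes into whitelist.txt, since the `no rdr` rule bypasses spamd entirely for those addresses.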