Quote from "pf at alt-ctrl-del.org" <p...@alt-ctrl-del.org>:

Has anyone implemented or experimented with selectively greylisting specific networks, with a long delay? Let's say 4 hours...
If so, what are your results?

Background:

1. Greylisting seems to have lost much of its value, and I stopped using it about a year ago.

2. By using and monitoring the logs for hits against the fresh15 list and scrutinizing .info domains, I have identified and blocked several dozen networks that seem to cater to snowshoe type spammers. This has worked out very well. I block all mail from their networks, and I get zero complaints (so far) of false positives. So I'm confident that the networks and ISPs I have blocked are black hat networks and ISPs.

But there are a few edge cases that I'm not comfortable with blocking. These are usually large and established ISPs (two of which recently merged) that seem to have the same practices as the bad guys. But they host legit sites too. Even if 99% of the email from these networks is spam, I can't block that other 1%. All I can do is try my best to filter out the 99% of bad mail.

While monitoring my logs and watching these spammers move to the next IP every couple of hours, I notice that their sending IP usually gets listed in at least one RBL within about three hours of their first appearance in my logs. But by that time, they have usually moved to the next IP.

My thought on auto combating this is to use a CIDR list to kick these networks (and only these networks) over to a greylist policy that delays these emails for 4+ hours. By then, most of the bad IPs would be listed in one or more RBL and be blocked.

So, has anyone else already done something like this?

We have by default a somewhat long greylisting period (~40 minutes) and have experimented with even much longer periods some time ago. By raising the greylisting time above ~1 hour there was no improvement, and the "error" rate caused by misconfigured senders was increasing. I would guess that your legitimate 1% of senders in the spam networks would fall into the category of "misconfigured senders", because they don't care about being included in the spam net. Because of this I doubt you could improve your filtering with a very long greylisting period, because you will cut off most of the remaining 1% anyway.

Regards

Andreas
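The selective scheme described in the quoted post (a CIDR list that routes only certain networks to a much longer greylist delay, so that the sending IP has time to appear on an RBL before the retry is accepted) can be sketched as a small Postfix-style policy server. The code below is an added example written for this thread; it is not code from either poster. It assumes the Postfix policy delegation protocol (key=value request lines ended by a blank line, an `action=` reply), a 40-minute default delay and a 4-hour delay for the listed networks (both figures from the thread), and uses constructed TEST-NET prefixes as placeholders for the "edge case" networks.

```python
import ipaddress

# Constructed placeholder networks standing in for the ISPs the poster is
# unwilling to block outright. A real list would come from the log review
# described in the thread.
LONG_DELAY_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]
DEFAULT_DELAY = 40 * 60   # ~40 minutes, the default delay mentioned in the reply
LONG_DELAY = 4 * 3600     # the 4+ hour delay proposed in the quoted post


def parse_policy_request(raw: str) -> dict:
    """Parse a Postfix policy-delegation request.

    The request is a series of key=value lines terminated by an empty line.
    Only the attributes before the first empty line belong to this request.
    """
    attrs = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            break
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def delay_for(client_ip: str) -> int:
    """Return the greylist delay (seconds) that applies to a client address."""
    ip = ipaddress.ip_address(client_ip)
    for net in LONG_DELAY_NETWORKS:
        if ip in net:
            return LONG_DELAY
    return DEFAULT_DELAY


class Greylist:
    """In-memory greylist keyed on the classic (client, sender, recipient) triplet.

    A production policy server would persist this store and expire stale
    triplets; the in-memory dict keeps the example self-contained.
    """

    def __init__(self):
        self.first_seen = {}

    def decide(self, attrs: dict, now: float) -> str:
        triplet = (
            attrs.get("client_address", ""),
            attrs.get("sender", "").lower(),
            attrs.get("recipient", "").lower(),
        )
        first = self.first_seen.setdefault(triplet, now)
        required = delay_for(triplet[0])
        waited = now - first
        if waited >= required:
            # "dunno" hands the decision back to Postfix's remaining
            # restrictions, which is where the RBL checks then run.
            return "dunno"
        remaining = int(required - waited)
        return f"defer_if_permit Greylisted, retry in {remaining} seconds"


def format_response(action: str) -> str:
    """Wire format of a policy reply: an action line followed by an empty line."""
    return f"action={action}\n\n"


if __name__ == "__main__":
    # Constructed request from an address inside one of the long-delay networks.
    request = (
        "request=smtpd_access_policy\n"
        "client_address=192.0.2.10\n"
        "sender=sender@example.org\n"
        "recipient=postmaster@example.net\n"
        "\n"
    )
    gl = Greylist()
    attrs = parse_policy_request(request)
    for t in (0, 3 * 3600, 4 * 3600):
        print(f"t={t:>6}s  {format_response(gl.decide(attrs, t)).strip()}")
```

Run stand-alone, the script shows the same triplet deferred at first contact and again three hours later, then passed through with `dunno` once the four-hour window has elapsed; an address outside the listed networks is accepted after the 40-minute default instead. Andreas's caveat still applies: the delay only helps if the legitimate senders inside those networks retry for long enough, and a policy server like this gives no signal about which ones do not.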
