Charles Sprickman:
> Hi all,
>
> I have a site with a very old domain that's at the front of the
> alphabet. For some reason (age, alphabetical order, ???) that
> domain gets bombarded with spam before the senders make it onto
> any of the blacklists I use (even trialed a few for-profit
> blacklists). Literally some of these miss getting caught by 2-3
> minutes. Aside from the general jaw-on-floor reaction I have to
> just how so many new 'clean' IPs are enlisted in these spamming
> efforts on a daily basis, I was wondering if greylisting might be
> a good option here. One of the folks that runs the Abusix service
> suggested this since he pointed out that I'm really missing these
> spammers by minutes
>
> What is your 'go to' greylisting solution these days? My main
> concerns are that it's something that's well-maintained, does not
> need babysitting, and is here for the long haul.
>
> I've been sort of opposed to greylisting in the past due to a
> userbase that's sensitive to delays, but the spam is worse.

With any form of greylisting you will need to whitelist senders that
have a large pool of sending IP addresses. Those can take an excessive
amount of time to whitelist, because each attempt is likely to come
from a different IP address.

I would suggest using postscreen (supported with Postfix) with
postwhite for whitelisting large senders.

Steve Jenkins wrote postwhite (available from GitHub) for postscreen.
It mines the SPF records from major email senders and creates a
whitelist for their (outbound) IP addresses.

Postwhite has been updated for some 6 years; and its data source,
SPF records, isn't likely to change soon. Is that stable enough?

Apply the whitelist as described in the postwhite documentation, and
enable some postscreen after-220 protocol test. You don't even
have to drop clients that fail the test.

    postscreen_pipelining_enable=yes
    postscreen_pipelining_action=ignore

postscreen's after-220 protocol tests implement a weaker form of
greylisting (based on IP address only) that should eliminate most
clients that are ahead of DNSBL lists. The clients won't know that
it's fake greylisting.

	Wietse
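
The SPF-mining idea described in the reply above, as an added sketch (not postwhite's own code and not part of the original message): it follows `ip4`, `ip6` and `include` terms and emits `pattern action` entries in the CIDR-table form that `postscreen_access_list` accepts. The `bigsender.example` names and the `SPF_RECORDS` table are constructed stand-ins for live DNS TXT lookups.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups (placeholder names).
SPF_RECORDS = {
    "bigsender.example": "v=spf1 include:_spf1.bigsender.example "
                         "include:_spf2.bigsender.example ~all",
    "_spf1.bigsender.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 ~all",
    "_spf2.bigsender.example": "v=spf1 ip6:2001:db8:10::/48 ip4:192.0.2.128/25 "
                               "include:_spf1.bigsender.example a mx ~all",
}
MAX_DOMAINS = 10  # stop runaway include chains (RFC 7208 caps DNS lookups at 10)


def collect_networks(domain, records, seen=None):
    """Return the ip4/ip6 networks reachable from a domain's SPF record."""
    seen = set() if seen is None else seen
    if domain in seen:  # include loop, or a record already processed
        return set()
    if len(seen) >= MAX_DOMAINS:
        raise ValueError("too many SPF includes under " + domain)
    seen.add(domain)
    txt = records.get(domain, "")
    if not txt.lower().startswith("v=spf1"):
        return set()
    nets = set()
    for term in txt.split()[1:]:
        # Only pass-qualified terms count; "-ip4:..." must never be permitted.
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
        elif name.lower() == "include":
            nets |= collect_networks(value, records, seen)
        # a, mx, exists and redirect= need further DNS work; skipped here.
    return nets


def access_list_lines(domains, records):
    """Collapse overlapping networks and format them as CIDR table entries."""
    nets = set()
    for domain in domains:
        nets |= collect_networks(domain, records)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [f"{net} permit" for net in [*v4, *v6]]


if __name__ == "__main__":
    print("\n".join(access_list_lines(["bigsender.example"], SPF_RECORDS)))
```

Because the sender's address pool is permitted as whole networks, a retry arriving from a different address in the pool is already whitelisted rather than treated as a new client.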