Before I switched over to qpsmtpd I was implementing a kind of feedback
mechanism with the greylist. Any host that was caught doing anything
illegal (e.g. by spamassassin or clamav) was also immediately removed
from the greylist and then had to go through the whole qualifying
period again. This took some extra load off the scanners.
I had considered saving details of how many times / how often a host
had been caught offending, but the great majority of zombies that
greylisting is designed to thwart are not worth keeping information
about.
Right now I am looking at a model where instead of a new unknown host
being treated as suspect, it is welcomed as a "clean" sender. Should
it commit an offence it then goes on the greylist.
Some hosts can, however, probably be considered as suspect from the
start - e.g. any with a dynamic IP or numeric HELO.
> On 16/04/2006, at 15:18, Fred Moyer wrote:
> > On Sat, 15 Apr 2006, Max Clark wrote:
> > idea would be to then take this information and create a ratio - if
> > the threshold is crossed then the remote ip, host, and/or domain would
> > be blacklisted/greylisted for a period of time.
> > What do you think, is there value in this approach?
> You can eliminate a lot of offenders right away with greylisting.
> Most of the attacks I get are from zombies and get shut down by
> greylisting, but there are smarter than average zombies out there
> which come by for seconds and defeat the greylisting solution. I've
> been thinking that maybe the best approach is to send a soft
> disconnect after one questionable email is received from a given
> connection. That way legitimate senders will have no problem but
> smart zombies are limited to one email per connection.
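A small Python model of the policy sketched in this thread, added here as an example and not taken from qpsmtpd or from either poster: unknown hosts are welcomed as clean unless they look suspect from the start (dynamic-looking reverse DNS or a numeric HELO), a scanner hit puts a host on the greylist and restarts its qualifying period, and a connection is soft-disconnected after one questionable message. The reverse-DNS patterns, the 600-second qualifying period and the decision strings are assumptions for illustration.

```python
import re
import time

QUALIFY_SECS = 600  # assumed length of the greylist qualifying period
# Constructed heuristic for dynamic-pool reverse DNS names (assumption).
DYNAMIC_RDNS = re.compile(r"(dyn|dhcp|dial|pool|ppp)", re.I)
# A HELO that is just an IP literal, bracketed or not.
NUMERIC_HELO = re.compile(r"^\[?\d{1,3}(\.\d{1,3}){3}\]?$")


class GreylistPolicy:
    """Feedback greylist: hosts start clean, offences demote them."""

    def __init__(self, clock=time.time):
        self.clock = clock
        # ip -> time at which the current qualifying period started
        self.greylist = {}

    def first_contact(self, ip, rdns, helo):
        # Suspect from the start: dynamic-looking rDNS or numeric HELO.
        if ip in self.greylist:
            return
        if DYNAMIC_RDNS.search(rdns or "") or NUMERIC_HELO.match(helo or ""):
            self.greylist[ip] = self.clock()

    def offence(self, ip):
        # Caught by spamassassin/clamav: (re)start the qualifying period now,
        # so a host that had already passed must qualify again.
        self.greylist[ip] = self.clock()

    def decide(self, ip):
        started = self.greylist.get(ip)
        if started is None:
            return "accept"  # clean, welcomed sender
        if self.clock() - started >= QUALIFY_SECS:
            return "accept"  # served the qualifying period
        return "tempfail"  # still greylisted: 4xx, come back later

    @staticmethod
    def after_message(conn, questionable):
        # One questionable message per connection, then a soft disconnect;
        # legitimate senders simply reconnect for the next message.
        if questionable:
            conn["questionable"] = conn.get("questionable", 0) + 1
        return "disconnect" if conn.get("questionable", 0) >= 1 else "continue"
```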