[Mimedefang] SendmailMacros, greylisting and filter_recipient

David F. Skoll dfs at roaringpenguin.com
Wed Dec 3 12:22:13 EST 2003


On Wed, 3 Dec 2003, Lucas Albers wrote:

> I have discovered another test based on greylisting to find spammers.
> If a host is temp rejected and then attempts delivery with 3 or more other
> relays in a short period of time, it is a spammer. They are switching mail
> relays to allow delivery.  Normal senders should never have delivery
> through more than 2 relays in a short period of time.
> It is possible the sending MTA is attempting relay through a backup MX
> mail server.
> Can anyone find fault with my reasoning? Does this appear to be a good test?

It's a tricky test:  How do you know it's the same message?  I guess based
on the sender/recipient addresses.

Also, a large ISP in Canada has a load-balanced pool of outgoing mail servers,
and you'll see messages coming from several different machines, all in the
same class-C address pool.

I think your test would be safer if you only considered the first three
bytes of the IP address to determine "differentness".

But it's an intriguing idea.

One thing I found in CanIt that I mentioned on the list is that some spam
mail servers don't take no for an answer, and retry even after a 5XX code.
I think a machine that sends the exact same message to the exact same
recipients three times or more in face of a 5XX code is a good candidate
for blacklisting.

Regards,

David.
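The two heuristics discussed in this message (a sender/recipient pair that is temp-rejected and then retried from three or more distinct relays, with relays compared by their first three octets so a load-balanced pool counts once, and a message retried three or more times after a 5XX reply), written up as an added Python example. This is not MIMEDefang or CanIt code; the one-hour window, the thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict
WINDOW_SECS = 3600        # assumed meaning of "a short period of time"
RELAY_THRESHOLD = 3       # tempfail followed by 3+ distinct relays
RETRY_5XX_THRESHOLD = 3   # 3+ attempts after a 5XX reply

def net_key(ip):
    """First three octets only, so a load-balanced pool of outgoing servers
    in one class-C block counts as a single relay."""
    return ".".join(ip.split(".")[:3])

class GreylistTracker:
    """Per (sender, recipient) history: (timestamp, /24 of client, our reply)."""
    def __init__(self):
        self.events = defaultdict(list)

    def record(self, ts, ip, sender, recipient, reply):
        """reply is what we answered: 'tempfail' (greylist 4xx) or '5xx'."""
        self.events[(sender.lower(), recipient.lower())].append((ts, net_key(ip), reply))

    def _recent(self, sender, recipient, now):
        key = (sender.lower(), recipient.lower())
        return sorted(e for e in self.events[key] if now - e[0] <= WINDOW_SECS)

    def relay_hopping(self, sender, recipient, now):
        """Same pair temp-rejected, then seen from 3+ distinct /24s in the window."""
        recent = self._recent(sender, recipient, now)
        if not any(reply == "tempfail" for _, _, reply in recent):
            return False
        return len({net for _, net, _ in recent}) >= RELAY_THRESHOLD

    def ignores_5xx(self, sender, recipient, now):
        """Same message retried 3+ times after we answered with a 5XX code."""
        attempts_after, rejected = 0, False
        for _, _, reply in self._recent(sender, recipient, now):
            attempts_after += int(rejected)   # count only attempts after the first 5XX
            rejected = rejected or reply == "5xx"
        return attempts_after >= RETRY_5XX_THRESHOLD

def demo():
    """Constructed history (addresses are made up); returns each verdict."""
    t = GreylistTracker()
    for i, ip in enumerate(["203.0.113.5", "198.51.100.9", "192.0.2.77"]):   # hopper
        t.record(1000 + i * 200, ip, "spam@example.net", "bob@example.org", "tempfail")
    for i in range(10, 14):   # ISP pool: four hosts, one class-C block
        t.record(1000 + i, f"192.0.2.{i}", "alice@isp.example", "bob@example.org", "tempfail")
    for i in range(4):        # one 5XX, then three more tries anyway
        t.record(1000 + i * 100, "203.0.113.8", "junk@example.net", "carol@example.org", "5xx")
    return {"hopper": t.relay_hopping("spam@example.net", "bob@example.org", 2000),
            "isp_pool": t.relay_hopping("alice@isp.example", "bob@example.org", 2000),
            "ignores_5xx": t.ignores_5xx("junk@example.net", "carol@example.org", 2000)}
```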