[Mimedefang] SendmailMacros, greylisting and filter_recipient
David F. Skoll
dfs at roaringpenguin.com
Wed Dec 3 12:22:13 EST 2003
On Wed, 3 Dec 2003, Lucas Albers wrote:
> I have discovered another test based on greylisting to find spammers.
> if a host is temp rejected and then attempts delivery with 3 or more other
> relays in a short period of time, it is spammer. They are switching mail
> relays to allow delivery. Normal senders should never have delivery
> through more than 2 relays in a short period of time.
> It is possible the sending MTA is attempting relay through a backup mx
> mail server.
> Can anyone find fault with my reasoning, does this appear to be a good test?
It's a tricky test: How do you know it's the same message? I guess based
on the sender/recipient addresses.
Also, a large ISP in Canada has a load-balanced pool of outgoing mail servers,
and you'll see messages coming from several different machines, all in the
same class-C address pool.
I think your test would be safer if you only considered the first three
bytes of the IP address to determine "differentness".
But it's an intriguing idea.
One thing I found in CanIt that I mentioned on the list is that some spam
mail servers don't take no for an answer, and retry even after a 5XX code.
I think a machine that sends the exact same message to the exact same
recipients three times or more in face of a 5XX code is a good candidate
for blacklisting.
Regards,
David.
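The two heuristics discussed in this thread (a tempfailed message reappearing from three or more distinct relays, compared on the first three bytes of the address, and a machine retrying the same message after a 5XX reply), as an added Python example that is not code from the thread, MIMEDefang or CanIt. The window length, the thresholds and the sample events are assumed/constructed values.

```python
from collections import defaultdict
from ipaddress import ip_network


class GreylistAbuseDetector:
    """Flags two retry patterns: a tempfailed (sender, recipient) pair that
    reappears from 3+ distinct /24 networks within a short window, and one
    host that keeps retrying the same pair after a 5XX reject."""

    def __init__(self, window=900, relay_threshold=3, reject_threshold=3):
        self.window = window                # "short period" in seconds (assumed)
        self.relay_threshold = relay_threshold
        self.reject_threshold = reject_threshold
        self.tempfails = defaultdict(list)  # (sender, rcpt) -> [(ts, /24 net)]
        self.rejects = defaultdict(list)    # (ip, sender, rcpt) -> [ts]

    @staticmethod
    def _net24(ip):
        # Compare only the first three bytes, so a load-balanced pool inside
        # one class-C block counts as a single relay (IPv4 assumed).
        return ip_network(f"{ip}/24", strict=False)

    def record(self, ts, ip, sender, rcpt, code):
        """Feed one delivery attempt plus our SMTP reply code; return flags."""
        key = (sender.lower(), rcpt.lower())
        flags = []
        if 400 <= code < 500:
            seen = [(t, n) for t, n in self.tempfails[key] if ts - t <= self.window]
            seen.append((ts, self._net24(ip)))
            self.tempfails[key] = seen          # drop entries outside the window
            if len({n for _, n in seen}) >= self.relay_threshold:
                flags.append("relay-hopping")
        elif code >= 500:
            seen = [t for t in self.rejects[(ip,) + key] if ts - t <= self.window]
            seen.append(ts)
            self.rejects[(ip,) + key] = seen
            if len(seen) >= self.reject_threshold:
                flags.append("retry-after-reject")
        return flags


def demo():
    """Run constructed events: (ts, relay ip, sender, rcpt, our reply code)."""
    d = GreylistAbuseDetector()
    events = [
        (0, "192.0.2.10", "a@example.net", "bob@example.org", 451),    # three
        (60, "198.51.100.5", "a@example.net", "bob@example.org", 451), # distinct
        (120, "203.0.113.7", "a@example.net", "bob@example.org", 451), # /24s
        (0, "192.0.2.11", "isp@example.com", "bob@example.org", 451),  # one pool,
        (60, "192.0.2.12", "isp@example.com", "bob@example.org", 451), # same
        (120, "192.0.2.13", "isp@example.com", "bob@example.org", 451),# class C
        (0, "192.0.2.50", "c@example.net", "bob@example.org", 550),    # retries
        (300, "192.0.2.50", "c@example.net", "bob@example.org", 550),  # after
        (600, "192.0.2.50", "c@example.net", "bob@example.org", 550),  # 5XX
    ]
    return [d.record(*e) for e in events]
```

Only the third attempt from a third distinct /24 and the third retry after a 5XX raise a flag; the load-balanced pool in one class-C block never does.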