[Mimedefang] greylisting in filter_end after SA check?

Cahya Wirawan cwirawan at email.archlab.tuwien.ac.at
Tue Mar 16 16:01:18 EST 2004


On Tue, Mar 16, 2004 at 12:07:35PM -0700, Lucas Albers wrote:
> You are in a sense implementing a floating blacklist with this policy.
> The reason greylist has a short delay is so it is not noticed; with your
> longer policy you will delay legitimate email.

The original paper about greylisting uses 1 hour as block time anyway.

> There are a few things you can do to raise your accuracy without blocking
> legitimate email.
> Use Bayes, use network tests, use HELO checks.

Actually, I use all of them.

> Use floating greylists for machines that re-attempt delivery within
> 1-2 minutes of their first delivery attempt.

Unfortunately, there are many legitimate mail servers that resend email
1-2 minutes after their first delivery attempt,
so I can't greylist them longer based on this.

> Analyze your logs for new relay addresses or sender addresses that have a
> high average spam score. Then blacklist their relay IP/sender address.

At the beginning I also had this idea to blacklist specific relay IP
addresses based on a high average spam score, but then I found out that many
of our users have external email accounts, and they forward their email
to our domain, and many of them are only spam. This makes the average
score of the relay very high although they are not spam senders.
The same goes for the sender address: I saw one who forwards his email from
his external email address to our domain, but somehow the original sender
address is changed to his external email address.

cahya.
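
An added example, not part of the original post and not MIMEDefang code: a per-relay average-spam-score report that sets aside relays which look like forwarders, the false-positive case described in the reply above. The sample records, the thresholds, the `known_forwarders` list and the distinct-recipient heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed records (relay IP, local recipient, spam score); the addresses
# are documentation ranges, not taken from any real log.
SAMPLE = (
    [("192.0.2.10", f"user{i % 4}@example.org", 12.0 + i) for i in range(6)]
    + [("198.51.100.7", "bob@example.org", s)        # one user's forwarded mailbox
       for s in (15.0, 12.0, 18.0, 9.0, 1.0, 16.0)]
    + [("203.0.113.99", f"user{i % 3}@example.org", 10.0 + i) for i in range(6)]
    + [("203.0.113.5", f"user{i % 4}@example.org", 0.5 * i) for i in range(6)]
)

def relay_stats(records):
    """Per relay: message count, mean spam score, distinct local recipients."""
    scores, rcpts = defaultdict(list), defaultdict(set)
    for relay, rcpt, score in records:
        scores[relay].append(score)
        rcpts[relay].add(rcpt)
    return {r: {"n": len(s), "avg": sum(s) / len(s), "rcpts": len(rcpts[r])}
            for r, s in scores.items()}

def classify(records, known_forwarders=(), avg_threshold=8.0,
             min_msgs=5, min_rcpts=3):
    """Return (blacklist_candidates, needs_review), each sorted by relay.

    A relay with a high average score is only a blacklist candidate when it
    is not a known forwarder and its mail is spread over at least min_rcpts
    local recipients. A high-scoring relay that delivers to very few
    recipients is more likely a user's external account forwarding
    everything, spam included, so it goes to manual review instead.
    (The recipient-count heuristic is an assumption of this example.)
    """
    candidates, review = [], []
    for relay, st in sorted(relay_stats(records).items()):
        if st["n"] < min_msgs or st["avg"] < avg_threshold:
            continue  # too little data, or not spammy on average
        if relay in known_forwarders or st["rcpts"] < min_rcpts:
            review.append(relay)
        else:
            candidates.append(relay)
    return candidates, review

if __name__ == "__main__":
    # min_rcpts=0 disables the heuristic: the plain average-score rule.
    print("average only:  ", classify(SAMPLE, min_rcpts=0))
    print("with heuristic:", classify(SAMPLE))
    print("plus allowlist:", classify(SAMPLE, known_forwarders={"203.0.113.99"}))
```

A forwarder that serves several local users, like the constructed `203.0.113.99` here, is not caught by the recipient count and has to be listed in `known_forwarders` by the operator.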


