[Mimedefang] Greylisting

Paul Whittney pwhittney at net.arrivetech.com
Thu Dec 15 11:50:52 EST 2005


To All,

I too have been thinking a lot about greylisting, and before spending the
time on the MIMEDefang front (as I think it's much better to have it hooked 
in there, unless someone can say otherwise ;-) I thought I'd try it as a
milter add-on:
  http://hcpnet.free.fr/milter-greylist/

I made it run as the defang user, and placed all the pid, dump and sock
files in the MIMEDefang spool directory (as I know defang has all the right
permissions).
Added the following to my sendmail mc file:
 INPUT_MAIL_FILTER(`greylist', \
 	`S=local:/var/spool/MIMEDefang/milter-greylist.sock')
 define(`confMILTER_MACROS_CONNECT', `j, {if_addr}')

and used the greylist.conf file to whitelist by default, only add
a header if delayed, and specifically process one of the recipients
that gets 1000s of spam (on an old domain).

I'm a little worried about the effect of the confMILTER_MACROS_CONNECT
macro, but it hasn't hurt MIMEDefang (that I can notice), so I need
to do some background reading on it. David, would this break some of
the MIMEDefang milter code by not passing the default (not figured
out what that is, I should look in the cvs diff output... just not had
the time)?

Settings of the greylisting, in the way of timing, are still hit and miss
for me. I might look at the effect of David's 40d whitelist time.

The only issue I have is how to monitor it. Actually, the user I
had set it up for said that in 1 day the results were noticeable, by
the lack of spam emails. But that doesn't help my calculations.
I actually only block for 10 minutes, but if an email server
connects, it might get blacklisted 3 to 5 times in those 10 minutes
and then get whitelisted. That doesn't mean that for 5 blocks, I get one
good email. Maybe I just need to grab IPs and see how many never
retry?

I'm curious to try out the milter netguy mentioned, and see how that
runs.

One other major problem I've run into is ISPs providing additional
MX records in the DNS. So when the spam systems that follow the "If the first
attempt to send email fails, try the next MX" rule do that, the ISP
sends it on, which gets it past the blacklist, and if the ISP
is whitelisted by IP alone, the spam gets in.

-Paul

On Thu, Dec 15, 2005 at 08:45:22AM -0700, netguy wrote:
[snip...]
> I have a small amount of eMail clients using Fedora core 4.  When I 
> 'turned-up' graylisting in June 05, spam ( and virus ) dropped by 70% 
> immediately.  Gone, None, Notta.  Check out www.puremagic.com   These 
> folks have written a sendmail milter that runs as a separate process 
> before MIMEDefang can get a chance.  I am not a programmer, but have 
> fiddled my way around Linux boxes for about 10 years, so I don't know 
> all of the internal workings of these systems.  I do know that if you 
> install graylisting as stipulated in the instructions, you shouldn't 
> have any problems.  Your mileage may vary.
> 
-- 
Paul Whittney                                  ArriveTech, Inc.
Network Specialist / Systems Engineer         / |670 West 36th Street,
                                             /--|Erie, PA, 16508, USA
PWhittney [at] arrivetech.com (Main)        /   |www.arrivetech.com 
PWhittney [at] net.arrivetech.com (Aux)    /    |Tel: 814 868 3306
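An added illustration, not code from the thread or from milter-greylist: a toy greylist keyed on the (client IP, sender, recipient) triplet, using the 10-minute block and 40-day auto-whitelist mentioned above, replayed over a constructed set of delivery attempts to answer Paul's monitoring question of which senders never retry. The timings, the addresses and the attempt sequence are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Timings taken from the post: 10-minute initial block, 40-day auto-whitelist.
GREYLIST_DELAY = timedelta(minutes=10)
AUTOWHITE_TTL = timedelta(days=40)


@dataclass
class Greylist:
    """Toy greylist keyed on the (client IP, envelope sender, recipient) triplet."""
    first_seen: dict = field(default_factory=dict)   # triplet -> time of first attempt
    whitelisted: dict = field(default_factory=dict)  # triplet -> auto-whitelist expiry
    attempts: dict = field(default_factory=dict)     # triplet -> number of attempts seen

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' for one delivery attempt at time `now`."""
        key = (ip, sender.lower(), rcpt.lower())
        self.attempts[key] = self.attempts.get(key, 0) + 1
        expiry = self.whitelisted.get(key)
        if expiry is not None:
            if now < expiry:
                return "accept"
            # Auto-whitelist expired: the triplet has to earn its place again.
            self.whitelisted.pop(key)
            self.first_seen.pop(key, None)
        if key not in self.first_seen:
            self.first_seen[key] = now
            return "tempfail"
        if now - self.first_seen[key] < GREYLIST_DELAY:
            return "tempfail"  # retried inside the delay window: blocked again
        self.whitelisted[key] = now + AUTOWHITE_TTL
        return "accept"

    def never_retried(self):
        """Triplets seen exactly once and never accepted: the 'never retry' senders."""
        return sorted(k for k, n in self.attempts.items()
                      if n == 1 and k not in self.whitelisted)


# Constructed sample of delivery attempts (not real traffic); RFC 5737 test addresses.
T0 = datetime(2005, 12, 15, 9, 0, 0)
MX = ("192.0.2.10", "alice@example.org", "paul@example.com")      # a real MTA that retries
SPAM = ("198.51.100.5", "offer@example.net", "old@example.com")  # fire-and-forget sender
ATTEMPTS = [(T0, *MX), (T0 + timedelta(minutes=1), *SPAM),
            (T0 + timedelta(minutes=3), *MX), (T0 + timedelta(minutes=7), *MX),
            (T0 + timedelta(minutes=12), *MX), (T0 + timedelta(days=41), *MX)]


def replay(attempts):
    # Replay in time order; return the verdicts and the triplets that never retried.
    gl = Greylist()
    verdicts = [gl.check(ip, s, r, t) for t, ip, s, r in sorted(attempts)]
    return verdicts, gl.never_retried()
```

The retrying MTA is blocked on its early retries and accepted once the 10 minutes have passed, while the single-shot sender shows up in `never_retried()`; the final attempt 41 days later is blocked again because its auto-whitelist entry has expired.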


