[Mimedefang] Repeated attempts with different sender and IP when greylisting

Paul Murphy pjm at ousekjarr.org
Fri Feb 17 10:53:41 EST 2006


Mike,

> I recently started using greylisting within Mimedefang on our relays.
> When TEMPFAIL'ed, a spammer resends the same piece of mail every few
> seconds using a different IP and sender address. This continues until a
> permanent error is sent (User unknown). How do others deal with this
> tactic?

I have multiple approaches:

1. Ignore it - greylisting is doing what I intended, and when they do finally
come back, I reject at the RCPT TO: stage via filter_recipient which works
out that they're trying to send to a non-existent user.

2. Firewall persistent greylist attempts which never retry the message but
reconnect using a different sender/recipient pair, or systems which claim to
be localhost, or which send to more than one non-existent user in a single
message, or which hard fail SPF checks. I scan my logs for new greylist
entries, and then also for successful connections from that sender/mailhost
pair.  If there are no successes within 2 days, I firewall the mailhost.
I've seen a rash of systems which try 48-50 sender/recipient pairs (all
different), and never come back, plus some incidents where I see 50 different
hosts connect and all failing greylisting around the same time.  These are
fairly clearly spambot networks.

3.  I refuse connections from any host which has its IP address in its
reverse IP name (e.g. i219-164-64-114.s02.a018.ap.plala.or.jp =
219.164.64.114), or where the name contains a good indication of an end-user
host (e.g. it contains one or more of the terms "cable", "dsl", "hsd",
"dynamic", "static", "pool", etc).  Basically, this is either a badly managed
mail host which has a useless reverse IP entry, or a broadband host which
probably shouldn't have a mail daemon running on it.  This is of course
fraught with issues, but since I'm doing it on a home network with 2 users,
I'm fairly happy to deal with issues as they arise.

Also, note that if a system is going to retry, it will probably retry
immediately and then every 5 minutes for a while.  Setting your greylist
timeout to 30 minutes is probably too extreme, and will penalise legitimate
mail so badly that you're bound to get complaints.  I have mine set for 30
seconds, which does the job on mass mailers which never retry, and allows
99.9% of mail through within a minute.  I've been tempted to take it down to
2 seconds to see what happens, since legitimate mailers do sometimes retry
every second for 10 seconds before they back off.

Best Wishes,

Paul.

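An added, stand-alone illustration of the third rule above (this is example code written for this page, not code from the post or from MIMEDefang itself): it checks whether a reverse DNS name encodes the connecting IP address, or contains one of the end-user terms the post lists, and returns the reason a connection would be refused. It goes slightly beyond the post by also matching octets in reverse order; the sample IP/name pairs are constructed.

```python
import re
from ipaddress import IPv4Address

# Terms the post lists as hints that the reverse name belongs to an end-user host.
END_USER_TERMS = ("cable", "dsl", "hsd", "dynamic", "static", "pool")

def ip_embedded_in_name(ip: str, name: str) -> bool:
    """True if the octets of `ip` appear in order (or in reverse order) as
    consecutive digit runs in `name`, whatever separator is used, e.g.
    i219-164-64-114.s02.a018.ap.plala.or.jp for 219.164.64.114.
    Zero-padded runs such as 012 are compared numerically."""
    octets = [int(o) for o in str(IPv4Address(ip)).split(".")]
    runs = [int(r) for r in re.findall(r"\d+", name)]
    windows = (runs[i:i + 4] for i in range(len(runs) - 3))
    return any(w == octets or w == octets[::-1] for w in windows)

def end_user_terms(name: str) -> list:
    """Terms from END_USER_TERMS found anywhere in the lowercased name."""
    lowered = name.lower()
    return [t for t in END_USER_TERMS if t in lowered]

def reject_reason(ip: str, name: str):
    """Return the reason a connection would be refused under the post's
    third rule, or None if the reverse name passes both checks."""
    if not name:
        return None  # no reverse name at all: outside the scope of this rule
    if ip_embedded_in_name(ip, name):
        return "reverse name encodes the connecting IP address"
    terms = end_user_terms(name)
    if terms:
        return "reverse name suggests an end-user host: " + ", ".join(terms)
    return None

if __name__ == "__main__":
    # Constructed sample pairs (not real connection data).
    samples = [
        ("219.164.64.114", "i219-164-64-114.s02.a018.ap.plala.or.jp"),
        ("192.0.2.10", "10-2-0-192.rev.example.net"),
        ("198.51.100.7", "cpe-198-51-100-7.dsl.example.com"),
        ("203.0.113.25", "pool-99.dynamic.example.net"),
        ("203.0.113.26", "mail.example.org"),
    ]
    for ip, name in samples:
        print(f"{ip:16} {name:42} -> {reject_reason(ip, name)}")
```

Run against real connection data, the two checks should be logged and reviewed before they are used to refuse mail, since the post itself notes the rule is fraught with issues.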