[Mimedefang] Repeated attempts with different sender and IP when greylisting

Paul Murphy pjm at ousekjarr.org
Fri Feb 17 10:53:41 EST 2006


> I recently started using greylisting within Mimedefang on our relays.
> When TEMPFAIL'ed, a spammer resends the same piece of mail every few
> seconds using a different IP and sender address. This continues until a
> permanent error is sent (User unknown). How do others deal with this
> tactic? 

I have multiple approaches:

1. Ignore it - greylisting is doing what I intended, and when they do finally
come back, I reject at the RCPT TO: stage via filter_recipient which works
out that they're trying to send to a non-existent user.

2. Firewall persistent greylist attempts which never retry the message but
reconnect using a different sender/recipient pair, or systems which claim to
be localhost, or which send to more than one non-existent user in a single
message, or which hard fail SPF checks. I scan my logs for new greylist
entries, and then also for successful connections from that sender/mailhost
pair.  If there are no successes within 2 days, I firewall the mailhost.
I've seen a rash of systems which try 48-50 sender/recipient pairs (all
different), and never come back, plus some incidents where I see 50 different
hosts connect and all failing greylisting around the same time.  These are
fairly clearly spambot networks.

3. I refuse connections from any host which has its IP address in its
reverse IP name (e.g. i219-164-64-114.s02.a018.ap.plala.or.jp), or where the
name contains a good indication of an end-user host (e.g. it contains one or
more of the terms "cable", "dsl", "hsd", "dynamic", "static", "pool", etc).
Basically, this is either a badly managed
mail host which has a useless reverse IP entry, or a broadband host which
probably shouldn't have a mail daemon running on it.  This is of course
fraught with issues, but since I'm doing it on a home network with 2 users,
I'm fairly happy to deal with issues as they arise.

Also, note that if a system is going to retry, it will probably retry
immediately and then every 5 minutes for a while.  Setting your greylist
timeout to 30 minutes is probably too extreme, and will penalise legitimate
mail so badly that you're bound to get complaints.  I have mine set for 30
seconds, which does the job on mass mailers which never retry, and allows
99.9% of mail through within a minute.  I've been tempted to take it down to
2 seconds to see what happens, since legitimate mailers do sometimes retry
every second for 10 seconds before they back off.

Best Wishes,
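
The log-scanning rules of approach 2 and the reverse-DNS heuristic of approach 3, as an added Python example that is not part of the original post and not MIMEDefang's own code. The "greylist tempfail/accept" log line layout, the sample entries, the two-day window and the pair/host thresholds are all constructed assumptions for this example (real MIMEDefang greylist logging depends on your filter and looks different); only the plala.or.jp host name is taken from the post as a test case. It also covers the original question's pattern of one message resent from a fresh IP and sender every few seconds, by counting distinct hosts hitting one recipient inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed syslog-like layout. The "greylist tempfail/accept"
# message text is an assumption for this example, not MIMEDefang's real log format.
SAMPLE_LOG = """\
2006-02-15T09:00:01 relay mimedefang.pl[4711]: greylist tempfail ip=192.0.2.10 from=<a1@example.net> rcpt=<nobody1@example.org>
2006-02-15T09:00:09 relay mimedefang.pl[4711]: greylist tempfail ip=192.0.2.11 from=<a2@example.net> rcpt=<nobody1@example.org>
2006-02-15T09:00:17 relay mimedefang.pl[4711]: greylist tempfail ip=192.0.2.12 from=<a3@example.net> rcpt=<nobody1@example.org>
2006-02-15T10:00:00 relay mimedefang.pl[4711]: greylist tempfail ip=198.51.100.5 from=<list@mailer.example> rcpt=<paul@example.org>
2006-02-15T10:05:02 relay mimedefang.pl[4711]: greylist accept ip=198.51.100.5 from=<list@mailer.example> rcpt=<paul@example.org>
2006-02-15T11:00:00 relay mimedefang.pl[4711]: greylist tempfail ip=203.0.113.7 from=<x1@example.net> rcpt=<nobody2@example.org>
2006-02-15T11:00:03 relay mimedefang.pl[4711]: greylist tempfail ip=203.0.113.7 from=<x2@example.net> rcpt=<nobody3@example.org>
2006-02-15T11:00:06 relay mimedefang.pl[4711]: greylist tempfail ip=203.0.113.7 from=<x3@example.net> rcpt=<nobody4@example.org>
2006-02-16T08:00:00 relay mimedefang.pl[4711]: greylist tempfail ip=198.51.100.9 from=<new@partner.example> rcpt=<paul@example.org>
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ mimedefang\.pl\[\d+\]: greylist (?P<action>tempfail|accept) "
    r"ip=(?P<ip>[\d.]+) from=<(?P<sender>[^>]*)> rcpt=<(?P<rcpt>[^>]*)>$"
)


def parse_log(text):
    """Return (timestamp, action, ip, sender, rcpt) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["action"], m["ip"], m["sender"], m["rcpt"]))
    return events


def never_retried(events, now, window=timedelta(days=2)):
    """Approach 2: hosts that were tempfailed, never had any sender/host pair accepted,
    and whose last attempt is older than `window`. These are the firewall candidates."""
    last_seen, accepted = {}, set()
    for ts, action, ip, _, _ in events:
        if action == "accept":
            accepted.add(ip)
        else:
            last_seen[ip] = max(ts, last_seen.get(ip, ts))
    return {ip for ip, ts in last_seen.items() if ip not in accepted and now - ts > window}


def pair_churners(events, min_pairs=10):
    """Hosts that tempfail on at least `min_pairs` distinct sender/recipient pairs and are
    never accepted: the "48-50 different pairs, never come back" bot pattern."""
    pairs, accepted = defaultdict(set), set()
    for _, action, ip, sender, rcpt in events:
        if action == "accept":
            accepted.add(ip)
        else:
            pairs[ip].add((sender, rcpt))
    return {ip for ip, p in pairs.items() if ip not in accepted and len(p) >= min_pairs}


def rotating_senders(events, window=timedelta(seconds=60), min_hosts=3):
    """Recipients hit by `min_hosts` distinct IPs within `window`: one message being
    resent from a new IP and sender every few seconds. Returns {rcpt: set(ips)}."""
    by_rcpt = defaultdict(list)
    for ts, action, ip, _, rcpt in events:
        if action == "tempfail":
            by_rcpt[rcpt].append((ts, ip))
    hits = {}
    for rcpt, attempts in by_rcpt.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            ips = {ip for ts, ip in attempts[i:] if ts - start <= window}
            if len(ips) >= min_hosts:
                hits[rcpt] = ips
                break
    return hits


# Terms listed in the post; substring matching as the post describes ("contains"),
# so expect false positives such as "liverpool" and tune for your own traffic.
END_USER_TERMS = ("cable", "dsl", "hsd", "dynamic", "static", "pool")


def looks_like_end_user_host(ip, ptr_name):
    """Approach 3: True if the PTR name embeds the host's own IP (forwards or reversed,
    octets joined by '-', '.' or '_') or carries a broadband-style label."""
    name = ptr_name.lower()
    octets = ip.split(".")
    for seq in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"[-._]".join(map(re.escape, seq)) + r"(?!\d)"
        if re.search(pattern, name):
            return True
    return any(term in name for term in END_USER_TERMS)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    now = datetime(2006, 2, 17, 10, 53, 41)
    print("firewall (no retry in 2 days):", sorted(never_retried(events, now)))
    print("pair churners:", sorted(pair_churners(events, min_pairs=3)))
    print("rotating senders:", rotating_senders(events))
    print("plala PTR:", looks_like_end_user_host("219.164.64.114", "i219-164-64-114.s02.a018.ap.plala.or.jp"))
```

Run against the constructed sample, the two-day rule catches the three 192.0.2.x hosts that each tried once and vanished, while 203.0.113.7 is still inside the window and is only caught by the distinct-pair rule; the two rules are deliberately separate so you can watch each one's false-positive rate. A host that had any pair accepted is never firewalled, which is slightly looser than the post's per-pair bookkeeping but avoids blocking a real mail server that merely tempfailed on one sender. Feeding this from syslog and turning the result into firewall rules is left out, as is any PTR lookup: pass in the name your MTA already logged.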


