[Mimedefang] Pre-Emptive Greylist entries

Gary Funck gary at intrepid.com
Tue Jan 10 11:43:57 EST 2006


> From: Roland Pope
> Sent: Monday, January 09, 2006 5:50 PM
>
> One idea I had was to try and create a whitelist entry in the
> database for emails sent from within my network to customers, to try
> and reduce delays for initial replies from said customers.
>
> I.e. when one of my users sends an email from user at mynet.com to
> customer at custnet.com, I look up custnet.com in DNS, get the IPs of
> the highest-priority MXs and create a whitelist entry so that it
> decreases the chance that a reply from customer at custnet.com to
> user at mynet.com gets delayed by the greylist code.

Others have mentioned possible problems with this approach.  I'll add
one more: viruses.  If one of the client PCs on your network gets hit
with a virus then it may try to send mail to every address in the user's
address book; presumably many of those addresses will be for clients.
You might catch many of those virus-initiated e-mails via a virus scanner.
However, many installations don't scan outgoing messages for viruses
(we don't), so they won't be caught in this fashion.

Q: As a matter of best practice should we be scanning outgoing messages
for viruses, and rejecting them?

A couple of ideas on the incoming side:

1. RDNS the sending relay, and match the domain name against a list
   of domain names of customers, which might be found by saving outbound
   domains as you describe above (with the caveats as described also).

2. Something I've toyed with: _if_ the sending relay supports SPF and
   the SPF validates - accept the mail unconditionally and don't greylist
   it.  You might need to run another milter for validation, or adapt
   some Perl code to the task.  There may be other validation methods
   (HABEAS, etc) that work here.

3. Match the sender's mail address domain to the RDNS domain.  If they
   match, let the mail through without tempfailing (this is weaker than
   SPF, so must be done after the SPF check).

To catch some of the cases where a spammer hijacks a legitimate user's PC,
and sends mail as that user (haven't seen this, except for viruses, but it
seems possible), perhaps it is a good idea to _always_ tempfail messages
with many recipient addresses?
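The ordering of the three inbound checks above, plus the many-recipients tempfail, as an added example that is not from the original post or from MIMEDefang itself. It models the decision only: SPF result, reverse DNS name and recipient count are assumed to have been resolved already (in a real milter they would come from an SPF library and a forward-confirmed PTR lookup), and the two-label `registrable()` helper is a hypothetical simplification of a public-suffix lookup.

```python
"""Greylist-exemption decision for one inbound message.

Order follows the post: many recipients always tempfails; then a relay
whose rDNS falls inside a known customer domain, or an SPF pass, skips
greylisting; the weaker sender-domain-vs-rDNS match runs only after SPF.
All inputs are pre-resolved so the example runs offline."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Inbound:
    sender: str                 # envelope sender, e.g. "bob@custnet.com"
    relay_rdns: Optional[str]   # forward-confirmed PTR name of the relay, or None
    spf: str                    # result string from an SPF check: "pass", "fail", "none", ...
    recipient_count: int


def registrable(host: str, depth: int = 2) -> str:
    """Last `depth` labels of a host name, lowercased ("mx1.custnet.com" -> "custnet.com").
    Hypothetical simplification: production code needs a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-depth:])


def decide(msg: Inbound, customer_domains: Set[str], max_rcpts: int = 20) -> Tuple[str, str]:
    """Return (action, reason); action is ACCEPT, TEMPFAIL or GREYLIST."""
    sender_domain = msg.sender.rpartition("@")[2].lower()
    # Always tempfail a message fanned out to many recipients: this is the
    # hijacked-PC pattern, so no whitelist rule below may override it.
    if msg.recipient_count > max_rcpts:
        return ("TEMPFAIL", f"{msg.recipient_count} recipients > {max_rcpts}")
    rdns = msg.relay_rdns
    # 1. Relay's rDNS domain is on the customer list (built from outbound traffic).
    if rdns and registrable(rdns) in customer_domains:
        return ("ACCEPT", f"rdns {rdns} is a customer domain")
    # 2. SPF pass: strongest evidence, accept without greylisting.
    if msg.spf == "pass":
        return ("ACCEPT", "spf pass")
    # 3. Sender address domain matches relay rDNS domain (weaker, hence after SPF).
    if rdns and registrable(sender_domain) == registrable(rdns):
        return ("ACCEPT", "sender domain matches rdns")
    # Nothing exempted the message: hand it to the normal greylist code.
    return ("GREYLIST", "no exemption" if rdns else "no rdns")


if __name__ == "__main__":
    # Constructed sample: a reply from a customer's MX with no SPF record.
    print(decide(Inbound("bob@custnet.com", "mx1.custnet.com", "none", 1), {"custnet.com"}))
```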