[Mimedefang] Greylisting netmask
David F. Skoll
dfs at roaringpenguin.com
Sat Feb 3 22:37:12 EST 2007
Jeff Rife wrote:
> I'm starting down the "roll my own" greylisting track, and I'm curious
> what other people use for a netmask in comparing IP addresses in the
> list.
I use /24.
> Also, it's not hard to store the IP/from/to tuple for each connection
> in a database, but all the ideas I have for storing whitelist
> information in the database seem a bit dodgy, as all the sources of
> whitelist data use netmasks. Storing this isn't really the
> issue...it's the fact that you
> can't use this to directly query the database, and so performance can
> be poor.
You could do what "cidrexpand" does and expand the netmask-based whitelists
to lots of individual entries. If your IP field is indexed, it shouldn't
hurt to have lots (millions, even) of entries.
Our implementation matches on (ip/24, sender, recipient) where ip/24
is the first three octets of the sending relay. Once a sending relay
makes it past greylisting, we add the full IP address to a
"hosts_known_to_retry" table and we don't greylist hosts in that table
for 40 days. Once a host retries, it'll probably keep retrying in
future, so it's wasteful to greylist it.
We do our greylisting post-DATA for a number of reasons, and I was
actually thinking of adding the Subject: header into the mix. I used
to see spam zombies that tried 5 times, every 5 minutes, from the same
IP address. They'd keep the same sender and recipient, but mutate the
subject. However, I haven't seen that lately, so I guess spam
technology has evolved (unlike spammers...)
--
David.
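The scheme described in the reply above (expanded CIDR whitelist, greylist keyed on the sender's /24 plus sender and recipient, and a hosts_known_to_retry table honoured for 40 days), as an added example sketched in Python with SQLite; it is not MIMEDefang's or David Skoll's own code, and the 300-second greylist delay, table names and example addresses are assumptions.

```python
import ipaddress
import sqlite3

RETRY_DAYS = 40        # per the post: hosts that retried are exempt for 40 days
GREYLIST_DELAY = 300   # assumed: seconds a new tuple must wait before acceptance


def open_db():
    """Create the three tables; every lookup column is indexed (PRIMARY KEY)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE whitelist (ip TEXT PRIMARY KEY);
      CREATE TABLE greylist (net TEXT, sender TEXT, rcpt TEXT, first_seen INTEGER,
                             PRIMARY KEY (net, sender, rcpt));
      CREATE TABLE hosts_known_to_retry (ip TEXT PRIMARY KEY, seen INTEGER);
    """)
    return db


def expand_whitelist(db, cidr):
    """cidrexpand-style: store each address of the block as its own indexed row,
    so the connect-time check is a plain equality lookup instead of mask math."""
    rows = [(str(a),) for a in ipaddress.ip_network(cidr, strict=False)]
    db.executemany("INSERT OR IGNORE INTO whitelist VALUES (?)", rows)


def net24(ip):
    """First three octets of an IPv4 relay address, as '/24' in the post."""
    return str(ipaddress.ip_network(ip + "/24", strict=False).network_address)


def check(db, ip, sender, rcpt, now):
    """Return 'accept' or 'tempfail' for one delivery attempt at time `now`."""
    if db.execute("SELECT 1 FROM whitelist WHERE ip=?", (ip,)).fetchone():
        return "accept"
    row = db.execute("SELECT seen FROM hosts_known_to_retry WHERE ip=?", (ip,)).fetchone()
    if row and now - row[0] < RETRY_DAYS * 86400:
        return "accept"                      # this exact host already proved it retries
    key = (net24(ip), sender, rcpt)
    row = db.execute("SELECT first_seen FROM greylist WHERE net=? AND sender=? AND rcpt=?",
                     key).fetchone()
    if row is None:                          # first sight of this tuple: defer it
        db.execute("INSERT INTO greylist VALUES (?,?,?,?)", key + (now,))
        return "tempfail"
    if now - row[0] < GREYLIST_DELAY:        # retried too soon: keep deferring
        return "tempfail"
    # A real retry from this /24: accept and remember the full IP for 40 days.
    db.execute("INSERT OR REPLACE INTO hosts_known_to_retry VALUES (?,?)", (ip, now))
    return "accept"
```

Addresses in the test are documentation ranges (constructed); a production store would need periodic expiry of old greylist tuples, which the sketch omits.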