[Mimedefang] Greylisting netmask

David F. Skoll dfs at roaringpenguin.com
Sat Feb 3 22:37:12 EST 2007


Jeff Rife wrote:

> I'm starting down the "roll my own" greylisting track, and I'm curious 
> what other people use for a netmask in comparing IP addresses in the 
> list.

I use /24.

> Also, it's not hard to store the IP/from/to tuple for each connection
> in a database, but all the ideas I have for storing whitelist
> information in the database seem a bit dodgy, as all the sources of
> whitelist data use netmasks.  Storing this isn't really the
> issue...it's the fact that you can't use this to directly query the
> database, and so performance can be poor.

You could do what "cidrexpand" does and expand the netmask-based whitelists
to lots of individual entries.  If your IP field is indexed, it shouldn't
hurt to have lots (millions, even) of entries.

Our implementation matches on (ip/24, sender, recipient) where ip/24
is the first three octets of the sending relay.  Once a sending relay
makes it past greylisting, we add the full IP address to a
"hosts_known_to_retry" table and we don't greylist hosts in that table
for 40 days.  Once a host retries, it'll probably keep retrying in
future, so it's wasteful to greylist it.

We do our greylisting post-DATA for a number of reasons, and I was
actually thinking of adding the Subject: header into the mix.  I used
to see spam zombies that tried 5 times, every 5 minutes, from the same
IP address.  They'd keep the same sender and recipient, but mutate the
subject.  However, I haven't seen that lately, so I guess spam
technology has evolved (unlike spammers...)

--
David.
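The scheme David outlines above (a CIDR whitelist expanded to individual addresses, a greylist keyed on (ip/24, sender, recipient), and a hosts_known_to_retry table honoured for 40 days), as an added Python sketch that is not MIMEDefang's or the author's code; the 5-minute retry delay, the in-memory tables and the sample addresses are assumptions for illustration.

```python
import ipaddress

RETRY_DELAY = 5 * 60         # assumed: minimum wait before a retry is accepted
KNOWN_TTL = 40 * 24 * 3600   # 40 days, as stated in the reply


def cidrexpand(cidrs):
    """Expand CIDR whitelist entries into individual host addresses,
    the "lots of entries on an indexed IP field" approach."""
    hosts = set()
    for c in cidrs:
        hosts.update(str(h) for h in ipaddress.ip_network(c, strict=False))
    return hosts


def slash24(ip):
    """First three octets of the relay: the greylist matches on ip/24."""
    return str(ipaddress.ip_network(ip + "/24", strict=False).network_address)


class Greylister:
    def __init__(self, whitelist_cidrs):
        self.whitelist = cidrexpand(whitelist_cidrs)
        self.triplets = {}        # (ip/24, sender, rcpt) -> first seen (epoch secs)
        self.known_to_retry = {}  # full ip -> time it made it past greylisting

    def decide(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' for one post-DATA delivery attempt."""
        if ip in self.whitelist:
            return "accept"
        passed = self.known_to_retry.get(ip)
        if passed is not None and now - passed < KNOWN_TTL:
            return "accept"            # host retried before; don't greylist it
        key = (slash24(ip), sender, rcpt)
        first = self.triplets.setdefault(key, now)
        if now - first < RETRY_DELAY:
            return "tempfail"          # first attempt (or retried too soon)
        # Retried after the delay: remember the full IP for the next 40 days.
        self.known_to_retry[ip] = now
        return "accept"


if __name__ == "__main__":
    # Constructed sample traffic: two relays in the same /24 share a triplet.
    g = Greylister(["198.51.100.0/30"])
    print(g.decide("192.0.2.10", "a@example.org", "b@example.net", 0))    # tempfail
    print(g.decide("192.0.2.20", "a@example.org", "b@example.net", 600))  # accept
```

Because the triplet is keyed on the /24, a retry from a neighbouring relay in the same block is accepted, but only the relay that actually retried lands in the known-to-retry table.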


