[Mimedefang] Greylisting netmask
Jonas Eckerman
jonas_lists at frukt.org
Tue Feb  6 12:14:45 EST 2007

> One question:
> scenario a)
> A big hoster has multiple outbound servers; a message retried may be 
> issued by any of them.
> scenario b)
> An ISP has multiple dynamic IP addresses.
> How do you differ both scenarios?

I don't.

I simply remove the last number of the dotted IP address before 
using it in the greylist. The greylist triplets consist of this 
stripped IP address, the recipient and a massacred/stripped 
sender's address. New triplets are black for 3 minutes.

A completely separate table contains the full IP addresses (but 
no mail addresses) and is used to tempfail any never-seen-before 
hosts the first 10 seconds, and to whitelist any host that has 
successfully bypassed the greylist (no point in greylisting a host 
that retries). Obviously this check is done before ever involving 
the normal greylist. (This table already contained most hosts 
sending mail to us before I started tempfailing new hosts for 10 
seconds.)

Also done before involving the greylist are a bunch of checks 
that exempt many legit systems/mails from the greylist.

So far the system has worked just fine, and results in most virus 
and spam from zombies being stopped in filter_relay, while most 
legit mail bypasses the greylist without delay, but if you tell 
us about potential problems with it I would of course be thankful.

For more info just read the stuff at:
<http://whatever.frukt.org/mimedefangfilter.text.shtml>
Regards
/Jonas
-- 
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
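
The two-table scheme described in the message above, modelled as an added example; it is not part of the original post and is not the author's MIMEDefang filter code. It is a Python model rather than a Perl filter, and the names `Greylist`, `strip_ip`, `norm_sender` and `demo`, the sender normalization, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

GREY_DELAY = 180     # seconds a new triplet stays "black" (3 minutes, per the post)
NEW_HOST_DELAY = 10  # seconds a never-seen-before host is tempfailed

def strip_ip(ip):
    """Drop the last number of a dotted IPv4 address: 192.0.2.17 -> 192.0.2"""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything but dotted IPv4
    return str(addr).rsplit(".", 1)[0]

def norm_sender(sender):
    # Assumed normalization; the post only says "massacred/stripped".
    local, _, domain = sender.strip("<>").lower().rpartition("@")
    return local.split("+", 1)[0] + "@" + domain

class Greylist:
    def __init__(self):
        self.hosts = {}     # full IP -> [first_seen, passed_greylist]
        self.triplets = {}  # (stripped IP, recipient, sender) -> first_seen

    def check(self, ip, sender, rcpt, now):
        # Host table first: full address, no mail addresses involved.
        host = self.hosts.setdefault(ip, [now, False])
        if host[1]:
            return "accept:host-whitelisted"
        if now - host[0] < NEW_HOST_DELAY:
            return "tempfail:new-host"
        # (The exemption checks mentioned in the post would run here.)
        key = (strip_ip(ip), rcpt.lower(), norm_sender(sender))
        first = self.triplets.setdefault(key, now)
        if now - first < GREY_DELAY:
            return "tempfail:greylisted"
        host[1] = True  # this host retried, so stop greylisting it
        return "accept:greylist-passed"

def demo():
    g = Greylist()
    msg = ("Alice+news@Example.ORG", "bob@example.net")  # constructed sample
    return [
        g.check("192.0.2.10", *msg, now=0),      # never-seen host
        g.check("192.0.2.10", *msg, now=15),     # triplet created here
        g.check("192.0.2.77", *msg, now=100),    # sibling server, new host
        g.check("192.0.2.77", *msg, now=200),    # same stripped IP, triplet 185 s old
        g.check("192.0.2.77", "x@example.org", "y@example.net", now=201),
        g.check("198.51.100.5", *msg, now=400),  # different network, new host
        g.check("198.51.100.5", *msg, now=420),  # stripped IP differs: new triplet
    ]

if __name__ == "__main__":
    print("\n".join(demo()))
```

The fourth call shows scenario a): a retry from a sibling server with the same first three numbers completes the triplet started by the first server, while a retry from an address outside that range starts a new triplet.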