
Mailing List Archive: exim: users

greylisting

 

 



terry at bluelight

Jun 6, 2009, 9:19 AM

Post #1 of 8 (634 views)
greylisting

I have grey listing running and it seems to work well stopping the bulk
of spam. But I had one chap complaining last week that some one was
emailing him and it was failing to get through.
A quick log check showed

2009-06-04 12:29:10 [76405] H=vscano-b2.ucl.ac.uk [128.40.105.157]:47833
I=[94.76.221.176]:25 F=<Egyptian[at]thebritishmuseum.ac.uk> temporarily
rejected RCPT <Christine[at]carmarthentown.com>: greylisted host
128.40.105.157

2009-06-04 12:29:10 [76405] H=vscano-b2.ucl.ac.uk [128.40.105.157]:47833
I=[94.76.221.176]:25 incomplete transaction (QUIT) from
<Egyptian[at]thebritishmuseum.ac.uk>

2009-06-05 16:19:50 [48875] H=vscano-a2.ucl.ac.uk [144.82.100.153]:64384
I=[94.76.221.176]:25 F=<Egyptian[at]thebritishmuseum.ac.uk> temporarily
rejected RCPT <Christine[at]carmarthentown.com>: greylisted host
144.82.100.153

2009-06-05 16:19:50 [48875] H=vscano-a2.ucl.ac.uk [144.82.100.153]:64384
I=[94.76.221.176]:25 incomplete transaction (QUIT) from
<Egyptian[at]thebritishmuseum.ac.uk>

So I guess there server just never retried after being grey listed at
least not from the same host. Other than not greylisting I take it
there's no way of avoiding the odd incident like this.
Their email got returned with a 550 unable to relay error. I am no
expert at this but I do try and get things right and avoid causing other
people problems.
I have since whitelisted them ( using postgrey by the way ) .

Thanks
Terry

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


wbh at conducive

Jun 6, 2009, 10:01 AM

Post #2 of 8 (590 views)
Re: greylisting [In reply to]

Terry wrote:
> I have grey listing running and it seems to work well stopping the bulk
> of spam. But I had one chap complaining last week that some one was
> emailing him and it was failing to get through.
> A quick log check showed
>
> 2009-06-04 12:29:10 [76405] H=vscano-b2.ucl.ac.uk [128.40.105.157]:47833
> I=[94.76.221.176]:25 F=<Egyptian[at]thebritishmuseum.ac.uk> temporarily
> rejected RCPT <Christine[at]carmarthentown.com>: greylisted host
> 128.40.105.157
>
> 2009-06-04 12:29:10 [76405] H=vscano-b2.ucl.ac.uk [128.40.105.157]:47833
> I=[94.76.221.176]:25 incomplete transaction (QUIT) from
> <Egyptian[at]thebritishmuseum.ac.uk>
>
> 2009-06-05 16:19:50 [48875] H=vscano-a2.ucl.ac.uk [144.82.100.153]:64384
> I=[94.76.221.176]:25 F=<Egyptian[at]thebritishmuseum.ac.uk> temporarily
> rejected RCPT <Christine[at]carmarthentown.com>: greylisted host
> 144.82.100.153
>
> 2009-06-05 16:19:50 [48875] H=vscano-a2.ucl.ac.uk [144.82.100.153]:64384
> I=[94.76.221.176]:25 incomplete transaction (QUIT) from
> <Egyptian[at]thebritishmuseum.ac.uk>
>
> So I guess there server just never retried after being grey listed at
> least not from the same host.

There is the key.

A SWAG says it looks as if they make two back-to-back attempts, then drop any
failures onto a backup host for delayed retry, and that it also does two
back-to-back then hard fail. .. Where 'back to back' may mean a RST and go again
on the same connection. Your logs can show that if made more verbose.

Hard to fault their approach, BTW.

Compared to typical retry configurations it will make far fewer queue-manips, fewer
*total* retries, gives the opportunity of avoiding IP or route-specific
problems, and lets the sender know much earlier that there *is* a problem.

OTOH - greylisting-friendly it is not...

> Other than not greylisting I take it
> there's no way of avoiding the odd incident like this

You could do - if you choose to ignore the source IP and go only on the
envelope-from and recpt-to coupling.

OTOH, unless you have ALSO pre-qualified the source IP (reverse_host_lookup)
ignoring the IP might make GL far less effective for OTHER arrivals.

...it will also make GL trigger less often, 'coz zombots rarely pass rDNS
checks. Enough 'less often' that we were able to scrap GL altogether.. YMMV.

> Their email got returned with a 550 unable to relay error. I am no
> expert at this but I do try and get things right and avoid causing other
> people problems.
> I have since whitelisted them ( using postgrey by the way ) .
>
> Thanks
> Terry
>

So long as your user-base doesn't go berserk while discovering the hard way what
*needs* WL, you probably won't have to WL more than a dozen or so (ever), as the
above multi-IP pattern WITH a mere 4 total tries is not all that common.



Bill



dwmw2 at infradead

Jun 8, 2009, 3:07 AM

Post #3 of 8 (581 views)
Re: greylisting [In reply to]

On Sat, 2009-06-06 at 17:19 +0100, Terry wrote:
> So I guess there server just

Where server?

> never retried after being grey listed at least not from the same host.

Why would you require them to retry from the _same_ host?

That seems unnecessary and silly -- many sites will punt 'problematic'
mails to another host to be retried periodically, to keep the mail queue
on the main servers clear.

> Other than not greylisting I take it there's no way of avoiding the
> odd incident like this

Er, how about greylisting sensibly, instead of badly? :)

> ( using postgrey by the way ) .

Ah, that explains it. Postgrey is one of the worst implementations of
greylisting I've ever encountered. Why aren't you just using Exim's
native capabilities?

I'd suggest reading http://wiki.exim.org/SimpleGreylisting -- the prose
sets out some things that you may want to think about regardless of
which greylisting implementation you use, and then there's an example
Exim configuration which shouldn't suffer most of the stupid problems
that postgrey does.

There are still trade-offs which are fundamental to the nature of
greylisting, of course, but most of them can be significantly minimised.
Especially in comparison with postgrey.

--
dwmw2




pookey at pookey

Jun 11, 2009, 5:41 AM

Post #4 of 8 (565 views)
Re: greylisting [In reply to]

2009/6/8 David Woodhouse <dwmw2[at]infradead.org>:
> I'd suggest reading http://wiki.exim.org/SimpleGreylisting -- the prose
> sets out some things that you may want to think about regardless of
> which greylisting implementation you use, and then there's an example
> Exim configuration which shouldn't suffer most of the stupid problems
> that postgrey does.

There's actually a flaw in this implementation here.

# Generate a hashed 'identity' for the mail, as described above.
warn set acl_m_greyident = ${hash{20}{62}{$sender_address$recipients$h_message-id:}}

Because it's common at the moment to get a mail to someone sent from
their own address without a message ID, hash clashes occur.

I'm currently not sure of the best way to deal with this - perhaps
adding the Subject line into the hash...

Perhaps I should just block mail sent from someone, to themselves,
with a null message ID.

--
Blog: http://pookey.co.uk/blog
Follow me on twitter: http://twitter.com/ipchristian
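
Added example (not part of any post in this thread, and not the wiki's or postgrey's code): a small Python model of the greylist keys discussed above, showing why a retry from a second host never clears a key that includes the connecting IP, and how the hashed identity clashes when the Message-ID is missing. Addresses, IPs and subjects are constructed, SHA-256 stands in for Exim's hash operator, and the defer/accept rule is a simplification that takes its five-minute delay from the ACL comment quoted in the thread.

```python
import hashlib

DELAY = 300  # seconds: the "five minutes" in the ACL comment quoted in this thread

def identity(m, with_subject=False):
    # Same inputs as the wiki's hashed identity (sender, recipients, Message-ID);
    # SHA-256 is a stand-in for Exim's ${hash...} operator (assumption).
    parts = m["sender"] + "".join(m["rcpts"]) + (m["msgid"] or "")
    if with_subject:                      # variant floated in the thread
        parts += m["subject"]
    return hashlib.sha256(parts.encode()).hexdigest()[:20]

# Candidate greylist keys discussed in the thread. "host+envelope" assumes the
# connecting IP is part of the key, as the "greylisted host <ip>" log text suggests.
KEYS = {
    "host+envelope": lambda m: (m["ip"], m["sender"], tuple(m["rcpts"])),
    "envelope":      lambda m: (m["sender"], tuple(m["rcpts"])),
    "identity":      lambda m: identity(m),
    "identity+subj": lambda m: identity(m, with_subject=True),
}

def run(policy, messages):
    """Defer the first sighting of a key; accept once DELAY has elapsed."""
    first_seen, verdicts = {}, []
    for m in messages:
        t0 = first_seen.setdefault(KEYS[policy](m), m["t"])
        verdicts.append("accept" if m["t"] - t0 >= DELAY else "defer")
    return verdicts

def msg(t, ip, sender, rcpt, msgid, subject):
    return {"t": t, "ip": ip, "sender": sender, "rcpts": [rcpt],
            "msgid": msgid, "subject": subject}

# Constructed data. RETRY: one message re-sent from a second host about 28 hours
# later, the pattern in the logs of post #1.
RETRY = [
    msg(0,      "192.0.2.10",    "a@sender.example", "c@rcpt.example", "<m1@sender.example>", "Hello"),
    msg(100240, "198.51.100.20", "a@sender.example", "c@rcpt.example", "<m1@sender.example>", "Hello"),
]
# CLASH: two unrelated messages, sender == recipient, no Message-ID.
CLASH = [
    msg(0,   "203.0.113.5", "c@rcpt.example", "c@rcpt.example", None, "Offer one"),
    msg(600, "203.0.113.9", "c@rcpt.example", "c@rcpt.example", None, "Offer two"),
]

if __name__ == "__main__":
    for name, batch in (("RETRY", RETRY), ("CLASH", CLASH)):
        for policy in KEYS:
            print(f"{name:5} {policy:14} {run(policy, batch)}")
```

In this model the second CLASH message is accepted as if it were a retry of the first under the plain identity key, and stays deferred once the Subject is included.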



eduardo at kalinowski

Jun 12, 2009, 6:38 AM

Post #5 of 8 (550 views)
Re: greylisting [In reply to]

On Mon, 08 Jun 2009, David Woodhouse wrote:
> I'd suggest reading http://wiki.exim.org/SimpleGreylisting -- the prose
> sets out some things that you may want to think about regardless of
> which greylisting implementation you use, and then there's an example
> Exim configuration which shouldn't suffer most of the stupid problems
> that postgrey does.

Thanks for the link. I already had selective greylisting implemented
in my exim (using another database recipe I found somewhere), but this
implementation is simpler and more straightforward. I've just
implemented it.

One thing that struck me is: once a greylisted message is seen again
and accepted (because the delay is over), couldn't its entry be
removed from the greylist table? It will eventually be removed 7 days
later from the cron script, but couldn't it be removed with something
like this:

# The message was listed but it's been more than five minutes. Accept it now and whitelist
# the _original_ sending host by its { IP, HELO } so that we don't delay its mail again.
warn set acl_m_orighost = ${lookup sqlite {GREYDB SELECT host FROM greylist \
                            WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
     set acl_m_orighelo = ${lookup sqlite {GREYDB SELECT helo FROM greylist \
                            WHERE id='${quote_sqlite:$acl_m_greyident}';}{$value}}
     set acl_m_dontcare = ${lookup sqlite {GREYDB INSERT INTO resenders \
                            VALUES ( '$acl_m_orighost', \
                                     '${quote_sqlite:$acl_m_orighelo}', \
                                     '$tod_epoch' ); }}
     set acl_m_dontcare = ${lookup sqlite {GREYDB DELETE FROM greylist \
                            WHERE id='${quote_sqlite:$acl_m_greyident}';}}
     logwrite = Added host $acl_m_orighost with HELO '$acl_m_orighelo' to known resenders

What do you guys think? Is it worth it? Or is it better to leave
old entries (retried or not) to be bulk deleted from cron?


--
Eduardo M KALINOWSKI
eduardo[at]kalinowski.com.br




eximusers at downhill

Jun 28, 2009, 12:04 AM

Post #6 of 8 (413 views)
Re: greylisting [In reply to]

David Woodhouse <dwmw2[at]infradead.org> wrote:
> On Sat, 2009-06-06 at 17:19 +0100, Terry wrote:
[...]
>> ( using postgrey by the way ) .

> Ah, that explains it. Postgrey is one of the worst implementations of
> greylisting I've ever encountered.

Hello David,

Could you please tell me what's so bad about postgrey? I am also using
it and I just do not get where it fails. (For reference I do know
why postgrey is smarter than greylistd. greylistd has no
--auto-whitelist-clients.)

> Why aren't you just using Exim's native capabilities?

At the time I was implementing greylisting the hand-built exim-acl
stuff either used flat files ($run /binecho >>) or was requiring
postgres or mysql. At that time these solutions also were less smart
than postgrey.

> I'd suggest reading http://wiki.exim.org/SimpleGreylisting
[...]

Situation seems to have changed, though.

thanks, cu andreas

--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




eximusers at downhill

Jun 28, 2009, 12:30 AM

Post #7 of 8 (414 views)
Re: greylisting [In reply to]

Andreas Metzler <eximusers[at]downhill.at.eu.org> wrote:
> David Woodhouse <dwmw2[at]infradead.org> wrote:
[...]
>> I'd suggest reading http://wiki.exim.org/SimpleGreylisting
> [...]

> Situation seems to have changed, though.

Major thing I do not like about this: It runs after DATA. For me a
major point of greylisting is to be cheap. i.e. mails not transferred
twice, spamassassin not run twice, etc.
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




dms at samersoff

Jun 28, 2009, 1:00 AM

Post #8 of 8 (414 views)
Re: greylisting [In reply to]

Andreas Metzler wrote:
> Andreas Metzler <eximusers[at]downhill.at.eu.org> wrote:
>> David Woodhouse <dwmw2[at]infradead.org> wrote:
> [...]
>>> I'd suggest reading http://wiki.exim.org/SimpleGreylisting
>> [...]
>
>> Situation seems to have changed, though.
>
> Major thing I do not like about this: It runs after DATA.

+1 - one of the main goals of my implementation was to reject messages as
early as possible.

But unfortunately we have a very limited set of information about a
message at HELO time so I'm thinking about two-stage greylisting.

-Dmitry

--
Dmitry Samersoff
dms[at]samersoff.net, http://devnull.samersoff.net
* There will come soft rains ...

