GreyListing Release
Bluefly
Newbie Joined: 01 March 2011 Status: Offline Points: 17
Posted: 15 January 2013 at 9:36pm
I have a new issue with emails being delivered from obviously compromised home computers (based on their DNS names) which are making it through grey listing. From what I can gather, the initial connection from the computer is correctly sent to the grey list cache. However, if another spam email is later sent from the same IP, it is released from greylist limbo and the address white listed. This could be hours later. The email is forwarded and, generally, picked up by the Outlook junk mail filter.
This is not the behaviour of a correctly RFC configured mail server but it seems to have the same effect from the point of the greylist filter in that the filter seems to "think" that a server is reconnecting (I think). Is there some way to control this or at least clear the greylist cache after, say 20 minutes of listing an IP address? I've noticed entries in the cache that are more than 7 hours old. An example follows:

01/15/13 23:17:22:446 -- (3900) Detected TCP Connection: 62.83.170.235
01/15/13 23:17:22:446 -- (3900) Connection from: 62.83.170.235 - Originating country : Spain
01/15/13 23:17:22:446 -- (3900) GreyList limbo - Added 62.83.170.235
01/15/13 23:17:22:446 -- (3900) IP is in not in GreyList Allowed. Disconnecting: 62.83.170.235
01/15/13 23:17:22:462 -- (3900) No Data Received
01/15/13 23:17:22:462 -- (3900) Disconnect
01/16/13 03:48:20:977 -- (3840) Detected TCP Connection: 62.83.170.235
01/16/13 03:48:20:977 -- (3840) Connection from: 62.83.170.235 - Originating country : Spain
01/16/13 03:48:20:977 -- (3840) GreyList cache - 62.83.170.235 removed from limbo, will add to allowed list
01/16/13 03:48:20:977 -- (3840) IP Greylist - Added 62.83.170.235 to list
01/16/13 03:48:21:727 -- (3840) Received MAIL FROM: <ecizxvtrpoecb@cla.co.uk>
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
If an IP was to be removed from the list of IPs that have passed the greylist test after a few hours, or even after a few days, this could result in too many emails being delayed, especially if the sender's domain does not send out many emails to your domain. This is because if for example a domain sends you an email once a day, and the IP for their mail server was removed from the greylist approved senders, each day the sender's mail server would send an email, the initial email would fail, and they would have to wait until the next re-try to re-send it. This could delay that email 20-30 minutes each day, which could cause several complaints, especially since this scenario would repeat itself for any domain that doesn't send you multiple emails per day.
The greylist filter is designed to be a first barrier from spammer bots. If a spam bot (very inefficiently) retries to send spam to the same server, this will indeed cause them to pass the greylist filter from that point on. This is how greylist filters are designed to work. There should be hopefully other filters that will catch that spam, even though of course no antispam software is perfect and some will make it through.
Bluefly
Newbie Joined: 01 March 2011 Status: Offline Points: 17
Hi Roberto
Thanks for your reply. I may not have made my point very clear. I was not suggesting removing the IP from the list but from the cache. If a real mail server tries to send an email and finds it greylisted, it should retry within a few minutes, after which the IP will be whitelisted. It is the cache which seems to be holding IPs for hours. I can't see why this would be necessary. In my case, I believe that the compromised server is sending a DIFFERENT email some time later and, because the IP is already in greylist limbo, it is being flagged as okay and white listed. This then opens the door for more spam from that source. If this is the case, and I admit it may not be, then clearing the cache of a listed IP after 10 or 20 minutes would go some way to solve the problem.
Craig
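The behaviour described in the first post (a limbo entry that never expires, so a second connection hours later is promoted to the allowed list) and the expiry Craig proposes here can both be seen in a small greylist simulator. This is an added example, not SpamFilter's own code: the two timestamps and the IP are the ones quoted from the log above, while the `min_delay` retry floor and the `max_limbo_minutes` expiry are assumed policy knobs constructed for the illustration.

```python
"""Greylist limbo simulator: replay SMTP connection events against a policy."""
from datetime import datetime, timedelta

LOG_FORMAT = "%m/%d/%y %H:%M:%S"  # timestamp layout used by the log lines in the thread


class Greylist:
    def __init__(self, min_delay_minutes=1, max_limbo_minutes=None):
        # Assumed knobs: a retry sooner than min_delay is still rejected; a limbo
        # entry older than max_limbo_minutes is forgotten (None = never expires,
        # which is the behaviour the first post observed).
        self.min_delay = timedelta(minutes=min_delay_minutes)
        self.max_limbo_age = (timedelta(minutes=max_limbo_minutes)
                              if max_limbo_minutes is not None else None)
        self.limbo = {}      # ip -> datetime of first connection
        self.allowed = set()  # ips that passed the retry test

    def connect(self, ip, now):
        if ip in self.allowed:
            return "allowed"
        first = self.limbo.get(ip)
        if first is None:
            self.limbo[ip] = now
            return "limbo-added"
        age = now - first
        if self.max_limbo_age is not None and age > self.max_limbo_age:
            # Stale limbo entry: treat this as a fresh first contact again.
            self.limbo[ip] = now
            return "limbo-expired-readded"
        if age < self.min_delay:
            return "limbo-too-soon"
        # A retry after the minimum delay is what greylisting rewards.
        del self.limbo[ip]
        self.allowed.add(ip)
        return "allowed-after-retry"


def replay(events, max_limbo_minutes=None):
    """Return the greylist verdict for each (timestamp, ip) event in order."""
    g = Greylist(max_limbo_minutes=max_limbo_minutes)
    return [g.connect(ip, datetime.strptime(ts, LOG_FORMAT)) for ts, ip in events]


# Constructed sample built from the two connections quoted in the first post.
SAMPLE_FROM_LOG = [("01/15/13 23:17:22", "62.83.170.235"),
                   ("01/16/13 03:48:20", "62.83.170.235")]

if __name__ == "__main__":
    print(replay(SAMPLE_FROM_LOG))                        # no expiry: second connection passes
    print(replay(SAMPLE_FROM_LOG, max_limbo_minutes=20))  # 20 min expiry: re-greylisted
```

The same replay with a legitimate sender retrying a few minutes later still passes under the 20-minute policy, which is the trade-off LogSat describes: the expiry only delays senders whose retry interval is longer than the window.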
yapadu
Senior Member Joined: 12 May 2005 Status: Offline Points: 297
If a server is no longer greylisted the connection from the remote server is allowed. That does not mean the server is whitelisted, the rest of the filtering systems should still be working.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.