Spam Filter ISP Support Forum

GreyListing Release

Bluefly (Newbie, joined 01 March 2011) posted 15 January 2013 at 9:36pm:

I have a new issue with emails being delivered from obviously compromised home computers (based on their DNS names) which are making it through grey listing. From what I can gather, the initial connection from the computer is correctly sent to the grey list cache. However, if another spam email is later sent from the same IP, it is released from greylist limbo and the address white listed. This could be hours later. The email is forwarded and, generally, picked up by the Outlook junk mail filter.

This is not the behaviour of a correctly RFC-configured mail server, but it seems to have the same effect from the point of view of the greylist filter, in that the filter seems to "think" that a server is reconnecting (I think).

Is there some way to control this or at least clear the greylist cache after, say 20 minutes of listing an IP address? I've noticed entries in the cache that are more than 7 hours old.

An example follows:

01/15/13 23:17:22:446 -- (3900) Detected TCP Connection: 62.83.170.235
01/15/13 23:17:22:446 -- (3900) Connection from: 62.83.170.235  -  Originating country : Spain
01/15/13 23:17:22:446 -- (3900) GreyList limbo - Added 62.83.170.235
01/15/13 23:17:22:446 -- (3900) IP is in not in GreyList Allowed. Disconnecting: 62.83.170.235
01/15/13 23:17:22:462 -- (3900) No Data Received
01/15/13 23:17:22:462 -- (3900) Disconnect

01/16/13 03:48:20:977 -- (3840) Detected TCP Connection: 62.83.170.235
01/16/13 03:48:20:977 -- (3840) Connection from: 62.83.170.235  -  Originating country : Spain
01/16/13 03:48:20:977 -- (3840) GreyList cache - 62.83.170.235 removed from limbo, will add to allowed list
01/16/13 03:48:20:977 -- (3840) IP Greylist - Added 62.83.170.235 to list
01/16/13 03:48:21:727 -- (3840) Received MAIL FROM: <ecizxvtrpoecb@cla.co.uk>

LogSat (Admin Group, United States, joined 25 January 2005) posted 15 January 2013 at 10:59pm:

If an IP were to be removed from the list of IPs that have passed the greylist test after a few hours, or even after a few days, this could result in too many emails being delayed, especially if the sender's domain does not send out many emails to your domain. This is because if, for example, a domain sends you an email once a day, and the IP for their mail server was removed from the greylist approved senders, each day the sender's mail server would send an email, the initial email would fail, and they would have to wait until the next retry to re-send it. This could delay that email 20-30 minutes each day, which could cause several complaints, especially since this scenario would repeat itself for any domain that doesn't send you multiple emails per day.

The greylist filter is designed to be a first barrier against spammer bots. If a spam bot (very inefficiently) retries sending spam to the same server, this will indeed cause it to pass the greylist filter from that point on. This is how greylist filters are designed to work. There should hopefully be other filters that will catch that spam, even though of course no antispam software is perfect and some will make it through.
Roberto Franceschetti
LogSat Software
Spam Filter ISP

Bluefly (Newbie, joined 01 March 2011) posted 15 January 2013 at 11:43pm:

Hi Roberto

Thanks for your reply. I may not have made my point very clear. I was not suggesting removing the IP from the list but from the cache. If a real mail server tries to send an email and finds it greylisted, it should retry within a few minutes, after which the IP will be whitelisted. It is the cache which seems to be holding IPs for hours. I can't see why this would be necessary. In my case, I believe that the compromised server is sending a DIFFERENT email some time later and, because the IP is already in greylist limbo, it is being flagged as okay and white listed. This then opens the door for more spam from that source. If this is the case, and I admit it may not be, then clearing the cache of a listed IP after 10 or 20 minutes would go some way to solve the problem.

Craig
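Worked example added by the editor; it is not code from this thread or from Spam Filter ISP, whose internal greylist logic is not shown here. It models the behaviour the two Bluefly posts describe: the log lines from the first post are parsed in the format quoted there, IPs that left limbo only after an unusually long gap are reported, and the same connections are then replayed through a toy greylist whose limbo entries expire after a configurable number of minutes, the knob the second post asks for. The log text is a constructed copy of the poster's lines for 62.83.170.235 plus one invented compliant sender (203.0.113.7, a documentation address) that retries after seven minutes; the 60-minute report threshold and the choice to restart the greylist clock when a stale limbo entry is seen again are my assumptions.

```python
"""Greylist limbo model and log check (editor's added example, not Spam Filter ISP code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed log: the poster's lines for 62.83.170.235 (same format as the thread)
# plus an invented compliant sender, 203.0.113.7, that retries after seven minutes.
SAMPLE_LOG = """\
01/15/13 23:17:22:446 -- (3900) Detected TCP Connection: 62.83.170.235
01/15/13 23:17:22:446 -- (3900) GreyList limbo - Added 62.83.170.235
01/15/13 23:17:22:446 -- (3900) IP is in not in GreyList Allowed. Disconnecting: 62.83.170.235
01/16/13 03:48:20:977 -- (3840) Detected TCP Connection: 62.83.170.235
01/16/13 03:48:20:977 -- (3840) GreyList cache - 62.83.170.235 removed from limbo, will add to allowed list
01/16/13 03:48:20:977 -- (3840) IP Greylist - Added 62.83.170.235 to list
01/16/13 03:55:00:000 -- (3841) Detected TCP Connection: 203.0.113.7
01/16/13 03:55:00:000 -- (3841) GreyList limbo - Added 203.0.113.7
01/16/13 04:02:10:000 -- (3842) Detected TCP Connection: 203.0.113.7
01/16/13 04:02:10:000 -- (3842) GreyList cache - 203.0.113.7 removed from limbo, will add to allowed list
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d):\d{3} -- \(\d+\) (.*)$")
CONNECT_RE = re.compile(r"^Detected TCP Connection: (\S+)$")
LIMBO_ADD_RE = re.compile(r"^GreyList limbo - Added (\S+)$")
RELEASE_RE = re.compile(r"^GreyList cache - (\S+) removed from limbo")


def parse(log_text):
    """Yield (timestamp, message) for each well-formed line; milliseconds are dropped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"), m.group(2)


def limbo_releases(log_text):
    """Pair each 'removed from limbo' with the first 'limbo - Added' for that IP.
    Returns {ip: (added_at, released_at)}."""
    added, released = {}, {}
    for ts, msg in parse(log_text):
        if m := LIMBO_ADD_RE.match(msg):
            added.setdefault(m.group(1), ts)
        elif (m := RELEASE_RE.match(msg)) and m.group(1) in added:
            released[m.group(1)] = (added.pop(m.group(1)), ts)
    return released


def slow_releases(log_text, max_gap_minutes=60):
    """IPs that left limbo only after more than max_gap_minutes (assumed threshold).
    A compliant MTA usually retries within minutes; an hours-long gap is worth a look."""
    limit = timedelta(minutes=max_gap_minutes)
    return {ip: rel - add for ip, (add, rel) in limbo_releases(log_text).items()
            if rel - add > limit}


@dataclass
class Greylist:
    """Minimal greylist: first contact goes to limbo; a retry while that entry is
    still fresh is released to the allowed list. limbo_ttl is the expiry the
    second post asks for; a stale entry restarts the clock (my assumption)."""
    limbo_ttl: timedelta
    limbo: dict = field(default_factory=dict)   # ip -> time of first contact
    allowed: set = field(default_factory=set)

    def connect(self, ip, now):
        if ip in self.allowed:
            return "allowed"
        first = self.limbo.get(ip)
        if first is None or now - first > self.limbo_ttl:
            self.limbo[ip] = now
            return "greylisted"
        del self.limbo[ip]
        self.allowed.add(ip)
        return "released"


def replay(log_text, limbo_ttl_minutes):
    """Run every 'Detected TCP Connection' through a Greylist; {ip: [verdicts]}."""
    gl, verdicts = Greylist(timedelta(minutes=limbo_ttl_minutes)), {}
    for ts, msg in parse(log_text):
        if m := CONNECT_RE.match(msg):
            verdicts.setdefault(m.group(1), []).append(gl.connect(m.group(1), ts))
    return verdicts


if __name__ == "__main__":
    for ip, gap in slow_releases(SAMPLE_LOG).items():
        print(f"{ip}: released after {gap} in limbo")
    for ttl in (24 * 60, 20):
        print(f"limbo TTL {ttl} min: {replay(SAMPLE_LOG, ttl)}")
```

With a day-long limbo TTL the replay reproduces the thread's log: 62.83.170.235 is released on its second contact 4.5 hours later. With a 20-minute TTL that second contact is greylisted afresh while the seven-minute retry from 203.0.113.7 still passes. The trade-off is the one the LogSat reply raises in a different form: some legitimate MTAs back off to 30 or 60 minutes between retries, and a sender whose first retry lands after the TTL is greylisted again each time, so a short expiry should be chosen against the retry schedules actually seen in the logs. The slow_releases check is the safer first step, since it only reports on data the filter already writes.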

yapadu (Senior Member, joined 12 May 2005) posted 20 January 2013 at 2:35am:

If a server is no longer greylisted, the connection from the remote server is allowed. That does not mean the server is whitelisted; the rest of the filtering systems should still be working.


--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.