GreyListing Release

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=7049
Printed Date: 28 December 2024 at 4:58pm


Topic: GreyListing Release
Posted By: Bluefly
Subject: GreyListing Release
Date Posted: 15 January 2013 at 9:36pm
I have a new issue with emails being delivered from obviously compromised home computers (based on their DNS names) which are making it through greylisting. From what I can gather, the initial connection from the computer is correctly sent to the greylist cache. However, if another spam email is later sent from the same IP, it is released from greylist limbo and the address whitelisted. This could be hours later. The email is forwarded and, generally, picked up by the Outlook junk mail filter.

This is not the behaviour of a correctly RFC-configured mail server, but it seems to have the same effect from the point of view of the greylist filter, in that the filter seems to "think" that a server is reconnecting (I think).

Is there some way to control this or at least clear the greylist cache after, say 20 minutes of listing an IP address? I've noticed entries in the cache that are more than 7 hours old.

An example follows:

01/15/13 23:17:22:446 -- (3900) Detected TCP Connection: 62.83.170.235
01/15/13 23:17:22:446 -- (3900) Connection from: 62.83.170.235  -  Originating country : Spain
01/15/13 23:17:22:446 -- (3900) GreyList limbo - Added 62.83.170.235
01/15/13 23:17:22:446 -- (3900) IP is in not in GreyList Allowed. Disconnecting: 62.83.170.235
01/15/13 23:17:22:462 -- (3900) No Data Received
01/15/13 23:17:22:462 -- (3900) Disconnect

01/16/13 03:48:20:977 -- (3840) Detected TCP Connection: 62.83.170.235
01/16/13 03:48:20:977 -- (3840) Connection from: 62.83.170.235  -  Originating country : Spain
01/16/13 03:48:20:977 -- (3840) GreyList cache - 62.83.170.235 removed from limbo, will add to allowed list
01/16/13 03:48:20:977 -- (3840) IP Greylist - Added 62.83.170.235 to list
01/16/13 03:48:21:727 -- (3840) Received MAIL FROM: <ecizxvtrpoecb@cla.co.uk>




Replies:
Posted By: LogSat
Date Posted: 15 January 2013 at 10:59pm
If an IP was to be removed from the list of IPs that have passed the greylist test after a few hours, or even after a few days, this could result in too many emails being delayed, especially if the sender's domain does not send out many emails to your domain. This is because if, for example, a domain sends you an email once a day, and the IP for their mail server was removed from the greylist approved senders, each day the sender's mail server would send an email, the initial email would fail, and they would have to wait until the next retry to re-send it. This could delay that email 20-30 minutes each day, which could cause several complaints, especially since this scenario would repeat itself for any domain that doesn't send you multiple emails per day.

The greylist filter is designed to be a first barrier against spammer bots. If a spam bot (very inefficiently) retries sending spam to the same server, this will indeed cause it to pass the greylist filter from that point on. This is how greylist filters are designed to work. There should hopefully be other filters that will catch that spam, even though of course no antispam software is perfect and some will make it through.


-------------
Roberto Franceschetti

LogSat Software - http://www.logsat.com

Spam Filter ISP - http://www.logsat.com/sfi-spam-filter.asp


Posted By: Bluefly
Date Posted: 15 January 2013 at 11:43pm
Hi Roberto

Thanks for your reply. I may not have made my point very clear. I was not suggesting removing the IP from the list but from the cache. If a real mail server tries to send an email and finds it greylisted, it should retry within a few minutes, after which the IP will be whitelisted. It is the cache which seems to be holding IPs for hours. I can't see why this would be necessary. In my case, I believe that the compromised server is sending a DIFFERENT email some time later and, because the IP is already in greylist limbo, it is being flagged as okay and whitelisted. This then opens the door for more spam from that source. If this is the case, and I admit it may not be, then clearing the cache of a listed IP after 10 or 20 minutes would go some way to solving the problem.

Craig
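The two policies argued about above (an expiring limbo cache, as Bluefly asks for, versus an expiring allowed list, as Roberto warns against) can be replayed against the timestamps quoted in the thread. This is an added model, not the Spam Filter ISP implementation; the Greylist class, the 192.0.2.10 daily sender and the 20-minute retry interval are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%m/%d/%y %H:%M:%S"
# Constructed events modelled on the two connections quoted in the thread
# (same IP, roughly four and a half hours apart).
THREAD_EVENTS = [("01/15/13 23:17:22", "62.83.170.235"),
                 ("01/16/13 03:48:20", "62.83.170.235")]
# Constructed once-a-day legitimate sender that retries 20 minutes after a greylist reject.
DAILY_EVENTS = [("01/15/13 09:00:00", "192.0.2.10"), ("01/15/13 09:20:00", "192.0.2.10"),
                ("01/16/13 09:00:00", "192.0.2.10"), ("01/16/13 09:20:00", "192.0.2.10")]
LIMBO_20_MIN = timedelta(minutes=20)   # Bluefly's proposed cache lifetime
ALLOWED_12_H = timedelta(hours=12)     # an expiring allowed list, Roberto's concern


class Greylist:
    """Two-table greylist: 'limbo' holds IPs seen once, 'allowed' holds IPs that retried.
    limbo_ttl   - how long a limbo entry waits for a retry (None = never, as the thread describes).
    allowed_ttl - how long an allowed entry is honoured (None = never)."""

    def __init__(self, limbo_ttl=None, allowed_ttl=None):
        self.limbo_ttl, self.allowed_ttl = limbo_ttl, allowed_ttl
        self.limbo = {}    # ip -> time first seen
        self.allowed = {}  # ip -> time admitted

    def connect(self, ip, now):
        """Decide one connection: 'allowed', 'released' (limbo -> allowed) or 'greylisted'."""
        admitted = self.allowed.get(ip)
        if admitted is not None:
            if self.allowed_ttl is None or now - admitted <= self.allowed_ttl:
                return "allowed"
            del self.allowed[ip]  # allowed entry expired: the sender starts over
        first_seen = self.limbo.pop(ip, None)
        if first_seen is not None and (self.limbo_ttl is None or now - first_seen <= self.limbo_ttl):
            self.allowed[ip] = now  # a retry arrived in time: release from limbo
            return "released"
        self.limbo[ip] = now  # new sender, or a limbo entry that had already expired
        return "greylisted"


def run(events, **policy):
    """Replay (timestamp, ip) events through a fresh greylist and return the decisions."""
    gl = Greylist(**policy)
    return [gl.connect(ip, datetime.strptime(ts, FMT)) for ts, ip in events]


if __name__ == "__main__":
    print("as logged:        ", run(THREAD_EVENTS))
    print("20 min limbo TTL: ", run(THREAD_EVENTS, limbo_ttl=LIMBO_20_MIN))
    print("12 h allowed TTL: ", run(DAILY_EVENTS, allowed_ttl=ALLOWED_12_H))
```

With a 20-minute limbo TTL the second connection from 62.83.170.235 is greylisted again instead of released, while a 12-hour allowed TTL makes the daily sender's first attempt fail every day, which is the delay Roberto describes.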


Posted By: yapadu
Date Posted: 20 January 2013 at 2:35am
If a server is no longer greylisted, the connection from the remote server is allowed. That does not mean the server is whitelisted; the rest of the filtering systems should still be working.




-------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
