From: Lionel B. <lio...@bo...> - 2004-10-07 09:07:50
Andrew Boring wrote the following on 10/07/04 06:16 :

>
> On Oct 6, 2004, at 11:49 PM, Francis Vidal wrote:
>
>> From what I gather, greylisting limits the bogus SMTP servers as it
>> requires the server to resend the mail while sender verification is
>> for limiting bogus sender addresses.
>
>
> Greylisting was designed to combat "spam runs", or a quick one-time
> mass send of spam before the spammer switches to a different mail host
> for the next run. However, spammers can (and perhaps eventually will)
> retry too...so it's not a silver bullet.
>
> Your end-to-end (ie, user-to-user) mail performance will suffer, since
> some really crappy legit MTAs won't retry very quickly. When I set up
> greylisting at my last corporate gig, several of my users complained
> that "mail didn't come through immediately" like it used to, so they
> would call their contact at the other end to resend it, and several
> hours later my end users would get large qtys of duplicate emails...

First implementations did that. But now auto-whitelisting is implemented: only the very first messages between 2 individuals are delayed.

SQLgrey adds a second level auto-whitelisting to learn which domains are handled by mail servers and let them pass: when it sees several (actual number configurable) e-mail addresses from the same domain and same IP, the domain is whitelisted.

gld does have a lightgreydomain algorithm which is a dumbed down version of SQLgrey's second-level auto-whitelisting (apply greylisting on domains only, disregard user component in e-mail addresses).

>
>> The sender verification would
>> verify both SMTP server AND sender but I don't know how it will affect
>> the performance of the server.
>
>
> No, sender verification will connect to the DNS-listed MX of the
> domain part of the sender address -- which may be different from the
> "outgoing" mail server used to send from that domain[1] -- and attempt
> to verify if the sender address exists. Of course, some connecting
> MTAs don't keep a local_recipient_maps (or their MTA equivalent) on
> their MXes, so you'll get a positive sender verification every single
> time. So sender verification is also not the silver bullet.

Note to self: toy with this in SQLgrey.

I was thinking SPF support in SQLgrey could be good too, but is there a plan to add SPF support directly in Postfix?

Best regards,

Lionel.
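
Added illustration, not part of the message above and not SQLgrey's code: a minimal Python model of greylisting with the two auto-whitelisting levels the message describes. The `Greylist` class, the 300-second delay, the threshold of 3, keying level 1 on the full (IP, sender, recipient) triplet and counting only senders that already passed are all assumptions; the traffic is constructed.

```python
from collections import defaultdict

class Greylist:
    def __init__(self, min_delay=300, domain_threshold=3):
        self.min_delay = min_delay                # assumed: seconds before a retry is accepted
        self.domain_threshold = domain_threshold  # assumed value for the configurable count
        self.pending = {}               # triplet -> time first seen
        self.pair_awl = set()           # level 1: triplets that already passed once
        self.domain_awl = set()         # level 2: (ip, domain) learned as a real mail server
        self.passed = defaultdict(set)  # (ip, domain) -> distinct senders that passed

    def check(self, ip, sender, rcpt, now):
        sender, rcpt = sender.lower(), rcpt.lower()
        domain = sender.rpartition("@")[2]
        triplet = (ip, sender, rcpt)
        # Level 2 is keyed on IP *and* domain: the same domain claimed
        # from another IP gets no benefit and is greylisted as usual.
        if (ip, domain) in self.domain_awl:
            return "pass:domain-awl"
        if triplet in self.pair_awl:
            return "pass:pair-awl"
        first_seen = self.pending.setdefault(triplet, now)
        if now - first_seen < self.min_delay:
            return "defer"  # temporary failure; a real MTA queues and retries
        # The retry arrived after the delay: learn from it.
        del self.pending[triplet]
        self.pair_awl.add(triplet)
        self.passed[(ip, domain)].add(sender)
        if len(self.passed[(ip, domain)]) >= self.domain_threshold:
            self.domain_awl.add((ip, domain))
        return "pass:retry"

def run_demo():
    # Constructed traffic using documentation address ranges and example domains.
    g, mx, other = Greylist(), "192.0.2.10", "198.51.100.7"
    bob, zoe = "bob@example.net", "zoe@example.net"
    out = [g.check(mx, "alice@example.org", bob, 0),     # first contact
           g.check(mx, "alice@example.org", bob, 400),   # retry after delay
           g.check(mx, "alice@example.org", bob, 500),   # same pair again
           g.check(mx, "alice@example.org", zoe, 500)]   # new recipient
    for user, t in (("carol", 600), ("dave", 1100)):
        out.append(g.check(mx, f"{user}@example.org", bob, t))
        out.append(g.check(mx, f"{user}@example.org", bob, t + 400))
    out.append(g.check(mx, "erin@example.org", zoe, 1600))     # domain learned
    out.append(g.check(other, "erin@example.org", zoe, 1600))  # other IP
    return out

if __name__ == "__main__":
    print(run_demo())
```
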