Andrew Boring wrote the following on 10/07/04 06:16 :
>
> On Oct 6, 2004, at 11:49 PM, Francis Vidal wrote:
>
>> From what I gather, greylisting limits the bogus SMTP servers as it
>> requires the server to resend the mail while sender verification is
>> for limiting bogus sender addresses.
>
>
> Greylisting was designed to combat "spam runs", or a quick one-time
> mass send of spam before the spammer switches to a different mail host
> for the next run. However, spammers can (and perhaps eventually will)
> retry too...so it's not a silver bullet.
>
> Your end-to-end (ie, user-to-user) mail performance will suffer, since
> some really crappy legit MTAs won't retry very quickly. When I set up
> greylisting at my last corporate gig, several of my users complained
> that "mail didn't come through immediately" like it used to, so they
> would call their contact at the other end to resend it, and several
> hours later my end users would get large qtys of duplicate emails...
First implementations did that. But now auto-whitelisting is implemented:
only the very first messages between 2 individuals are delayed.
SQLgrey adds a second-level auto-whitelisting to learn which domains are
handled by mail servers and let them pass: when it sees several (actual
number configurable) e-mail addresses from the same domain and same IP,
the domain is whitelisted. gld does have a lightgreydomain algorithm
which is a dumbed-down version of SQLgrey's second-level
auto-whitelisting (apply greylisting on domains only, disregard user
component in e-mail addresses).
>
>> The sender verification would
>> verify both SMTP server AND sender but I don't know how it will affect
>> the performance of the server.
>
>
> No, sender verification will connect to the DNS-listed MX of the
> domain part of the sender address -- which may be different from the
> "outgoing" mail server used to send from that domain[1] -- and attempt
> to verify if the sender address exists. Of course, some connecting
> MTAs don't keep a local_recipient_maps (or their MTA equivalent) on
> their MXes, so you'll get a positive sender verification every single
> time. So sender verification is also not the silver bullet.
Note to self: toy with this in SQLgrey. I was thinking that SPF
support in SQLgrey could be good too, but is there a plan to add SPF
support directly in Postfix?
Best regards,
Lionel.
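
The two auto-whitelisting levels described in the reply above, as an added Python model that is not part of the original message and is not SQLgrey's or gld's code. The class, the delay and threshold values, and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

RETRY_DELAY = 300      # assumed: seconds before a retry of a new triplet is accepted
DOMAIN_THRESHOLD = 3   # assumed: distinct senders per (domain, IP) before the domain passes

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)       # (ip, sender, rcpt) -> first-seen time
    pair_awl: set = field(default_factory=set)        # first level: known sender/recipient pairs
    senders_seen: dict = field(default_factory=dict)  # (domain, ip) -> senders that passed
    domain_awl: set = field(default_factory=set)      # second level: (domain, ip)

    def check(self, ip, sender, rcpt, now):
        """Return 'accept' or 'defer' (a 4xx temporary failure) for one RCPT attempt."""
        sender, rcpt = sender.lower(), rcpt.lower()
        _, at, domain = sender.rpartition("@")
        site = (domain, ip) if at and domain else None   # null sender "<>" has no domain
        key = (ip, sender, rcpt)
        if site in self.domain_awl or key in self.pair_awl:
            return "accept"
        first_seen = self.pending.setdefault(key, now)
        if now - first_seen < RETRY_DELAY:
            return "defer"            # first attempt, or a retry that came too soon
        # A retry after the delay: the client behaves like a real MTA.
        del self.pending[key]
        self.pair_awl.add(key)
        if site is not None:
            seen = self.senders_seen.setdefault(site, set())
            seen.add(sender)
            if len(seen) >= DOMAIN_THRESHOLD:
                self.domain_awl.add(site)   # later senders from this domain+IP skip the delay
        return "accept"

def demo():
    """Constructed traffic: three users at example.org retry, a fourth is never delayed."""
    gl, ip, out = Greylist(), "192.0.2.10", []
    for n, user in enumerate(["ann", "ben", "cat"]):
        t = n * 1000
        out.append(gl.check(ip, f"{user}@example.org", "bob@example.net", t))
        out.append(gl.check(ip, f"{user}@example.org", "bob@example.net", t + 400))
    out.append(gl.check(ip, "dan@example.org", "eve@example.net", 5000))
    return out

if __name__ == "__main__":
    print(demo())
```

Keying the second level on the domain and the client IP together means a new address from the same domain arriving from a different IP is still greylisted.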