postfix-users: selective greylisting with a long delay

selective greylisting with a long delay

From: pf at <pf_at_nospam>
Date: Mon Apr 11 2011 - 03:33:22 GMT
Has anyone implemented or experimented with selectively greylisting specific networks, with a long delay? Let's say 4
If so, what are your results?

1. Greylisting seems to have lost much of its value, and I stopped using it about a year ago.
2. By using and monitoring the logs for hits against the fresh15 list and scrutinizing .info domains, I have identified
and blocked several dozen networks that seem to cater to snowshoe type spammers. This has worked out very well. I block
all mail from their networks, and I get zero complaints (so far) of false positives. So I'm confident that the networks
and ISPs I have blocked are black hat networks and ISPs.

But there are a few edge cases that I'm not comfortable with blocking. These are usually large and established ISPs (two
of which recently merged) that seem to have the same practices as the bad guys. But they host legit sites too. Even if
99% of the email from these networks is spam, I can't block that other 1%. All I can do is try my best to filter out the
99% of bad mail.

While monitoring my logs and watching these spammers move to the next IP every couple of hours, I notice that their
sending IP usually gets listed in at least one RBL within about three hours of their first appearance in my logs. But by
that time, they have usually moved to the next IP.

My thought on auto-combating this is to use a CIDR list to kick these networks (and only these networks) over to a
greylist policy that delays these emails for 4+ hours. By then, most of the bad IPs would be listed in one or more RBLs
and be blocked.

So, has anyone else already done something like this?
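One way to wire this up in Postfix, added here as an illustration rather than anything from the post: a CIDR access table hands only the listed networks to a restriction class that calls a second postgrey instance started with a 4-hour delay, while the RBL check still runs on every delivery attempt. The network ranges, socket path, database path and DNSBL name are assumptions.

```conf
# /etc/postfix/main.cf (added example, not from the post)
#
# Clients matching the CIDR table are routed to the slow_greylist class;
# all other clients skip it. reject_rbl_client sits before the access
# check so an IP that gets listed during the 4-hour delay is rejected
# outright when the sender retries.
smtpd_restriction_classes = slow_greylist
slow_greylist = check_policy_service unix:postgrey-slow.sock

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org,
    check_client_access cidr:/etc/postfix/snowshoe.cidr,
    permit

# /etc/postfix/snowshoe.cidr -- networks identified from the logs.
# cidr: tables are read directly; no postmap step is needed.
# The ranges below are documentation prefixes used as placeholders.
192.0.2.0/24        slow_greylist
198.51.100.0/24     slow_greylist
203.0.113.0/24      slow_greylist

# Second postgrey daemon, separate from any default 300-second instance.
# --delay is in seconds (14400 = 4 hours); its own socket and database
# keep the long-delay state apart from the normal greylist.
# Start it from the init system, not from master.cf:
#   postgrey --unix=/var/spool/postfix/postgrey-slow.sock \
#            --dbpath=/var/lib/postgrey-slow --delay=14400
```

Watch the postgrey log for the listed networks after enabling this: a legitimate sender whose MTA gives up before the 4-hour window closes will show up as a triplet that never gets its retry, which is the false-positive case to tune the delay against.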