Hello all,
Sorry if this has already been discussed on the list. I am using a simple
trick (which I call "Hostname-based Selective Greylisting", or
"hbs-greylisting" for short) which is popular in Japan. But AFAICS
there are no English articles or web pages mentioning this technique.
It's easy, and I believe it's useful. So here goes.
--------
In a normal installation, you check all incoming connections through
postgrey, like:
smtpd_recipient_restrictions =
    permit_mynetworks
    ...
    reject_unauth_destination
    check_policy_service inet:127.0.0.1:10023
This is what is described in the Postgrey documentation. But this way, you
have to be careful to keep the whitelist up-to-date so that your server
won't reject or put unnecessary delay on messages from legitimate
clients. Also, your database may contain many legitimate clients'
addresses.
Since most UCE/UBE messages that are blocked by postgrey come from
unresolvable or dynamically-assigned addresses, you can check only
those suspicious clients with postgrey and let others pass unchecked, by
configuring postfix as follows:
---- main.cf ----
smtpd_restriction_classes =
    check_greylist
check_greylist = check_policy_service inet:127.0.0.1:10023
smtpd_recipient_restrictions =
    permit_mynetworks
    ...
    reject_unauth_destination
    check_client_access regexp:/etc/postfix/check_client_fqdn
---- check_client_fqdn ----
/^unknown$/                                     check_greylist
/^[^\.]*[0-9][^0-9\.]+[0-9]/                    check_greylist
/^[^\.]*[0-9]{5}/                               check_greylist
/^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]/    check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]/               check_greylist
/^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\./       check_greylist
/^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]/            check_greylist
----
This technique was proposed by SATOH Kiyoshi
(http://k2net.hakuba.jp/rgrey/, in Japanese), and is gaining popularity
among mail administrators in Japan. I call this "Hostname-based
Selective Greylisting" ("hbs-greylisting" for short). (*)
(*) Mr. Satoh calls his technique "S25R + Greylisting". S25R
    (Selective SMTP Rejection) is a technique that unconditionally
    rejects those hosts that match the regexps unless whitelisted.
    (http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html)
    Satoh's technique is a safer alternative that combines S25R and
    greylisting. I thought the name "Selective Greylisting" would be
    more appropriate but this is already used by Christian Mock to mean
    yet another technique (http://www.tahina.priv.at/~cm/spam/). Hence
    I coined the name "Hostname-based Selective Greylisting".
The effect of greylisting is slightly impaired with hbs-greylisting
because UCE/UBEs from hosts that do not match the regexps are no
longer blocked. But there are many benefits:
* Safer - The risk of rejecting legitimate clients becomes lower.
* Easier - The conservative nature of the technique makes maintenance
  of the whitelist rarely needed.
* Still effective - Almost all UCE/UBEs that are blocked by normal
  greylisting are also blocked by hbs-greylisting. (According to
  http://www.gabacho-net.jp/en/anti-spam/anti-spam-system.html,
  98% of UCE/UBE-sending hosts match the regexps above.)
* Requires less space - The Postgrey database now contains fewer entries.
Now, what do you think? Comments are welcome.
--
Best Regards,
MAEDA Atusi
--
Unsubscribe mailto:postgrey-request@list.ee.ethz.ch?subject=unsubscribe
Archive http://lists.ee.ethz.ch/postgrey
WebAdmin http://lists.ee.ethz.ch/lsg2.cgi
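
Added example (not part of the original post): a Python audit that runs the seven check_client_fqdn patterns over client hostnames, for instance names taken from your own mail log, and reports which ones would be handed to postgrey and by which rule, so you can look for legitimate senders before deploying the table. The hostnames are constructed samples, and the code assumes Python's re module agrees with the regex engine behind Postfix's regexp: tables for these patterns.

```python
import re

# The seven patterns from check_client_fqdn above, in file order.
# Postfix regexp: tables match case-insensitively by default, hence re.I.
# Assumption: Python's re and Postfix's regex engine agree on these
# patterns for hostname input (client names contain no backslashes).
RULES = [re.compile(p, re.I) for p in (
    r"^unknown$",
    r"^[^\.]*[0-9][^0-9\.]+[0-9]",
    r"^[^\.]*[0-9]{5}",
    r"^([^\.]+\.)?[0-9][^\.]*\.[^\.]+\..+\.[a-z]",
    r"^[^\.]*[0-9]\.[^\.]*[0-9]-[0-9]",
    r"^[^\.]*[0-9]\.[^\.]*[0-9]\.[^\.]+\..+\.",
    r"^(dhcp|dialup|ppp|adsl)[^\.]*[0-9]",
)]

def matching_rule(client_name):
    """Return the 1-based number of the first matching rule, or None.

    Postfix stops at the first matching table line, so this is the entry
    that would send the client to check_greylist.
    """
    for number, rule in enumerate(RULES, start=1):
        if rule.search(client_name):
            return number
    return None

def audit(client_names):
    """Split names into ({name: rule} sent to postgrey, [names] passed)."""
    greylisted, passed = {}, []
    for name in client_names:
        rule = matching_rule(name)
        if rule is None:
            passed.append(name)
        else:
            greylisted[name] = rule
    return greylisted, passed

# Constructed sample client names: one per rule, then two ordinary
# mail-server names that should bypass postgrey entirely.
SAMPLE = [
    "unknown", "pc-203-0-113-7.dyn.example.net", "host12345.example.org",
    "gw.7net.isp.example.net", "c5.net203-0.example.net",
    "u12.tokyo3.bb.example.ne.jp", "dialup7.example.net",
    "mail.example.com", "mx1.example.com",
]

if __name__ == "__main__":
    greylisted, passed = audit(SAMPLE)
    for name, rule in greylisted.items():
        print(f"greylist (rule {rule}): {name}")
    for name in passed:
        print(f"pass unchecked: {name}")
```

Any name under "pass unchecked" reaches the rest of your restrictions without a greylisting delay; a legitimate sender that shows up under "greylist" is a whitelist candidate.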