ietf-asrg

[Asrg] greylisting with whitelist of good mailservers

2006-01-29 02:18:47

I've been experimenting with a technique that involves a combination of
a mail server IP address whitelist with greylisting. The idea is by
default to greylist, but once good email is received, the IP address
of the mail system is added to a special whitelist (I also record the name
reported in EHLO but do not use it right now) and afterward greylisting
is no longer done and email is processed immediately. Note that messages
from both whitelisted and non-whitelisted mailservers still go through
my normal spamfilters, so this is purely a greylisting-related whitelist.

This technique appears to be extremely useful against viruses and
zombies (4 hour greylisting is used which is fairly long, shorter
periods may not be as effective), while still allowing mail from all
common sources to be received immediately.

One of the problems is however determining what is good email. Right
now I'm doing it more or less manually, which makes it more difficult
and slow to build a list of good mail servers. I'm wondering if there
are any good automated methods people use when they need to separate
"absolutely non-spam"?

What I'm thinking however is that for this technique (since
spam-filtering is still being done) it should be ok to just take email if
the SpamAssassin score is low (say < 1.0). I'm concerned however that
this could open a door for spammers to test how "good" my system
thinks their email is and adjust the content. Am I being too
paranoid?

Anyway comments on the technique and on questions are welcome.

---
William Leibzon
  mailto: william(_at_)completewhois(_dot_)com
Anti-Spam and Email Security Research Worksite:
  http://www.elan.net/~william/emailsecurity/
Whois & DNS Network Investigation Tools:
  http://www.completewhois.com

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
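
The scheme described in the message above, as an added Python example that is not part of the original post: greylist by default, skip greylisting for whitelisted server IPs, and whitelist an IP once its mail scores below the threshold. The 4-hour delay and the < 1.0 score come from the message; the class and function names, the (IP, sender, recipient) greylist key and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 4 * 3600    # the message's 4-hour greylisting period, in seconds
WHITELIST_MAX_SCORE = 1.0    # the message's proposed SpamAssassin threshold


@dataclass
class Greylister:
    delay: int = GREYLIST_DELAY
    max_score: float = WHITELIST_MAX_SCORE
    first_seen: dict = field(default_factory=dict)  # (ip, sender, rcpt) -> first attempt time
    whitelist: dict = field(default_factory=dict)   # ip -> EHLO name (recorded, not matched on)

    def rcpt_decision(self, ip, sender, rcpt, now):
        """Return 'accept' or 'tempfail' (an SMTP 4xx reply) for one delivery attempt."""
        if ip in self.whitelist:
            return "accept"              # known-good server: no greylisting delay
        key = (ip, sender.lower(), rcpt.lower())
        seen = self.first_seen.setdefault(key, now)
        if now - seen >= self.delay:
            return "accept"              # sender retried after the delay
        return "tempfail"

    def after_filtering(self, ip, ehlo, score):
        """Call after the normal spam filters scored an accepted message.

        Whitelisting only removes the greylisting step; every message,
        whitelisted or not, is still scored by the filters.
        """
        if score < self.max_score and ip not in self.whitelist:
            self.whitelist[ip] = ehlo
            return True
        return False


def demo():
    g = Greylister()
    t0 = 1_138_500_000                           # constructed timestamp
    ip, ehlo = "192.0.2.25", "mx.example.org"    # constructed sample server
    me = "me@example.net"
    log = [g.rcpt_decision(ip, "a@example.org", me, t0),              # first attempt
           g.rcpt_decision(ip, "a@example.org", me, t0 + 600),        # retry too early
           g.rcpt_decision(ip, "a@example.org", me, t0 + 4 * 3600)]   # retry after delay
    g.after_filtering(ip, ehlo, score=0.3)       # low score: server IP is whitelisted
    log.append(g.rcpt_decision(ip, "b@example.org", me, t0 + 4 * 3600 + 1))
    log.append(g.rcpt_decision("198.51.100.7", "x@example.com", me, t0))  # unknown host
    return log


if __name__ == "__main__":
    print(demo())
```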
