Greylisting - Use The IPs in a blacklist


Do you think this feature would be useful or effective?

Yes: 7 (70%)
No: 3 (30%)

Total votes: 10

tocpcs
New user
Posts: 12
Joined: 2008-02-26 13:58

Greylisting - Use The IPs in a blacklist

Post by tocpcs » 2008-09-12 16:41

The pattern for greylisting from my point appears:
1. They try multiple times to send the message.
2. They use different 'From' email addresses.
3. They are trying to send to the same recipient.

I'm thinking we can put this sort of activity on hold or make it less effective for spammers by implementing a blacklist.

If an IP is sending email (And creating greylist entries) at X limit over Y time, then the server should be blocked from any connection attempts for Z period.

Example:
Server 1.2.3.4 connects, tries to send email 'From joe@domain1.com' - 'To sales@mydomain.com', gets a 451, quits.
Server 1.2.3.4 connects (seconds to minutes later), tries to send email 'From jan@domain2.com' - 'To sales@mydomain.com', gets a 451, quits.

They do this a few times.

This activity is spam bot activity, and I think it's best that it gets a plug put on it.

I've thought about this. I can't see any genuine reason where a single mailserver would report it's got mail from a different email address, and sending to the same person it did 'just moments ago'.
Of course, a separate whitelist can be maintained where appropriate.

From there, it's just a matter of simply 'Sorry, you appear to have spam related activity', and disconnect.

The advantages are also possibly hidden:
If the spambot is poorly coded, it may break at finding this behaviour (because it won't be expecting the server to answer one time, and the next just simply hang up on connect), slowing the activity (possibly).
Otherwise, it'll just make it a less effective method of distributing spam.

The blacklist should be visible in the administrator, we should see what IPs are on it, and when they were added, and when they are due for removal, and of course, whitelisting to those 'trusted' servers (servers that hMail is sending mail to for example).

I can't see many valid reasons a real mailserver would exhibit such activity (with exception to perhaps a busy single ISP mailserver and many users on that server sending email to that ONE email address at the same time, but that's gotta be rare as opposed to spam bot attempts, and whitelisting will allow those connections).

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Re: Greylisting - Use The IPs in a blacklist

Post by ^DooM^ » 2008-09-12 21:42

I like the idea, but I would not like the server to just ignore connections, especially if the blacklisting is automatic. It needs to at least respond with a 5XX code so any possible legit mail servers that may get banned will be able to see why they are not connecting and contact you via other means.
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

tocpcs
New user
Posts: 12
Joined: 2008-02-26 13:58

Re: Greylisting - Use The IPs in a blacklist

Post by tocpcs » 2008-09-13 01:47

Of course:
On connect, 5XX - You're temporarily blacklisted due to possible spam activity. Disconnect.
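
Added example, not part of the original posts and not hMailServer code: the X/Y/Z rule from the first post, combined with the 5XX-on-connect reply suggested above, written in Python. The class name, method names, thresholds and the 554 reply text are assumptions; it counts distinct senders per recipient, so a normal retry of one greylisted message does not move an IP toward the blacklist.

```python
import time
from collections import defaultdict, deque

class GreylistAbuseTracker:
    """Temporarily blacklists an IP that creates greylist entries too quickly."""

    def __init__(self, limit=3, window=300, block_for=3600, whitelist=()):
        self.limit = limit            # X: distinct senders deferred for one recipient
        self.window = window          # Y: look-back period in seconds
        self.block_for = block_for    # Z: blacklist duration in seconds
        self.whitelist = set(whitelist)
        self.deferrals = defaultdict(deque)  # (ip, rcpt) -> deque of (time, sender)
        self.blocked = {}                    # ip -> (added, due_for_removal)

    def on_connect(self, ip, now=None):
        """Return an SMTP reply that refuses the session, or None to continue."""
        now = time.time() if now is None else now
        entry = self.blocked.get(ip)
        if entry and now < entry[1]:
            # Assumed wording; 554 is the code RFC 5321 allows in place of the 220 greeting.
            return "554 Temporarily blacklisted due to possible spam activity"
        self.blocked.pop(ip, None)    # entry expired: remove it from the list
        return None

    def on_greylist_deferral(self, ip, sender, rcpt, now=None):
        """Record one 451 deferral; return True if it put the IP on the blacklist."""
        now = time.time() if now is None else now
        if ip in self.whitelist:
            return False
        events = self.deferrals[(ip, rcpt.lower())]
        events.append((now, sender.lower()))
        while events and events[0][0] <= now - self.window:
            events.popleft()          # drop deferrals older than the window
        if len({s for _, s in events}) >= self.limit:
            self.blocked[ip] = (now, now + self.block_for)
            events.clear()
            return True
        return False

    def listing(self):
        """Rows for an admin view: (ip, added, due_for_removal)."""
        return sorted((ip, a, e) for ip, (a, e) in self.blocked.items())
```
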

Shiloh
Normal user
Posts: 163
Joined: 2006-04-14 00:00

Re: Greylisting - Use The IPs in a blacklist

Post by Shiloh » 2008-09-19 08:54

A lot of legitimate email servers will immediately try to send new email to a remote domain even if other email is already queued for that domain. It does not automatically indicate a spam bot. Just outright blocking those sending attempts will ensure that some legitimate email gets lost.

westdam
Senior user
Posts: 728
Joined: 2006-08-01 21:24
Location: Padova, Italy

Re: Greylisting - Use The IPs in a blacklist

Post by westdam » 2008-09-26 09:21

No, this could be a loss email feature.
I disagree.
