The Community Forums


"Grey Listing" the other method to avoid spam mail

Discussion in 'E-mail Discussions' started by taotoon, Jun 26, 2005.

  1. taotoon

    taotoon Well-Known Member

    Joined:
    Nov 14, 2004
    Messages:
    135
    Likes Received:
    0
    Trophy Points:
    16
  2. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    It is indeed a very interesting concept; however, cPanel uses Exim and NOT Sendmail.

    Some alternatives are listed in the sites link section however:
    http://projects.puremagic.com/greylisting/links.html

    It should also be noted that this is in no way "the other method" in that it replaces other spam prevention techniques; it's merely a very useful aid if used wisely.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I'd like to add that I really dislike the concept of greylisting. Unless you know exactly what you are doing and the pitfalls involved you shouldn't go near it. I've seen it used on large ISPs where it does not work correctly.

    I also hate the concept of rejecting email when it is perfectly deliverable. If you say you cannot accept an email for delivery then there's no compunction on the sender to try again. It's a horrible method of spam prevention, IMHO, compared to the wealth of other methods available.
     
  4. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Are you sure there's no compulsion to retry the delivery? I thought it was mandated on the sender but I'm a bit rusty on the RFCs.
     
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I checked the RFCs some time back and IIRC they said that an email should be retried, not must. Which in RFC speak means it isn't mandatory for it to happen. I could be remembering incorrectly, though ;)
     
  6. budway

    budway Well-Known Member

    Joined:
    Apr 16, 2003
    Messages:
    186
    Likes Received:
    0
    Trophy Points:
    16
    I don't know what is worse....

    Having to filter/delete all spam

    or

    DELAY e-mail because of spammers (not to mention that this would have a large impact on CPU usage for all server admins)

    Wanna solve spam? Get rid of free email.
     
  7. jatos

    jatos Member

    Joined:
    Jan 17, 2006
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    My personal way of getting rid of spam is forwarding all email to my Gmail account as Gmail does a REALLY good job of filtering spam.
     
  8. mrcpu

    mrcpu Member

    Joined:
    Feb 7, 2005
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    The whole point of greylisting is that it returns a temporary error, with the implication that the sending system should try again.

    If an SMTP sender only takes one shot to deliver mail, I wouldn't think too much of that mail system, I mean, network outage, oops, mail bounced. Routing problem? Oops, mail bounced. Over quota? Mail bounced. Seems pretty lame on the face of it.

    Within broad limits, the largest group of people that doesn't queue mail is the spammers. Not that there aren't others, but as a percentage, it's gotta be huge, compared to the rest.

    The other thing that people are forgetting is that the "delay" only happens for the first sender/IP combination. There's some futzing around that has to be done to handle some sites that may deliver from a variety of IPs, but most of that is handled in the software itself. So the initial mail message is delayed, but with the proper implementation, only that first one.

    And of course, auth'd senders bypass the greylisting completely.

    I believe yahoo uses greylisting rather extensively.

    Some more research may be in order.
     
  9. webignition

    webignition Well-Known Member

    Joined:
    Jan 22, 2005
    Messages:
    1,880
    Likes Received:
    0
    Trophy Points:
    36
    I'm still at a bit of a loss to understand how greylisting is of any benefit.

    Imagine the situation if I try to send an email to somewhere that uses greylisting:

    1) I send an email from my machine through my server
    2) My server tries to send it on to the recipient's MTA, where it is temporarily rejected
    3) My server processes the mail queue some time later and the mail goes through fine

    The only 'benefit' of this is that it has taken my email about an hour longer to get to the recipient than it otherwise would have done. This doesn't really help!

    Now, imagine the situation of a compromised account on my server with some script sending out spam to somewhere that uses greylisting:

    1) Spammer has spam sent through automated script on my server
    2) My server tries to send it on to the recipient's MTA, where it is temporarily rejected
    3) My server processes the mail queue some time later and the mail goes through fine

    So, not much use there. The spam is still sent with a bit of a delay.

    Lastly, imagine the situation of a compromised PC, infected with a virus or similar, trying to send mail directly from its own malicious MTA:

    1) Infected PC tries to send mail to recipient's MTA
    2) Recipient's MTA temporarily rejects mail
    3) Infected PC probably doesn't queue mail and so it never gets resent

    This seems to be the only situation where greylisting has any effect. And that's only if the malicious MTA doesn't queue mail. The solution? Malicious MTAs are changed so that they queue mail - would that not then bypass greylisting? Maybe.

    Greylisting only seems to be of some use in dealing with spam sent from compromised personal machines where the malicious MTA doesn't queue mail.

    However it is already perfectly possible to reject mail from compromised personal machines through careful HELO/EHLO checks, therefore making greylisting redundant.

    Is, then, there any point to greylisting?
     
  10. nxds

    nxds Well-Known Member

    Joined:
    Jan 6, 2006
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    Yes, but only the first few messages will be delayed. Once your server has retried, the greylisting server will whitelist your server's IP address and further mail will be accepted immediately.

    Many of these scripts bypass your server's MTA and send mail out by directly communicating with remote servers on port 25. They generally don't retry so they won't get whitelisted of themselves, but if your MTA has been whitelisted then the spam will be allowed in. The thing to do here is prevent non-MTA mail leaving your server by permitting outbound SMTP to only the exim process owner and root. I found one of these scripts and they are nasty pieces of work!

    But you're right, a compromised script sending out via your MTA will get past greylisting if your MTA has already been whitelisted.

    Greylisting is only one weapon in the armoury and it is of limited use in many scenarios.
     
  11. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    As nxds says, it's one option. But, IMO, not a very good one. I don't like the concept of giving a false error, and I especially don't like the idea of my MTA having to do twice the work, therefore twice the resources, in trying to deliver an email to a server using greylisting.

    If you do use greylisting, you will almost definitely lose valid email.
     
  12. mydomain

    mydomain Well-Known Member

    Joined:
    Aug 10, 2003
    Messages:
    138
    Likes Received:
    0
    Trophy Points:
    16
    Would you be kind enough to clarify how to set an outbound SMTP restriction to the exim PID owner and root? We currently have a spammer bypassing exim, confirmed with chirpy's LFD script which clearly indicates the outbound SMTP connections, yet to find the script being exploited or how they are doing this.... :(
     
  13. nxds

    nxds Well-Known Member

    Joined:
    Jan 6, 2006
    Messages:
    53
    Likes Received:
    0
    Trophy Points:
    6
    Install APF and use a rule like:

    # UID-Match egress (outbound) TCP ports
    EG_TCP_UID="0:25,47:25"

    which means only root (uid 0) and mailnull (uid 47) can send outbound to port 25 (smtp).
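The UID-based egress rule above is the fix; the question mydomain asked is how to find the process that is bypassing Exim in the first place. The following is an added example (not code from the thread or from APF): it flags outbound port-25 connections owned by any UID other than root (0) and mailnull (47, the cPanel Exim user named in the rule above) from `ss -tnpe`-style output, and generates the raw iptables owner-match rules that the APF `EG_TCP_UID` line amounts to. The `ss` lines, process names and UIDs in the sample are constructed for the example.

```python
"""Spot and block direct-to-MX connections that bypass the MTA (added example)."""
import re

ALLOWED_SMTP_UIDS = {0, 47}   # root and mailnull on cPanel; adjust to your MTA user

# Constructed lines in the shape of `ss -tnpe` output (header row omitted).
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 10.0.0.5:43112 198.51.100.20:25 users:(("exim",pid=2201,fd=6)) uid:47 ino:31000 sk:1 <->
ESTAB 0 0 10.0.0.5:43118 203.0.113.9:25 users:(("perl",pid=5419,fd=3)) uid:1003 ino:31044 sk:2 <->
ESTAB 0 0 10.0.0.5:43120 203.0.113.10:25 users:(("php",pid=5420,fd=4)) uid:1003 ino:31045 sk:3 <->
ESTAB 0 0 10.0.0.5:51002 192.0.2.44:443 users:(("php",pid=5420,fd=5)) uid:1003 ino:31046 sk:4 <->
ESTAB 0 0 10.0.0.5:43130 198.51.100.21:25 users:(("exim",pid=2202,fd=6)) uid:47 ino:31050 sk:5 <->
"""

# state recv-q send-q local peer:port users:(("proc",pid=N,fd=N)) uid:N ...
LINE_RE = re.compile(
    r'^\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+):(?P<dport>\d+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)\s+uid:(?P<uid>\d+)'
)


def find_rogue_smtp(ss_output, allowed=ALLOWED_SMTP_UIDS, port=25):
    """Return (process, pid, uid, peer) for connections to `port` whose owning
    uid is not in `allowed`. Those are the processes talking to remote MXs
    directly instead of handing mail to Exim."""
    rogue = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        uid = int(m["uid"])
        if uid not in allowed:
            rogue.append((m["proc"], int(m["pid"]), uid, m["peer"]))
    return rogue


def smtp_egress_rules(allowed=ALLOWED_SMTP_UIDS, port=25):
    """iptables equivalent of APF's EG_TCP_UID="0:25,47:25": allow the listed
    uids out to port 25, log and reset everything else. Returned as strings,
    not applied. Add 465/587 the same way if local code submits on those."""
    rules = [
        f"iptables -A OUTPUT -p tcp --dport {port} -m owner --uid-owner {uid} -j ACCEPT"
        for uid in sorted(allowed)
    ]
    # Log before rejecting so the offending uid/process shows up in syslog.
    rules.append(f"iptables -A OUTPUT -p tcp --dport {port} -j LOG --log-prefix 'SMTP-EGRESS-DENY: '")
    rules.append(f"iptables -A OUTPUT -p tcp --dport {port} -j REJECT --reject-with tcp-reset")
    return rules


if __name__ == "__main__":
    for proc, pid, uid, peer in find_rogue_smtp(SAMPLE_SS_OUTPUT):
        print(f"rogue SMTP: {proc}[{pid}] uid={uid} -> {peer}:25")
    print("\n".join(smtp_egress_rules()))
```

On a live box you would feed it `ss -tnpe` (or `lsof -i tcp:25 -n`) output instead of the constructed sample; the flagged pid and uid point straight at the account and script to look at.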
     
  14. rossh_cp

    rossh_cp Member

    Joined:
    May 31, 2005
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Grey listing... seems to be easily defeated by spammers... All they need to do is repeat the spam run 15 minutes later.

    Hence grey listers get one mail, and everyone else gets 2.

    Grey listing just forces spammers to increase in the volume of spam sent. Really dumb idea.

    Regards rossh.
     
  15. jwiens

    jwiens Member

    Joined:
    Mar 8, 2004
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    1
    I was initially skeptical myself, and I agree the idea of "lying" about a temporary error doesn't sit well with me. However, the university where I work is currently testing it, and I have to say I'm absolutely stunned at how effective it is in cutting down spam.

    While researching the topic, I've found some other interesting points as well -- even if the spammers come back later, greylisting can STILL be useful. Why? Because you've delayed the spammer somewhat from your machine, and therefore increased the odds that an RBL somewhere else will trip on that message so when the spammer comes back the second time he's more likely to be rejected.

    Also, greylisting doesn't double the server load. You don't actually wait for the DATA portion of the SMTP transaction during greylisting -- it's based on the RCPT TO:, MAIL FROM:, and source IP address. So really there's not ~that~ much overhead in making legitimate email go through twice the first time. I actually expect an overall significant ~decrease~ of bandwidth and processing for recipient mail servers due to not having to process the message bodies of a large percentage of spam, and for the outgoing process, again, it's only the first time that to/from/ip tuple shows up that it's delayed, and the delayed transaction was only a bare minimum transaction, so you don't come anywhere close to doubling the work.

    Possibly, but given that I've accidentally deleted messages just trying to clear out gobs of spam, I'm also losing valid email drowning in a flood of spam. :)

    Of course, I just paid for your expert services earlier today, Chirpy and am looking forward to Mailscanner on my cPanel box, so maybe that'll take care of spam so much I won't even feel grey-listing is worth it. ;)
     
  16. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    For a while now I've been wondering whether it wouldn't make more sense to greylist against the ip rather than the to/from/ip tuple. The point being that this would still eliminate 90% of spam, but would make it less likely mail from known valid recipients would be delayed. Most spam is going to come direct from a spammer IP. Also, managing the data becomes a lot less complex, you don't need a database to manage a list of IPs.

    Interested in others' opinions and experience...
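To make the mechanism argued over in this thread concrete, here is an added example (not code from the thread or from any of the greylisting packages linked above). It implements the triplet scheme mrcpu and jwiens describe (client IP, MAIL FROM, RCPT TO recorded on first sight and answered with a 4xx at RCPT time, before DATA; a retry after a minimum delay is accepted and the client IP is then whitelisted, as nxds says), runs webignition's three scenarios plus rossh_cp's "re-run the list 15 minutes later" through it, and also offers brianoz's variant of keying on the client IP alone. The delays, the /24 aggregation of the client IP and all sample traffic are this example's own choices.

```python
"""Greylisting policy decision for an SMTP receiver (added example)."""
import ipaddress
from dataclasses import dataclass, field

DEFER = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "OK")


@dataclass
class Greylist:
    min_delay: int = 300          # seconds a client must wait before a retry counts
    max_age: int = 4 * 3600       # a triplet that is never retried is forgotten
    by_ip_only: bool = False      # brianoz's variant: key on the client IP alone
    seen: dict = field(default_factory=dict)       # key -> time first seen
    whitelist: dict = field(default_factory=dict)  # client IP -> time whitelisted

    def _key(self, ip, sender, rcpt):
        if self.by_ip_only:
            return ip
        # Key on the /24 rather than the exact IP so a retry that comes from
        # another host in the same sending pool (mrcpu's "variety of IPs") is
        # not deferred again; Postgrey, for one, keys on the subnet by default.
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt, now, authenticated=False):
        """Decide one RCPT TO. This runs before DATA, so a deferred attempt
        costs neither side the message body (jwiens's point)."""
        if authenticated or ip in self.whitelist:
            return ACCEPT
        key = self._key(ip, sender, rcpt)
        first = self.seen.get(key)
        if first is None or now - first > self.max_age:
            self.seen[key] = now          # first sight (or a stale entry): defer
            return DEFER
        if now - first < self.min_delay:
            return DEFER                  # retried too fast: still deferred
        # Retried like a real queueing MTA: accept and stop greylisting this IP.
        self.whitelist[ip] = now
        del self.seen[key]
        return ACCEPT


def simulate(by_ip_only=False):
    """Run constructed traffic through a fresh Greylist; returns the SMTP codes."""
    g = Greylist(by_ip_only=by_ip_only)
    traffic = [
        # (client IP, MAIL FROM, RCPT TO, seconds since start, authenticated)
        ("10.0.0.5", "me@example.org", "bob@example.net", 0, True),           # auth'd submission
        ("192.0.2.10", "alice@example.org", "bob@example.net", 0, False),     # real MTA, first try
        ("192.0.2.10", "alice@example.org", "bob@example.net", 900, False),   # retry 15 min later
        ("192.0.2.10", "carol@example.org", "dave@example.net", 901, False),  # IP now whitelisted
        ("198.51.100.7", "x@spam.example", "bob@example.net", 10, False),     # one-shot bot
        ("198.51.100.8", "y@spam.example", "bob@example.net", 20, False),     # rossh_cp's spammer...
        ("198.51.100.8", "y@spam.example", "bob@example.net", 920, False),    # ...re-runs 15 min later
        ("198.51.100.9", "z@spam.example", "bob@example.net", 30, False),     # hammering bot
        ("198.51.100.9", "z@spam.example", "bob@example.net", 60, False),     # retries inside min_delay
        ("203.0.113.5", "f@example.com", "bob@example.net", 0, False),        # new sender
        ("203.0.113.5", "f@example.com", "eve@example.net", 400, False),      # other rcpt: keying matters
    ]
    return [g.check(ip, s, r, t, authenticated=a)[0] for ip, s, r, t, a in traffic]


if __name__ == "__main__":
    print("triplet:", simulate())
    print("ip-only:", simulate(by_ip_only=True))
```

The last two entries show the trade-off brianoz raises: with triplet keying the second recipient from 203.0.113.5 is deferred again (451) because it is a new triplet, while with IP-only keying the host's earlier attempt already counts as its first sight and the second recipient is accepted (250). The 198.51.100.8 entries show rossh_cp's point: a spammer who simply re-runs the list after the delay gets through and is whitelisted, which is why jwiens's argument rests on the other RBLs catching that IP in the meantime rather than on greylisting alone.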
     
  17. SoftDux

    SoftDux Well-Known Member

    Joined:
    May 27, 2006
    Messages:
    983
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Johannesburg, South Africa
    cPanel Access Level:
    Root Administrator
    How would you setup greylisting like this?
     
  18. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    There are several ways to implement it. Do a Google search for greylisting exim and you'll get the most popular ones.
     
  19. lloyd_tennison

    lloyd_tennison Well-Known Member

    Joined:
    Mar 12, 2004
    Messages:
    698
    Likes Received:
    1
    Trophy Points:
    18
    Anyone who has actually used it - which one have you done? I have tested/tried to install a couple, and none I have tried work well - some not at all!
     
    #19 lloyd_tennison, Nov 9, 2006
    Last edited: Nov 13, 2006
  20. eurorocco

    eurorocco Well-Known Member

    Joined:
    Jun 23, 2003
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    No greylisting please

    Yahoo implemented greylisting and we gave up Yahoo.

    Greylisting means delaying email delivery. Bad email service. I want my email to arrive on the spot.

    Try the http://www.rvskin.com/index.php?page=public/antispam solution instead, specially applying RBL blocking to email coming from dialups njabl.org, spammers spamcop.net, etc.

    We implemented our own RBL like spamcop.net, in front of the other RBLs, to control email reception policy from a central server. Also, to reduce the load our servers send to the public RBLs. All servers talk to our RBL to check if an IP is allowed or not allowed, and the central server checks each IP to see what RDNS name it comes up with, and whitelists or blacklists according to policy. Also, we whitelist if a recipient gets a bounce with a link to our RBL page and asks for help, and we can whitelist them.

    One very important thing about controlling spam reception is also that email queues become very small. Without hard spam blocks the queues become filled with Mailbox Full bounce emails and Recipient Does Not Exist emails. Some servers had 12,000 crap emails without applying good spam control.

    No greylisting please! Give up on this silly idea! :)

    ER
     
    #20 eurorocco, Nov 13, 2006
    Last edited: Nov 13, 2006
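The centralised reception policy eurorocco describes (own RBL consulted first, public RBLs behind it, a reverse-DNS check, and an operator whitelist that overrides the rest) can be written down in a few functions. The following is an added example, not code from the thread or from any RBL operator: it builds the standard reversed-octet DNSBL query name, treats any 127.0.0.0/8 answer as "listed", and applies a simple rDNS pattern for dialup/DSL-looking hosts. The resolver is injected so the example runs offline against a constructed answer table; in production you would pass `socket.gethostbyname`. Zone names, the rDNS patterns, the sample addresses and the "no PTR means reject" policy are all this example's own choices.

```python
"""Central SMTP reception policy: whitelist, DNSBLs, reverse DNS (added example)."""
import ipaddress
import re
import socket

# Constructed DNS answers standing in for real lookups (A records of DNSBL names).
FAKE_DNS = {
    "7.100.51.198.dnsbl.local.example": "127.0.0.2",   # listed in our own RBL
    "7.100.51.198.zen.example": "127.0.0.4",           # and in a public one
}
# Constructed PTR names for the sample client IPs ("" = no PTR at all).
FAKE_PTR = {
    "198.51.100.7": "mail.bulkmailer.example",
    "203.0.113.9": "cpe-203-0-113-9.dsl.isp.example",   # dialup/DSL-looking rDNS
    "192.0.2.25": "mx1.partner.example",
    "203.0.113.77": "",
}
ZONES = ["dnsbl.local.example", "zen.example"]          # our RBL first, public ones after

# Example heuristic for dynamic-pool reverse names; tune for your own traffic.
DYNAMIC_RDNS = re.compile(r"(^|[.-])(dial|dyn|dhcp|ppp|dsl|cable|pool|cpe)([.-]|\d)", re.I)


def dnsbl_name(ip, zone):
    """198.51.100.7 + zen.example -> 7.100.51.198.zen.example"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname: NXDOMAIN -> socket.gaierror."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror("NXDOMAIN")


def dnsbl_listed(ip, zones=ZONES, resolve=fake_resolve):
    """Return the zones that list ip. Any 127.0.0.0/8 answer counts; what the
    last octet means differs per list, so consult each zone's documentation."""
    hits = []
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except socket.gaierror:
            continue                      # not listed in this zone
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            hits.append(zone)
    return hits


def reception_policy(ip, ptr, zones=ZONES, whitelist=(), resolve=fake_resolve):
    """Decide one connecting client: returns (verdict, reason)."""
    addr = ipaddress.ip_address(ip)
    # Operator whitelist wins, which is how a helpdesk exception is honoured.
    if any(addr in ipaddress.ip_network(w) for w in whitelist):
        return "accept", "whitelisted"
    hits = dnsbl_listed(ip, zones, resolve)
    if hits:
        return "reject", "listed in " + ", ".join(hits)
    if not ptr:
        return "reject", "no reverse DNS"
    if DYNAMIC_RDNS.search(ptr):
        return "reject", "dynamic-looking rDNS " + ptr
    return "accept", "clean"


if __name__ == "__main__":
    for client, ptr in FAKE_PTR.items():
        print(client, reception_policy(client, ptr))
```

Rejecting at connect or RCPT time on the basis of these checks is what keeps the queues small, as the post above notes: a message never accepted generates no Mailbox Full or unknown-recipient bounce for the server to hold.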