greet_pause whitelisting

on 05.08.2005 22:00:10 by Joseph Brennan

We're finally trying out greet_pause with a value of 5000 (5 secs).
Would anyone comment on these oddities:

One gmail host has been caught several times, but not any others. I
see on the web that a few other people have noted gmail as a problem.

The strangest catch: alumni.wesleyan.edu runs sendmail 8.12.9 and gets
caught. I don't understand that one. How does a sendmail that recent
do this wrong?

A place called efax.com gets caught every time. This is one of the
standard Spamassassin whitelist domains, for some reason.

Joseph Brennan Columbia University Information Technologies
Columbia University in the City of New York
brennan@columbia.edu

Re: greet_pause whitelisting

on 05.08.2005 23:05:38 by Rich Graves

In article , Joseph Brennan wrote:
>
> We're finally trying out greet_pause with a value of 5000 (5 secs).

I found that 500 msec was plenty. Either they blast at full speed, or
they don't. Bright pink bits of http://www.brandeis.edu/its/spam.png

No, we didn't do hard greylisting (100% false positives), but I thought
that http://www.elandsys.com/scam/ has an implementation that's both
hilarious and highly effective.

> One gmail host has been caught several times, but not any others. I
> see on the web that a few other people have noted gmail as a problem.

Just whitelist sproxy. This has been discussed here.

> The strangest catch: alumni.wesleyan.edu runs sendmail 8.12.9 and gets
> caught. I don't understand that one. How does a sendmail that recent
> do this wrong?

Maybe they're behind a firewall that's transparent to you, or something.
Being behind a firewall for the first time, I'm finding we're breaking
all sorts of things.

> A place called efax.com gets caught every time. This is one of the
> standard Spamassassin whitelist domains, for some reason.

I don't remember ever seeing that. Maybe it's happy to wait 500 msec
but not 5000.
--
Rich Graves

Re: greet_pause whitelisting

on 05.08.2005 23:10:07 by ca+sendmail(-no-copies-please)

Joseph Brennan wrote:

> The strangest catch: alumni.wesleyan.edu runs sendmail 8.12.9 and gets
> caught. I don't understand that one. How does a sendmail that recent
> do this wrong?

Try to catch the TCP connection and see what's going on. Are you
sure it's a "real" sendmail? Maybe there's some "helpful" software
in between?

PS: you should tell them to upgrade to 8.12.11 or 8.13, versions
older than 8.12.10 have security problems: http://www.sendmail.org/

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting my time.

Re: greet_pause whitelisting

on 06.08.2005 04:04:05 by John Rudd

Rich Graves wrote:
> In article , Joseph Brennan wrote:
>
>>We're finally trying out greet_pause with a value of 5000 (5 secs).
>
>
> I found that 500 msec was plenty. Either they blast at full speed, or
> they don't.
>

The guy who developed the original technique, a friend of mine from
college, found that 35 seconds was almost the 90th percentile.

http://deeptht.armory.com/~spcecdt/spamware/

Though, he limits his targets to hosts with particular PTR record
formats (see his first paragraph). Anyways, my point is, his research
contradicts your assertion. It is not black and white, either they are
full speed and/or blind senders or they're RFC compliant. There are, in
fact, shades of grey.


I personally do 15 seconds for verizon's mail servers (because they do a
call-back ... I think they actually timeout around 28 seconds, but I
decided to be generous), 1 second for mac.com's mail servers (they had
fixed theirs for a while, but apparently after my friend left they went
back to being lame), and 1 second for livejournal.com (because they
suck, but I need to receive email from them).

There's one spammer out there that annoyed me enough that I set him to
299999 (just 1 second short of the RFC requirement). He apparently
waits for a long while, because he was getting past 30 seconds and a
few other values I set.

Everyone else, who isn't on my LAN, gets 30 seconds. (machines on my
LAN get 0 seconds)

Here are the entries from my access file (since I'm not sure if the
original poster was asking _how_ to whitelist with greet_pause):

# the default, 30000, is in the mc/cf file
GreetPause:127.0.0.1 0
GreetPause:69.12.154.165 0
GreetPause:10.0.0 0
# apple's mac.com being lame
GreetPause:17.250.248 1000
GreetPause:17.250.236 1000
# subnet with relay.verizon.net, which uses call-back verification
GreetPause:206.46.12 15000
# slow down this annoying spammer
GreetPause:69.72.218 299999
# subnet with livejournal.com
GreetPause:66.150.15 1000
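As an added illustration (not code from this thread, and not sendmail's own implementation), the following Python mirrors the two pieces discussed above: the access-file lookup that John's GreetPause entries rely on, where sendmail tries the full client address and then progressively shorter dotted prefixes, and the greet_pause check itself that ca suggests watching on the wire: hold the 220 banner for the configured pause and treat any bytes that arrive before it as pre-greeting traffic. The pause table is constructed from the entries above, the host names and reply text are made up for the example, and the "client" is the other end of a socketpair so it runs offline.

```python
import select
import socket

# Constructed GreetPause table in the style of John's access-file entries
# (milliseconds, as sendmail's GreetPause: values are). The default of 30000
# stands in for the value he keeps in the mc/cf file.
GREET_PAUSE = {
    "127.0.0.1": 0,
    "10.0.0": 0,
    "17.250.248": 1000,
    "206.46.12": 15000,
    "69.72.218": 299999,
}
DEFAULT_PAUSE_MS = 30000


def lookup_pause(client_ip, table=GREET_PAUSE, default=DEFAULT_PAUSE_MS):
    """Pick the pause for a client the way the access map is consulted:
    full address first, then progressively shorter dotted prefixes
    (10.0.0.7 -> 10.0.0 -> 10.0 -> 10), falling back to the default."""
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return default


def apply_greet_pause(conn, pause_ms):
    """Hold the 220 banner for pause_ms on a connected socket. Any bytes
    that arrive before the banner mean the client did not wait, so it gets
    a 554 instead (reply text is constructed; sendmail logs such clients as
    pre-greeting traffic). A pause of 0 disables the check, as in the
    LAN entries above. Returns 'early' or 'ok'."""
    if pause_ms > 0:
        readable, _, _ = select.select([conn], [], [], pause_ms / 1000.0)
        if readable:
            conn.sendall(b"554 mail.example.test rejected: talked before greeting\r\n")
            return "early"
    conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
    return "ok"


def simulate(client_waits, pause_ms=500):
    """Exercise apply_greet_pause on a local socketpair: a compliant client
    waits for the banner, an early talker sends EHLO straight away.
    Returns (verdict, first reply line the client saw)."""
    server_end, client_end = socket.socketpair()
    with server_end, client_end:
        if not client_waits:
            client_end.sendall(b"EHLO bulk.example.test\r\n")
        verdict = apply_greet_pause(server_end, pause_ms)
        reply = client_end.recv(1024).decode().rstrip()
    return verdict, reply


if __name__ == "__main__":
    for ip in ("10.0.0.7", "17.250.248.9", "203.0.113.5"):
        print(ip, "->", lookup_pause(ip), "ms")
    print("waits for banner:", simulate(client_waits=True, pause_ms=300))
    print("early talker:   ", simulate(client_waits=False, pause_ms=300))
```

The per-client table is what keeps the false-positive rate down: the long default only ever applies to hosts nobody has had to add an exception for. John's 299999 is just under the 5 minutes that RFC 2821 section 4.5.3.2 tells a sending MTA to wait for the initial 220, which is why a pause at or above that figure would also cost mail from fully compliant senders.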

Re: greet_pause whitelisting

on 06.08.2005 04:44:55 by Neil W Rickert

John Rudd writes:
>Rich Graves wrote:

>> I found that 500 msec was plenty. Either they blast at full speed, or
>> they don't.

>The guy who developed the original technique, a friend of mine from
>college, found that 35 seconds was almost the 90th percentile.

At 35 seconds, you will lose some email. Some MTAs won't wait that
long before they give up.

Re: greet_pause whitelisting

on 06.08.2005 06:38:02 by ca+sendmail(-no-copies-please)

John Rudd wrote:

> The guy who developed the original technique, a friend of mine from
> college, found that 35 seconds was almost the 90th percentile.

Note: RFC 2821 says:

4.3.1 Sequencing Overview
....
One important reply is the connection greeting. Normally, a receiver
will send a 220 "Service ready" reply when the connection is
completed. The sender SHOULD wait for this greeting message before
           ^^^^^^
sending any commands.

Hence an MTA that doesn't wait is NOT in violation of RFC 2821.
For those who care: it might be a good idea to look at RFC 2821bis
and have this changed into a MUST.

Re: greet_pause whitelisting

on 06.08.2005 09:46:55 by John Rudd

Neil W Rickert wrote:
> John Rudd writes:
>
>>Rich Graves wrote:
>
>
>>>I found that 500 msec was plenty. Either they blast at full speed, or
>>>they don't.
>
>
>>The guy who developed the original technique, a friend of mine from
>>college, found that 35 seconds was almost the 90th percentile.
>
>
> At 35 seconds, you will lose some email. Some MTAs won't wait that
> long before they give up.
>

A) that doesn't contradict the quoted assertion in the slightest. (it
makes no claim at all about degree nor presence of false positives)

B) that's what the access file is for, to make exceptions for problem sites.

C) I've been doing this for over a year, with 100's of rejections per
day (at my home site), and have had exactly 2 legitimate messages that
didn't get through (one from my wife's mac.com account, one from my own
livejournal sign up). Both of which were easily fixed with access file
additions.

I also use it at work, with a slightly lower threshold, 10's of
thousands of rejections per day, and not one complaint (and, given the
environment I work in (a university), we have plenty of people who would
rant and rave if they were missing even the slightest bit of legitimate
mail from their colleagues).

Re: greet_pause whitelisting

on 07.08.2005 05:19:15 by Dennis Peterson

John Rudd wrote:
> Neil W Rickert wrote:
>
>> John Rudd writes:
>>
>>> Rich Graves wrote:
>>
>>
>>
>>>> I found that 500 msec was plenty. Either they blast at full speed, or
>>>> they don't.
>>
>>
>>
>>> The guy who developed the original technique, a friend of mine from
>>> college, found that 35 seconds was almost the 90th percentile.
>>
>>
>>
>> At 35 seconds, you will lose some email. Some MTAs won't wait that
>> long before they give up.
>>
>
> A) that doesn't contradict the quoted assertion in the slightest. (it
> makes no claim at all about degree nor presence of false positives)
>
> B) that's what the access file is for, to make exceptions for problem
> sites.
>
> C) I've been doing this for over a year, with 100's of rejections per
> day (at my home site), and have had exactly 2 legitimate messages that
> didn't get through (one from my wife's mac.com account, one from my own
> livejournal sign up). Both of which were easily fixed with access file
> additions.
>
> I also use it at work, with a slightly lower threshold, 10's of
> thousands of rejections per day, and not one complaint (and, given the
> environment I work in (a university), we have plenty of people who would
> rant and rave if they were missing even the slightest bit of legitimate
> mail from their colleagues).

Greet_pause and SURBL account for most of my rejections and they have no
significant risk. A content filter I've built up over time is next,
followed by spamcop, njabl, etc. All the filters are applied outbound as
well as inbound and volume is around 750k+/week messages. 55% is
rejected. I get about .3 tickets/week to whitelist domains listed by
dnsbl - rarely for other filters. I just wish I could enable grey-listing.

dp