Question about greet-pause

Hi,

I was considering implementing greet-pause on my Sendmail server. It's a
mail server for a nationwide ISP which uses a wholesaler for its dialup
numbers.

In reading about greet-pause, I read this: Set GreetPause localhost: 0 to
prevent the pause from applying to connections from your local machine,
which would otherwise be annoying when you're sending mail. If you're doing
this on a server which accepts mail from multiple machines, you'll want to
do the same for the whole local network.

How do folks deal with greet-pause then on a mailserver with outsourced
dialups? Would I need to "whitelist" hundreds of possible ip addresses from
dialup address pools in order to use greet-pause?

Thanks,

Lisa Casey
Lisa Casey [ Di, 04 September 2007 15:02 ] [ ID #1812546 ]

Re: Question about greet-pause

On Tue, 4 Sep 2007 09:02:20 -0400, "Lisa Casey" <lisa [at] jellico.net>
wrote:

>How do folks deal with greet-pause then on a mailserver with outsourced
>dialups? Would I need to "whitelist" hundreds of possible ip addresses from
>dialup address pools in order to use greet-pause?
>
I use the AUTH method; then for a properly authenticated user greet-pause is
omitted.

Andrzej Ciach
Andrzej Ciach [ Di, 04 September 2007 15:36 ] [ ID #1812547 ]

Re: Question about greet-pause

In article <13dqlrj2j6fqu55 [at] corp.supernews.com>,
"Lisa Casey" <lisa [at] jellico.net> wrote:

> Hi,
>
> I was considering implementing greet-pause on my Sendmail server. It's a
> mail server for a nationwide ISP which uses a wholesaler for its dialup
> numbers.
>
> In reading about greet-pause, I read this: Set GreetPause localhost: 0 to
> prevent the pause from applying to connections from your local machine,
> which would otherwise be annoying when you're sending mail. If you're doing
> this on a server which accepts mail from multiple machines, you'll want to
> do the same for the whole local network.
>
> How do folks deal with greet-pause then on a mailserver with outsourced
> dialups? Would I need to "whitelist" hundreds of possible ip addresses from
> dialup address pools in order to use greet-pause?

The basic issue here is a mail system design fundamental: split
"inbound" and "outbound" mail. Your users should not be doing initial
mail submission to the same MTAs that your MX records point to. Your
submission machines ("outbound" mail) should only be accepting mail from
authenticated users, probably only on encrypted sessions (because SMTP
AUTH is a lot easier to make work for everyone safely in conjunction
with STARTTLS) and ideally only on port 587 (although realistically you
might have to support non-standard always-SSL on 465 as well).

If you cannot split inbound and outbound mail, your flexibility with
each is severely limited. GreetPause is just an obvious case, and it is
actually rather complex. On one hand, you can whitelist for GreetPause
by octet-bounded IP range, but if you're using a dialup wholesaler you
may well end up whitelisting non-customers that way and will be
whitelisting your own dialup customers who could very well be running
just the sort of SMTP clients you WANT to clobber with GreetPause:
infected spambots. You can avoid that dilemma somewhat by a conservative
application of GreetPause: most of the non-pausing bots are completely
non-pausing and will be caught with a GreetPause of 3 seconds, and most
real clients won't notice that sort of delay. Besides that, when you get
much above 5 seconds, you will start to cause trouble with legitimate
but misconfigured senders (e.g. Yahoo, MessageLabs, Postini) who don't
have the patience that the SMTP standard decrees. Making a stand on
principle there might be a fine idea, but it means that your users won't
get some mail...

--
Now where did I hide that website...
Bill Cole [ Di, 04 September 2007 15:59 ] [ ID #1812549 ]
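An added example, not from this thread and not part of sendmail's own distribution, of what the octet-bounded whitelisting Bill describes turns into in practice: a small Python script that converts CIDR ranges into the keys sendmail's access map can match (the map matches IPv4 clients on leading octets, so a key of "10.1" covers 10.1.0.0/16) and emits GreetPause exemption lines. The ranges, the 3000 ms default and the addresses are constructed for the example; the default pause itself belongs in sendmail.mc as FEATURE(`greet_pause', `3000') rather than in the map.

```python
import ipaddress

# Constructed inputs: networks whose clients should get no greet-pause.
# Access-map GreetPause values are milliseconds.
WHITELIST = ["10.1.0.0/16", "192.0.2.0/23", "198.51.100.7/32"]
DEFAULT_PAUSE_MS = 3000   # the conservative 3 s suggested in the post


def prefix_keys(network):
    """Return the octet-bounded access-map keys that cover `network`.

    sendmail's access map matches IPv4 clients on leading octets
    ("10.1" matches 10.1.0.0/16), so a /16 or /24 becomes one key, a /23
    needs two /24 keys, and a /25 degrades to 128 single-host keys.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are handled here")
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 would exempt everyone; set the FEATURE default instead")
    aligned = ((net.prefixlen + 7) // 8) * 8      # round up to 8, 16, 24 or 32
    octets = aligned // 8                         # how many octets the key keeps
    block = 1 << (32 - aligned)                   # addresses covered by one key
    start = int(net.network_address)
    end = int(net.broadcast_address) + 1
    keys = []
    for base in range(start, end, block):
        dotted = str(ipaddress.IPv4Address(base)).split(".")
        keys.append(".".join(dotted[:octets]))
    return keys


def greet_pause_map(whitelist):
    """Access-map lines: the local host plus every whitelisted prefix at 0 ms."""
    lines = ["GreetPause:localhost\t0", "GreetPause:127.0.0.1\t0"]
    for network in whitelist:
        for key in prefix_keys(network):
            lines.append(f"GreetPause:{key}\t0")
    return lines


def exemption_count(whitelist):
    """Number of map entries needed: a cheap check that a non-aligned range
    from a wholesaler (say a /25) is not silently exploding into hundreds."""
    return sum(len(prefix_keys(n)) for n in whitelist)


if __name__ == "__main__":
    print(f"FEATURE(`greet_pause', `{DEFAULT_PAUSE_MS}')dnl   # goes in sendmail.mc")
    for line in greet_pause_map(WHITELIST):
        print(line)
    print(f"# {exemption_count(WHITELIST)} exemption entries")
```

Because every exempted prefix also exempts any infected dialup host inside it, the count reported by exemption_count is worth reviewing before the map is rebuilt: a whitelist that balloons past a few dozen octet-bounded keys is usually a sign that the range should not be exempted at all and that a short default pause is the better trade.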

Re: Question about greet-pause

In article <ionqd31t3qgqnvq1hvjq2t4f1ralq98r8e [at] 4ax.com>,
Andrzej Ciach <_ciach__ [at] microsun.pl> wrote:

> On Tue, 4 Sep 2007 09:02:20 -0400, "Lisa Casey" <lisa [at] jellico.net>
> wrote:
>
> >How do folks deal with greet-pause then on a mailserver with outsourced
> >dialups? Would I need to "whitelist" hundreds of possible ip addresses from
> >dialup address pools in order to use greet-pause?
> >
> I use the AUTH method; then for a properly authenticated user greet-pause is
> omitted.

That CANNOT be the truth. If you think you are doing that, you need to
re-think what you are really doing.

The greeting pause happens before the user has any opportunity to
authenticate.

--
Now where did I hide that website...
Bill Cole [ Di, 04 September 2007 16:13 ] [ ID #1812550 ]

Re: Question about greet-pause

On Tue, 04 Sep 2007 14:13:34 GMT, Bill Cole <bill [at] scconsult.com>
wrote:

>In article <ionqd31t3qgqnvq1hvjq2t4f1ralq98r8e [at] 4ax.com>,
> Andrzej Ciach <_ciach__ [at] microsun.pl> wrote:
>
>> On Tue, 4 Sep 2007 09:02:20 -0400, "Lisa Casey" <lisa [at] jellico.net>
>> wrote:
>>
>> >How do folks deal with greet-pause then on a mailserver with outsourced
>> >dialups? Would I need to "whitelist" hundreds of possible ip addresses from
>> >dialup address pools in order to use greet-pause?
>> >
>> I use the AUTH method; then for a properly authenticated user greet-pause is
>> omitted.
>
>That CANNOT be the truth. If you think you are doing that, you need to
>re-think what you are really doing.
Sorry, you are absolutely right. I was thinking about greylisting...
Silly mistake...
Andrzej Ciach [ Di, 04 September 2007 16:39 ] [ ID #1812552 ]

Re: Question about greet-pause [MX/MSA]

"Lisa Casey" <lisa [at] jellico.net> writes:
> I was considering implementing greet-pause on my Sendmail server. It's a
> mail server for a nationwide ISP which uses a wholesaler for its dialup
> numbers.
>
> In reading about greet-pause, I read this: Set GreetPause localhost: 0 to
> prevent the pause from applying to connections from your local machine,
> which would otherwise be annoying when you're sending mail. If you're doing
> this on a server which accepts mail from multiple machines, you'll want to
> do the same for the whole local network.
>
> How do folks deal with greet-pause then on a mailserver with outsourced
> dialups? Would I need to "whitelist" hundreds of possible ip addresses from
> dialup address pools in order to use greet-pause?

Have you separated MX (submissions by MTAs) and MSA
(submissions by your own users)?
[ separate IP addresses/servers or separate ports (25 and 587) ]

It should allow you to use a short greet-pause on to-MSA connections
(sub-second, e.g. 0.2 s) before SMTP AUTH is required for all MSA
connections, and a longer (variable) greet-pause on to-MX connections.

BTW, it may be a good idea to use intentionally *LONG* delays (5-10 s) for
IP addresses listed by CBL.abuseat.org or dnsbl-1.uceprotect.net for
"educational" purposes before accepting MSA connections, to provide "a hint" :-)
[ sources of spam caught by spamtraps ]

--
Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
Power corrupts. Absolute power is kind of neat.
-- John Lehman, Secretary of the Navy, 1981-1987
Andrzej Filip [ Di, 04 September 2007 20:05 ] [ ID #1812558 ]

Re: Question about greet-pause

Bill Cole <bill [at] scconsult.com> writes:

> In article <ionqd31t3qgqnvq1hvjq2t4f1ralq98r8e [at] 4ax.com>,
> Andrzej Ciach <_ciach__ [at] microsun.pl> wrote:
>
>> On Tue, 4 Sep 2007 09:02:20 -0400, "Lisa Casey" <lisa [at] jellico.net>
>> wrote:
>>
>> >How do folks deal with greet-pause then on a mailserver with outsourced
>> >dialups? Would I need to "whitelist" hundreds of possible ip addresses from
>> >dialup address pools in order to use greet-pause?
>> >
>> I use the AUTH method; then for a properly authenticated user greet-pause is
>> omitted.
>
> That CANNOT be the truth. If you think you are doing that, you need to
> re-think what you are really doing.
>
> The greeting pause happens before the user has any opportunity to
> authenticate.

You are right *BUT* it is worth remembering that sendmail "encourages":
* using a separate port (MSA=587) for mail submission by users
* requiring SMTP AUTH for MSA connections

It makes a different greet-pause for connections that are required to
authenticate themselves later "implementable".

--
[pl>en: Andrew] Andrzej Adam Filip : anfi [at] priv.onet.pl : anfi [at] xl.wp.pl
To be a kind of moral Unix, he touched the hem of Nature's shift.
-- Shelley
Andrzej Filip [ Di, 04 September 2007 20:09 ] [ ID #1812559 ]

Re: Question about greet-pause

On Tue, 4 Sep 2007, Bill Cole wrote:

> The basic issue here is a mail system design fundamental: split
> "inbound" and "outbound" mail. Your users should not be doing initial
> mail submission to the same MTA's that your MX records point to. Your
> submission machines ("outbound" mail) should be only accepting mail from

I agree here..

> authenticated users, probably only on encrypted sessions (because SMTP
> AUTH is a lot easier to make work for everyone safely in conjunction

I disagree here; this might work fine for small networks, but for large
national ISPs this is not practical and can result in a lot of
congestion and other temp_fail problems. But if it were a large network,
they would have their own IP ranges, or could perhaps get their
wholesaler to allocate their customers in certain ranges dedicated to them
and then allow relaying by IP ranges; perhaps this is something they need
to talk to their supplier about, or else ascertain whether their supplier has
outbound SMTP servers and use them.


--

Cheers
Res
Res [ Mi, 05 September 2007 01:05 ] [ ID #1813433 ]

Re: Question about greet-pause

In article <Pine.LNX.4.64.0709050901350.22851 [at] ebfjryy.nhfvpf.arg>,
Res <res [at] ausics.net> wrote:

> On Tue, 4 Sep 2007, Bill Cole wrote:
>
> > The basic issue here is a mail system design fundamental: split
> > "inbound" and "outbound" mail. Your users should not be doing initial
> > mail submission to the same MTA's that your MX records point to. Your
> > submission machines ("outbound" mail) should be only accepting mail from
>
> I agree here..
>
> > authenticated users, probably only on encrypted sessions (because SMTP
> > AUTH is a lot easier to make work for everyone safely in conjunction
>
> I disagree here; this might work fine for small networks, but for large
> national ISPs this is not practical

Seems to be practical for Google and AT&T.

--
Now where did I hide that website...
Bill Cole [ Mi, 05 September 2007 03:45 ] [ ID #1813436 ]

Re: Question about greet-pause

On Tue, 4 Sep 2007, Bill Cole wrote:

>> I disagree here; this might work fine for small networks, but for large
>> national ISPs this is not practical
>
> Seems to be practical for Google and AT&T.

They do not provide such services in my country, but I would suspect at
least Google has billions of dollars to throw at any issues; why should we
spend an extra million to do something that's not needed? We stopped SMTP
auth for hosting customers as well some time ago, because of spam.


--

Cheers
Res
Res [ Mi, 05 September 2007 08:01 ] [ ID #1813438 ]

Re: Question about greet-pause

Lisa Casey <lisa [at] jellico.net> wrote:
> How do folks deal with greet-pause then on a mailserver with outsourced
> dialups? Would I need to "whitelist" hundreds of possible ip addresses from
> dialup address pools in order to use greet-pause?

Well, a lot of posters have given you some hints - one last word about
greet-pause. IMO don't care too much; just start with very short delays
(let's say 1/10 of a second, or 1/5 or so). From my personal experience
higher delays do not drop a significantly higher amount of spammy connects.
And such short delays are in fact barely noticeable for your customers.

Whitelisting large blocks and so on is a good idea anyway.

cu
Clemens.
--
/"\ http://czauner.onlineloop.com/
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \ AND POSTINGS
Clemens Zauner [ Do, 06 September 2007 00:44 ] [ ID #1813445 ]

Re: Question about greet-pause

On Sep 5, 3:44 pm, Clemens Zauner <cz+use... [at] onlineloop.com> wrote:
> Well, a lot of posters have given you some hints - one last word about
> greet-pause. IMO don't care too much; just start with very short delays
> (let's say 1/10 of a second, or 1/5 or so). From my personal experience
> higher delays do not drop a significantly higher amount of spammy connects.
> And such short delays are in fact barely noticeable for your customers.

I agree with Clemens, short delays are all that are needed. Remember,
the spammer is trying to maximize their throughput. They open the
connection, then stream the SMTP conversation without waiting for any
TCP replies, and then close the connection. This then allows them to
start the next SMTP conversation. GreetPause dumps this type of
message by waiting a short time, clearing the TCP receive buffer and
then offering the initial 220 greeting.

Has anyone seen the spammers becoming more sophisticated about this?
Like waiting for the initial 220 greeting before streaming the rest of
the SMTP conversation?

What do other people use for the timeout value? If it is longer, why?
I agree with Clemens and use values ranging between 1/10 and 1/2 of a
second.

Hope this helps

RLH

For info about our "Sendmail and DNS Handson Training" or our in depth
"Managing Internet Mail, Setting Up and Trouble Shooting sendmail and
DNS" classes and a schedule of dates and locations, please send email
to info [at] harker.com, or visit www.harker.com

Robert Harker
Harker Systems
harker [at] harker.com
Robert Harker [ Do, 06 September 2007 01:55 ] [ ID #1814326 ]
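To make the mechanism Robert describes concrete, here is an added Python example (mine, not code from the thread and not sendmail's implementation) of the server-side decision: sleep for the pause, then look at whether anything is already sitting in the receive buffer before choosing between the 220 banner and a rejection. It uses a socketpair in place of a real TCP listener so that it runs offline; the banner text, the 554 wording, the hostnames and the pause length are constructed, and sendmail's own reply text differs in detail.

```python
import select
import socket
import time

BANNER = b"220 mx.example.test ESMTP ready\r\n"                         # constructed
REJECT = b"554 SMTP protocol violation: traffic before greeting\r\n"    # constructed


def greet_pause(server_side, pause_seconds):
    """Server side of a greet-pause.

    Wait `pause_seconds`, then peek at the socket: a client that has already
    sent bytes did not wait for the banner, so it gets a rejection instead
    of the 220 greeting. Returns "rejected" or "greeted".
    """
    time.sleep(pause_seconds)
    readable, _, _ = select.select([server_side], [], [], 0)
    if readable:
        # MSG_PEEK leaves the bytes in place; we only need to know they exist.
        early = server_side.recv(4096, socket.MSG_PEEK)
        if early:
            server_side.sendall(REJECT)
            return "rejected"
    server_side.sendall(BANNER)
    return "greeted"


def run_scenario(pause_seconds, sends_before_banner):
    """Run one constructed client against the greet-pause above.

    sends_before_banner=True models the throughput-maximising sender from
    the post, which streams its commands without waiting; False models a
    normal MTA that reads the banner before saying anything.
    Returns (server decision, bytes the client received).
    """
    server_side, client_side = socket.socketpair()
    try:
        if sends_before_banner:
            client_side.sendall(b"EHLO client.example.test\r\n")   # constructed
        decision = greet_pause(server_side, pause_seconds)
        reply = client_side.recv(4096)
        return decision, reply
    finally:
        server_side.close()
        client_side.close()


if __name__ == "__main__":
    for eager in (True, False):
        decision, reply = run_scenario(0.2, eager)
        print(f"sends_before_banner={eager}: {decision}, client saw {reply!r}")
```

The check is deliberately made after the sleep, not during it, which is why the pause length matters so much in the rest of the thread: a client that is merely slow to read the banner is never penalised, only one that talks first.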

Re: Question about greet-pause

On Wed, 5 Sep 2007, Robert Harker wrote:

> I agree with Clemens, short delays are all that are needed. Remember,
> the spammer is trying to maximize their throughput. They open the
> connection, then stream the SMTP conversation without waiting for any
> TCP replies, and then close the connection. This then allows them to
> start the next SMTP conversation. GreetPause dumps this type of
> message by waiting a short time, clearing the TCP receive buffer and
> then offering the initial 220 greeting.
>
> Has anyone seen the spammers becoming more sophisticated about this?
> Like waiting for the initial 220 greeting before streaming the rest of
> the SMTP conversation?
>
> What do other people use for the timeout value? If it is longer, why?
> I agree with Clemens and use values ranging between 1/10 and 1/2 of a
> second.

I've found the best to be about 3 to 5 seconds; really short times had
little effect here. Bear in mind a virus-infected spam engine on a dialup
user's account will be lagged to start with, and longer than about 15
seconds used to confuse some broken mailers.


--

Cheers
Res
Res [ Do, 06 September 2007 03:32 ] [ ID #1814328 ]

Re: Question about greet-pause

Res <res [at] ausics.net> wrote:
> I've found the best to be about 3 to 5 seconds; really short times had
> little effect here. Bear in mind a virus-infected spam engine on a dialup
> user's account will be lagged to start with, and longer than about 15
> seconds used to confuse some broken mailers.

Well, the mileage varies ... Even though :587 is a good idea, as an ISP
you will find it difficult to get all the users to use this service. This
is why I prefer shorter pauses. With a broad user-base you start to
slow down your users *and* you need more resources on your MX. Depending
on the userbase this is IMO an issue.

Yes, as posted - one gets more spamware caught with longer delays, but
the growth isn't linear. This is why I suggested starting with small
delays and raising them until one hits the sweet spot. The ideal
settings will for sure differ from installation to installation.

cu
Clemens.
--
/"\ http://czauner.onlineloop.com/
\ / ASCII RIBBON CAMPAIGN
X AGAINST HTML MAIL
/ \ AND POSTINGS
Clemens Zauner [ Do, 06 September 2007 15:19 ] [ ID #1814337 ]

Re: Question about greet-pause

In article <Pine.LNX.4.64.0709061128340.29671 [at] ebfjryy.nhfvpf.arg>,
Res <comp-mail-sendmail [at] ausics.net> wrote:
>On Wed, 5 Sep 2007, Robert Harker wrote:
>
>> I agree with Clemens, short delays are all that are needed. Remember,
>> the spammer is trying to maximize their throughput. They open the
>> connection, then stream the SMTP conversation without waiting for any
>> TCP replies, and then close the connection. This then allows them to
>> start the next SMTP conversation. GreetPause dumps this type of
>> message by waiting a short time, clearing the TCP receive buffer and
>> then offering the initial 220 greeting.
>>
>> Has anyone seen the spammers becoming more sophisticated about this?
>> Like waiting for the initial 220 greeting before streaming the rest of
>> the SMTP conversation?
>>
>> What do other people use for the timeout value? If it is longer, why?
>> I agree with Clemens and use values ranging between 1/10 and 1/2 of a
>> second.
>
>I've found the best to be about 3 to 5 seconds; really short times had
>little effect here. Bear in mind a virus-infected spam engine on a dialup
>user's account will be lagged to start with, and longer than about 15
>seconds used to confuse some broken mailers.

Now that Sendmail can log the connections dropped by GreetPause and how
much of the timeout was actually used, you can easily experiment with
this value. I found that some spammers would send commands as late as
60 seconds after opening the connection when the GreetPause was set to
a large enough value to see this. While I did not want to set the
GreetPause to such a large value on my main mail server, I set it to
65 seconds on my secondary MXs. As spammers like to use secondary MXs
in preference to the main server, I get the spammers but not the normal
mail.

>--
>
>Cheers
>Res

--
Tom Schulz
schulz [at] adi.com
schulz [ Do, 06 September 2007 19:06 ] [ ID #1814340 ]

Re: Question about greet-pause

On Thu, 6 Sep 2007, Clemens Zauner wrote:

>
> Res <res [at] ausics.net> wrote:
>> I've found the best to be about 3 to 5 seconds; really short times had
>> little effect here. Bear in mind a virus-infected spam engine on a dialup
>> user's account will be lagged to start with, and longer than about 15
>> seconds used to confuse some broken mailers.
>
> Well, the mileage varies ... Even though :587 is a good idea, as an ISP
> you will find it difficult to get all the users to use this service. This

hahahaha, as an ISP we found it impossible to get anyone to use it, hence
we don't bother with it.

We use different SMTP boxes for outgoing that relay only for our IP
ranges, so it's not an issue as greet pause is not used, but many services
do not operate like that and have in/out all on the same hardware; they just
have to try different values until they find what suits them.


--

Cheers
Res
Res [ Fr, 07 September 2007 00:48 ] [ ID #1814345 ]

Re: Question about greet-pause

On Thu, 6 Sep 2007, Thomas Schulz wrote:

> GreetPause to such a large value on my main mail server, I set it to
> 65 seconds on my secondary MXs. As spammers like to use secondary MXs
> in preference to the main server, I get the spammers but not the normal
> mail.

Do you have hotmail or yahoo issues? We sure did when we tried 30 sec once
(in the early days of finding out what's best to use); mind you, that was a long
time ago, so I'm curious to know if you have many or any hits for them?

--

Cheers
Res
Res [ Fr, 07 September 2007 00:52 ] [ ID #1814346 ]

Re: Question about greet-pause

In article <Pine.LNX.4.64.0709070849420.3749 [at] ebfjryy.nhfvpf.arg>,
Res <comp-mail-sendmail [at] ausics.net> wrote:
>On Thu, 6 Sep 2007, Thomas Schulz wrote:
>
>> GreetPause to such a large value on my main mail server, I set it to
>> 65 seconds on my secondary MXs. As spammers like to use secondary MXs
>> in preference to the main server, I get the spammers but not the normal
>> mail.
>
>Do you have hotmail or yahoo issues? We sure did when we tried 30 sec once
>(in the early days of finding out what's best to use); mind you, that was a long
>time ago, so I'm curious to know if you have many or any hits for them?

No problems, but we may not have anyone using those services sending mail
to us. Also, most (almost all) normal mail just goes to our main mail
server. I do other things to our secondary MXs. For instance, our main
mail server has confALLOW_BOGUS_HELO defined but our secondary MXs
do not.

>
>--
>
>Cheers
>Res
--
Tom Schulz
schulz [at] adi.com
schulz [ Fr, 07 September 2007 15:53 ] [ ID #1815356 ]

Re: Question about greet-pause

In article <fbpc2g$1lh$1 [at] bluegill.adi.com>,
Thomas Schulz <schulz [at] adi.com> wrote:
>While I did not want to set the GreetPause to such a large value on
>my main mail server, I set it to 65 seconds on my secondary MXs.

It would be very helpful if you would provide a histogram of the
actual timeouts that you see.

:: Jeff Makey
jeff [at] sdsc.edu

Department of Tautological Pleonasms and Superfluous Redundancies Department
jeff [ Mo, 10 September 2007 23:10 ] [ ID #1817034 ]

Re: Question about greet-pause

In article <fc4bs8$1ef3$1 [at] ihnp4.ucsd.edu>, Jeff Makey <jeff [at] sdsc.edu> wrote:
>In article <fbpc2g$1lh$1 [at] bluegill.adi.com>,
>Thomas Schulz <schulz [at] adi.com> wrote:
>>While I did not want to set the GreetPause to such a large value on
>>my main mail server, I set it to 65 seconds on my secondary MXs.
>
>It would be very helpful if you would provide a histogram of the
>actual timeouts that you see.
>
> :: Jeff Makey
> jeff [at] sdsc.edu
>
>Department of Tautological Pleonasms and Superfluous Redundancies Department

The following is a bit crude, but here goes:

Seconds   Hits
0           62
1-5         39
6-10        30
11-15       11
16-20       17
21-25       73
26-30      125
31-35       11
36-40        4
41-45        0
46-50        3
51-55       25
56-62       26

Note that seconds 25 and 26 accounted for 155 (63 & 92).
Seconds 30 and 31 accounted for 30 (21 & 9).
--
Tom Schulz
schulz [at] adi.com
schulz [ Di, 11 September 2007 19:37 ] [ ID #1818024 ]
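Tom's earlier post mentions that Sendmail now logs each connection dropped by GreetPause together with how much of the pause the client waited, and the table above is one way to summarise that. As an added example (mine, not Tom's script and not anything shipped with sendmail), here is a Python log parser that builds the same kind of histogram, plus exact-second and per-client-IP counts, from syslog lines. The log excerpt is constructed for this example and assumes the 8.14-style message "rejecting commands from HOST [IP] due to pre-greeting traffic after N seconds"; the 65-second pause and the 5-second bucket width are parameters.

```python
import re
from collections import Counter

# Constructed syslog excerpt. The message format is assumed to be the one
# sendmail 8.14 emits for GreetPause rejections; hosts and IPs come from
# documentation ranges and the queue ids are made up. One unrelated line
# is included to show that it is ignored.
SAMPLE_LOG = """\
Sep  6 10:01:12 mx2 sendmail[4101]: l86E1CAb004101: rejecting commands from [192.0.2.10] [192.0.2.10] due to pre-greeting traffic after 0 seconds
Sep  6 10:01:40 mx2 sendmail[4107]: l86E1eQk004107: rejecting commands from host17.example.test [198.51.100.17] due to pre-greeting traffic after 3 seconds
Sep  6 10:02:05 mx2 sendmail[4110]: l86E25Fv004110: rejecting commands from [192.0.2.10] [192.0.2.10] due to pre-greeting traffic after 0 seconds
Sep  6 10:02:51 mx2 sendmail[4118]: l86E2pRS004118: rejecting commands from [203.0.113.5] [203.0.113.5] due to pre-greeting traffic after 25 seconds
Sep  6 10:03:30 mx2 sendmail[4121]: l86E3UbM004121: rejecting commands from [203.0.113.9] [203.0.113.9] due to pre-greeting traffic after 26 seconds
Sep  6 10:03:33 mx2 sendmail[4122]: l86E3XcN004122: rejecting commands from [203.0.113.9] [203.0.113.9] due to pre-greeting traffic after 26 seconds
Sep  6 10:04:10 mx2 sendmail[4130]: l86E4AdP004130: from=<alice@example.test>, size=1042, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.test [198.51.100.2]
Sep  6 10:05:59 mx2 sendmail[4140]: l86E5xeR004140: rejecting commands from [192.0.2.77] [192.0.2.77] due to pre-greeting traffic after 60 seconds
"""

GREET_PAUSE_RE = re.compile(
    r"rejecting commands from (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"due to pre-greeting traffic after (?P<secs>\d+) seconds"
)


def parse_rejections(log_text):
    """Yield (client IP, seconds waited) for every GreetPause rejection line."""
    for line in log_text.splitlines():
        m = GREET_PAUSE_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("secs"))


def bucket_label(seconds, pause, width):
    """Bucket like the table in the thread: 0 on its own, then `width`-second
    bins, the last one capped at the configured pause."""
    if seconds == 0:
        return "0"
    low = ((seconds - 1) // width) * width + 1
    high = min(low + width - 1, pause)
    return f"{low}-{high}"


def histogram(log_text, pause=65, width=5):
    """Bucket counts (ordered by seconds), exact-second counts, per-IP counts
    and the total for the rejections in `log_text`."""
    by_bucket, by_second, by_ip = Counter(), Counter(), Counter()
    for ip, secs in parse_rejections(log_text):
        by_bucket[bucket_label(secs, pause, width)] += 1
        by_second[secs] += 1
        by_ip[ip] += 1
    ordered = dict(sorted(by_bucket.items(),
                          key=lambda kv: int(kv[0].split("-")[0])))
    return {"by_bucket": ordered, "by_second": dict(by_second),
            "by_ip": dict(by_ip), "total": sum(by_bucket.values())}


if __name__ == "__main__":
    result = histogram(SAMPLE_LOG)
    print("Seconds   Hits")
    for label, hits in result["by_bucket"].items():
        print(f"{label:<9} {hits:>4}")
    print("repeat offenders:", result["by_ip"])
```

The exact-second counts are what make a table like Tom's actionable: a spike at one particular second (his 25/26 and 30/31) is the signature of a sender with a fixed timer, and comparing it against the pause configured on the main MX tells you whether lowering or raising that pause by a second or two would change anything at all.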