An option to greylist non-secure SMTP connections over port 25
Idea shared by Steve Norton - 2/20/2019 at 12:32 PM
Proposed
In my analysis of the past 2 weeks I can see that 99+% of Spam does not use STARTTLS, they can't get through the volume they need to if they were to implement extra commands and take a hit on the computational cost of encryption.
I also see that 97+% of legitimate email uses STARTTLS which every good administrator would configure their server to do.
If Smartermail could respond with a greylisting message if it does not receive "cmd: STARTTLS" after "rsp: 250-mail.domain.name Hello [65.55.52.234]250-SIZE 31457280250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK" wouldn't this reduce the number of unknown good senders that get greylisted?
Would that be easy to code?

7 Replies

Reply to Thread
0
Matt Petty Replied
Employee Post
Could potentially work, greylisting can already be setup to greylist based on a certain SMTP weight threshold. Adding some additional logic to check if the weight is above a certain value OR the session was not secure could add the desired functionality. A setting would need to be added somewhere to control this behavior as well.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
It would cover all the domains that the default greylist filters achieve and millions more legitimate senders like me, you and all of your customers. It allows for new IP ranges to be added by the likes of G/Hotmail without the need to adjust the greylist filters as today's default configuration would require. It's then up to the Spammers to work this out and start encrypting mail but I'd expect us all to be ahead of them for a few years at least.
Another thought that would sit in the same piece of code would be to add a delay (30 - 45 seconds for example) if the STARTTLS command was not submitted (with or without greylisting), Spammers would have moved on at that stage but legitimate/unencrypted email would wait for a response.
3
If not greylisting, could we have an Antispam check for 'STARTTLS not used' so that we can add weight to email accepted without encryption?
2
Steve, all excellent ideas! If the stats are accurate that 99% of messages coming in through a non-secure connection are spam, then adding a weight to those messages would be a simple solution. Thumbs up.

I wonder how risky it would be to just reject messages that don't use TLS.

Kevin
0
+1 for Steve's idea
0
@Kevind @jade-d thanks for the votes guys.
@Kevind the Google transparency reports say that in the past few years 90+% of email is delivered over TLS, this is slightly higher than my report for this month of delivered non-spam so we're still far from a position where we can outright block unsecure email, although I've made good progress here in the UK this past 9 months having worked with BT to use TLS which they haven't been doing for the past 8-10 years :(
They used to use cpcloud.co.uk who had a 'not bothered' approach to STARTTLS, BT appear to be removing evidence of the events. I replied to this which has been removed from the forum.
0
If there was a 'Spam Check' for not using STARTTLS it could be the same as 'Null Sender' as it can act on incoming SMTP and/or spool filtering adding weight as we see fit.

Reply to Thread