3
Greylisting... Again
Question asked by Sabatino - 7/21/2021 at 1:12 AM
Answered
SmarterMail Enterprise 100.0.7866.26361 (lug 15, 2021) 

I'm studying greylisting again

Years go by and inevitably I ask myself the question: is it still a method worth using?

The disadvantage of the delay is always there to remind me that I have to be careful.

Of course with smartermail the situation is better given the presence of the exception ip already compiled.

Here are some questions:

1) who keeps this list updated?

2) Does Trusted Domains and Trusted email address also affect the greylist filter or only the antispam?

3) There is a confusion on the statistics that does not allow me to understand the effectiveness of the greylist. If we go to the reports and analyze greylisted connections, the daily values are indicated for Passed, Blocked, Total at the trend and domains level. But if I then choose a single domain the same numbers are presented as Connections Allowed, Connections Delayed, Total

You understand that there is a big difference between blocked and delayed.

I would like to statistically understand how many connections are blocked to the greylist and how many are simply delayed. And this report data is really confusing.

Also given a domain, a user would be useful to see the sender, recipient, ip, date time, authorized, pending, expired pairs for record expirations or for Pass Period expiretion
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy

7 Replies

Reply to Thread
1
Zach Sylvester Replied
Employee Post Marked As Answer
Hello Sabatino,

Here are the answerers to your questions. 

1. Who Keeps the lists updated?
This list was made in-house we make sure that it's updated.

2.Does Trusted Domains and Trusted email address also affect the greylist filter or only the antispam? 
Trusted Domains and Senders will bypass Greylisting

3.There is confusion on the statistics that does not allow me to understand the effectiveness of the greylist. If we go to the reports and analyze greylisted connections, the daily values are indicated for Passed, Blocked, Total at the trend and domains level. But if I then choose a single domain the same numbers are presented as Connections Allowed, Connections Delayed, Total 

We have an audit of the reports being done this will likely be changed in the future to be more intuitive. 

Please let me know if you have any questions. 

Best Regards, 

Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
3
David Sovereen Replied
We find greylisting to be very effective in stopping zero-hour (for which definitions aren't yet aware) and botnet/virus-induced spam (which is rarely retried).  While the stats in Smartermail make it difficult to know its effectiveness, it is/was noticeable by end users (we had to disable it due to performance problems that were corrected in a fairly recent build).

I wish that instead of creating a Whitelist of chosen larger Email Service Provider IP blocks, Smartertools would implement SPF-aware greylisting so that greylisting worked well for all ESPs, large and small, who send mail from multiple IPs, and not just the ones Smartertools has chosen to include in its whitelist.  https://poolp.org/posts/2019-12-01/spf-aware-greylisting-and-filter-greylist/

I've requested the above several times.  I should probably create a thread just for it and see if others are interested and would "me too" it.

Dave
1
Sabatino Replied
I have seen another one called adaptive grelisting working on another mailserver

The concept is to consider everything good in the first connection. But then if the antispam score is high, the subsequent connections from that server start using greylisting
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
1
Churchweb Support Replied
As an approximation to SPF-aware greylisting, we have Greylist Weight Threshold enabled and set to -1, which has worked really well for us over the years, particularly with SmarterMail’s built-in greylist bypass list and manual additions for our own servers.

A passed SPF check (0 weight), along with any whitelisting (negative weight) from DNSBLs like SenderScore, DNSWL or Abusix allows smaller, but well-run, servers through without any greylisting.
0
Sabatino Replied
This last solution makes me ask many questions.

The greylisting technique helps to avoid server workloads due to spam checks. If I apply the greylist only after calculating the scores it becomes useless. Technically antispam, uribl should intercept almost all spam, perhaps not zerotime spam.
But always having the score calculated before applying the greylist does not seem like a good solution.
Sabatino Traini Chief Information Officer Genial s.r.l. Martinsicuro - Italy
0
Andrew Lupton Replied
Just curious:

    1. Who Keeps the lists updated?
    This list was made in-house we make sure that it's updated.

Where is the updated list? MS has apparently significantly expanded the number of IP ranges for Office 365 and I'm getting complaints that my mail users are not getting mail from others with 0365. I turned off Greylisting and the mail started coming in. 

Do the lists only get updated if we update SM to the latest version?

1
Douglas Foster Replied
Maintaining an IP address list has always seemed like the wrong approach for greylisting.    Instead, we should exempt based on server host name as long as the name forward-confirms to the source IP address.   It is much easier to exempt "outbound.protection.outlook.com", "google.com", or "bnc.salesforce.com" than to attempt to track all of the IP addresses that are used by these large server farms.   Based on my data collection, I can observe that "outbound.protection.outlook.com" servers will reliably pass fcDNS on the Reverse DNS name, but rarely on the HELO name.   Most other large server farms will reliably pass fcDNS on the HELO name.    From a risk management standpoint, the difference between HELO and ReverseDNS does not really matter.   All that matters is that the name is a trusted source and the name can be forward-confirmed with DNS to the Source IP.   This design will also be a much cleaner solution for sites that want to supplement the greylist exemptions with additional server organizations.

EDIT:  I just submitted a feature request to this effect.

Reply to Thread