greylisting 4xx patterns [Aug. 17th, 2006|04:01 pm]
Brad Fitzpatrick

We're building a list of error messages as given out by greylisting email servers so we can pattern-match on it and re-schedule the email exactly when we're told it's okay to.

Here's the patterns we've seen so far:
451 Greylisting enabled, try again in 1 minutes
451 4.7.1 Greylisting in action, please come back in 00:09:00
451 4.7.1 Greylisting in action, please come back later
450 <xxx@xxx.com>: Recipient address rejected: Greylisted for 181 seconds
450 4.7.1 <xxx@xxx.com>: Recipient address rejected: Greylisted for 300 seconds (see http://isg.ee.ethz.ch/tools/postgrey/help/xxxxxx.html)
450 <livejournal.com[204.9.177.18]>: Client host rejected: Policy Rejection- GreyList learning. Please try later.
450 <xxx@xxx.com>: Recipient address rejected: Policy Rejection- Hotkey Greylisting in progress ... Please try again after 2 minutes
451 sender/recip/ip triad greylisted; retry AFTER A DECENT INTERVAL will succeed
450 <xxx@xxx.com>: Recipient address rejected: Greylisting in action. Please try delivery again in 240 seconds.
451 4.3.0 Temporarily greylisted as anti-spam measure.  Please try again.
451 <xxx@xxx.com>: Recipient address rejected: Service is greylisted.  Waiting for retransmit.
etc, etc.

Think I need to write a CPAN module just to return the number of seconds to retry given a string.
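A parser for the replies quoted above, written here as an added Python example (it is not Brad's CPAN module or LiveJournal's code): it recognises the three shapes the list shows (hh:mm:ss clocks, "N seconds/minutes", and spelled-out numbers like "five minutes" as seen in Postfix logs), falls back to a default when the server states no interval, and clamps the result because the remote server controls the string. The sample replies and the clamp bounds are constructed for the example.

```python
import re
from typing import Optional

# Constructed sample replies: the patterns quoted in the post plus the
# "five minutes" wording from the Postfix log in the comments.
SAMPLE_REPLIES = [
    "451 Greylisting enabled, try again in 1 minutes",
    "451 4.7.1 Greylisting in action, please come back in 00:09:00",
    "451 4.7.1 Greylisting in action, please come back later",
    "450 <xxx@xxx.com>: Recipient address rejected: Greylisted for 181 seconds",
    "450 <xxx@xxx.com>: Recipient address rejected: Policy Rejection- Hotkey "
    "Greylisting in progress ... Please try again after 2 minutes",
    "451 4.7.1 Greylisting in action, please come back in five minutes",
    "250 2.0.0 Ok: queued as 7A0EE20044",
]

WORD_NUMBERS = {"one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
                "ten": 10, "fifteen": 15, "thirty": 30}
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600}
# The text is chosen by the remote server, so clamp what we believe:
# never retry instantly, never let a reply park the message for days.
MIN_RETRY, MAX_RETRY = 60, 4 * 3600  # assumed bounds for this example

_CLOCK = re.compile(r"\b(\d{1,2}):(\d{2}):(\d{2})\b")
_QTY = re.compile(r"\b(\d+|[a-z]+)\s+(second|minute|hour)s?\b", re.I)


def is_greylist_reply(reply: str) -> bool:
    """True for a 4xx SMTP reply whose text mentions greylisting."""
    return reply[:1] == "4" and "greylist" in reply.lower()


def retry_seconds(reply: str, default: int = 300) -> Optional[int]:
    """Seconds to wait before retrying; None if not a greylisting 4xx."""
    if not is_greylist_reply(reply):
        return None
    seconds = None
    if m := _CLOCK.search(reply):           # "00:09:00" style
        h, mi, s = (int(x) for x in m.groups())
        seconds = h * 3600 + mi * 60 + s
    elif m := _QTY.search(reply):           # "181 seconds", "five minutes"
        qty, unit = m.group(1).lower(), m.group(2).lower()
        n = int(qty) if qty.isdigit() else WORD_NUMBERS.get(qty)
        if n is not None:
            seconds = n * UNIT_SECONDS[unit]
    if seconds is None:                     # "please come back later"
        return default
    return max(MIN_RETRY, min(MAX_RETRY, seconds))
```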

Comments:
(Deleted comment)
From: brad
2006-08-17 11:04 pm (UTC)
Gotta find what greylister says that and read its source, eh?
(Deleted comment)
(Deleted comment)
From: scsi
2006-08-17 11:08 pm (UTC)
I always thought greylisting was sorta a jinky idea.. I've had a lot of receipts (mostly airlines) blocked because their MTA blows and doesn't retry when it gets the initial greylist 4xx.
From: brad
2006-08-17 11:12 pm (UTC)
Yeah, pretty pathetic on their MTA's side.
From: xlerb
2006-08-18 10:19 am (UTC)
I've heard the word “Lotus” used in connection with this particular, ah, feature.
From: jmason
2006-08-18 11:01 am (UTC)
There are many sending MTAs that need to be whitelisted before greylisting works reliably. That's the big problem with it, IMO -- it's actually pretty labour-intensive to operate, and false positives are hard to rescue.
From: davidphillips
2006-08-21 04:20 am (UTC)
I implemented greylisting a few weeks ago and it had a dramatic decrease on my spam volume. Any MTA that can't implement RFC 821 properly (it's relatively new at 24 years old) is going to lose a lot of mail.

Do you have a list of such senders / MTAs?
From: burr86
2006-08-17 11:15 pm (UTC)
I call "Not It" on being the monkey who has to fill in the captchas for Earthlink. :P
From: brad
2006-08-18 12:09 am (UTC)
Screw that. They don't deserve email.
From: edm
2006-08-18 01:25 am (UTC)

Greylisting captchas

"In order to continue using LiveJournal we need to be sure that you're a human and not a robot. Please type in the text in this image below. [Image scraped from Earthlink]" Followed by backending the answer into Earthlink.

A lot of problems are solved by the Chinese Television/Lottery approach. And here you don't even have to promise anything new since you've got a captive user base that'd probably (mostly) silently accept it.

But more generally I've almost given up on email being reliable for any use these days. Greylisting just seems like a last ditch attempt to escalate the war, and seems to be resulting in spammers preferring to gain control of webmail, etc, services which feed into real MTAs to do their dirty work. I know people say "it seems to work" at present, but that's been true of every other escalation step on the anti-spam side... for a while. And unlike some of these steps, greylisting makes things worse for non-spammers too, in a way that it seems we'll never be able to undo. Sigh.

Parsing the greylisting messages and retrying exactly on time sounds like a good work around, though.

Ewen
From: fanf
2006-08-21 06:07 pm (UTC)
Earthlink's CAPTCHAs are so incredibly lame that a trivial program can answer them correctly. So you can automate the process of letting through forged spam to Earthlink users :-)

http://www.cl.cam.ac.uk/~rnc1/cr/earthlink.html
From: taral
2006-08-17 11:55 pm (UTC)
450 4.7.1 <xxx@xxx.com>: Recipient address rejected: Policy Rejection- Please try later.

= postfix-policyd, 4 minutes by default (in debian).
From: brad
2006-08-18 12:08 am (UTC)
Thanks!
From: legolas
2006-08-18 12:04 am (UTC)
I find it funny (unless you have to work with it like you do, I guess) that all these servers return human readable text to indicate how long you should wait.
What, they think everyone types their mail directly in a connection to the smtp host (whose address we got from the mx records manually)??

I wonder if they can even just process their own text replies, let alone what others reply...
From: brad
2006-08-18 12:09 am (UTC)
No kidding.
From: mendel
2006-08-18 12:35 am (UTC)
No, it's for the humans, just different ones than you expected. When one of my users sends mail to a greylist-protected address, my mailserver log contains something like

Aug 16 17:11:20 smtp postfix/qmgr[22481]: 7A0EE20044: from=<alice@example.net>, size=4622, nrcpt=2 (queue active)
Aug 16 17:11:33 smtp postfix/smtp[26334]: 7A0EE20044: to=<bob@example.com>, relay=mail.example.com[192.168.0.1], delay=13, status=deferred (host mail.example.com[192.168.0.1] said: 451 4.7.1 Greylisting in action, please come back in five minutes (in reply to RCPT TO command))
and then when Alice opens a trouble ticket because she sent Bob mail and it never arrived, I can look at the logs and tell her why. If I find the mail still hasn't delivered after a few attempts over the course of an hour, then the "five minutes" part tells me I should probably give the postmaster at example.com a shout to see what's up.
(Deleted comment)
From: feren
2006-08-18 01:31 am (UTC)

Evil, filthy spammers. They're like Hobbits but more filthy.

You hit the nail on the head when you said the people who write and use this just don't care. I've met a few of the folks who think SORBS is a really great idea and yes, this is exactly the case because of how they think -- collateral damage is completely acceptable in their world. Breaking known process/RFC? Too bad, they're stopping spam! Dumping mail that other people are expecting, based entirely on faulty and arbitrary information? Too bad, they're stopping spam! Violating the basic Internet precept of "be conservative in what you send and generous in what you receive?" Too bad, they're stopping spam!
I think this may be because they're in control of their own mail system and don't actually have paying users who expect mail to work. My users, who know only that their mail did not get delivered to a particular site, don't care that our mail relay got tagged as a spamfeed (even though it isn't... it's just relaying mail to/from an enterprise of >2,000 people). They just know it's broke and that it should be fixed, and what do I mean it's out of my hands?

So yeah, in my world these things are great in theory but in practice they cause as much damage as they prevent.
From: quelrod
2006-08-20 08:59 pm (UTC)
You are so incredibly correct. I was testing out a blacklist on a personal server to ensure it wasn't overly restrictive. Well, at one point it had blacklisted yahoo, hotmail, and gmail. Better yet all the mail from those hosts that hit my server was all legitimate email from friends and family. I followed that up by never using that blacklist again.
From: ospf_ripe
2006-08-18 05:44 pm (UTC)
I think developers of greylisting software should choose a standard text for the 45x reply. If such a paper were published at greylisting.org, many different implementations would use the standard reply text.