Pierre HABOUZIT (*nix forums beginner; joined 16 Apr 2006; 42 posts)
Posted: Mon Jul 10, 2006 5:40 am    Post subject: Re: greylisting on debian.org?
On Mon 10 July 2006 02:17, Matthew R. Dempsky wrote:
> On Sun, Jul 09, 2006 at 05:02:39PM -0700, Thomas Bushnell BSG wrote:
>> Another problem is with hosts that do not accept a message from an
>> MTA unless that MTA is willing to accept replies. This is a common
>> spam prevention measure.
>
> It also prevents mail from setups that use different servers for
> inbound and outbound mail.

which is highly unlikely if you never greylist hosts that are not listed
in RBLs.

so your reproach is completely irrelevant to the suggestion.
--
·O· Pierre Habouzit
··O madcoder@debian.org
OOO http://www.madism.org

Andreas Metzler (*nix forums Guru Wannabe; joined 20 Mar 2005; 170 posts)
Posted: Mon Jul 10, 2006 6:20 am    Post subject: Re: greylisting on debian.org?
Thomas Bushnell BSG <tb <at> becket.net> writes:
> martin f krafft <madduck <at> debian.org> writes:
> [...]
> It assumes, for example, that the remote MTA will use the same IP
> address each time it sends the message.
> [...]

eh no. Standard greylisting practice nowadays (it already was standard when
sarge was released) is to not greylist on host IP but at least on the /27
netblock.
cu andreas
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Henrique de Moraes Holsch (*nix forums Guru; joined 21 Feb 2005; 541 posts)
Posted: Mon Jul 10, 2006 6:50 am    Post subject: Re: greylisting on debian.org?
On Sun, 09 Jul 2006, Thomas Bushnell BSG wrote:
> I don't think I understand just what you're saying. Can you spell out
> the details for me?

Does the second email I sent (with the missing stuff) provide the
clarification you asked for?

> It distresses me that I have said twice now that a "solution" which

Read below. When you do, please remember that many of us consider that a
fully-open system which drowns us in SPAM is also broken, because you do
lose information for failure of locating it among the noise.

> dumb one in my book. I want a solution which specifically *never*
> needs any preset hardcoded "this set of addresses/domains gets a
> pass".

There is no hardcoding. Please use more exact terms. I think I understood
what you wanted to say, but whitelists are not *hardcoded*. They have never
been, they are updated in runtime. So use the proper terms next time.

>> In their dumbest form, match using big, static netmasks like 255.255.128.0.
>> That should give you a hint of what I am talking about.
>
> A hardcoded list is the problem. Got it? A loose hardcoded list is
> still a problem.

What I believe you mean is that for you, a non-perfect solution for
identifying outgoing SMTP clusters is not acceptable, as it gives a non-zero
possibility of permanent delivery failure to a graylisted destination.

Well, there are solutions that are good enough in practice. If you do not
like them because they are not perfect (as in guaranteed zero fail rate),
then there is no solution I know of that will be acceptable to you.

But please remember that people operating outgoing SMTP clusters *want* to
deliver email, and that they are aware of graylisting practices and also of
the diminishing probability of successful delivery when the sending site has
broken DNS configuration, or is listed in popular blacklists and dial-up
IP space lists.

Also, keep in mind that the Debian graylisting proposal specifically states
that graylisting is not to be applied to every single incoming connection,
but rather to those coming from broken DNS sources, and blacklisted sources,
which are extremely unlikely to be the class of sending cluster that would
break graylisting in the first place.

So you do NOT need a perfect theoretical solution to get zero fail rate in
practice for the proposed graylisting scheme. You don't get any guarantees
of a zero fail rate, however.

>> Here's what I understood of what you wrote:
>>
>> Alice wants to send email to Bob. Alice graylists incoming email. Bob does
>> sender verification trying to email people back before accepting a message.
>>
>> You claim Alice cannot send mail to Bob because Bob will attempt to "almost
>> send email back to Alice", thus Bob's verification attempt will be
>> graylisted (with a 4xx), causing Bob to deny the delivery of Alice's message
>> with a 4xx.
>>
>> If that's not correct, please clarify.
>>
>> If it is correct, I am asking you *why* Alice's system will never let Bob's
>> verification probe through (thus allowing her email to be delivered to Bob).
>
> Because Bob never sends a complete email message to Alice.

That is a broken graylist implementation, then. It should be fixed (or
avoided at all costs). Which graylister was that one?

For graylisting, you need to verify that the sender will retry. This is not
done through verification of completed email delivery! It is done as soon
as you got enough information to identify it as the same sender and message.
If the sender will retry, you are to approve him through the graylist
regardless of any delivery taking place.

>> I *can* see a scenario where delivery might never happen (I am ignoring
>> configuration error scenarios on Alice's side), but it depends on Alice also
>> doing the same type of sender verification, and on one or both sides
>> violating RFC 2821.
>
> Doing sender verification and graylisting are both violations of the
> RFCs. You can hardly say "this will work as long as everyone else
> follows the RFC" when you aren't doing so yourself. My point is that

Agreed, you cannot say that. But nobody did say it. And the scenario you
experienced for Alice's failure to deliver email to Bob requires a broken
graylisting implementation that acts in a specific *wrong* way, and that was
the answer to my question.

Now, I am a bit annoyed with the "graylisting violates the RFCs" generic
statement, so I'd really appreciate if you could make it more specific.
Please explain how the idea behind graylisting ("force a host to retry a
SMTP transaction at a later time") violates RFC 2821. RFC 2821, AFAIK,
requires that the sending side deal with that scenario, and anyone who
doesn't deal with it is the one violating the RFC.

There is an issue with current graylisting implementations that *I know of*
(and I certainly am no expert in the area), in that they *will* fail to
recognize shared-queue outgoing clusters in theory, and *may* fail to do so
in practice (depends on such cluster deployments failing to match known
patterns). This has nothing to do with RFC 2821 except if you go into
subjective "in spirit" violations. Was this the violation you were talking
about when referring to graylisting?

> If your system causes any RFC-compliant mail to lose, then your system
> loses. So far you have argued at best that you are willing to ignore
> the cases where it loses. Great. I'm not.

Actually, I am ALSO arguing that these cases are probably not going to
happen in practice, now that graylisting is far more mature and widely used.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Marc Haber (*nix forums Guru; joined 20 Feb 2005; 646 posts)
Posted: Mon Jul 10, 2006 7:40 am    Post subject: Re: greylisting on debian.org?
On Mon, 10 Jul 2006 06:15:55 +0000 (UTC), Andreas Metzler
<ametzler@downhill.at.eu.org> wrote:
> Thomas Bushnell BSG <tb <at> becket.net> writes:
>> martin f krafft <madduck <at> debian.org> writes:
>> [...]
>> It assumes, for example, that the remote MTA will use the same IP
>> address each time it sends the message.
>> [...]
>
> eh no. Standard greylisting practice nowadays (it already was standard when
> sarge was released) is to not greylist on host IP but at least on the /27
> netblock.

So you will whitelist the spamming customer in the same rack farm as
your bona fide communications partner.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mail address in the header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

martin f krafft (*nix forums Guru; joined 01 Mar 2005; 360 posts)
Posted: Mon Jul 10, 2006 8:00 am    Post subject: Re: greylisting on debian.org?
thus spoke Marc Haber <mh+debian-devel@zugschlus.de> [2006.07.10.0930 +0200]:
>> eh no. Standard greylisting practice nowadays (it already was
>> standard when sarge was released) is to not greylist on host IP
>> but at least on the /27 netblock.
>
> So you will whitelist the spamming customer in the same rack farm
> as your bona fide communications partner.

That's better than not greylisting anyone. Nobody is trying to
design the perfect spam filter. We just want to reduce spam on
debian.org.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer and author: http://debiansystem.info
`. `'`
`- Debian - when you have better things to do than fixing a system
"prisons are built with stones of law,
brothels with bricks of religion."
-- william blake

Marco d'Itri (*nix forums Guru; joined 03 Apr 2005; 401 posts)
Posted: Mon Jul 10, 2006 10:40 am    Post subject: Re: greylisting on debian.org?
On Jul 10, Thomas Bushnell BSG <tb@becket.net> wrote:
> I am concerned that you not use a spam-defeating technique which
> blocks perfectly legitimate and standards-compliant email.

Then why are you not loudly complaining about the antispam software
currently applied to our mail lists and BTS, which silently discards
mail that appears to be spam?

Silently discarding legitimate email is a problem, rejecting legitimate
email is at best an annoyance.
--
ciao,
Marco

Matthew R. Dempsky (*nix forums Guru Wannabe; joined 11 Mar 2006; 110 posts)
Posted: Mon Jul 10, 2006 3:00 pm    Post subject: Re: greylisting on debian.org?
On Mon, Jul 10, 2006 at 07:39:19AM +0200, Pierre Habouzit wrote:
> On Mon 10 July 2006 02:17, Matthew R. Dempsky wrote:
>> On Sun, Jul 09, 2006 at 05:02:39PM -0700, Thomas Bushnell BSG wrote:
>>> Another problem is with hosts that do not accept a message from an
>>> MTA unless that MTA is willing to accept replies. This is a common
>>> spam prevention measure.
>>
>> It also prevents mail from setups that use different servers for
>> inbound and outbound mail.
>
> which is highly unlikely if you never greylist hosts that are not listed
> in RBLs.

This has nothing to do with greylisting. ``It'' above refers to ``Not
accepting messages from an MTA unless that MTA is willing to accept
replies'', not ``graylisting''.

Adrian von Bidder (*nix forums Guru Wannabe; joined 05 Mar 2005; 206 posts)
Posted: Mon Jul 10, 2006 3:40 pm    Post subject: Re: greylisting on debian.org?
On Sunday 09 July 2006 15:48, Martijn van Oosterhout wrote:
[greylisting]
> The point was about mailers sending mail to debian. If they receive a
> 4xx they have to queue the mail and retry later. It's cheap for
> debian, but expensive for everyone else.

Does anybody have sensible numbers about that?

On my relatively small server, I usually have between 0 and 40 messages in
the deferred queue. Of those, up to 1 or 2 are due to greylisting. All
others are because recipients have crap mailservers or nameservers.

As madduck said: either you are small, so your mailserver isn't loaded
anyway, or you're big, so the additional load from greylisting isn't
noticeable, or you're a spammer.

Hmm. Discussing mail problems on irc while answering mailing list mail in a
mail setup related mail thread mail confuses me mail. can't mail stop mail.

cheers
-- mail
--
Perl: The Swiss Army Chainsaw

Adrian von Bidder (*nix forums Guru Wannabe; joined 05 Mar 2005; 206 posts)
Posted: Mon Jul 10, 2006 4:00 pm    Post subject: Re: greylisting on debian.org?
On Monday 10 July 2006 02:17, Matthew R. Dempsky wrote:
> On Sun, Jul 09, 2006 at 05:02:39PM -0700, Thomas Bushnell BSG wrote:
>> Another problem is with hosts that do not accept a message from an MTA
>> unless that MTA is willing to accept replies. This is a common spam
>> prevention measure.
>
> It also prevents mail from setups that use different servers for inbound
> and outbound mail.

Hmm. I've not seen this kind of sender verification. As I know it, the
receiving MX connects the regular MX for the sender address to see if
*that* is ready to receive mail. Works beautifully if outbound != inbound.

While very effective, this is admittedly the kind of spam prevention measure
which puts some load on the systems on both ends.

cheers
-- vbi
--
featured product: the KDE desktop - http://kde.org

Adrian von Bidder (*nix forums Guru Wannabe; joined 05 Mar 2005; 206 posts)
Posted: Mon Jul 10, 2006 4:20 pm    Post subject: Re: greylisting on debian.org?
On Monday 10 July 2006 06:58, Thomas Bushnell BSG wrote:
> Doing sender verification and graylisting are both violations of the
> RFCs.

Which RFCs and where, exactly? Specific filename, version and line numbers,
as Kimball would say it.

AFAICT, the protocol allows the receiving end to temporarily reject email,
and the sending end will retry. AFAICT QUIT is allowed after RCPT TO to
abort a mail transaction - and sender verification is no different from a
normal mail transaction in the view of the receiver.

-- vbi
--
featured link: http://fortytwo.ch/smtp

Blu Corater (*nix forums beginner; joined 10 Jul 2006; 1 post)
Posted: Mon Jul 10, 2006 4:30 pm    Post subject: Re: greylisting on debian.org?
On Mon, Jul 10, 2006 at 05:57:45PM +0200, Adrian von Bidder wrote:
> On Monday 10 July 2006 02:17, Matthew R. Dempsky wrote:
>> On Sun, Jul 09, 2006 at 05:02:39PM -0700, Thomas Bushnell BSG wrote:
>>> Another problem is with hosts that do not accept a message from an MTA
>>> unless that MTA is willing to accept replies. This is a common spam
>>> prevention measure.
>>
>> It also prevents mail from setups that use different servers for inbound
>> and outbound mail.
>
> Hmm. I've not seen this kind of sender verification. As I know it, the
> receiving MX connects the regular MX for the sender address to see if
> *that* is ready to receive mail. Works beautifully if outbound != inbound.
>
> While very effective, this is admittedly the kind of spam prevention measure
> which puts some load on the systems on both ends.

Actually, I don't see it as spam prevention. It is a means to lock oneself
out of broken|fascist mail servers and let their users know that it is their
server blocking legitimate email and not my users ignoring them. There is no
point in accepting a message that cannot be answered (or bounced). The
spam prevention is only a nice side effect.
--
Blu.

Stephen Gran (*nix forums Guru Wannabe; joined 27 Feb 2005; 223 posts)
Posted: Mon Jul 10, 2006 4:50 pm    Post subject: Re: greylisting on debian.org?
This one time, at band camp, Thomas Bushnell BSG said:
> martin f krafft <madduck@debian.org> writes:
>> Anyway, I'll be interested to hear a summary of their arguments, as
>> Christian Perrier requested. I find it hard to imagine how properly
>> configured greylisting should cause any problems.
>
> It's a violation of the standard. It is especially problematic,
> because it is a violation against the spirit of being liberal in what
> you accept, and conservative in what you require.

Sadly, those days may be coming to an end.

> It assumes, for example, that the remote MTA will use the same IP
> address each time it sends the message. If the remote MTA is a big
> server farm, with a lot of different hosts that could be processing
> the mail, what is your strategy for preventing essentially infinite
> delay?

I use a greylist implementation that autowhitelists after a configurable
number of successful retries for a tuple. Assuming you mean places like
yahoo or aol, the essentially infinite delay you speak of has never been
an issue so far. They all end up whitelisted after a while, and then
mail from them proceeds without delay. Assuming the number of users
debian has, it shouldn't take very long to record hits for all of their
outbound servers.

> Another problem is with hosts that do not accept a message from an MTA
> unless that MTA is willing to accept replies. This is a common spam
> prevention measure. The graylisting host cannot then send mail to
> such sites until they've been whitelisted, because when they try the
> reverse connection out, it always gets a 4xx error. I've been bitten
> by this one before.

That is an odd implementation of sender callouts designed by someone who
doesn't understand SMTP, and is not really an issue for the conversation
at hand. Normal sender callouts, which route the message to the public
MX, have their pros and cons, but it's not under discussion at the
moment.
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran@debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
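As an added illustration (not code from this thread nor from any greylister mentioned in it), the following Python models the behaviour described in Andreas Metzler's, Henrique Holschuh's and Stephen Gran's posts: state keyed on the client's /27 netblock, approval at RCPT TO on the first retry after a minimum delay (so a sender-verification probe that QUITs after RCPT TO is still learned as a retrying sender), auto-whitelisting of the netblock after a configurable number of successful retries, and greylisting applied only to broken-DNS or blacklisted sources as the Debian proposal states. The addresses, delays, hit counts and the `broken_dns`/`blacklisted` flags are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model of the decisions discussed in the thread, not any real
# greylister's code. State is keyed on the client's /27 netblock, not its host
# address, so a retry from another host of the same cluster matches.
TEMPFAIL = "450 4.7.1 greylisted, please retry later"
ACCEPT = "250 OK"


def netblock(client_ip: str, prefix: int = 27) -> str:
    """Collapse a client address to its /27 (e.g. 192.0.2.30 -> 192.0.2.0/27)."""
    return str(ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False))


@dataclass
class Greylist:
    min_delay: int = 300            # seconds before a retry is accepted
    auto_whitelist_hits: int = 3    # accepted retries before a netblock is whitelisted
    pending: dict = field(default_factory=dict)   # (block, sender, rcpt) -> first seen
    hits: dict = field(default_factory=dict)      # block -> accepted retries so far
    whitelist: set = field(default_factory=set)   # netblocks that skip greylisting

    def rcpt_to(self, client_ip, sender, rcpt, now, broken_dns=False, blacklisted=False):
        """Decide at RCPT TO time; only flagged (broken-DNS or blacklisted) sources are greylisted."""
        block = netblock(client_ip)
        if block in self.whitelist or not (broken_dns or blacklisted):
            return ACCEPT
        key = (block, sender.lower(), rcpt.lower())
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now
            return TEMPFAIL                     # first sighting: ask for a retry
        if now - first_seen < self.min_delay:
            return TEMPFAIL                     # retried too early: keep waiting
        # A retry after the delay proves a queueing sender: approve it now,
        # whether or not a DATA phase follows (a callout probe QUITs here).
        del self.pending[key]
        self.hits[block] = self.hits.get(block, 0) + 1
        if self.hits[block] >= self.auto_whitelist_hits:
            self.whitelist.add(block)
        return ACCEPT


def cluster_scenario():
    """Constructed: a blacklisted-flagged cluster retries from another host of
    the same /27, then a host from the neighbouring /27 shows up."""
    g = Greylist()
    a = g.rcpt_to("192.0.2.1", "a@example.org", "b@example.net", now=0, blacklisted=True)
    b = g.rcpt_to("192.0.2.30", "a@example.org", "b@example.net", now=600, blacklisted=True)
    c = g.rcpt_to("192.0.2.40", "a@example.org", "b@example.net", now=700, blacklisted=True)
    return a, b, c


def callout_scenario():
    """Constructed: Bob's MX probes Alice's greylisting MX with MAIL FROM:<> and
    QUITs after RCPT TO; each second probe is still approved, and after enough
    approved retries the netblock is whitelisted, so a fresh message passes."""
    g = Greylist()
    replies = []
    for i in range(g.auto_whitelist_hits):
        rcpt = f"user{i}@alice.example"
        replies.append(g.rcpt_to("198.51.100.9", "<>", rcpt, now=i * 1000, broken_dns=True))
        replies.append(g.rcpt_to("198.51.100.9", "<>", rcpt, now=i * 1000 + 400, broken_dns=True))
    fresh = g.rcpt_to("198.51.100.20", "bob@bob.example", "alice@alice.example", now=9999, broken_dns=True)
    return replies, fresh
```

The third result of `cluster_scenario` also shows Marc Haber's point from the other direction: a host just outside the /27 shares nothing with the cluster, while anything inside it inherits the cluster's whitelisting.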

Henrique de Moraes Holsch (*nix forums Guru; joined 21 Feb 2005; 541 posts)
Posted: Mon Jul 10, 2006 5:00 pm    Post subject: Re: greylisting on debian.org?
On Mon, 10 Jul 2006, Adrian von Bidder wrote:
> On Monday 10 July 2006 02:17, Matthew R. Dempsky wrote:
>> On Sun, Jul 09, 2006 at 05:02:39PM -0700, Thomas Bushnell BSG wrote:
>>> Another problem is with hosts that do not accept a message from an MTA
>>> unless that MTA is willing to accept replies. This is a common spam
>>> prevention measure.
>>
>> It also prevents mail from setups that use different servers for inbound
>> and outbound mail.
>
> Hmm. I've not seen this kind of sender verification. As I know it, the
> receiving MX connects the regular MX for the sender address to see if
> *that* is ready to receive mail. Works beautifully if outbound != inbound.

And sets the envelope sender to what in the probe?
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Thomas Bushnell BSG (*nix forums Guru; joined 20 Feb 2005; 806 posts)
Posted: Mon Jul 10, 2006 5:10 pm    Post subject: Re: greylisting on debian.org?
martin f krafft <madduck@debian.org> writes:
> That's better than not greylisting anyone. Nobody is trying to
> design the perfect spam filter. We just want to reduce spam on
> debian.org.

A perfect spam filter is one which catches all spam and bounces no
valid mail. Saying "we aren't trying to be perfect" is ambiguous
about which imperfections you are willing to tolerate.

I would like you to be explicit and clear about which valid mail you
will be bouncing, rather than vague and inspecific.

Thomas Bushnell BSG (*nix forums Guru; joined 20 Feb 2005; 806 posts)
Posted: Mon Jul 10, 2006 5:10 pm    Post subject: Re: greylisting on debian.org?
Andreas Metzler <ametzler@downhill.at.eu.org> writes:
> Thomas Bushnell BSG <tb <at> becket.net> writes:
>> martin f krafft <madduck <at> debian.org> writes:
>> [...]
>> It assumes, for example, that the remote MTA will use the same IP
>> address each time it sends the message.
>> [...]
>
> eh no. Standard greylisting practice nowadays (it already was standard when
> sarge was released) is to not greylist on host IP but at least on the /27
> netblock.

Then, "it assumes, for example, that the remote MTA will use the same
/27 netblock each time it sends the message."

Thomas