[SLL] Greylisting downsides: Solutions?
Glenn Stone
technoshaman at liawol.org
Tue Jun 12 13:59:19 PDT 2007

On Tue, Jun 12, 2007 at 02:25:52PM -0500, Jeremy C. Reed wrote:
>On Tue, 12 Jun 2007, Glenn Stone wrote:
>
>> So I was just doing something on a major car-rental company's website, and I
>> said to myself, "That's gonna generate an email." So I went into Postgrey's
>> whitelist, added what I *thought* should be the appropriate domain,
>> reloaded, hit SUBMIT, and.... nothing. Checked /var/log/mail.log, there's
>> the attempt, but it HELOed as... who?? Turns out it was a host owned by
>> Postini, who is apparently handling Not Exactly's email for them. (Hertz,
>> for what it's worth, whoever is running their email servers actually has
>> them HELO'ing as hertz.com. Win!)
>
><snip>
>
>> (SPF would be nice, but very few people, including said
>> rent-a-car company, implement it.)
>
>But you mention SPF. And the SPF record for them lists a bunch of IPs --
>what about whitelisting based on that instead?

Ummmm, read what I wrote? Hertz is doing it right. It's $OTHERCOMPANY that
doesn't implement SPF at all that's the problem.

>Somewhere I saw a script that reads SPF records and creates a list of IPs
>(or networks) ready to add to a whitelist.
>
>I have done that some to prepopulate some of my whitelists to bypass my
>spamd greylisting.

This points to the converse problem I have with SPF... Hertz is the first
site I've ever seen that uses -all rather than ~all or even ?all in its
record... and I have yet to see an SPF client that will let me say "if a
sender actually has an SPF record at all, take what he says to be gospel and
hard-fail (or at least, or optionally, 471 soft-bounce) anything that's
not"... I would love to SPF a lot of stuff out of existence; actually doing
so is far easier said than done. (No, I don't have time to hack the source
and test it. I wish I did.)

Glenn
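
The approach mentioned in the thread, reading a sender's SPF record to build a list of networks for a greylisting whitelist, as an added example that is not from the original posts. The sample records, the `lookup` hook and the function names are constructed for illustration, and the one-network-per-line output is an assumption to adapt to your greylister's whitelist format.

```python
import ipaddress

# Constructed sample records (reserved documentation domains and ranges),
# standing in for live DNS TXT answers so the example runs offline.
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 "
                   "include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 ip4:203.0.113.0/28 "
                        "include:example.com ~all",
    "example.org": "v=spf1 redirect=example.com",
}

def spf_networks(domain, lookup, seen=None, max_lookups=10):
    """Return the set of ip4/ip6 networks a domain's SPF record passes.

    lookup(domain) -> SPF TXT string or None (hypothetical resolver hook).
    a, mx, exists and ptr need further DNS queries and are skipped here.
    """
    seen = set() if seen is None else seen
    domain = domain.lower().rstrip(".")
    if domain in seen:                      # include/redirect loop
        return set()
    if len(seen) >= max_lookups:            # RFC 7208 caps lookups at 10
        raise RuntimeError("SPF lookup limit exceeded at " + domain)
    seen.add(domain)
    terms = (lookup(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return set()                        # no SPF record: nothing to list
    nets, redirect = set(), None
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":                   # later terms are never evaluated,
            redirect = None                 # and redirect= is ignored
            break
        elif name.startswith("redirect="):
            redirect = mech.split("=", 1)[1]
        elif qual != "+" or "%" in value:
            continue                        # only plain "pass" terms qualify
        elif name in ("ip4", "ip6"):
            nets.add(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            nets |= spf_networks(value, lookup, seen, max_lookups)
    if redirect:
        nets |= spf_networks(redirect, lookup, seen, max_lookups)
    return nets

def whitelist_lines(domain, lookup=SAMPLE_TXT.get):
    """Sorted CIDR strings, one per whitelist line."""
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return [str(n) for n in sorted(spf_networks(domain, lookup), key=key)]
```

A domain that publishes no SPF record yields an empty list, which is the case the reply above describes: there is nothing to derive a whitelist from.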