[SLL] Greylisting downsides: Solutions?

Jeremy C. Reed reed at reedmedia.net
Tue Jun 12 14:32:57 PDT 2007 

On Tue, 12 Jun 2007, Glenn Stone wrote:

> >On Tue, 12 Jun 2007, Glenn Stone wrote:
> >
> >> So I was just doing something on a major car-rental company's website, and I
> >> said to myself, "That's gonna generate an email."  So I went into Postgrey's
> >> whitelist, added what I *thought* should be the appropriate domain,
> >> reloaded, hit SUBMIT, and.... nothing.  Checked /var/log/mail.log, there's
> >> the attempt, but it HELOed as... who??  Turns out it was a host owned by
> >> Postini, who is apparently handling Not Exactly's email for them.  (Hertz,
> >> for what it's worth, whoever is running their email servers actually have
> >> them HELO'ing as hertz.com.  Win!)  
> >
> ><snip>
> >
> >> (SPF would be nice, but very few people, including said
> >> rent-a-car company, implement it.) 
> 
> >But you mention SPF. And the SPF record for them lists a bunch of IPs -- 
> >what about whitelisting based on that instead?
> 
> Ummmm, read what I wrote?  Hertz is doing it right.  It's $OTHERCOMPANY that
> doesn't implement SPF atall that's the problem.  

Sorry I didn't understand that. I looked back at the original email and it 
never said $OTHERCOMPANY and I couldn't find any mention of the company. I 
don't know what "Not Exactly's" means but I really read your email to mean 
you were talking about Hertz. I read your email to say that Postini's mail 
servers used "hertz.com" as the HELO when relaying Hertz.com emails. I 
re-read this a couple times and I read it different ways each time :)

I feel that if you want help you should not make it difficult to reply. I 
tried to give an honest and friendly response based on what I read and how 
I understood it. But being told "Ummmm, read what I wrote?" makes me not 
want to respond and may scare other readers from assisting in the future.

> >Somewhere I saw a script that reads SPF records and creates a lists of IPs 
> >(or networks) ready to add to a whitelist.
> >
> >I have done that some to prepopulate some of my whitelists to bypass my 
> >spamd greylisting.
> 
> This points to the converse problem I have with SPF... Hertz is the first
> site I've ever seen that uses -all rather than ~all or even ?all in its
> record...

Good point. On a case-by-case basis I assume -all even if they don't say 
it. (But I do that manually when pre-seeding my whitelists only for some 
major mail providers.)

Some admins assume that -all also automatically.

> and I have yet to see an SPF client that will let me say "if a
> sender actually has an SPF record atall, take what he says to be gospel and
> hard-fail (or at least, or optionally, 471 soft-bounce) anything that's
> not"... I would love to SPF a lot of stuff out of existence; actually doing
> so is far easier said than done.  (No, I don't have time to hack the source
> and test it.  I wish I did.)  

  Jeremy C. Reed

More information about the linux-list mailing list