Criteria for release from greylist purgatory

KatyComputer

Well-Known Member
Sep 26, 2019
St Louis
katycomputer.com
What are the criteria used to accept email when greylisting is active?

Is it knock once, gain admission in an hour, knock three times, gain admission?

Can these parameters be changed?

When a message is RBL rejected, is there a mechanism to greylist its IP address and/or network for 24 hours?
 
So you probably know what the basic idea of greylisting is; for anybody else, Wikipedia actually summarizes it quite well: https://en.wikipedia.org/wiki/Greylisting#How_it_works

Is it knock once, gain admission in an hour, knock three times, gain admission?

It's receive once, be unknown -> defer, then we have a 3 minute greylist delay window. The sender is expected to retry sending a bit later as defined in SMTP, but only after that window has passed, else it's not a valid retry. Spammers normally do not retry at all, or too fast, or when they retry they are already on a real-time blacklist.

"knocking" three times doesn't do anything, the time between sends is the only thing relevant.
But waiting too long for the re-send also defers again, e.g., if the MTA waits for over 2 days before resending, the initial send is forgotten and thus it's deferred again.

Once accepted, the tuple of sender and host is "approved" for another month (36 days to be specific), and on a future retry the greylist check is thus passed immediately (but the rest of the checks are naturally done independently).
 
No, it's hardcoded.

Also, why would you want to increase the delay a sender needs to wait for resend? If they keep their sending mailq and wait for over 3 minutes before retrying to your mailgateway it's normally safe to say that it is a valid MTA not just a "try once and forget" (spammy) sender. Also, you then increase the chance to add latency to mail reception and increase the chance to reject mails which followed the SMTP protocol in a valid way (which greylist checking is for).
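
The timing rules described in the replies above (3 minute delay window, 2 day retry lifetime, 36 day approval), written out as a small Python model. This is an added example, not the mail gateway's own code: the in-memory store, the names, and the choices that a too-early retry does not reset the timer and that approval is not refreshed by later mail are assumptions, and the sample attempts are constructed.

```python
from datetime import datetime, timedelta

# Timings as stated in the thread (hardcoded in the product, per the reply).
DELAY = timedelta(minutes=3)        # a retry earlier than this is not valid
RETRY_LIFETIME = timedelta(days=2)  # the first attempt is forgotten after this
APPROVED_FOR = timedelta(days=36)   # an accepted tuple skips greylisting


class Greylist:
    """Toy in-memory greylist keyed on the (sender, host) tuple."""
    def __init__(self):
        self.first_seen = {}  # tuple -> time of the first deferred attempt
        self.approved = {}    # tuple -> time the tuple passed greylisting

    def check(self, sender, host, now):
        key = (sender, host)
        ok_since = self.approved.get(key)
        if ok_since is not None:
            if now - ok_since <= APPROVED_FOR:
                return "accept"
            del self.approved[key]  # approval expired: start over
        seen = self.first_seen.get(key)
        if seen is None or now - seen > RETRY_LIFETIME:
            self.first_seen[key] = now  # unknown or forgotten: new first attempt
            return "defer"
        if now - seen < DELAY:
            return "defer"  # retried too fast; assumption: timer is not reset
        del self.first_seen[key]
        self.approved[key] = now
        return "accept"


def replay(events):
    """Run constructed (sender, host, time) attempts through a fresh greylist."""
    gl = Greylist()
    return [gl.check(s, h, t) for s, h, t in events]

T0 = datetime(2024, 1, 1, 6, 0)  # constructed sample timeline
SAMPLE = [
    ("a@example.org", "192.0.2.10", T0),                          # first contact
    ("a@example.org", "192.0.2.10", T0 + timedelta(seconds=30)),  # too fast
    ("a@example.org", "192.0.2.10", T0 + timedelta(minutes=5)),   # valid retry
    ("a@example.org", "192.0.2.10", T0 + timedelta(days=20)),     # still approved
    ("b@example.org", "192.0.2.20", T0),                          # first contact
    ("b@example.org", "192.0.2.20", T0 + timedelta(days=3)),      # retried too late
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```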
 
Spam is getting delivered using a server with a good reputation at 6am; by 10am several DNSBL sites will have corrected the server's reputation, so by increasing the delay, we buy ourselves some ability to catch this scam.

I am using Postwhite to mitigate delivery delays from Office 365, Google etc.