scam-grey milter README

Greylisting is based on the principle that, unlike legitimate mail servers, suspicious hosts sending out mail do not retry sending their message if there is a delivery error on the first try. Our implementation of greylisting is different in that we target Windows machines specifically. Most home users on cable or DSL connections run Windows. These hosts can be infected by viruses and worms and turned into spam sewers sending out mail. Current statistics show that most of the unwanted mail we see today originates from these hosts and not from open relays, which were previously the prime target for sending out spam.

How scam-grey works

1. Identify the operating system running on the host connecting to your mail server.

2. If that host is running Windows, we send out a temporary error the first time it attempts to send an email (greylisting).

3. If the host is a genuine mail server, it will retry sending the email after a few minutes. We already have the IP address stored from step 2, so on the second attempt we accept mail from the mail server connecting from that IP address.

4. If we do not see any connections from the IP address within a 24-hour period, we expire the IP address which we stored in step 2. This means that the Windows host will get a temporary error again when it tries to send us an email, and it will have to go through the steps again before mail from it is accepted.

There are no false positives, as we are not giving out any permanent rejection the way a blacklist does. RFC-compliant mail servers will retry the delivery of an email if there is a temporary delivery failure.

Disadvantages of greylisting

i. There is a delay in the delivery of mail sent from Windows mail servers.

ii. Non-compliant mail servers may not retry delivery after a temporary error.

How scam-grey addresses these issues

The first problem can be addressed by whitelisting sites such as Hotmail which operate Windows-based mail servers.

We estimate the number of servers that are non-compliant (ii) to be negligible. They can be whitelisted on a case-by-case basis. Whitelisting, in this case, means bypassing the greylisting process and accepting the mail on the first attempt. Hosts with a second level reverse DNS (www.example.com) are not greylisted.

The next question is whether this feature will affect Windows users sending out mail (relaying) through your mail server. Scam-grey measures the distance (hops) between the connecting host and the server it is running on. If you are an ISP, your users are usually a few hops away. Their connections are considered safe for sending and are not greylisted.

If you have any questions or suggestions, send an email to scam+grey@elandsys.com

http://www.elandsys.com/scam

Scam-grey Copyright © 2004 - 2005 Eland Systems All Rights Reserved.
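The decision logic described above (steps 1 to 4 plus the whitelist, reverse DNS and hop-distance exemptions), as an added Python model that is not scam-grey's own code. It assumes the OS name comes from a passive fingerprinter, that "second level reverse DNS" means a name with at most three labels, that hops are estimated from the IP TTL of the connection, and a local-hop threshold of 4; all of these are assumptions.

```python
import time

GREYLIST_TTL = 24 * 3600   # step 4: forget hosts not seen within 24 hours
MAX_LOCAL_HOPS = 4         # assumed threshold: closer hosts are the ISP's own users


def hops_from_ttl(observed_ttl, initial_ttls=(64, 128, 255)):
    """Estimate hop distance from the TTL seen on the incoming connection,
    assuming the sender started from one of the common initial TTLs (assumed method)."""
    return min(i for i in initial_ttls if i >= observed_ttl) - observed_ttl


class Greylist:
    """In-memory model of the scam-grey greylisting decisions (added example)."""

    def __init__(self, whitelist=None, now=time.time):
        self.seen = {}                      # ip -> time of last connection (step 2 store)
        self.whitelist = set(whitelist or [])
        self.now = now                      # injectable clock so expiry can be tested

    def decide(self, ip, os_name, rdns, hops):
        """Return 'accept' or 'tempfail' for one connecting host.
        os_name: fingerprinted OS; rdns: reverse DNS name or None; hops: distance to us."""
        t = self.now()
        # step 4: expire entries with no connection inside the 24-hour window
        self.seen = {h: ts for h, ts in self.seen.items() if t - ts < GREYLIST_TTL}
        if ip in self.whitelist:            # explicit whitelist, e.g. Windows-based mail sites
            return "accept"
        if os_name.lower() != "windows":    # step 1: only Windows hosts are greylisted
            return "accept"
        if rdns and len(rdns.split(".")) <= 3:   # host.example.com style reverse DNS
            return "accept"
        if hops <= MAX_LOCAL_HOPS:          # nearby hosts: your own relaying users
            return "accept"
        if ip in self.seen:                 # step 3: retry within the window, accept
            self.seen[ip] = t
            return "accept"
        self.seen[ip] = t                   # step 2: first attempt, remember and defer
        return "tempfail"
```

The IP addresses, reverse DNS names and TTLs in the accompanying checks are constructed sample values.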