cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Greylisting -- requesting enhancements

mtindor shared this idea 5 years ago
Open Discussion

Now that Greylisting is out in WHM 11.50, I have some suggestions.


1. Do not enable the option for whitelisting connecting IPs that pass SPF checks by default.


Why? Because you'll whitelist nearly all of the spamming IPs that are currently targeting cPanel servers since spammers use SPF/CKIM.


2. Enable much more robust logging in the mail logs


the developers of the CP greylist daemon should really check out smf-grey-milter for ideas. You need to provide decent logging that indicates that a message came in and was deferred due to greylisting, and then keep track of how long it was between the time the message was initially deferred and the time it was accepted by the server.


Make separate distinct log entries to differentiate between when the message was deferred and when it was accepted


3. Add an X-header to messages subjected to greylisting.


Use the information to add an X-header to the processed emails so that recipients can look at their message headers and see (a) that the message had originally been greylisted and (b) how long it was greylisted for.


4. Add the ability to whitelist by full/partial PTR match


This really is a must.


WhitelistPTR .ac1.yahoo.com #

WhitelistPTR .ac2.yahoo.com #

WhitelistPTR .ac3.yahoo.com #

WhitelistPTR .ac4.yahoo.com #

WhitelistPTR mailserver.bob.com #


Of course, with PTR / partial PTR whitelisting, you also need to perform a forward lookup and ensure that forward/reverse match up. Otherwise, there is nothing that prevents spammers from using .ac4.yahoo.com in their reverse [because the spam friendly companies are glad to provide the spammers with the ability to set any PTR they want].


Assume you whitelist .mx.mydomain.com (any host whose PTR record ends in .mx.mydomain.com)


An IP address connects with a PTR of d.mx.mydomain.com. The greylisting daemon does a forward lookup on d.mx.mydomain.com to make sure the returned IP matches the Ip address of the connecting server. If it doesn't, whitelisting doesn't occur.


I'm sure I'll have more comments. Hopefully the cPanel folks are open to further enhancing the greylisting daemon. Adding the ability to greylist is a great start, but my feeling is that you [cPanel] have a long way to go [and I'm sure you realize that].


SMF-GREY-MILTER works beautifully. I've used it for many years. You should take a look at its features to get an idea of what should be added to the CP greylisting daemon.


M

Comments (17)

photo
1

I am really looking forward to using greylisting to help curtail spam. That said, one of my biggest concerns is causing excessive delays in delivering mail from known good mail sources. I can't possibly list all of Yahoo or GMail or Spam Experts mail IPs, as they are likely very fluid. I would, instead, like to be able to to whitelist wildcard host names (as Mike has eluded to in point #4 above.


I also agree that the "whitelist with good SPF" option is not a good idea. Spot checking the spam that gets through Spam Assassin almost always shows good SPF. The spammers can easily setup an SPF record for their spamming domain, and ado!


- Scott

photo
1

Hi,


We have a script that can add many of the common mail systems automatically.


The docs for that is at: https://documentation.cpanel.net/display/ALD/Greylisting#Greylisting-AddcommonmailserviceIPaddressestotheTrustedHostslist


As for the SPF, we enabled by default to reduce the delay. But I am interested in getting more details on how it is affecting you.


Thanks,

Travis

photo
1

Travis,


Admittedly I am spoiled because I have been able to use whitelisting by PTR for years with smf-grey-milter on other boxes. But i'll give you a single example below how lack of whitelisting by PTR is a major inconvenience.


If you've ever heard of SpamExperts spam filtering, their outbound servers are geographically spread out, on different IP networks and such. If I want to whitelist all of those servers, I have to determine all of the IP addresses of all of those servers [currently about 32 of them, which can and do change over time]. But all of their servers reverse-resolve to "delivery.antispamcloud.com".


So, if I had the ability to whitelist by PTR, I would simply do something [in SMF-Grey-Milter] such as:


WhitelistPTR delivery.antispamcloud.com


Then it would not matter if they added/removed servers, and I would never have to update my whitelist.


I assure that over the years I have determined that many mail providers [not just the big ones that your script handles] should be whitelisted by PTR / partial-PTR / wildcard PTR for best effectiveness and have done so.


M

photo
1

As far as the suggestion I made about not whitelisting mail that passes SPF checks by default, I understand why you have chosen to enable that. After more thought, I'd agree with why you all do that by default. People [admins] should understand though that with that enabled, they will be exempting a lot of spam from greylisting because spammers nowadays are using SPF [and DKIM, and probably DMARC].


M

photo
1

  1. The first time you enable Greylisting, the system adds the most common mail service IP addresses and ranges to the Trusted Hosts list:

      GoogleAppleMicrosoftYahooAOL

    You can use the /scripts/setup_greylisting_db script to automatically add several common IP addresses to the Trusted Hosts list.


Is this a one-time thing? Or does it check daily with these providers to see their current list of mail server IPs?


- Scott

photo
1

At this time, the strings are hardcoded. We are looking to make this more intelligent in the future by having the system dynamically scrape the SPF includes. We got in a time crunch though and released this version. We wanted to give you at least a starting set.


We didn't do Domain name whitelisting in this version since it is not recommended in the RFC for Greylisting. The fastest way to get the IP addresses for systems is to query the SPF records. It is pretty efficient. An example of how to do this can be found at https://support.google.com/a/answer/60764


I hope this helps,

Travis

photo
1

Querying SPF records to get an idea of the IP space that needs whitelisted is only useful if the company / accountowner has properly set up SPF records to begin with. That's a leap.


I guess I'll have to take a look at the RFC. I only know that I've been whitelisting by rDNS/PTR for years, and it has worked out great for me. I can only guess that the reason that whitelisting based upon PTR might not be recommended is because PTRs can be forged, or that resolution of a PTR takes more effort than a simple SPF query. But still, whitelisting on a greylisting platform has been done for years and I'd have to say its a successful method, regardless of what the author of the RFC suggests.


I'm using the cPanel provided greylisting on one machine now and am extremely happy with it thus far. I posted a comment in a thread on the forum on Jun 21 2015 about my experience thus far.


Please do consider the addition of rDNS/PTR whitelisting. I'd also suggest that cPanel not even bother to prepopulate the whitelisting because then you are on the hook to do it for the foreseeable future. If you can't thoroughly whitelist mail from the large providers [it is difficult, and you guys missed many IP blocks for many of the big providers], it's better to not do it and force the server admins to do this.


Thanks for the great work and effort put into greylisting!


M

photo
photo
2

Although I haven't tested it yet, I don't see why checking SPF would be a bad idea. If spammers have an SPF record then they most likely also have a real mail server. If they have a real mailserver then they will pass the Grey listing.


Do spammers who have their server IP's in SPF not have mailserver that can try again ?

photo
1

"Although I haven't tested it yet, I don't see why checking SPF would be a bad idea. If spammers have an SPF record"


This is exactly the case where whitelisting incoming mail that passes SPF doesn't make sense as it lets the spam through. If one disables the whitelisting [from greylisting] of incoming mail passing SPF, then the spam email that passes SPF will still be greylisted.


M

photo
1

I think what monarobase was getting at is that real mail servers resend messages, which is exactly what greylisting assumes legitimate mail servers would do, which is why subsequent messages from the same server are allowed through.


Which means a spammer with a real mail server would be getting through anyway, since it would be resending. So disabling the SPF whitelisting wouldn't make a difference in that case, since those are supposedly the types of servers that have SPF enabled.

photo
photo
1

"This is exactly the case where whitelisting incoming mail that passes SPF doesn't make sense as it lets the spam through."


Grey listing only stops spam that isn't sent from a real mail server. A real mail server will try again.


If a spammer goes to the trouble of setting up an SPF record, won't he also setup a real mail server ? If spammers create an SPF record without using a real mail server, then yes whitelisting SPF records is useless.


Whitelisting has the advantage of making it more transparent for the end user.


What about allowing each cPanel user to choose to :


Greylist only e-mails that don't have the IP in the SPF record

Greylist all incomming e-mails


This way, users who get alot of spam can choose to enable full greylisting and users who don't don't have to suffer the extra delay in recieving e-mail.

photo
1

Yes, spammers do use real mail servers. But the spammers who are the biggest pains in the butt these days are the ones who spam one time time [brief period, less than 8 hours, usually much much less] from each IP address. Simply causing them to defer for the first ten minutes, does indeed give the RBLs/URIBLs places some time to collect some data on those particular spam messages and list the IPs / domains referenced in the emails. By the time they come back and successfully pass greylisting, they emails end up getting scored high enough [if you are using RBLs / URIBLs] that they are designated as spam.


At least that is my case. In addition, thus far, the spammers simply aren't keeping the IPs alive long enough after a spam run to even retry in many cases. So although they are legitimate servers pumping out spam, they are often only doing it, per IP, for a brief period of time.


Listen, I do things my way and you do things yours. I'm not suggesting anybody must do things my way. I'm seeing great results [stellar, so far] by _not_ whitelisting IPs from greylisting that pass SPF. If you guys don't want to go through the trouble and you want to ensure that all the big spammers [who are most often using SPF] are able to inject their mail into your system, go for it :)


M

photo
1

Is this available in Reseller WHM or Root WHM?


The Docs NEVER say if they're referring to "Root WHM" or "Reseller WHM"...you just have to guess.


I know the feature just came out, but please Enable it for Reseller WHM too. Root should be able to Enable/Disable & set the Default for the server (On or Off), but a Reseller should be able to Enable/Disable for their sub-accounts (if the feature is "Enabled" as "Default On" or "Default Off", in Root WHM).


Furthermore, as long as it's "Enabled" in Root WHM & Reseller WHM, cPanel & Webmail users should be able to turn it on/off for themselves too...


Root WHM...

    Greylisting
    • Default On
    • Default Off
    • Disabled


Reseller WHM...

    Greylisting
      For my account...
      • Use Default (<status>) — <status> being either "On" or "Off" from the Root's settings
      • On
      • Off

      For sub-accounts...

      • Use Default (<status>) — <status> being either "On" or "Off" from the Root's settings
      • Default On
      • Default Off
      • Disabled


cPanel user...

    Greylisting
      For my account...
      • Use Default (<status>) — <status> being either "On" or "Off" from the Reseller's settings
      • On
      • Off

      For Webmail users...

      • Use Default (<status>) — <status> being either "On" or "Off" from the Reseller's settings
      • Default On
      • Default Off
      • Disabled


Webmail user...

    Greylisting
    • Use Default (<status>) — <status> being either "On" or "Off" from the cPanel user's settings
    • On
    • Off


...also each level of user should be able to Whitelist (& change other settings) for themselves & their sub-ordinate users, sub-ordinate users should be able to ignore their parent's Whitelist (& other settings) & use their own...for example, a Reseller can ignore Root's Whitelist, a cPanel user can ignore the Reseller's Whitelist & a Webmail user can ignore the cPanel users Whitelist...I wasn't gonna list them all, but I wanted to be clear. Each type of user can "ignore" or "supplement" their parents Whitelist.


PS: Where can I report bugs with this feedback/comment system? — I didn't think this comment was gonna appear correctly, due to bugs I experienced while trying to make it & unfortunately this system has no Preview function...however, after posting, I saw that I was able to edit it, that's good at least!.

photo
1

Another feature / improvement for cpgreylistd is the ability to _easily_ export the full content of the whitelisted entries and subsequent easy import into another server. Once a company gets one machine set up with their preferred whitelisted hosts, it then becomes an extremely tedious process to do the same for each additional server they are running.


Being able to easily export the whitelist entries and then import it into every other new server deployed will save a tremendous amount of time and ensure that the hosting company's servers are effective [without penalizing their favored whitelisted hosts].


Please consider a utility to easily export / import whitelist data between servers.


Mike

photo
1

You can easily import the whole sqlite database from your existing server to the new server. Once the database is copied over, cpgrey should work with the copied DB.

photo
1

Hi Travis. Can you expand on that? What is the name of the sqlite db? Can you give some sample commands and stuff?

photo
1

Travis: Are you saying that just by downloading and uploading in another server the file file /var/cpanel/greylist/greylist.sqlite should be enough to transfer the whitelisted entries to other servers?

photo
photo
2

....or better yet, synchronize them......... :)

photo
2

Indeed, synchronize would be nice, BRT.


The more machines I set up with greylisting, the more of a major nightmare this becomes. I'm sure cPanel would have the answer of "simply enable the whitelisting of hosts that pass SPF." But, that is not an option. If you do that, you might as well not bother using greylisting as a spam prevention measure. For greylisting to truly be effective, you need to NOT allow hosts to bypass greylisting just because they have valid SPF in place. Why? All the good spammers use SPF. And that is a fact.


I'm working on server #3 now and finding the time that it takes me to scour a month worth of mail logs looking for appropriate items to whitelist is just taking way too much time and energy. We should be able to do it once and then export it and import it into another server.


Mike

photo
1

I'd also like the ability to search the IPs on the Greylisting page (and, if possible, have it match an IP even if it is in the middle of a defined range)


For example, let's say that you learn of a couple of new blocks of IPs that GMail is using. I'd like to see if I have these already listed, but it's pretty time consuming to scroll through the list (although I realize they are sorted by the first octet).


cPanel uses cool ajax search in a lot of places, so hopefully this isn't too difficult to implement someday.


- Scott

photo
3

I found something interesting today. After upgrading to 11.50 and enabling GreyListing, I noticed that some large mail providers were already whitelisted and assumed that this meant that ALL of the IPs that are listed in cPanel's documentation at https://documentation.cpanel.net/display/ALD/Common+Mail+Service+IP+Addresses were in this list. But that is NOT the case. It seems selectively only some of the IPs are whitelisted for you automatically... you MUST run a script manually to get ALL of these IPs added to your Whitelist.


Here is the command you will want to run:


  1. /scripts/setup_greylist_db --trust aol --trust apple --trust comcast --trust cpanel --trust google --trust hotmail --trust microsoft --trust outlook --trust roadrunner --trust verizon --trust yahoo

photo
2

Wow, thanks for that. This is an important piece of information that certainly ought to be prominently placed (or turned into a GUI feature) on the Greylisting page in WHM.

photo
1

I found this out when I went to whitelist one of Comcast's servers, 68.87.31.167. I noticed it is already on cPanel's list of IPs in their docs (last updated June 26, 2015), but on my server, which just got the 11.50 update on July 4, 2015, it did not have that Comcast IP... so there was an obvious discrepancy.

photo
1

Just ran the command 5 minutes ago on mine. Thanks! :)

photo
1

We are looking to improve the use of this functionality in 11.54. We will likely make this into a GUI tool.

photo
1

Please consider expanding the SPF checkbox to the following list of checkboxes:

----------------

Exempt from greylisting domains matching the following criteria (select all checkboxes that apply):


  • Valid PTR
  • No PTR
  • Invalid PTR

  • Passes DMARC
  • No DMARC
  • Fails DMARC

  • Valid SPF
  • No SPF
  • Invalid SPF

  • Valid DKIM
  • No DKIM
  • Invalid DKIM

  • Specific service providers
  • - AOL
  • - Apple
  • - Comcast
  • - cPanel
  • - Google
  • - Hotmail
  • - Microsoft
  • - Outlook
  • - Road Runner
  • - Verizon
  • - Yahoo

----------------

photo
1

Travis: I noticed that if once a week I run

  1. /scripts/setup_greylist_db --trust aol --trust apple --trust comcast --trust cpanel --trust google --trust hotmail --trust microsoft --trust outlook --trust roadrunner --trust verizon --trust yahoo


new IPs are added to the whitelist every time, ever if I didn't whitelisted new ones and opt not to whitelist those using SPF.


Hence, there is a list of good IP's being updated, right? If it is so, why can't cPanel auto-add those IP's to the Trusted list?

photo
2

I'm surprised running it weekly would add anything, since their documentation page listing the IPs says it has not been updated for a month: "Created by Doc User, last modified on Jun 26, 2015"


FYI, I opened a ticket with cPanel a couple days ago, and my email confirmation was delayed by over an hour. Looking at the logs, I found two surprising things:


1) The IP that it came from is NOT listed on their documentation as one of the cPanel IPs to whitelist.

2) After the first attempt by cPanel to deliver the mail to our server was deferred (due to greylisting), their server did not try to redeliver for 60 MINUTES. Per Wikipedia, the default retry interval for most major MTAs is 15 mins, so this was pretty surprising.


I opened another ticket with cPanel to let them know about these things, and they said they'd "pass it on".


- Scott

photo
1

That 'last modified' date probably refers to the date that the documentation page (rather than the list of IP addresses) was last updated.


It would be nice to have a list of checkboxes in WHM, one for each provider (AOL, Apple, etc) as I had suggested 3 posts up.


cPanel could then auto-update the list of whitelisted IPs (not just adding but also removing outdated entries for each provider) on a nightly basis, perhaps as part of the /scripts/upcp cron job.


In addition to the nightly updates, the whitelist would also be updated on demand whenever the checkbox selection is changed by the server admin.

photo
1

Agree with all your suggestions. FYI, the IP addresses ARE on the documentation page... so I'm just saying that the IPs, on the documentation page, have not been updated in a month. I guess it's possible (perhaps likely) that the IPs are being updated for the script, but nobody is updating the documentation page (in which case the IPs should be removed from the documentation page)

photo
1

I just ran the script (again) and it added a bunch of new IPs, so thanks for the tip. One of the IP ranges covers the cPanel.net IP address that I commented on earlier. That IP is still not on their Documentation page, so this proves that the Documentation page is not being kept up to date. Sounds like a cron is in order to re-run this script from time to time.

photo
1

Sorry for the confusion -- I'm completely wrong. The IP or IP range from cPanel.net was NOT added, and while the script claims to have added a bunch of new IPs, further tests reveal that these IPs are the same ones already added when I first ran the script a couple weeks ago. Zero new entries were added. I verified this by checking the number of hosts/ranges were under Trusted Hosts prior to running the script, then I checked again after running the script (refreshing WHM) and there is no change.

photo
1

P.S. the cPanel.net range where the ticket email came from is: 208.74.120.0/21. Verified via ARIN that cPanel owns this range, so I felt safe to just add the whole range to my Greylist.

photo
1

Yep, a weekly cron task could do the trick. Only thing I wouldn't love to wait until 11.54.


Another thing this feature will likely need in the NEAR future is the ability to whitelist well known mail providers of the countries you select, or at least,...

1) add a switch to "UPDATE ALL" of the available mail providers.

2) extend the list of known providers with others well known too: GMX (widespread in Europe), Terra (widespread in Latam), Yandex and mail.ru (widespread in Russia), fastmail, icloud (maybe same IP's than "Apple" ip ranges?), Sina.com and 163.com (for those in Chinese market).

photo
1

I doubt cPanel is going to want the work of keeping this list updated. My guess is that we will either have to pay a fee to subscribe to some service that is responsible for keeping such a list updated, or maybe there will be a way to check SPF records for these major providers and suck in those hosts & ranges automagically.

photo
2

Alright, I have a ton of updates for this.


We have been developing a new tab for Greylisting. The Common Mail Providers tab will allow you to subscribe to updates for IPs of systems like Outlook and Gmail. We will also allow you to subscribe to new systems that we may add in the future. This does include updates to the full list.


We will be removing the prepopulated IP Addresses that we entered upon activation of Greylisting and putting them in this table instead.


cPanel will be updating this list out of band of regular build updates and as such we have created logic that will check for updates to the common mail provider IP addresses and will update them as needed. The update is only done if you subscribe to updates for that specific mail provider. We will also send the Server Admin a message when we remove entries from the list. That email will include a list of IP address we are removing so that you may manually add them yourselves if you wish.


Additionally we have added support for exporting and importing Trusted Hosts lists.

This will all be included in 11.52.

photo
2

15634c11730d3de6b0eac73b5dc1a374

photo
1

Will be be able to add our own suppliers to this list ?

photo
1

Travis, this looks great! In case you missed my previous comment(s), greylisting has been working fantastically. As in a 'spam fighting miracle'. Very few complaints, certainly some time involved tweaking, but the results are just stunning. Major thanks to you and the cPanel crew for this feature!


- Scott

photo
1

@monarobase


This list is maintained by cPanel. If you want to add your own suppliers, you will need to use the Trusted Hosts tab.


@Scott

Thanks for the awesome feedback. I'm pretty proud of how it is performing.

photo
photo
1

The amount of spam that just made it through my servers today was enormous, despite (a) all domains have greylisting enabled and (b) the IP blocks of the spammers are not whitelisted.


I had a ticket open about this, but I was left having to do all the work figuring out what the problem is and I just don't have time for that. There is some error in the cpgreylistd logic, or perhaps some problem when one adds their own whitelisting blocks, that suddenly causes incoming hosts to be able to totally bypass greylisting.


I think before any features need added, this needs resolved. And it is possible that If nobody else is seeing what I'm seeing, then (a) they aren't looking or (b) they haven't added a bunch of their own entries to the whitelist or (c) or they bypass greylisting on hosts that pass SPF.


The issue I describe is a real issue. The IP blocks are never deferred, even if its the first time the IPs have been seen in four weeks.


Greylisting is great, when it works.


m

photo
1

Well, that's weird. Maybe there is a configuration in your server preventing it from working. In my case, it just did a great job deferring tons of spammers.


The only thing I'm concerned about is that when your Trusted Host list becomes bigger and bigger... will it make greylisting/exim to consume more and more CPU or RAM? I deal with customers with mission critical tasks, who cannot wait 10-15 minutes of delayed emails to arrive, so that I need to whitelist a bunch of IP addresses (and I'm saying 500-700). May this cause the server to underperform?

photo
1

Before Greylisting, my queues would routinely fill up with 1000+ messages, mostly auto-replies and bounces of undelivered spam that we accepted. After we implemented Greylisting, it's nearly zero. I just spot checked four of my servers, and they all have about 50 or less messages, and not all of those are spam related. This is a dramatic improvement and I'm very thankful for cPanel implementing this feature. We've seen very few complaints, once we added IPs for some of the big mailers that weren't in the provided whitelists. We also tweaked the Greylisting settings, allowing mailers to retry sooner than 10 minutes, and also we are keeping successful triplets whitelisted a lot longer than the defaults, to minimize future mail delays.


@mtindor, how many total rules do you have listed under Trusted Hosts? We are around ~225 so far, between cPanel provided rules plus ones we've added ourselves. Sure sounds like something is broken with your config -- I hope it can be sorted out. Let us know what the result is (if you ever figure it out!)


- Scott

photo
3

Greylisting was fantastic for us, but after a few days in use we had to disable it. We had lots of complains about long delays or e-mails that never reached customer mailboxes. After investigating logs we found tons of situations from mails providers that don´t use same IP for every deliver attemp and triplet was never found even after dozens of deliver attemps. I tried tweking settings and also spent a long time looking for logs and adding IP blocks to whitelist but day by day our help-desk was just receiving same complaints, until we stop to use it. Our whitelist was over 1000 entries.


Regards,

Jeff

photo
1

SpamExperts whitelists 255 IP's at a time and not a single IP adress when an e-mail makes it through. They also do the same for any outgoing IP's. I believe it mainly prevents the issue you subscribe. While causing some e-mails to make it through that shouldn't it also means that most of the time you don't notice the greylist at all.

photo
2

@Jefferson Zardo, this is definitely an issue... where large providers have a bank of mail servers, and every delivery attempt comes from a different IP. Those are the ones that we had to spend time whitelisting and I'm sure we still have some work to do. That may be a feature that cPanel could offer... "consider IP in same /24 as a match during retries when looking for triplets" or something along those lines. I realize that many providers change IPs ranging even more broadly than that, but this would still help.

photo
1

@Scott, We looked into doing that, and may in the future. I would recommend opening another Feature request for that specific functionality.

photo
1

As it turns out, this issue that I was ranting above was an an issue I caused all by myself, by adding an improper IP range to the whitelist [I had to have mistyped something].


cpgreylistd is working fab!

photo
1

  1. As it turns out, this issue that I was ranting above was an an issue I caused all by myself, by adding an improper IP range to the whitelist [I had to have mistyped something].

    cpgreylistd is working fab!

mtindor: thanks for getting back to us on that! I'm glad to know greylisting is working for you.

photo
1

Re: https://features.cpanel.net/topic/greylisting-requesting-enhancements#comment-45860


I don't think a feature request has been opened for this as @Travis suggested, so I've just opened one:


https://features.cpanel.net/topic/greylisting-flexibility-for-dynamic-sender-ip-addresses


Please upvote if you would like a solution to the problem of greylisting senders who use multiple IP addresses.

photo
photo
1

"Consider IP in same /24 as a match during retries" would be a very, very useful feature. A /24 would have matched everything I've had to go manually whitelist so far because of IP jumping as mentioned.

photo
1

For all of you wanting cpgreylistd to whitelist all IPs in a /24 where one IP was whitelisted, you really should think long and hard about that.


The real key to effective greylisting is NOT autowhitelisting AND populating a whitelist from the start with meaningful data. Sure, it takes works [it took a couple weeks for me to do this on my servers].


Imagine this scenario [and it would happen often] -- A spam run starts from an IP in 1.2.3.0/24. One single spam manages to make it through the greylisting mechanism, and then suddenly the whole /24 is available to the spammer to spam without any delay or consequence. You've now just defeated the whole purpose of greylisting.


Despite RFCs or anything else, greylisting should never automatically whitelist blocks of IP space. Or, if it does, it should be an _optional_ setting.


Some people, like myself, spend weeks prepopulating the database with whitelist entries. Now that I've done that, I rarely ever have to touch it. But, there are no blocks of spammer IPs whitelisted.


If a "feature" is added to cpgreylistd to whitelist /24s, it must be an optional thing . Please, cPanel, before you enable this feature do consider making it an optional setting.


I already know, on my servers, that if a future version of cpgreylistd defaults to whitelisting /24s and there is no way for me to disable that, then the greylisting has become totally unffective for me.


Mike

photo
1

I second this. The ability to block just the IP or a /24 or /16 range like you can do actually, must remain optional. I track spammers' IP's and I've widely seen that some of them use just one given IP belonging to one compromised or purposedly configured VPS, and sometimes is the hosting company itself providing mailing services to grey companies, and as such, the problematic IP range will be more wide.


In the other hand, I also have to whitelist large companies who send mission critical messages, where a delay in delivery may represent a business problem. Those companies sometimes use a /24 range, or even worst: sometimes they use a single IP from a VPS belonging to a hosting company who allowed sending spam from their other IP's.


That's why this blocking option must always be optional, and cPanel needs to assure their system can decode all kind of CIDR's, like /26 or /18 when inputted manually.

photo
1

Not at all......


You could whitelist a C class, but only for same sender and same recipient...


This way, for that sender/recipient, you may accept mails whitelisted from the C class, but not other emails...


If the sender/recipient is different, the C class is not considered.

photo
photo
1

I personally wasn't necessarily talking about -whitelisting- the /24, but rather that if a message comes from 10.10.10.131 and the -same- message arrives ten minutes later from 10.10.10.72, it could be accepted as a match.


Proceeding to whitelist the whole /24 wouldn't be a good idea, no.

photo
1

Could you check to see if those additional IPs that you had to manually allow through also happen to share the same PTR (either full or partial wildcard) as the original IPs?


If so, implementing the PTR whitelisting as suggested by mtindor would (as a bonus) negate the need to perform the IP range checks.

photo
photo
2

Greylisting is ok but there are problems with email delay.

For that i have two suggestions

1. Currently cPanels greylisting implementation allows a triplet to send mail (after successful delivery ), which in my opinion is not enough.

For example if user1@domain.com sends a successful mail from IP : 1.2.3.4 , then for a a period of time cpgreylistd will accept all mail from that user1@domain.com and IP : 1.2.3.4 ; but will greylist for example user2@domain.com ( from same IP )

I would suggest that accept anything from that IP , or at least anything from that IP and domain.com source domain.

1.2.3.4 already proved that has a proper queuing , so we don't gaining anything from delaying/greylisting the other mails .


2. Its a more complicated suggestion: i would like an option to greylist based on IP sender scores ( for example http://senderscore.org, their scores is available via a RBL like DNS list ).

I would accept any mail from IPs having a score bigger than for example 80, and would allow normal greylisting rules for the ips having less ( or having no score).

While high scoring IP's can send spam, they have proper mail server behind, so greylisting wouldn't help anyway.

photo
1

This is a massive change in functionality. Can you please open another user story for this requests?

photo
1

Travis, should there be a feature request for each point (1 and 2) ? or can point 1 continue here ?


If point 1 is true (haven't tested yet) then it would make grey listing almost unusable. The point being that users should not notice it once they have been using it for a short time. Once an IP is known to be a real mail server, no e-mails from this serveur should require further grey listing validation.

photo
1

Please add each as it's own feature request.

photo
photo
1

I think whitelisting a C class is perfectly possible without risks, but only for same sender and same recipient...

This way, for that sender/recipient, you may accept mails whitelisted from the C class, but not other emails...

If the sender/recipient is different, the C class is not considered.

Leave a Comment
 
Attach a file