spamd and google smtp ips


spamd and google smtp ips

Chris Narkiewicz
Hi,

I'm configuring spamd and I noticed that when I send an e-mail from
GMail, each time the e-mail is submitted by a different IP address.

Here is spamdb output after sending a test email to myself:

GREY|209.85.219.182|mail-yb1-f182.google.com|...
GREY|209.85.219.177|mail-yb1-f177.google.com|...
GREY|209.85.219.176|mail-yb1-f176.google.com|...
GREY|209.85.219.172|mail-yb1-f172.google.com|...
GREY|209.85.219.180|mail-yb1-f180.google.com|...
GREY|209.85.219.175|mail-yb1-f175.google.com|...
GREY|209.85.219.173|mail-yb1-f173.google.com|...
GREY|209.85.219.179|mail-yb1-f179.google.com|...
GREY|209.85.208.46|mail-ed1-f46.google.com|...
GREY|209.85.161.52|mail-yw1-f52.google.com|...
... snip ...

Of course they are not whitelisted, as each submission
attempt is done by a different node and I guess google has A LOT of
them. I see 2 issues with that:

1) e-mail delivery takes a lot of time (as google uses exponential
backoff and stops frequent retries after few failures)

2) whitelisted IPs are more likely being expired, as my server is
not getting a lot of gmail traffic

I suppose different big e-mail providers will
have similar issues.

I'm also running BGP server to download a whitelist,
but it does not contain google servers.

Are there any solutions to get around this problem? Ideally I'd like
to just whitelist reputable mail providers as I see little chance
that any spammer will outsmart Google/Yahoo/Microsoft/etc.


Re: spamd and google smtp ips

Peter N. M. Hansteen-3
On 10/30/18 7:54 PM, Chris Narkiewicz wrote:
> Hi,
>
> I'm configuring spamd and I noticed that when I send an e-mail from
> GMail, each time the e-mail is submitted by a different IP address.

yes, a well-known problem, and it's what nospamd (hinted at in the spamd
man pages) is for.

To some extent it helps to whitelist IP addresses and networks that
domains list in their SPF info.

feeding interesting domains into smtpctl spf walk is good for keeping an
up to date list to be fed into your nospamd table.

If you trust me to keep the list up to date, you're of course welcome to
fetch my hand maintained one at https://home.nuug.no/~peter/nospamd
(later parts generated by echo $domain | smtpctl spf walk, older parts
by host -ttxt $domain).

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: spamd and google smtp ips

Chris Narkiewicz
On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
> man pages) is for.
>
> To some extent it helps to whitelist IP addresses and networks that
> domains list in their SPF info.

Yeah, I hoped there are some reputable sources of validated mail
sources based on SPF and DKIM.

I'll give a try to your compiled list, but the fact you maintain
it manually is a bit discouraging.

Best regards,
Chris


Re: spamd and google smtp ips

Peter N. M. Hansteen-3
On 10/30/18 8:46 PM, Chris Narkiewicz wrote:

> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
>
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
>
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.

Fortunately MX records and by extension SPF info per domain changes
infrequently enough that a semi-manually maintained list will be mostly
right, most of the time.

But you're right in principle -- I *should* really take the time out to
recreate the list of domains that went into it and just re-generate with
smtpctl spf walk something like once per day or once per week.

All the best,
Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: spamd and google smtp ips

Gilles Chehade-7
On Tue, Oct 30, 2018 at 08:59:07PM +0100, Peter N. M. Hansteen wrote:

> On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
> > On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
> >> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
> >> man pages) is for.
> >>
> >> To some extent it helps to whitelist IP addresses and networks that
> >> domains list in their SPF info.
> >
> > Yeah, I hoped there are some reputable sources of validated mail
> > sources based on SPF and DKIM.
> >
> > I'll give a try to your compiled list, but the fact you maintain
> > it manually is a bit discouraging.
>
> Fortunately MX records and by extension SPF info per domain changes
> infrequently enough that a semi-manually maintained list will be mostly
> right, most of the time.
>
> But you're right in principle -- I *should* really take the time out to
> recreate the list of domains that went into it and just re-generate with
> smtpctl spf walk something like once per day or once per week.
>

Like this ?

https://github.com/Mailbrix/lists

:-)

--
Gilles Chehade

https://www.poolp.org                                          @poolpOrg


Re: spamd and google smtp ips

Mario Theodoridis
In reply to this post by Chris Narkiewicz


On 30.10.2018 20:46, Chris Narkiewicz wrote:

> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
>
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
>
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.
I ran into this problem as well.
I ended up writing a script that parses the SPF entries out of the
greylist and if reasonable, whitelists those ranges and removes the grey
list entries. It runs every 15 minutes.

This works with the following rules
pass in quick on $extIf proto tcp from <spfwhite> to $pubIp port smtp \
     rdr-to $mailsrv
pass in quick on $extIf proto tcp from !<spamd-white> to $pubIp port smtp \
     rdr-to 127.0.0.1 port $spamdPort

The trapping function when it goes to the wrong recipient works for me
and probably does not scale.
The spamdb -Gd calls to remove the greylist entries are something i
patched into spamd, but it seems that functionality has somehow made it
into the regular binary.

The script is fairly debugged and has run for me over a year with good
results, but seriously lacks tests of any kind.
Your mileage may vary.

--
Mit freundlichen Grüßen/Best regards

Mario Theodoridis


scanSpam.py (9K) Download Attachment
spamd.patch (1K) Download Attachment
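
As an added example (not Mario's attached scanSpam.py, which is not shown on this page), the matching step he describes: read GREY tuples from spamdb output and release only those whose source IP lies inside a network the envelope sender's domain publishes via SPF. The spamdb field layout, the sample lines and the SPF range are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

GreyEntry = namedtuple("GreyEntry", "ip helo sender domain")

# Constructed sample of spamdb output (not taken from a real server).
# Assumed layout, per spamdb(8):
#   GREY|source IP|helo|from|to|first|pass|expire|block|pass
SPAMDB_OUTPUT = """\
GREY|209.85.219.182|mail-yb1-f182.google.com|<user@gmail.com>|<me@example.org>|1540925683|1540927483|1540940083|1|0
GREY|209.85.219.177|mail-yb1-f177.google.com|<user@gmail.com>|<me@example.org>|1540925990|1540927790|1540940390|1|0
GREY|209.85.208.46|mail-ed1-f46.google.com|<user@gmail.com>|<me@example.org>|1540926601|1540928401|1540941001|1|0
GREY|198.51.100.23|gmail.com|<other@gmail.com>|<me@example.org>|1540926700|1540928500|1540941100|1|0
GREY|203.0.113.9|mail.example.net|<carol@example.net>|<me@example.org>|1540926800|1540928600|1540941200|1|0
WHITE|192.0.2.10|||1540900000|1540900000|1544000000|3|1
"""

# Constructed stand-in for what `echo gmail.com | smtpctl spf walk` would print.
SPF_NETWORKS = {"gmail.com": ["209.85.128.0/17"]}


def parse_grey(text):
    """Return the GREY tuples from spamdb output, skipping everything else."""
    entries = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) != 10 or fields[0] != "GREY":
            continue  # WHITE, TRAPPED, SPAMTRAP or malformed line
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue
        sender = fields[3].strip("<>").lower()
        entries.append(GreyEntry(ip, fields[2], sender, sender.rpartition("@")[2]))
    return entries


def classify(entries, spf_networks):
    """Split entries into SPF-covered (network -> IPs) and still-greylisted."""
    nets = {dom: [ipaddress.ip_network(n) for n in ranges]
            for dom, ranges in spf_networks.items()}
    covered, remaining = {}, []
    for e in entries:
        # Trust the envelope domain only when the connecting IP is inside a
        # network that domain itself publishes; the HELO name is never used.
        match = next((n for n in nets.get(e.domain, ())
                      if n.version == e.ip.version and e.ip in n), None)
        if match is None:
            remaining.append(e)
        else:
            covered.setdefault(match, []).append(e.ip)
    return covered, remaining


if __name__ == "__main__":
    covered, remaining = classify(parse_grey(SPAMDB_OUTPUT), SPF_NETWORKS)
    for net, ips in covered.items():
        print(f"whitelist {net}: clears {len(ips)} grey entries")
    for e in remaining:
        print(f"keep greylisted: {e.ip} claiming <{e.sender}>")
```

The entry from 198.51.100.23 claims a gmail.com sender but connects from outside the published range, so it stays greylisted.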

Re: spamd and google smtp ips

Scott Seekamp-2
In reply to this post by Peter N. M. Hansteen-3
On 30.10.2018 13:59, Peter N. M. Hansteen wrote:

> On 10/30/18 8:46 PM, Chris Narkiewicz wrote:
>> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>>> man pages) is for.
>>>
>>> To some extent it helps to whitelist IP addresses and networks that
>>> domains list in their SPF info.
>>
>> Yeah, I hoped there are some reputable sources of validated mail
>> sources based on SPF and DKIM.
>>
>> I'll give a try to your compiled list, but the fact you maintain
>> it manually is a bit discouraging.
>
> Fortunately MX records and by extension SPF info per domain changes
> infrequently enough that a semi-manually maintained list will be mostly
> right, most of the time.
>
> But you're right in principle -- I *should* really take the time out to
> recreate the list of domains that went into it and just re-generate with
> smtpctl spf walk something like once per day or once per week.
>
> All the best,
> Peter

I regenerate once an hour at least and still get burned by some major
domains changing SPF IP's constantly. It's pretty frustrating, but once
you get an update process in place it settles down and doesn't require
much handholding.

Thanks

Scott

Re: spamd and google smtp ips

Stuart Henderson
In reply to this post by Chris Narkiewicz
On 2018-10-30, Chris Narkiewicz <[hidden email]> wrote:

> Hi,
>
> I'm configuring spamd and I noticed that when I send an e-mail from
> GMail, each time the e-mail is submitted by a different IP address.
>
> Here is spamdb output after sending a test email to myself:
>
> GREY|209.85.219.182|mail-yb1-f182.google.com|...
> GREY|209.85.219.177|mail-yb1-f177.google.com|...
> GREY|209.85.219.176|mail-yb1-f176.google.com|...
> GREY|209.85.219.172|mail-yb1-f172.google.com|...
> GREY|209.85.219.180|mail-yb1-f180.google.com|...
> GREY|209.85.219.175|mail-yb1-f175.google.com|...
> GREY|209.85.219.173|mail-yb1-f173.google.com|...
> GREY|209.85.219.179|mail-yb1-f179.google.com|...
> GREY|209.85.208.46|mail-ed1-f46.google.com|...
> GREY|209.85.161.52|mail-yw1-f52.google.com|...
> ... snip ...
>
> Of course they are not whitelisted, as each submission
> attempt is done by a different node and I guess google has A LOT of
> them. I see 2 issues with that:
>
> 1) e-mail delivery takes a lot of time (as google uses exponential
> backoff and stops frequent retries after few failures)
>
> 2) whitelisted IPs are more likely being expired, as my server is
> not getting a lot of gmail traffic
>
> I suppose different big e-mail providers will
> have similar issues.
>
> I'm also running BGP server to download a whitelist,
> but it does not contain google servers.
>
> Are there any solutions get around this problem? Ideally I'd like
> to just whitelist reputable mail providers as I see little chance
> that any spammer will outsmart Google/Yahoo/Microsoft/etc.

Opinions definitely vary, but my 2p:

I haven't run spamd myself for years, I got fed up with delayed and
lost mails. My opinion is that unless you have a really busy mail system
behind spamd you're unlikely to get a good set of hosts kept in the
whitelist without a bunch of work. It's not just office365 and gmail
(which are a pain but can be mostly dealt with by iterating through
SPF records and figuring out the addresses of the outgoing mail
servers), it's also "transactional" email. Password resets, email
address verification, information about orders, tickets, etc. In
the past I've particularly noticed this as a problem on mail sent
directly from webservers which are often quite poorly setup,
sometimes they haven't retried at all, sometimes they've been
on a VERY slow retry schedule.

Funnily enough the majority of spam that makes it to my inbox is
received forwarded from a box that *is* running spamd. Maybe spamd
would stop some junk but I get the impression it's likely to be
junk that would be fairly easily blockable by other methods anyway
and the pain isn't worth it for me.



Re: spamd and google smtp ips

Craig Skinner-3
In reply to this post by Chris Narkiewicz
On Tue, 30 Oct 2018 18:54:43 +0000 Chris Narkiewicz wrote:
> Are there any solutions get around this problem? Ideally I'd like
> to just whitelist reputable mail providers ...

Yes Chris, see: http://web.Britvault.Co.UK/products/ungrey-robins/

Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7


Re: spamd and google smtp ips

Thuban
In reply to this post by Stuart Henderson
* Stuart Henderson <[hidden email]> on [30-10-2018 23:39:23 +0000]:

> On 2018-10-30, Chris Narkiewicz <[hidden email]> wrote:
> > Hi,
> >
> > I'm configuring spamd and I noticed that when I send an e-mail from
> > GMail, each time the e-mail is submitted by a different IP address.
> >
> > Here is spamdb output after sending a test email to myself:
> >
> > GREY|209.85.219.182|mail-yb1-f182.google.com|...
> > GREY|209.85.219.177|mail-yb1-f177.google.com|...
> > GREY|209.85.219.176|mail-yb1-f176.google.com|...
> > GREY|209.85.219.172|mail-yb1-f172.google.com|...
> > GREY|209.85.219.180|mail-yb1-f180.google.com|...
> > GREY|209.85.219.175|mail-yb1-f175.google.com|...
> > GREY|209.85.219.173|mail-yb1-f173.google.com|...
> > GREY|209.85.219.179|mail-yb1-f179.google.com|...
> > GREY|209.85.208.46|mail-ed1-f46.google.com|...
> > GREY|209.85.161.52|mail-yw1-f52.google.com|...
> > ... snip ...
> >
> > Of course they are not whitelisted, as each submission
> > attempt is done by a different node and I guess google has A LOT of
> > them. I see 2 issues with that:
> >
> > 1) e-mail delivery takes a lot of time (as google uses exponential
> > backoff and stops frequent retries after few failures)
> >
> > 2) whitelisted IPs are more likely being expired, as my server is
> > not getting a lot of gmail traffic
> >
> > I suppose different big e-mail providers will
> > have similar issues.
> >
> > I'm also running BGP server to download a whitelist,
> > but it does not contain google servers.
> >
> > Are there any solutions get around this problem? Ideally I'd like
> > to just whitelist reputable mail providers as I see little chance
> > that any spammer will outsmart Google/Yahoo/Microsoft/etc.


To solve this problem, I use two methods :

## whitelist from bsdly.net (thanks again peter :)

In /etc/pf.conf

        table <nospamd> persist file "/etc/mail/nospamd"
        pass in on egress proto tcp from <nospamd> to any port smtp

In /etc/weekly.local :

        echo "update nospamd file"
        ftp -o /etc/mail/nospamd http://www.bsdly.net/~peter/nospamd


## whitelist from spf walk :

In /etc/mail/spamd.conf :


        all:\
                        :nixspam:bgp-spamd:bsdlyblack:whitelist:

        ...

        whitelist:\
                        :white:\
                        :method=file:\
                        :file=/etc/mail/whitelist.txt


In /etc/weekly.local :

        /usr/local/bin/domain-white-spamd

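In /usr/local/bin/domain-white-spamd, adjust with domains you need  :

        #!/bin/sh
        # Rebuild the spamd whitelist from the SPF records of trusted domains.
        TMP=$(mktemp)

        WHITELIST=/etc/mail/whitelist.txt

        # One domain per line; each is fed to 'smtpctl spf walk' below.
        DOMAINS='outlook.com
        gmail.com
        google.com
        hotmail.com
        yahoo.com
        yahoo.fr
        live.fr
        mail-out.ovh.net
        mxb.ovh.net
        gandi.net
        laposte.net
        github.com
        protonmail.com
        '


        # Collect the addresses and networks each domain publishes via SPF.
        for d in $DOMAINS; do
                        echo "$d" | smtpctl spf walk >> "$TMP"
        done
        # Replace the old list with the freshly generated one.
        mv "$TMP" "$WHITELIST"
        exit 0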




--
    thuban
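
An added example, not part of the post above: a check to run on the collected `smtpctl spf walk` output before it replaces the file that pf or spamd loads, so that a failed lookup or an overly broad SPF entry cannot empty the list or whitelist most of the Internet. It assumes the output is one address or CIDR per line; the sample input and the prefix thresholds are constructed assumptions.

```python
import ipaddress
import os
import tempfile

# Assumed thresholds (not from the thread): a prefix shorter than this is
# treated as a mistake rather than a real outbound mail pool.
MIN_PREFIX = {4: 8, 6: 16}

# Constructed sample standing in for concatenated `smtpctl spf walk` output.
SAMPLE_WALK_OUTPUT = """\
209.85.128.0/17
209.85.219.182
209.85.219.0/24
2607:f8b0:4000::/36
0.0.0.0/0
10.1.2.0/24
not-an-address
"""


def sanitize(text):
    """Return (merged networks, rejected lines with the reason)."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # allow comments in the input
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((line, "too broad"))
        elif net.is_private:
            rejected.append((line, "not publicly routable"))
        else:
            accepted.append(net)
    merged = []
    for version in (4, 6):  # collapse_addresses refuses mixed versions
        merged += ipaddress.collapse_addresses(
            n for n in accepted if n.version == version)
    return merged, rejected


def install(path, networks):
    """Atomically replace path; keep the old file if the new list is empty."""
    if not networks:
        raise ValueError("refusing to install an empty whitelist")
    directory = os.path.dirname(os.path.abspath(path))
    with tempfile.NamedTemporaryFile("w", dir=directory, delete=False) as tmp:
        tmp.write("".join(f"{n}\n" for n in networks))
    os.chmod(tmp.name, 0o644)
    os.replace(tmp.name, path)  # rename within one directory is atomic


if __name__ == "__main__":
    nets, bad = sanitize(SAMPLE_WALK_OUTPUT)
    for line, reason in bad:
        print(f"rejected {line}: {reason}")
    print("\n".join(str(n) for n in nets))
```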


Re: spamd and google smtp ips

Kevin Chadwick-4
In reply to this post by Mario Theodoridis
On 10/30/18 8:05 PM, Mario Theodoridis wrote:
> I ran into this problem as well.
> I ended up writing a script that parses the SPF entries out of the greylist and
> if reasonable, whitelists those ranges and removes the grey
> list entries. It runs every 15 minutes.

smtpctl now has an spf walk function that may shorten your script?


Re: spamd and google smtp ips

Mario Theodoridis

On 31.10.2018 17:09, Kevin Chadwick wrote:
> On 10/30/18 8:05 PM, Mario Theodoridis wrote:
>> I ran into this problem as well.
>> I ended up writing a script that parses the SPF entries out of the greylist and
>> if reasonable, whitelists those ranges and removes the grey
>> list entries. It runs every 15 minutes.
>
> smtpctl now has an spf walk function that may shorten your script?

Thanks Kevin.
That'd be one less wheel to invent.

--
Mit freundlichen Grüßen/Best regards

Mario Theodoridis


Re: spamd and google smtp ips

Chris Narkiewicz
In reply to this post by Stuart Henderson
On 30/10/2018 at 23:39, Stuart Henderson wrote:
> I haven't run spamd myself for years, I got fed up with delayed and
> lost mails.


Thanks. That was probably the tipping comment for me - I decided to search
for alternative spam protection.

It's the lost e-mails being the thing I cannot afford and in absence
of *reliable* whitelist, I decided not to go this route.

Best regards,
Chris


Re: spamd and google smtp ips

Peter N. M. Hansteen-3
In reply to this post by Chris Narkiewicz
On 10/30/18 8:46 PM, Chris Narkiewicz wrote:

> On 30/10/2018 at 19:31, Peter N. M. Hansteen wrote:
>> yes, a well-known problem, and it's what nospamd (hinted at in the spamd
>> man pages) is for.
>>
>> To some extent it helps to whitelist IP addresses and networks that
>> domains list in their SPF info.
>
> Yeah, I hoped there are some reputable sources of validated mail
> sources based on SPF and DKIM.
>
> I'll give a try to your compiled list, but the fact you maintain
> it manually is a bit discouraging.

I've replaced the manually maintained list with a generated one -
basically what you'll find at that URL now is the result of running
'smtpctl spf walk' over a list of interesting domains. I run this now at
quasi-random intervals at bsdly.net.

I took a look at the old list over last few days and did find some odd
sediments such as addresses that no longer had a reverse lookup. I've
preserved the old sedimentary collection at
https://www.bsdly.net/~peter/nospamd.preserved_20181103.txt for
reference. The file at https://www.bsdly.net/~peter/nospamd is now the
generated version, without those artifacts.

The script that generates the new version provides information about the
domains in a more consistent fashion. The script is as you can imagine
truly trivial (you should be able to recreate it from just reading the
output), but I might put it somewhere accessible if there's interest (or
if I can make a writeup that I can make interesting enough to accompany it).

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: spamd and google smtp ips

Peter N. M. Hansteen-3
A final followup on this issue - I wrote a (relatively) short piece on
greylisting vs domains with multiple outbound SMTP servers, which
includes the little script I use to create a nospamd from a list of
domains, of course by feeding to 'smtpctl spf walk'.

You can find the article at
https://bsdly.blogspot.com/2018/11/goodness-enumerated-by-robots-or.html
- TL;DR: don't download *my* nospamd, use smtpctl to generate your own :)

All the best,
Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: spamd and google smtp ips

Mik J
 Hello Peter,

Thank you for this article.
Do you know why, and particularly Microsoft, use very random IPs to send mails.
In that way, they make greylisting not as reliable as it should be. We could all use greylisting if google or microsoft would use the same 4 or 5 IPs to retry sending the mails.
Google and Microsoft don't help to fight against spam.

    On Sunday, 4 November 2018 at 21:56:35 UTC+1, Peter N. M. Hansteen <[hidden email]> wrote:
 
 A final followup on this issue - I wrote a (relatively) short piece on
greylisting vs domains with multiple outbound SMTP servers, which
includes the little script I use to create a nospamd from a list of
domains, of course by feeding to 'smtpctl spf walk'.

You can find the article at
https://bsdly.blogspot.com/2018/11/goodness-enumerated-by-robots-or.html
- TL;DR: don't download *my* nospamd, use smtpctl to generate your own :)

All the best,
Peter
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

 

Re: spamd and google smtp ips

Peter N. M. Hansteen-3
On 11/4/18 11:25 PM, Mik J wrote:

> Do you know why, and particularly Microsoft, use very random IPs to send mails.
> In that way, they make greylisting not as reliable as it should be. We could all use greylisting if google or microsoft would use the same 4 or 5 IPs to retry sending the mails.
> Google and Microsoft don't help to fight against spam.

The larger providers such as the ones you mention seem to have concluded
that they need to send their mail from a large number of different IP
addresses.

As long as they actually use only addresses they have published as valid
senders via their SPF info, we can let them bypass greylisting as
described in the article (or referenced material) and determining
whether any given message was spam becomes the task of other software
such as your favorite content filtering.

I would personally have preferred a clarification of the retry
requirement to specify 'retry from the same IP address', which would
have made greylisting *a lot* easier, but unfortunately that did not
happen (cf
https://bsdly.blogspot.com/2008/10/ietf-failed-to-account-for-greylisting.html).

Cheers,
Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.


Re: spamd and google smtp ips

OpenBSD lists
In reply to this post by Mik J
On 11/4/2018 2:25 PM, Mik J wrote:
>   Hello Peter,
>
> Thank you for this article.
> Do you know why, and particularly Microsoft, use very random IPs to send mails.
> In that way, they make greylisting not as reliable as it should be. We could all use greylisting if google or microsoft would use the same 4 or 5 IPs to retry sending the mails.
> Google and Microsoft don't help to fight against spam.
>

In my experience Google and Microsoft are the source of most of my spam.
About 80% of it comes from a hijacked gmail, live.com, or outlook.com
accounts.  The rest from yahoo and gmx.com addresses with a sprinkling
of one-off spam domains making up the last percentage points.


Re: spamd and google smtp ips

Mik J
 Thank you Peter for this opinion.

Misc User, these gmail, live, yahoo spams you're talking about are really coming from IP addresses that belong to them ? Because on my side it seems it's not the case.

In my greylist right now I have [hidden email] but if I check the IP that originated the spam it's from China Unicom Henan province network. I check a second one and it's also from that ISP.

On the other hand if spam is coming from gmail, live, outlook we can blame them for not filtering out these spams and high volume sent mails.
With google you cannot send mails to more than 500 people within 24h
 

    On Sunday, 4 November 2018 at 23:49:47 UTC+1, Misc User <[hidden email]> wrote:
 
 On 11/4/2018 2:25 PM, Mik J wrote:
>  Hello Peter,
>
> Thank you for this article.
> Do you know why, and particularly Microsoft, use very random IPs to send mails.
> In that way, they make greylisting not as reliable as it should be. We could all use greylisting if google or microsoft would use the same 4 or 5 IPs to retry sending the mails.
> Google and Microsoft don't help to fight against spam.
>

In my experience Google and Microsoft are the source of most of my spam.
About 80% of it comes from a hijacked gmail, live.com, or outlook.com
accounts.  The rest from yahoo and gmx.com addresses with a sprinkling
of one-off spam domains making up the last percentage points.
 

Re: spamd and google smtp ips

William Ahern-2
In reply to this post by OpenBSD lists
On Sun, Nov 04, 2018 at 02:49:44PM -0800, Misc User wrote:

> On 11/4/2018 2:25 PM, Mik J wrote:
> >   Hello Peter,
> >
> > Thank you for this article.
> > Do you know why, and particularly Microsoft, use very random IPs to send mails.
> > In that way, they make greylisting not as reliable as it should be. We could all use greylisting if google or microsoft would use the same 4 or 5 IPs to retry sending the mails.
> > Google and Microsoft don't help to fight against spam.
> >
>
> In my experience Google and Microsoft are the source of most of my spam.
> About 80% of it comes from a hijacked gmail, live.com, or outlook.com
> accounts.  The rest from yahoo and gmx.com addresses with a sprinkling
> of one-off spam domains making up the last percentage points.

I recently learned of the Email Blocklist project,

  https://msbl.org/ebl.html

It's a DNSBL for drop boxes at GMail, etc. You query the RBL using the
hash of the canonicalized sender address (e.g. Reply-To). I haven't tried it
yet; am curious about false positive rate.
