I just noticed that Google provides this same technique on a Google Apps help page. Here is the link:
http://www.google.com/support/a/bin/answer.py?hl=en&answer=60764
--------
In the ever escalating arms race between spammers and hosting providers, the technique of greylisting was, at one a point, an extremely effective weapon against spam. These days, greylisting is not as effective, because spamming hosts now correctly handle the temporary error condition used by a greylisting server. But it still is a good tool and first line of defense when used correctly.
Of course, one of the biggest problems with greylisting comes from large email hosting providers, like Gmail, Yahoo, Hotmail, etc. These services use multiple servers to deliver their mail (they have to), and as such, when a message is returned as a temporary failure, it's not guaranteed that the same sending server will attempt to deliver the message a second time.
As such, the only thing to do is whitelist the servers used by these large hosting providers. Due to, I'm sure, Google's ever growing infrastructure, Gmail is particularly difficult to keep up on which servers belong to the Gmail cloud.
I just stumbled upon a pretty decent way, however, to easily learn all of Gmail's outgoing mail server IP addresses. This information is readily available in their SPF records for their service.
Here is a link which describes which type of SPF record should be added to a domain which has email routed through Google Apps: http://www.google.com/support/a/bin/answer.py?hl=en&answer=33786
You can see that Google specifies an "include" directive which is aspmx.googlemail.com. So, now we can do a TXT query on this domain, which gives us:
]$ host -t txt aspmx.googlemail.com
aspmx.googlemail.com descriptive text "v=spf1 redirect=_spf.google.com"
The same query against googlemail.com and gmail.com returns the same information, too. So, following the redirect:
]$ host -t txt _spf.google.com
_spf.google.com descriptive text "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ?all"
Obviously we can infer from this the following ip address ranges:
216.239.32.0/19
64.233.160.0/19
66.249.80.0/20
72.14.192.0/18
209.85.128.0/17
66.102.0.0/20
74.125.0.0/16
I don't know if Google has officially published all their mail servers to help us who use greylisting. However, the above technique seemed to be a pretty slick way to determine which IP address ranges should be considered for whitelisting Gmail.
Well anyway, it was one of those "oh duh" type moments for me. Hopefully this helps someone else too.
4 comments:
thanks a bunch, this is the only valuable information i've found on the subject.
Hello, first thanks for this awesome post, but what if i want to do the same with hotmail, yahoo.com, AOL.com email services , or if you have a whitelist provider not "SORBS" because sorbs is closing, cause i need a reliable one, Thanks
Very useful, thanks.
Just curious: what makes you think that greylisting is less effective? I am still stopping a huge number of rogue mail servers with it.
@Colin
Yes, it still stops a good number of servers. I have found, however, that many spamming servers are now correctly handling the temporary error message and redelivering the email a few minutes later.
This shouldn't be surprising. Greylisting is (was) a very effective technique. But, in the escalating battle of against spam, it's an relatively easy thing for the offending spambot to be a little more standards compliant by handling the temporary error condition correctly.
I have personally just favored moving entirely over to Google Apps for email. They (Google) have the best spam filter available on the market, and it's free to use. Well worth them having the ability to scan my inbox, if you ask me.
Post a Comment