They were talking about maRBL on the Postfix list, so I wanted to see if I could get it installed and running on a Fedora Core 5 test machine. The concept seems like a good one and it appears this would be a good way to thwart spambots. It is designed to only greylist if the client is a Windows client or listed on an RBL. This is merely something to consider. The only thing I'm personally not sure about is whether Exchange servers tend to be recognized as Windows clients. I have heard rumblings that they tend to false positive with p0f, but I have not spent the time to see if this is true. Even if they do, however, they would only be greylisted for one minute with my setup.

Place p0f-analyzer.pl (supplied with amavisd-new) in /usr/sbin and make it executable. Get marbl 1.1, place it in /usr/sbin and make it executable:

http://www.orangegroove.net/code/marbl/

Read the marbl file itself for installation instructions. I modified it to only look for Windows XP (and 2000), and to save time I only check a few good RBLs (and changed sbl-xbl to zen).

Install sqlgrey, p0f and the modules marbl requires:

    yum install sqlgrey p0f
    perl -MCPAN -e 'install Net::RBLClient'
    chkconfig --level 235 sqlgrey on

Start marbl to see if it complains it needs something.

In MySQL:

    CREATE DATABASE sqlgrey;
    GRANT ALL ON sqlgrey.* TO sqlgrey@localhost IDENTIFIED BY 'passwd';
    FLUSH PRIVILEGES;

The log gave me an error when sqlgrey tried to automatically create its tables, so I ran it manually (which should not be necessary):

    CREATE TABLE from_awl (
      sender_name varchar(64) NOT NULL,
      sender_domain varchar(255) NOT NULL,
      src varchar(39) NOT NULL,
      first_seen timestamp NOT NULL,
      last_seen timestamp NOT NULL,
      PRIMARY KEY (src, sender_domain, sender_name)
    );

My personal /etc/sqlgrey/sqlgrey.conf:

    conf_dir = /etc/sqlgrey
    loglevel = 0 # after testing at level 3
    user = sqlgrey
    group = sqlgrey
    inet = 2501 # bind to localhost:2501
    pidfile = /var/run/sqlgrey.pid
    confdir = /etc/sqlgrey
    reconnect_delay = 1 # I think one minute is plenty
    max_connect_age = 12 # hours
    db_type = mysql
    db_name = sqlgrey
    db_host = localhost
    db_port = default
    db_user = sqlgrey
    db_pass = passwd
    db_cleandelay = 1800 # in seconds, how much time between database cleanups
    clean_method = sync # sync : cleanup is done in the main process,

In order to stop sqlgrey from complaining that these files don't exist, create them:

    touch /etc/sqlgrey/clients_fqdn_whitelist.local
    touch /etc/sqlgrey/clients_ip_whitelist.local

Here is a sample of how you start up p0f/p0f-analyzer.pl/marbl once you are sure marbl, p0f and sqlgrey are operational (check the mail log for marbl errors). In /etc/rc.d/rc.local add something like these (search amavisd-new RELEASE_NOTES for p0f):

    /usr/sbin/p0f -l 'dst host and tcp dst port 25' 2>&1 | /usr/sbin/p0f-analyzer.pl 2345 &
    /usr/sbin/marbl

Or modify (if necessary) and use this RedHat script to start p0f/p0f-analyzer.pl:

http://postfix.state-of-mind.de/patrick.koetter/p0f

Once everything is set up, I connect from a Windows 2000 machine:

    Dec 30 20:16:44 sfa postfix/smtpd[2273]: connect from unknown[192.168.1.41]
    Dec 30 20:16:44 sfa marbl: p0f query: 127.0.0.1 port=2345 192.168.1.41 43130150
    Dec 30 20:16:44 sfa marbl: p0f collect: max_wait=0.050, 192.168.1.41 43130150 Windows XP/20... => Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] Signature: [10384:128:1:52:M1380,N,W1,N,N,S:.:Windows:?], (distance 0, link: GPRS, T1, FreeS/WAN)
    Dec 30 20:16:44 sfa marbl: Action for 192.168.1.41 (garyv@example.com => garyv@example.com): greylisting
    Dec 30 20:16:44 sfa sqlgrey: 2006/12/30-20:16:44 CONNECT TCP Peer: "127.0.0.1:40176" Local: "127.0.0.1:2501"
    Dec 30 20:16:44 sfa sqlgrey: optin: greylisting active for garyv@example.com
    Dec 30 20:16:44 sfa sqlgrey: grey: unknown RDNS: 192.168.1.41
    Dec 30 20:16:44 sfa sqlgrey: grey: new: 192.168.1.41(192.168.1.41), garyv@example.com -> garyv@example.com
    Dec 30 20:16:44 sfa postfix/smtpd[2273]: NOQUEUE: reject: RCPT from unknown[192.168.1.41]: 450 4.7.1 : Recipient address rejected: Greylisted for 1 minutes; from= to= proto=ESMTP helo=
    Dec 30 20:16:44 sfa postfix/smtpd[2273]: disconnect from unknown[192.168.1.41]
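
To look into the Exchange false-positive question, the marbl lines in the mail log can be summarized per client, pairing each p0f OS guess with the action marbl took. This is an added example, not part of the original post or of marbl itself; the 10.0.0.5 sample lines are constructed, and the action string "dunno" for a client that is not greylisted is an assumption.

```python
import re
from collections import defaultdict

# marbl "p0f collect" line: client IP, query id, "short guess => full guess Signature: ..."
P0F_RE = re.compile(r"marbl: p0f collect: max_wait=[\d.]+, (\S+) \d+ .*?=> (.+?) Signature:")
# marbl "Action for" line: client IP, (sender => recipient), action taken
ACTION_RE = re.compile(r"marbl: Action for (\S+) \((\S*) => (\S*)\): (.+)$")

def audit(lines):
    """Map each client IP to its last p0f OS guess and a count of marbl actions."""
    report = defaultdict(lambda: {"os": None, "actions": defaultdict(int)})
    for line in lines:
        line = line.rstrip()
        m = P0F_RE.search(line)
        if m:
            report[m.group(1)]["os"] = m.group(2).strip()
            continue
        m = ACTION_RE.search(line)
        if m:
            report[m.group(1)]["actions"][m.group(4).strip()] += 1
    return {ip: {"os": v["os"], "actions": dict(v["actions"])}
            for ip, v in report.items()}

def greylisted_windows(report):
    """Clients greylisted while fingerprinted as Windows: check these for real mail servers."""
    return sorted(ip for ip, v in report.items()
                  if v["os"] and "Windows" in v["os"]
                  and v["actions"].get("greylisting"))

# The 192.168.1.41 lines are from the post; the 10.0.0.5 lines are constructed,
# and the action string "dunno" is an assumption about what marbl logs on a pass.
SAMPLE = [
    "Dec 30 20:16:44 sfa marbl: p0f collect: max_wait=0.050, 192.168.1.41 43130150 "
    "Windows XP/20... => Windows XP/2000 (RFC1323+, w+, tstamp-) [GENERIC] "
    "Signature: [10384:128:1:52:M1380,N,W1,N,N,S:.:Windows:?], (distance 0, link: GPRS, T1, FreeS/WAN)",
    "Dec 30 20:16:44 sfa marbl: Action for 192.168.1.41 (garyv@example.com => garyv@example.com): greylisting",
    "Dec 30 20:20:01 sfa marbl: p0f collect: max_wait=0.050, 10.0.0.5 43130151 "
    "Linux 2.6... => Linux 2.6 (newer, 3) Signature: [S4:64:1:60:M1460,S,T,N,W5:.:Linux:?], (distance 1, link: ethernet/modem)",
    "Dec 30 20:20:01 sfa marbl: Action for 10.0.0.5 (a@example.org => garyv@example.com): dunno",
]

if __name__ == "__main__":
    summary = audit(SAMPLE)
    for ip in greylisted_windows(summary):
        print(ip, summary[ip])
```

Feeding it the real mail log (for example `audit(open("/var/log/maillog"))`) lists every host that was greylisted on a Windows fingerprint, which can then be compared against known legitimate mail servers.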