Greylisting -- Was: Anti Spam
chris at vindaloo.com
Fri Apr 27 21:44:47 UTC 2007
Ted Mittelstaedt wrote:
>> When I scan my maillogs I find that 22% of the hosts that generate a
>> greylisting entry retry the mail delivery and thus get whitelisted. The
>> other 78% don't attempt redelivery within the greylisting window.
> That's probably par.
> However, the reason you're putting so much faith in the delaying, is simply
> that you aren't getting a lot of spam.
> I have published e-mail addresses. Without greylisting I got about
> 1500-2000 mail messages a day to each of them.
Greylisting isn't just about delaying. IIRC greylisting is filtering for
spam/ham based on behaviour in the message originator's MTA. My
greylister is using two behavioural assumptions:
Spamming MTAs don't have the capability to queue and retry mail.
Asking them to queue and retry will cause them to drop the mail on the
floor thus filtering spam.
Spamming MTAs don't like to be tarpitted. Stuttering at them and
sizing the TCP windows so they must wait will result in them
disconnecting before they can exchange mail thus filtering spam.
I may not receive as much spam as you but I do think that I receive "a
lot of spam". For mail vindaloo.com is a small domain. I'm a mail
reflector for a couple of .orgs and I have a handful of addresses for
which I'm the endpoint.
My greylister trapped 1907 connections from 1566 hosts on Tuesday. I
assume that without my greylister this would have been 1566 delivered
messages and nearly all of them would have been spam.
In a nutshell here's my math:
Tuesday's spam statistics:
1907 connections from 1566 hosts to the greylister.
1411 hosts hung up before getting to an SMTP RCPT TO. (rejected by
121 hosts worked with pf-spamd and sent an SMTP RCPT TO generating a
greylisting tuple. None of these hosts attempted redelivery. (rejected
34 hosts worked with pf-spamd as above enough to generate a whitelist
transaction. For roughly the next month these 34 hosts can deliver mail
Assuming that each host wanted to send one message and that the one
message was spam, my greylister has achieved a rejection rate of 97.8%
over 1566 messages.
The real beauty of this is that it comes with little resource cost to
me. Without Greylisting those 1566 messages would have to be scanned by
Spam Assassin. I use SA's bayes filter. Last time I looked at it SA was
averaging 2 ~ 4 seconds per message scanned. I'm not sure it would have
to be done how well SA works when concurrently scanning messages but if
I just do the simple math that's 1.3 hours of real time scanning
messages for spam. Without greylisting I'd have to buy new hardware for
my mailserver and that's just not worth it.
__o "All I was doing was trying to get home from work."
_`\<,_ -Rosa Parks
Christopher Sean Hilton <chris | at | vindaloo.com>
pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
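
Added example, not part of the original message and not pf-spamd's code: a minimal greylisting model that classifies hosts into the three groups counted in the message (hung up before RCPT TO, greylisted without a valid retry, whitelisted) and computes the per-host rejection rate. The class and function names, the timing constants and the sample events are all assumptions constructed for illustration.

```python
from collections import Counter

PASSTIME = 25 * 60       # assumed: earliest accepted retry, in seconds
GREY_EXP = 4 * 3600      # assumed: lifetime of an unretried grey tuple
WHITE_EXP = 30 * 86400   # assumed: "roughly the next month" of whitelisting

class Greylister:
    def __init__(self):
        self.grey = {}    # (ip, mail_from, rcpt_to) -> time first seen
        self.white = {}   # ip -> time the whitelist entry expires
        self.stage = {}   # ip -> furthest stage reached, for the statistics

    def connect(self, now, ip, mail_from=None, rcpt_to=None):
        # Outcome of one SMTP connection arriving at time `now` (seconds).
        if self.white.get(ip, 0) > now:
            return "accept"                       # handed to the real MTA
        if rcpt_to is None:                       # hung up before RCPT TO
            self.stage.setdefault(ip, "no_rcpt")
            return "dropped"
        key = (ip, mail_from, rcpt_to)
        first = self.grey.get(key)
        if first is None or now - first > GREY_EXP:
            self.grey[key] = now                  # new or expired tuple
            self.stage[ip] = "greylisted"
            return "tempfail"
        if now - first < PASSTIME:                # retried too quickly
            return "tempfail"
        del self.grey[key]                        # proper queue-and-retry seen
        self.white[ip] = now + WHITE_EXP
        self.stage[ip] = "whitelisted"
        return "whitelisted"

def rejection_rate(counts):  # percent of hosts that never earned a whitelist entry
    total = sum(counts.values())
    return round(100 * (total - counts.get("whitelisted", 0)) / total, 1)

EVENTS = [  # constructed sample: (seconds, ip, mail_from, rcpt_to)
    (0, "192.0.2.10", None, None),
    (5, "192.0.2.11", "a@example.net", "user@example.org"),
    (9, "192.0.2.12", "b@example.net", "user@example.org"),
    (20, "198.51.100.5", "c@example.com", "user@example.org"),
    (69, "192.0.2.12", "b@example.net", "user@example.org"),
    (1820, "198.51.100.5", "c@example.com", "user@example.org"),
    (1900, "198.51.100.5", "d@example.com", "user@example.org"),
]

def replay(events):
    gl = Greylister()
    outcomes = [gl.connect(*e) for e in events]
    return outcomes, Counter(gl.stage.values())
```

Feeding the three host counts from the message (1411, 121, 34) to `rejection_rate` reproduces the 97.8% figure.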