From: "Ted Mittelstaedt"
To: "Christopher Sean Hilton", "User Questions"
Date: Fri, 27 Apr 2007 08:03:23 -0700
Subject: RE: Greylisting -- Was: Anti Spam
In-Reply-To: <4630CDA4.30201@vindaloo.com>

> -----Original Message-----
> From: Christopher Sean Hilton [mailto:chris@vindaloo.com]
> Sent: Thursday, April 26, 2007 9:05 AM
> To: Ted Mittelstaedt; User Questions
> Subject: Re: Greylisting -- Was: Anti Spam
>
>
> Ted Mittelstaedt wrote:
>
> [snip...]
>
> >> Greylisting works because many, and I'd like to say most, spam programs
> >> never retry message delivery.
> >
> > Actually, no.  Greylisting works because it delays the spam injector
> > long enough that the injector will get blacklisted by the time that the
> > greylist opens the door for the mail to come in.  Greylisting alone
> > by itself is getting less and less effective every day.  Spammers are now
> > starting to set up spam injectors to retry.  If you think about it, it is
> > very easy to program.  Simply create a list of victims, iterate through
> > the list once, deleting all the victims that accept, then wait several
> > hours and iterate through the list again.  It didn't take a rocket scientist
> > to figure that one out.
> >
> > Since SA has a lot of the major blacklist servers as score-feeders, the
> > spam that gets past the greylist just gets tagged by SA.
> >
>
> When I scan my maillogs I find that 22% of the hosts that generate a
> greylisting entry retry the mail delivery and thus get whitelisted. The
> other 78% don't attempt redelivery within the greylisting window.

That's probably par.  However, the reason you're putting so much faith in
the delaying is simply that you aren't getting a lot of spam.

I have published e-mail addresses.  Without greylisting I got about
1500-2000 mail messages a day to each of them.  With greylisting alone
that drops down to about 400-500.

The thing is, that spam is a numbers game.  Someone who is only getting
for example 50-100 spams a day to their mailbox is going to think
greylisting is virtually 100% effective, simply because when they
institute it, their spam goes from 50-100 down to 1-5 spams.  So they
are going to probably conclude that someone getting ten times the amount
of spam as them will have their spam drop down to the same 1-5 after
greylisting.  But, spammers are perfectly willing to send 1000 spams to
a single mailbox if they think that doing so will get 1 spam past the
filters on that box.

I do have customers with -unpublished- e-mail addresses that are
perfectly satisfied with greylisting alone - simply because they don't
get a lot of spam in the first place.  But, that's like saying that
injecting a can of stop-leak into a leaking tire is a fix for it.
Stop-leak will reduce the rate that air leaks out down to an
undetectable amount if the initial leak was small, but the tire still
is leaking.

Ted
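
Added example, not part of the original message or of any greylisting package: a minimal triplet greylist replayed over constructed delivery attempts, to show how a per-host retry percentage like the one quoted above can be measured from a mail log. The `MIN_DELAY` and `WINDOW` values, the `Greylist` and `retry_rate` names, and all sample events are assumptions.

```python
MIN_DELAY = 300      # assumed: seconds before a retry is accepted
WINDOW = 4 * 3600    # assumed: seconds after first attempt in which a retry counts

class Greylist:
    def __init__(self):
        self.first_seen = {}      # triplet -> time of first attempt
        self.whitelisted = set()  # triplets that retried inside the window

    def check(self, ts, ip, sender, rcpt):
        """Return 'accept' or 'tempfail' for one delivery attempt."""
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.whitelisted:
            return "accept"
        first = self.first_seen.get(key)
        if first is None or ts - first > WINDOW:
            self.first_seen[key] = ts   # new triplet, or the old entry expired
            return "tempfail"
        if ts - first < MIN_DELAY:
            return "tempfail"           # retried too soon; keep first timestamp
        self.whitelisted.add(key)
        return "accept"

def retry_rate(events):
    """Replay attempts; return (hosts greylisted, hosts later accepted, fraction)."""
    gl, greylisted, passed = Greylist(), set(), set()
    for ts, ip, sender, rcpt in sorted(events):
        if gl.check(ts, ip, sender, rcpt) == "tempfail":
            greylisted.add(ip)
        elif ip in greylisted:
            passed.add(ip)
    rate = len(passed) / len(greylisted) if greylisted else 0.0
    return len(greylisted), len(passed), rate

# Constructed sample attempts: (unix time, client IP, envelope sender, recipient).
RCPT = "user@example.net"
EVENTS = [
    (0, "192.0.2.10", "a@example.org", RCPT),            # ordinary MTA ...
    (900, "192.0.2.10", "a@example.org", RCPT),          # ... retries after 15 min
    (10, "198.51.100.7", "x@example.com", RCPT),         # never retries
    (20, "203.0.113.5", "y@example.com", RCPT),          # retries too soon ...
    (80, "203.0.113.5", "y@example.com", RCPT),          # ... still deferred
    (30, "203.0.113.9", "z@example.com", RCPT),          # bulk sender ...
    (30 + 3 * 3600, "203.0.113.9", "z@example.com", RCPT),  # ... retries 3 h later
    (40, "198.51.100.8", "q@example.com", RCPT),         # retries only ...
    (40 + 5 * 3600, "198.51.100.8", "q@example.com", RCPT),  # ... after the window
]

if __name__ == "__main__":
    print(retry_rate(EVENTS))
```

On the constructed data two of the five greylisted hosts end up whitelisted, one of them simply by waiting three hours before its second attempt.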