Date: Fri, 27 Apr 2007 17:44:45 -0400 From: Christopher Hilton <chris@vindaloo.com> To: Ted Mittelstaedt <tedm@toybox.placo.com> Cc: User Questions <freebsd-questions@freebsd.org> Subject: Re: Greylisting -- Was: Anti Spam Message-ID: <46326ECD.8060604@vindaloo.com> In-Reply-To: <BMEDLGAENEKCJFGODFOCCEAECAAA.tedm@toybox.placo.com> References: <BMEDLGAENEKCJFGODFOCCEAECAAA.tedm@toybox.placo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Ted Mittelstaedt wrote: [snip] >> When I scan my maillogs I find that 22% of the hosts that generate a >> greylisting entry retry the mail delivery and thus get whitelisted. The >> other 78% don't attempt redelivery within the greylisting window. > > That's probably par. > > However, the reason your putting so much faith in the delaying, is simply > that you aren't getting a lot of spam. > > I have published e-mail addresses. Without greylisting I got about > 1500-2000 mail messages a day to each of them. > > Greylisting isn't just about delaying. IIRC greylisting is filtering for spam/ham based on behaviour in the message originators MTA. My greylister is using two behavioural assumptions: Spamming MTA's don't have the capability to queue and retry mail. Asking them to queue and retry will cause them to drop the mail on the floor thus filtering spam. Spamming MTA's don't like to be tarpitted. Stuttering at them and sizing the TCP Windows so they must wait will result in them disconnecting before they can exchanged mail thus filtering spam. I may not receive as much spam as you but I do think that I receive "a lot of spam". For mail vindaloo.com is a small domain. I'm a mail reflector for a couple of .orgs and I have a handful of addresses for which I'm the endpoint. My greylister trapped 1907 connections from 1566 hosts on Tuesday. I assume that without my greylister this would have been 1566 delivered messages and nearly all of them would have been spam. In a nutshell here's my math: Tuesday's spam statistics: 1907 connections from 1566 hosts to the greylister. 1411 hosts hung up before getting to an SMTP RCPT TO. (rejected by Tarpitting) 121 hosts worked with pf-spamd and sent an SMTP RCPT TO generating a greylisting tuple. None of these hosts attempted redelivery. (rejected by delay/queue) 34 hosts worked with pf-spamd as above enough to generate a whitelist transaction. For roughly the next month these 34 hosts can deliver mail to me. Assuming that the each host wanted to send one message and that the one message was spam my greylister has achieved a rejection rate of 97.8% over 1566 messages. The real beauty of this is that it comes with little resource cost to me. Without Greylisting those 1566 messages would have to be scanned by Spam Assassin. I use SA's bayes filter. Last time I looked at it SA was averaging 2 ~ 4 seconds per message scanned. I'm not sure it would have to be done how well SA works when concurrently scanning messages but if I just do the simple math that's 1.3 hours of real time scanning messages for spam. Without greylisting I'd have to buy new hardware for my mailserver and that's just not worth it. -- Chris -- __o "All I was doing was trying to get home from work." _`\<,_ -Rosa Parks ___(*)/_(*)___________________________________________________________ Christopher Sean Hilton <chris | at | vindaloo.com> pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46326ECD.8060604>