From: Christopher Sean Hilton
Date: Thu, 26 Apr 2007 12:04:52 -0400
To: Ted Mittelstaedt, User Questions
Subject: Re: Greylisting -- Was: Anti Spam
Message-ID: <4630CDA4.30201@vindaloo.com>

Ted Mittelstaedt wrote:

[snip...]

>> Greylisting works because many, and I'd like to say most, spam programs
>> never retry message delivery.
>
> Actually, no. Greylisting works because it delays the spam injector
> long enough that the injector will get blacklisted by the time that the
> greylist opens the door for the mail to come in. Greylisting alone
> by itself is getting less and less effective every day. Spammers are now
> starting to set up spam injectors to retry. If you think about it, it is
> very easy to program. Simply create a list of victims, iterate through
> the list once, deleting all the victims that accept, then wait several
> hours and iterate through the list again. It didn't take a rocket scientist
> to figure that one out.
>
> Since SA has a lot of the major blacklist servers as score-feeders, the
> spam that gets past the greylist just gets tagged by SA.
>

When I scan my maillogs I find that 22% of the hosts that generate a
greylisting entry retry the mail delivery and thus get whitelisted. The
other 78% don't attempt redelivery within the greylisting window. The
reason that I'm using greylisting is to reduce the load on SA so I can
continue to use spam bayes. Quite honestly, spam bayes is either the most
or second most effective spam filtering technique that I'm using, but
it's a CPU hog.

If I had to rank the effectiveness of the filtering that I'm doing I
would say that greylisting is probably the most effective. I'm using
spamd with tarpitting and that alone is responsible for filtering 90% of
my spam. Spam bayes is probably second but I haven't counted the number
of messages that are getting filed as spam based on the bayes classifier.

Some numbers from crunching my combined maillogs (primary and secondary
mx) from Apr 24th 20:00:00 ~ Apr 25th 20:00:00.

1566 hosts generated 1907 connections to my primary and secondary MXers.

155 hosts generated 192 greylisting entries on either one or both of my
mailservers.

34 hosts attempted to retry mail generating 40 whitelist transactions on
one or both of my mailservers.

-- Chris

      __o          "All I was doing was trying to get home from work."
    _`\<,_           -Rosa Parks
___(*)/_(*)___________________________________________________________
Christopher Sean Hilton                    chris | at | vindaloo.com
         pgp: f5:30:0a:54:e1:55:76:9b:1f:47:0b:07:e9:75:0e:14
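
Added example, not part of the original message and not spamd's own code: a minimal Python model of the greylisting decision discussed in this thread, showing which delivery attempts end up whitelisted and how the per-host retry rate quoted above is derived. The window values mirror OpenBSD spamd's documented defaults and are an assumption, as are the class and function names and the constructed sample attempts.

```python
from dataclasses import dataclass

# Windows in seconds, mirroring OpenBSD spamd's documented defaults (-G 25:4:864).
# Assumption: the message does not say which values its author ran with.
PASSTIME, GREYEXP, WHITEEXP = 25 * 60, 4 * 3600, 864 * 3600

@dataclass
class Entry:
    first_seen: int
    white_until: int = 0          # 0 means the tuple is still grey

class Greylist:
    def __init__(self):
        self.entries = {}         # (client_ip, mail_from, rcpt_to) -> Entry
        self.greyed, self.passed = set(), set()   # hosts greylisted / whitelisted

    def check(self, now, ip, mail_from, rcpt_to):
        """Decide one delivery attempt: 'tempfail' (SMTP 4xx) or 'accept'."""
        key = (ip, mail_from, rcpt_to)
        e = self.entries.get(key)
        if e and e.white_until:
            if now <= e.white_until:
                e.white_until = now + WHITEEXP    # refresh on use
                return "accept"
            e = None                              # whitelist entry expired
        if e is None or now - e.first_seen > GREYEXP:
            self.entries[key] = Entry(first_seen=now)  # new or expired: start grey
            self.greyed.add(ip)
            return "tempfail"
        if now - e.first_seen < PASSTIME:
            return "tempfail"                     # retried too soon
        e.white_until = now + WHITEEXP            # valid retry inside the window
        self.passed.add(ip)
        return "accept"

    def retry_rate(self):
        """Share of greylisted hosts that later passed (0.0 if none were greyed)."""
        return len(self.passed) / len(self.greyed) if self.greyed else 0.0

# Constructed attempts using documentation addresses: (seconds, client IP)
ATTEMPTS = [
    (0, "192.0.2.10"),       # queueing MTA, first try
    (0, "198.51.100.7"),     # sender that never retries
    (0, "203.0.113.5"),      # sender that retries after 60 s
    (0, "203.0.113.9"),      # sender that waits 5 h before retrying
    (60, "203.0.113.5"), (1800, "192.0.2.10"), (18000, "203.0.113.9"),
]

def run(attempts=ATTEMPTS):
    g = Greylist()
    verdicts = [g.check(t, ip, "sender@example.com", "user@example.net")
                for t, ip in attempts]
    return verdicts, g.retry_rate()
```

retry_rate() is the same hosts-whitelisted over hosts-greylisted ratio as the 34 of 155 hosts reported in the message.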