Date:      Fri, 27 Apr 2007 17:44:45 -0400
From:      Christopher Hilton <chris@vindaloo.com>
To:        Ted Mittelstaedt <tedm@toybox.placo.com>
Cc:        User Questions <freebsd-questions@freebsd.org>
Subject:   Re: Greylisting -- Was: Anti Spam
Message-ID:  <46326ECD.8060604@vindaloo.com>
In-Reply-To: <BMEDLGAENEKCJFGODFOCCEAECAAA.tedm@toybox.placo.com>
References:  <BMEDLGAENEKCJFGODFOCCEAECAAA.tedm@toybox.placo.com>

Ted Mittelstaedt wrote:

[snip]

>> When I scan my maillogs I find that 22% of the hosts that generate a
>> greylisting entry retry the mail delivery and thus get whitelisted. The
>> other 78% don't attempt redelivery within the greylisting window.
> 
> That's probably par.
> 
> However, the reason you're putting so much faith in the delaying is simply
> that you aren't getting a lot of spam.
> 
> I have published e-mail addresses.  Without greylisting I got about
> 1500-2000 mail messages a day to each of them.
> 
> 

Greylisting isn't just about delaying. IIRC greylisting is filtering for 
spam/ham based on behaviour in the message originator's MTA. My 
greylister is using two behavioural assumptions:

      Spamming MTAs don't have the capability to queue and retry mail. 
Asking them to queue and retry will cause them to drop the mail on the 
floor, thus filtering spam.

      Spamming MTAs don't like to be tarpitted. Stuttering at them and 
sizing the TCP windows so they must wait will result in them 
disconnecting before they can exchange mail, thus filtering spam.


I may not receive as much spam as you, but I do think that I receive "a 
lot of spam". For mail, vindaloo.com is a small domain. I'm a mail 
reflector for a couple of .orgs and I have a handful of addresses for 
which I'm the endpoint.

My greylister trapped 1907 connections from 1566 hosts on Tuesday. I 
assume that without my greylister this would have been 1566 delivered 
messages and nearly all of them would have been spam.

In a nutshell here's my math:

Tuesday's spam statistics:

1907 connections from 1566 hosts to the greylister.

1411 hosts hung up before getting to an SMTP RCPT TO. (rejected by 
Tarpitting)

  121 hosts worked with pf-spamd and sent an SMTP RCPT TO generating a 
greylisting tuple. None of these hosts attempted redelivery. (rejected 
by delay/queue)

   34 hosts worked with pf-spamd as above enough to generate a whitelist 
transaction. For roughly the next month these 34 hosts can deliver mail 
to me.

Assuming that each host wanted to send one message and that the one 
message was spam, my greylister has achieved a rejection rate of 97.8% 
over 1566 messages.

The real beauty of this is that it comes with little resource cost to 
me. Without greylisting those 1566 messages would have to be scanned by 
SpamAssassin. I use SA's bayes filter. Last time I looked at it SA was 
averaging 2 ~ 4 seconds per message scanned. I'm not sure how well SA 
works when concurrently scanning messages, but if I just do the simple 
math that's 1.3 hours of real time scanning messages for spam. Without 
greylisting I'd have to buy new hardware for my mailserver and that's 
just not worth it.

-- Chris

-- 
       __o          "All I was doing was trying to get home from work."
     _`\<,_           -Rosa Parks
___(*)/_(*)___________________________________________________________
Christopher Sean Hilton                    <chris | at | vindaloo.com>
         pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
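Added example, not part of Chris's message or of pf/spamd: a small model
of the greylisting behaviour he describes (a grey tuple of sender IP,
MAIL FROM and RCPT TO that must be retried after a delay before the IP is
whitelisted for about a month), plus the Tuesday arithmetic from the
post. The connection log is constructed to mirror his three categories
(hung up before RCPT TO, greylisted and never retried, retried and
whitelisted); the timing constants are my assumptions modelled on
spamd's defaults as I recall them (passtime 25 min, greyexp 4 h,
whiteexp 36 d), and the 3 s per message is the midpoint of his 2 ~ 4 s
SpamAssassin figure.

```python
"""Greylisting decision model and the rejection/scan-time math from the post.

Everything here is an added illustration: the log records are constructed,
and the constants are assumptions modelled on spamd's documented defaults.
"""
from dataclasses import dataclass, field

PASSTIME = 25 * 60      # assumed: a retry is honoured only after this many seconds
GREYEXP = 4 * 3600      # assumed: a grey tuple that is never retried expires after this
WHITEEXP = 36 * 86400   # assumed: a whitelisted IP keeps its entry for roughly a month


@dataclass
class Greylister:
    grey: dict = field(default_factory=dict)    # (ip, from, rcpt) -> first-seen time
    white: dict = field(default_factory=dict)   # ip -> whitelist expiry time

    def decide(self, ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Outcome of one RCPT TO: 'pass', 'grey-new' or 'grey-early'."""
        exp = self.white.get(ip)
        if exp is not None:
            if now < exp:
                self.white[ip] = now + WHITEEXP   # refresh the entry on use
                return "pass"
            del self.white[ip]                    # expired whitelist entry
        key = (ip, mail_from, rcpt_to)
        first = self.grey.get(key)
        if first is None or now - first > GREYEXP:
            self.grey[key] = now                  # new (or expired) tuple: 4xx it
            return "grey-new"
        if now - first < PASSTIME:
            return "grey-early"                   # retried too soon: still a 4xx
        del self.grey[key]                        # real queue-and-retry behaviour
        self.white[ip] = now + WHITEEXP
        return "pass"


def rejection_rate(tarpitted: int, no_retry: int, whitelisted: int) -> float:
    """Share of hosts rejected, assuming one message per host as in the post."""
    return (tarpitted + no_retry) / (tarpitted + no_retry + whitelisted)


def scan_hours(messages: int, seconds_per_message: float) -> float:
    """Wall-clock hours SpamAssassin would spend if every message were scanned."""
    return messages * seconds_per_message / 3600.0


def tally(records) -> dict:
    """Run a connection log through the greylister and count hosts per outcome.

    A record is (time, ip, mail_from, rcpt_to); mail_from None means the host
    hung up before RCPT TO (counted as rejected by tarpitting).
    """
    gl = Greylister()
    rank = {"tarpit": 0, "grey": 1, "white": 2}
    outcome: dict = {}   # ip -> best outcome that host ever reached
    for t, ip, mail_from, rcpt_to in sorted(records, key=lambda r: r[0]):
        if mail_from is None:
            o = "tarpit"
        else:
            o = "white" if gl.decide(ip, mail_from, rcpt_to, t) == "pass" else "grey"
        outcome[ip] = max(outcome.get(ip, o), o, key=rank.get)
    counts = {k: sum(1 for v in outcome.values() if v == k) for k in rank}
    return {
        "connections": len(records),
        "hosts": len(outcome),
        "tarpitted": counts["tarpit"],
        "greylisted_no_retry": counts["grey"],
        "whitelisted": counts["white"],
        "rejection_rate": rejection_rate(counts["tarpit"], counts["grey"], counts["white"]),
    }


def sample_log() -> list:
    """Constructed log: 10 hosts give up under the tarpit, 3 never retry, 2 retry."""
    me = "chris@vindaloo.com"
    log = [(60.0 * n, f"10.0.0.{n}", None, None) for n in range(1, 11)]
    log += [(700.0 + n, f"192.0.2.{n}", f"bot{n}@example.net", me) for n in range(1, 4)]
    log += [
        (1000.0, "198.51.100.1", "alice@example.org", me),
        (1300.0, "198.51.100.1", "alice@example.org", me),   # 5 min later: still grey
        (2800.0, "198.51.100.1", "alice@example.org", me),   # 30 min later: pass
        (2000.0, "198.51.100.2", "bob@example.org", me),
        (3800.0, "198.51.100.2", "bob@example.org", me),
    ]
    return log


if __name__ == "__main__":
    print(tally(sample_log()))
    print(f"post's Tuesday: {rejection_rate(1411, 121, 34):.1%} rejected, "
          f"{scan_hours(1566, 3.0):.1f} h of SA scanning avoided")
```

The model keys grey entries on the full (IP, MAIL FROM, RCPT TO) tuple but
whitelists by IP alone, which is what lets a host that has proven it can
queue and retry deliver any later message without a second delay; it is
also why a whitelist expiry of about a month is the right knob to watch if
a previously clean IP starts relaying spam.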
