OT: Grey-listing?

Matt Kettler mkettler at EVI-INC.COM
Mon May 23 16:35:58 IST 2005



James Gray wrote:
> Hi All,
>
> Whilst not entirely MailScanner related, I do consider most people on this
> list more sendmail savvy than myself, hence this message.  Apologies if it
> offends.
>
> I've started down the road of grey-listing and have configured but not
> "activated" the sendmail greylist-milter.  My questions to the group are
> both technical and political:
>
> 1. those who have used this milter; how effective is it in stemming the tide
> of spam compared to "just" sendmail + mailscanner + SA + RBL(OutBlaze,
> Razor etc)??
>
> 2. If anyone is using grey-listing (of any type), what impact is there to
> the sender and how has this been addressed politically within your
> organisation?

I use milter-greylist, 2.0rc1, and I take a slightly unusual approach to
greylisting that you might find interesting.

I have set up a "greylist instead of blacklist" style network using
milter-greylist's ACL feature. Using this, I greylist messages from hosts with
no RDNS, a RDNS that looks like a dynamic home user, and IPs in APNIC and
LACNIC. Everything else goes through without greylist delay.

Here I can't afford to blacklist these hosts, even though many will outright
blacklist them. However, with a greylist the impact of a FP is minimal: the
message gets delayed instead of rejected.

Even using this minimalistic approach I've had my inbound spam cut back by
almost 50%. I used to have about 2400 spams picked up by SA per day with peaks
just over 3000/day. Last week the peak was 1291 in a day, according to
mailscanner-mrtg. Since enabling the greylist I have not broken 1600 in a day.

Virus rates also appear lower, but those are harder to measure since virus rates
are erratic and heavily biased by breakout timing and the efficiency of the
virus itself. Drawing an eyeball average it looks like I went from just over
30/day to about 10/day.

My FP rate is pretty low too. Since Sunday I have accepted 3780 messages with no
delay and greylisted 2726 messages (not counting retries) for a total of 6506
messages. During this same time 168 messages were delivered after greylisting,
and 139 of those were tagged as spam by SA. Of the 29, 25 appear to be SA FNs
from "brilliantmarketinginc" (ROKSO listed). That leaves approximately 4
messages that might be legitimate nonspam that got delayed. That's a 0.15% FP
rate on hits, and 0.06% FP rate vs overall mail volume.

This kind of "soft" approach to greylisting mitigates most of the negative
impacts of a greylist, while reaping many of the benefits.

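The selective policy described in the reply above (greylist only clients with no rDNS, dynamic-looking rDNS, or an address in listed ranges; pass everything else undelayed), sketched in Python as an added example. It is not from the post and is not milter-greylist's code or ACL syntax; the network ranges are documentation-range stand-ins for registry allocations, and the rDNS pattern and the 300-second retry delay are assumptions.

```python
import ipaddress
import re

# Constructed stand-ins: documentation ranges in place of real registry
# allocations, and a hypothetical pattern for "dynamic home user" rDNS names.
SUSPECT_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
DYNAMIC_RDNS = re.compile(
    r"(^|[.-])(dyn(amic)?|dsl|dhcp|pool|ppp|dial(up)?|cable)([.-]|\d)"
    r"|\d+[.-]\d+[.-]\d+[.-]\d+",  # IP address embedded in the host name
    re.I,
)
RETRY_DELAY = 300  # seconds a new triplet must wait (assumed value)


def is_suspect(ip, rdns):
    """Return the reason a client is subject to greylisting, or None."""
    if not rdns:
        return "no-rdns"
    if DYNAMIC_RDNS.search(rdns):
        return "dynamic-rdns"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SUSPECT_NETS):
        return "listed-range"
    return None


class SelectiveGreylist:
    """Greylist instead of blacklist: only suspect clients are delayed."""

    def __init__(self, delay=RETRY_DELAY):
        self.delay = delay
        self.first_seen = {}  # (ip, sender, rcpt) -> time of first attempt

    def check(self, ip, rdns, sender, rcpt, now):
        """Return (action, reason); action is 'accept' or 'tempfail'."""
        reason = is_suspect(ip, rdns)
        if reason is None:
            return ("accept", "not-suspect")  # no greylist delay at all
        key = (ip, sender.lower(), rcpt.lower())
        first = self.first_seen.setdefault(key, now)
        if now - first >= self.delay:
            return ("accept", "retried:" + reason)  # retried after the delay
        return ("tempfail", reason)  # SMTP 4xx: delayed, not rejected
```

A false positive under this policy costs the sender one retry interval, which is the trade-off the reply relies on.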