Greylisting .. nice ..
mikea at mikea.ath.cx
Tue Nov 7 20:12:18 GMT 2006
On Tue, Nov 07, 2006 at 01:26:28PM -0600, Rob Poe wrote:
> >> > My thoughts so far are this: Why didn't I do this sooner.
> >> Its going to be pointless soon, problem is, as more and more people
> >> this, it wont be long before the common garden variety spammers
> >> engine will also retry on 4xx errors, id give it a year tops (if
> some of
> >> them are not already doing it)
> >My objection to it is not that it doesn't work, but that it makes all
> >genuine mail servers work twice as hard to deliver mail. I like
> having an
> I agree, that the spammers MIGHT try to adapt to this, but at THIS
> MOMENT, it works. Computer tech is moment based. Since when have we
> used virus scanners on Microsoft OS'es that only scan on demand (real
> time scanning). Why? Because the virus writers adapted. The viruses
> are far nastier. Spam will get far, far nastier.
> I have a mailserver I admin that gets the following in spam statistics
> .. for yesterday at midnight.
> 1040 blocked yesterday due to sendmail access.db blocks (the worst
> subnet offenders from foreign countries)
> 20,000 blocked for invalid recipient
> 124 blocked by RBLs, of which I cannot use all of because their clients
> host email servers on DSL / Cable modem connections.
> 68 blocked by spamassassin for high spam score
> 2000 greylist 1st attempts
> 204 greylist passes
> They STILL get spam .. but it's blocked almost ALL of the image based
> spams, and almost ALL of the pharmaceutical messages, and most of the
> nasty porn stuff. And with the bayes poisioning they get, SA wasn't
> touching it ..
> I agree, greylisting isn't the best thing since sliced bread .. but
> with the wild state of things on the Internet, it sure comes close IMO.
> Not everyone has a 2.8ghz dual xeon with 4 gigs of ram to dedicate to
> spamassassin with OCR recognition.
> This email domain name is 10 years old. It used to run Groupwise 5.2
> (ok, so maybe it still does) which the GWIA is so horribly broken that
> it will accept email to ANY user (doesn't relay it, but DOES accept it
> even if invalid).
> So the spammers have dictionary attacked it for SO long that they all
> think that asuidewiuwer at thatdomainname is a vaild recipient, while it is
>From my inbound mailfilter's logs, about 1030 local:
$ grep graylist /var/log/maillog | wc -l
$ grep "accepted for delivery" /var/log/maillog | wc -l
Just now, at 1409 local:
grep "accepted for delivery" /var/log/maillog | wc -l && grep graylist /var/log/maillog | wc -l
That's 500 or so mails that graylisting stopped at 10:30, minus the
ones still in the graylisting delay when I pulled the sample. Probably
about 480 mails actually had been stopped then. The difference still
is about 500-ish, and that's mails that the later stages of the filter
(MailScanner, SpamAssassin, and ClamAV) don't have to spend CPU on.
That's in addition to extensive blacklists, a regular-expression-match
milter, and some other stuff, and before the sendmail access database,
MailScanner, SpamAssassin, and ClamAV.
Some days I'm more than a bit amazed that *anything* gets through.
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin
More information about the MailScanner