Greylisting .. nice ..

mikea mikea at mikea.ath.cx
Tue Nov 7 20:12:18 GMT 2006


On Tue, Nov 07, 2006 at 01:26:28PM -0600, Rob Poe wrote:
> >> > My thoughts so far are this:  Why didn't I do this sooner.
> > 
> >> It's going to be pointless soon, problem is, as more and more people
> >> do this, it won't be long before the common garden variety spammers'
> >> SMTP engine will also retry on 4xx errors, I'd give it a year tops (if
> >> some of them are not already doing it)
> 
> >My objection to it is not that it doesn't work, but that it makes all
> >genuine mail servers work twice as hard to deliver mail.  I like having an
> 
> I agree, that the spammers MIGHT try to adapt to this, but at THIS
> MOMENT, it works.  Computer tech is moment based.  Since when have we
> used virus scanners on Microsoft OSes that only scan on demand (real
> time scanning).  Why?  Because the virus writers adapted.  The viruses
> are far nastier.  Spam will get far, far nastier.
> 
> I have a mailserver I admin that gets the following in spam statistics
> .. for yesterday at midnight.
> 
> 1040 blocked yesterday due to sendmail access.db blocks (the worst
> subnet offenders from foreign countries)
> 20,000 blocked for invalid recipient
> 124 blocked by RBLs, of which I cannot use all of because their clients
> host email servers on DSL / Cable modem connections.
> 68 blocked by spamassassin for high spam score
> 2000 greylist 1st attempts 
> 204 greylist passes
> 
> They STILL get spam .. but it's blocked almost ALL of the image based
> spams, and almost ALL of the pharmaceutical messages, and most of the
> nasty porn stuff.  And with the bayes poisoning they get, SA wasn't
> touching it ..
> 
> I agree, greylisting isn't the best thing since sliced bread .. but
> with the wild state of things on the Internet, it sure comes close IMO. 
> Not everyone has a 2.8GHz dual Xeon with 4 gigs of RAM to dedicate to
> spamassassin with OCR recognition. 
> 
> This email domain name is 10 years old.  It used to run Groupwise 5.2
> (ok, so maybe it still does), whose GWIA is so horribly broken that
> it will accept email to ANY user (doesn't relay it, but DOES accept it
> even if invalid).  
> 
> So the spammers have dictionary attacked it for SO long that they all
> think that asuidewiuwer at thatdomainname is a valid recipient, while it is
> not.

From my inbound mailfilter's logs, about 1030 local:
$ grep graylist /var/log/maillog | wc -l
    2807
$ grep "accepted for delivery" /var/log/maillog | wc -l
    2308

Just now, at 1409 local:
$ grep "accepted for delivery" /var/log/maillog | wc -l && grep graylist /var/log/maillog | wc -l
    2642
    3115

That's 500 or so mails that graylisting stopped at 10:30, minus the
ones still in the graylisting delay when I pulled the sample. Probably
about 480 mails actually had been stopped then. The difference still
is about 500-ish, and that's mails that the later stages of the filter
(MailScanner, SpamAssassin, and ClamAV) don't have to spend CPU on. 

That's in addition to extensive blacklists, a regular-expression-match
milter, and some other stuff, and before the sendmail access database, 
MailScanner, SpamAssassin, and ClamAV. 

Some days I'm more than a bit amazed that *anything* gets through.

-- 
Mike Andrews, W5EGO
mikea at mikea.ath.cx
Tired old sysadmin 
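The mechanism both posters are tallying (a first-seen client IP / sender / recipient triplet gets a 4xx temporary failure, a retry after the delay is accepted and remembered, and a sender that never comes back never shows up as a pass) written out as a small simulator. This is an added example, not code from the MailScanner project or from either poster; the 5-minute delay, 4-hour expiry, addresses and IP addresses are constructed for illustration.

```python
"""Greylisting decision logic plus the two counters the thread quotes:
"greylist 1st attempts" and "greylist passes". Added illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Assumed tunables (constructed for this example; real milters differ).
DELAY_SECONDS = 300          # a retry sooner than this is still tempfailed
EXPIRE_SECONDS = 4 * 3600    # an unretried first attempt is forgotten after this

Triplet = Tuple[str, str, str]   # (client IP, envelope sender, envelope recipient)


@dataclass
class Greylist:
    """Minimal greylist state: pending first attempts and triplets that passed."""
    pending: Dict[Triplet, float] = field(default_factory=dict)  # triplet -> first-seen time
    passed: Set[Triplet] = field(default_factory=set)
    first_attempts: int = 0   # the "greylist 1st attempts" figure in the thread
    passes: int = 0           # the "greylist passes" figure

    def decide(self, client_ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP reply code to give this delivery attempt."""
        key: Triplet = (client_ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return "250"                      # already proved it retries
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > EXPIRE_SECONDS:
            self.pending[key] = now           # new (or stale) triplet: tempfail it
            self.first_attempts += 1
            return "451"
        if now - first_seen >= DELAY_SECONDS:
            self.passed.add(key)              # a genuine MTA came back after the delay
            del self.pending[key]
            self.passes += 1
            return "250"
        return "451"                          # retried too early, wait some more


# Constructed delivery attempts: (seconds since start, client IP, sender, recipient).
SAMPLE_ATTEMPTS = [
    (0, "192.0.2.10", "alice@example.com", "bob@example.net"),     # real MTA, first try
    (0, "198.51.100.7", "x@spam.invalid", "bob@example.net"),      # spam engine, never retries
    (60, "192.0.2.10", "alice@example.com", "bob@example.net"),    # real MTA retries too soon
    (900, "192.0.2.10", "alice@example.com", "bob@example.net"),   # retry after the delay: pass
    (1000, "192.0.2.10", "alice@example.com", "bob@example.net"),  # next mail, same triplet
]


def run_sample(attempts=SAMPLE_ATTEMPTS) -> dict:
    """Feed the attempts through one Greylist and report replies plus the two tallies."""
    gl = Greylist()
    replies = [gl.decide(ip, sender, rcpt, t) for t, ip, sender, rcpt in attempts]
    return {"replies": replies, "first_attempts": gl.first_attempts, "passes": gl.passes}


if __name__ == "__main__":
    result = run_sample()
    for (t, ip, sender, _), code in zip(SAMPLE_ATTEMPTS, result["replies"]):
        print(f"t={t:>5}s {ip:<14} {sender:<20} -> {code}")
    print(f"1st attempts: {result['first_attempts']}, passes: {result['passes']}")
```

The gap between the two counters is what the posters are measuring: every triplet costs one first attempt, but only senders that honour the 4xx and come back after the delay ever register a pass, and those are the only ones the later CPU-hungry stages (SpamAssassin, ClamAV) have to look at.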
