Greylisting .. nice ..

DAve dave.list at pixelhammer.com
Tue Nov 7 20:51:25 GMT 2006


mikea wrote:
> On Tue, Nov 07, 2006 at 01:26:28PM -0600, Rob Poe wrote:
>>>>> My thoughts so far are this:  Why didn't I do this sooner.
>>>> It's going to be pointless soon, problem is, as more and more people do
>>>> this, it won't be long before the common garden variety spammers smtp
>>>> engine will also retry on 4xx errors, I'd give it a year tops (if some of
>>>> them are not already doing it)
>>> My objection to it is not that it doesn't work, but that it makes all
>>> genuine mail servers work twice as hard to deliver mail.  I like having an
>>
>> I agree, that the spammers MIGHT try to adapt to this, but at THIS
>> MOMENT, it works.  Computer tech is moment based.  Since when have we
>> used virus scanners on Microsoft OS'es that only scan on demand (real
>> time scanning).  Why?  Because the virus writers adapted.  The viruses
>> are far nastier.  Spam will get far, far nastier.
>>
>> I have a mailserver I admin that gets the following in spam statistics
>> .. for yesterday at midnight.
>>
>> 1040 blocked yesterday due to sendmail access.db blocks (the worst
>> subnet offenders from foreign countries)
>> 20,000 blocked for invalid recipient
>> 124 blocked by RBLs, of which I cannot use all of because their clients
>> host email servers on DSL / Cable modem connections.
>> 68 blocked by spamassassin for high spam score
>> 2000 greylist 1st attempts 
>> 204 greylist passes
>>
>> They STILL get spam .. but it's blocked almost ALL of the image based
>> spams, and almost ALL of the pharmaceutical messages, and most of the
>> nasty porn stuff.  And with the bayes poisoning they get, SA wasn't
>> touching it ..
>>
>> I agree, greylisting isn't the best thing since sliced bread .. but
>> with the wild state of things on the Internet, it sure comes close IMO. 
>> Not everyone has a 2.8ghz dual xeon with 4 gigs of ram to dedicate to
>> spamassassin with OCR recognition. 
>>
>> This email domain name is 10 years old.  It used to run Groupwise 5.2
>> (ok, so maybe it still does) which the GWIA is so horribly broken that
>> it will accept email to ANY user (doesn't relay it, but DOES accept it
>> even if invalid).  
>>
>> So the spammers have dictionary attacked it for SO long that they all
>> think that asuidewiuwer at thatdomainname is a valid recipient, while it is
>> not.
> 
> From my inbound mailfilter's logs, about 1030 local:
> $ grep graylist /var/log/maillog | wc -l
>     2807
> $ grep "accepted for delivery" /var/log/maillog | wc -l
>     2308
> 
> Just now, at 1409 local:
> grep "accepted for delivery" /var/log/maillog | wc -l && grep graylist /var/log/maillog | wc -l
>     2642
>     3115
> 
> That's 500 or so mails that graylisting stopped at 10:30, minus the
> ones still in the graylisting delay when I pulled the sample. Probably
> about 480 mails actually had been stopped then. The difference still
> is about 500-ish, and that's mails that the later stages of the filter
> (MailScanner, SpamAssassin, and ClamAV) don't have to spend CPU on. 
> 
> That's in addition to extensive blacklists, a regular-expression-match
> milter, and some other stuff, and before the sendmail access database, 
> MailScanner, SpamAssassin, and ClamAV. 
> 
> Some days I'm more than a bit amazed that *anything* gets through.
> 

bash# cat /var/log/maillogs/maillog | grep 'stat=queued' | wc -l
    33384
bash# cat /var/log/maillogs/maillog | grep 'reject=451' | wc -l
    89036
bash# cat /var/log/maillogs/maillog | grep 'auto-whitelisted' | wc -l
     8833

That is just one server. I would be buried without Milter-Greylist, I 
would be looking for a job without MailScanner.

DAve


-- 
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.
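
Added example, not part of the thread and not milter-greylist's own code: a simplified Python model of the greylisting decision the posters are counting in their logs (451 tempfail on first sight of a triplet, pass and auto-whitelist after a delayed retry). The delay and lifetime constants, the /24 keying and the sample traffic are assumptions constructed for illustration.

```python
# Simplified greylisting model (added example; not milter-greylist's code).
# Delay and lifetime values are assumptions chosen for illustration.
from dataclasses import dataclass, field

RETRY_DELAY = 300                # seconds a new triplet must wait (assumed)
PENDING_LIFETIME = 4 * 3600      # unconfirmed triplet expires (assumed)
WHITELIST_LIFETIME = 36 * 86400  # auto-whitelist entry lifetime (assumed)


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)    # triplet -> first-seen time
    whitelist: dict = field(default_factory=dict)  # triplet -> expiry time
    stats: dict = field(default_factory=lambda: {"tempfail": 0, "pass": 0})

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply code for one RCPT attempt at time `now`."""
        # Assumed policy: key on the /24 so a retry from a pool neighbour matches.
        triplet = (ip.rsplit(".", 1)[0], sender.lower(), rcpt.lower())
        if self.whitelist.get(triplet, 0) > now:
            self.whitelist[triplet] = now + WHITELIST_LIFETIME  # refresh on use
            return self._reply(250)
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > PENDING_LIFETIME:
            self.pending[triplet] = now          # first attempt (or stale entry)
            return self._reply(451)
        if now - first_seen < RETRY_DELAY:
            return self._reply(451)              # retried too soon
        del self.pending[triplet]                # waited long enough: promote
        self.whitelist[triplet] = now + WHITELIST_LIFETIME
        return self._reply(250)

    def _reply(self, code):
        self.stats["pass" if code == 250 else "tempfail"] += 1
        return code


def simulate():
    """Constructed traffic: one queueing MTA, one fire-and-forget sender."""
    g = Greylist()
    mta = ("192.0.2.10", "alice@example.org", "bob@example.net")
    replies = [g.check(*mta, now=t) for t in (0, 60, 900, 5000)]
    # Fire-and-forget sender: new forged envelope sender each time, no retry.
    for i in range(5):
        g.check("198.51.100.7", f"x{i}@example.com", "bob@example.net", now=i)
    return replies, g.stats
```

In this model a sender that queues and retries the same envelope after the delay passes by design, which is the adaptation the first quoted poster predicts; the filtering comes entirely from senders that never retry.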

