Greetpause seems very ineffective (Was: RE: Increased Volumes Of Spam)

Sat Jan 20 15:24:33 CET 2007

In my particular case I've had to turn off greylisting for a few  
servers because the owners would rather throw more resources at the  
problem (cpu, ram, etc.) to check mail after it's received. Most  
people I know get used to the additional delay after a while, but  
there are some users who are more... let's call it "recalcitrant".

In any case, GreetPause became a permanent addition to the "bat-belt"  
as soon as it came out. No cases of collateral damage so far, as with  
FPs in RBL's and so on, and it works not just against slammers but a  
lot of DOS situations as well.

If I had only one thing to pick to keep from my setup it would be  
GreetPause.

On Jan 19, 2007, at 7:52 PM, Scott Silva wrote:

> Durval Menezes spake the following on 1/19/2007 4:05 PM:
>> Hello folks,
>>
>> Scott Silva <ssilva at sgvwater.com> on Tue, Jan 16, 2007 at 10:24:11  
>> -0800, wrote:
>>> Greetpause does help a lot, as I probably drop 10 to 20% of the  
>>> spam with it
>>> alone. Five seconds is a good starting point, but probably not  
>>> over 30
>>> seconds.
>>
>> The first time I became aware of GreetPause, I dismissed it as  
>> probably
>> not very effective, because it would be very simple for spammers  
>> to adapt
>> by just stopping the slam; on the negative side, it would end up  
>> slowing
>> ALL traffic, including the legitimate (non-spam) emails.
>>
>> Then I came upon Scott's (and others) recommendations, as above,  
>> and I
>> wondered if my initial analysis was incorrect; today, I found the  
>> time
>> to configure one of my servers to use GreetPause, and measured its
>> efficiency using pause intervals of 1s, 5s and 10s. The numbers I
>> obtained are as follows:
>>
>> Pause:    GreetPause:  total connections:	pre-greet/conexoes:
>> 1s     		 14          645         	2.17%
>> 5s      	 19          383         	4.96%
>> 10s      	 36          535         	6.73%
>>
>> What's worse, about 80% of the connections blocked by GreetPause  
>> would
>> have been blocked anyway by the MTA using RBLs alone, so the  
>> *effective*
>> Greetpause improvement over using RBLs alone would be about 1% or  
>> less,
>> even with relativelly large (10s) pauses.
>>
>> I've rechecked my analysis and found no mistakes; are you folks  
>> *really*
>> measuring GreetPause efficiency and finding these 10-20% numbers,  
>> or are
>> you deriving these numbers more from "feeling" or something? What  
>> other
>> explanations for the above discrepancies can you think of?
>>
>> If anyone wants to sift through my logs, I can make then avalable;
>> just ask.
>>
>> Thanks in advance for any and all input.
>>
>> Best Regards,
> Many cannot use all the good blacklists, and greetpause does catch  
> some of the
> newer spammers that haven't hit the blacklists yet.
>
> -- 
>
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!