Re: [exim] Greylisting

Top Page

Reply to this message
Author: Marc Perkel
To: exim-users
Subject: Re: [exim] Greylisting
ok - that's interesting - but I think I'm already catching the spam that
would be affected by that with ACL rules. And the initial delays would
be an issue.

What I'm thinking about is sort of a "sin" based greylisting where I can
block message from a host for a period of time after receiving a few
spams. That way I'm taking the load off of the ones who want to stay
with me and keep pounding my domains with the same stuff. Once I
determine the host is sending a lot of spam or doing a dictionary attack
I can cut my load by ignoring them rather than processing the spam and
rejectinng it.

But - I'm going to look into this greylisting. Maybe I can adapt it.

WJCarpenter wrote:

>mp> I really haven't looked into greylisting yet - but I;ve seen the
>mp> term. So - how does it work? I had the idea that it slowed down
>mp> delivery until you are trusted or something? So - you really like
>mp> it do you?
>In the arms race that is spam today, there is seldom any news that is
>both good and dramatic. Well, greylisting is very good news. The bad
>news is that someday the spammers will figure out how to get around
>greylisting (it's not too hard), but in the meantime it's like having
>a bad cold for a long time and suddenly waking up feeling great one
>You can search around for "greylisting" (usually spelled with an "e"),
>but the two usual starting places for it are:
>In a nutshell, greylisting exploits the fact that most spam and email
>viruses are sent by quasi-retarded software on compromised computers
>all over the world. In contrast to real SMTP servers, the spambot
>software does a lot of goofy things that aren't up to spec. One thing
>in particular that someone noticed is that they don't usually retry in
>the face of errors. Spambots by and large never retry (or they
>immediately retry [no delay at all] a couple of times and then give
>up). There are lots of special cases, so go to those URLs and read
>about it.
>Greylisting keeps track of triplets of (recipient address, sender
>address, sending IP address). For a new combination, the SMTP server
>gives 4xx temporary failure for some small period (like an hour or 5
>minutes or whatever). After that small period, recipient validation
>moves past the greylisting stage to whatever else you have. You keep
>the records around for a while so that subsequent messages involving
>the same triplet aren't delayed at all. In the best case, it's only
>the first message from a new correspondent that gets delayed a little
>One bummer is that greylisting doesn't help at all with autoforwarded
>spam, bounce-back spam, and spam being sent by a real SMTP server for
>whatever reason. There's plenty of that around, but it's a small
>percentage of the spam traffic knocking on my door.
>There's all kinds of skepticism about greylisting because it's pretty
>easy to see how to overcome it. However, in the short term (who knows
>how short), it's nothing short of "freaking fantastic" (YMMV :-). For
>my personal mail flow, which includes all the postmaster and generic
>stuff, it changed overnight from 500-600 spam and virus emails per day
>to on the order of a dozen or so. The turnback rate for my users
>varies widely; the higher the volume, the more likely they are to have
>a high percentage of spam (at my site anyhow). I would estimated that
>I'm running SpamAssassin only 10-15% of what I used to run. It's very
>relaxing on my box right now.

Marc Perkel - marc@???

Spam Filter:
    My Blog:
My Religion:
~ "If it's real - we believe in it!" ~