Re: [exim] Greylisting

Author: Ian FREISLICH
Date:  
To: Marc Perkel
CC: exim-users
Subject: Re: [exim] Greylisting

Marc Perkel wrote:
> ok - that's interesting - but I think I'm already catching the spam that
> would be affected by that with ACL rules. And the initial delays would
> be an issue.


Here greylisting is optional. Each recipient can choose whether
to have it turned on or off. The deal is if it's on, don't complain
about delays, if it's off don't complain about spam. One thing I
found is that there is no shortage of silly configurations on the net.
I temp fail for 4 minutes and keep the record for 4 hours if there
is no return or 36 days if there is a return. Some large ISPs here
only retry _12_hours_ later after the first temp fail. Go figure.
Their mail never gets through.

> What I'm thinking about is sort of a "sin" based greylisting where I can
> block message from a host for a period of time after receiving a few
> spams. That way I'm taking the load off of the ones who want to stay
> with me and keep pounding my domains with the same stuff. Once I
> determine the host is sending a lot of spam or doing a dictionary attack
> I can cut my load by ignoring them rather than processing the spam and
> rejecting it.


I do this (after greylisting). I total up SpamAssassin scores where
the score is higher than 7 and lower than 0. When a client's score
breaches 60 it gets denied for the average score * 60 minutes. Each
record in the database persists for a year after the last update
even though the block is a much shorter period. A forged[1] HELO
buys you 60.1 points. These thresholds are arbitrary.

mail=# SELECT date_trunc('second', refresh) as "refresh",
date_trunc('second', expires) as "expires",host,count,
round(total_score::numeric,1) as "score"
from spam_hosts where host <<= '196.25.240.0/24';

      refresh        |      expires        |     host      | count | score 
---------------------+---------------------+---------------+-------+-------
 2005-02-09 15:49:46 | 2006-02-10 08:29:36 | 196.25.240.73 |    25 |   9.2
 2005-02-14 10:00:26 | 2006-02-14 09:48:14 | 196.25.240.74 |    58 |  29.6
 2005-02-09 14:43:01 | 2006-02-09 23:16:54 | 196.25.240.75 |    17 |  -1.1
 2005-02-14 12:16:31 | 2006-02-08 10:50:39 | 196.25.240.76 |     7 |  -2.5
 2005-02-14 09:19:17 | 2006-02-14 08:29:52 | 196.25.240.77 |    18 |  33.1
 2005-02-11 10:23:38 | 2006-02-11 10:02:33 | 196.25.240.78 |    38 |  23.8
 2005-02-10 13:40:00 | 2006-02-10 13:46:26 | 196.25.240.79 |    15 |   7.1
 2005-02-08 13:13:35 | 2006-02-10 00:38:12 | 196.25.240.80 |    15 |   9.6
(8 rows)


This is for one of the larger ISP mail servers here with a good mix
of spammy and hammy mail, but vastly more hammy than spammy. I've
not seen them blocked, which is my expectation. On the other hand,
there are loads of other spammers that get caught by this.

Ian

--
Ian Freislich

1.  If you give an IP literal as the HELO argument and that address
    happens to be in one of my nets, but your IP address is not.
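
Added example, not Ian's Exim/PostgreSQL setup: a small Python model of the
two mechanisms described in the message, the greylist timings (4 minute
temp fail, record kept 4 hours without a retry or 36 days with one) and the
per-host "sin" score (only SpamAssassin scores above 7 or below 0 are
tallied, a total over 60 blocks the client for average score * 60 minutes,
rows live a year after their last update, a forged HELO as in footnote [1]
is worth 60.1 points). It also shows why an ISP that only retries every
12 hours never gets through a 4 hour greylist record. The network
196.25.240.0/24 stands in for "one of my nets", all client IPs, addresses
and scores are constructed, and the choice to leave the row untouched when
a message scores between 0 and 7 is an assumption.

```python
"""Model of the greylisting timings and per-host "sin" score from the message."""
from datetime import datetime, timedelta
import ipaddress

GREYLIST_DELAY = timedelta(minutes=4)        # temp-fail window after first sight
GREYLIST_KEEP_UNSEEN = timedelta(hours=4)    # record life if the sender never retries
GREYLIST_KEEP_SEEN = timedelta(days=36)      # record life once a retry got through
SPAM_BAND, HAM_BAND = 7.0, 0.0               # only scores >7 or <0 are tallied
BLOCK_THRESHOLD = 60.0                       # total score that triggers a block
FORGED_HELO_POINTS = 60.1                    # enough on its own to breach 60
RECORD_LIFETIME = timedelta(days=365)        # spam_hosts row kept a year after last update
MY_NETS = [ipaddress.ip_network("196.25.240.0/24")]  # assumed: one of "my nets"
T0 = datetime(2005, 2, 14, 10, 0, 0)         # constructed reference time


class Greylist:
    """Greylist keyed on the (client IP, envelope sender, recipient) triplet."""

    def __init__(self):
        self.records = {}  # triplet -> {"first": first seen, "expires": purge time}

    def check(self, triplet, now):
        rec = self.records.get(triplet)
        if rec is None or rec["expires"] <= now:
            # Unknown or already purged triplet: defer and start the 4 h clock.
            self.records[triplet] = {"first": now, "expires": now + GREYLIST_KEEP_UNSEEN}
            return "defer"
        if now - rec["first"] < GREYLIST_DELAY:
            return "defer"
        rec["expires"] = now + GREYLIST_KEEP_SEEN   # proper retry seen: keep 36 days
        return "accept"


def retry_outcomes(greylist, triplet, start, interval, attempts):
    """Result of each delivery attempt by a sender that retries every `interval`."""
    return [greylist.check(triplet, start + i * interval) for i in range(attempts)]


def helo_is_forged(helo, client_ip):
    """Footnote [1]: HELO is an IP literal inside my nets, but the client is not."""
    try:
        literal = ipaddress.ip_address(helo.strip("[]"))
    except ValueError:
        return False                              # a hostname, not an IP literal
    client = ipaddress.ip_address(client_ip)
    inside = lambda ip: any(ip in net for net in MY_NETS)
    return inside(literal) and not inside(client)


class SinScore:
    """Per-client tally modelled on the spam_hosts table in the message."""

    def __init__(self):
        self.hosts = {}  # client_ip -> count, total_score, refresh, expires, blocked_until

    def record(self, client_ip, sa_score, now, helo=None):
        points = sa_score if (sa_score > SPAM_BAND or sa_score < HAM_BAND) else 0.0
        if helo is not None and helo_is_forged(helo, client_ip):
            points += FORGED_HELO_POINTS
        if points == 0.0:
            return None                           # assumption: middling scores leave the row alone
        h = self.hosts.get(client_ip)
        if h is None or h["expires"] <= now:      # new host, or row aged out after a year
            h = {"count": 0, "total_score": 0.0, "blocked_until": None}
            self.hosts[client_ip] = h
        h["count"] += 1
        h["total_score"] += points
        h["refresh"] = now
        h["expires"] = now + RECORD_LIFETIME
        if h["total_score"] > BLOCK_THRESHOLD:
            # Deny for (average score) * 60 minutes, i.e. average-score hours.
            average = h["total_score"] / h["count"]
            h["blocked_until"] = now + timedelta(minutes=average * 60)
        return h

    def is_blocked(self, client_ip, now):
        h = self.hosts.get(client_ip)
        return bool(h and h["blocked_until"] and now < h["blocked_until"])


def demo():
    """Run the scenarios from the message and return the results for inspection."""
    g = Greylist()
    good = ("203.0.113.5", "alice@example.org", "bob@example.net")  # constructed
    slow = ("203.0.113.6", "carol@example.org", "bob@example.net")  # constructed
    s = SinScore()
    spammer, forger = "198.51.100.9", "198.51.100.10"                # constructed
    for sa in (15.0, 3.0, -2.0, 25.0, 30.0):  # 3.0 falls in the ignored band
        s.record(spammer, sa, T0)
    s.record(forger, 2.0, T0, helo="[196.25.240.73]")                # forged IP literal
    return {
        "well_behaved": [g.check(good, T0), g.check(good, T0 + timedelta(minutes=2)),
                         g.check(good, T0 + timedelta(minutes=5))],
        # Retries only every 12 h: the 4 h record is gone each time, so never accepted.
        "slow_isp": retry_outcomes(g, slow, T0, timedelta(hours=12), 4),
        "spammer": dict(s.hosts[spammer]),
        "spammer_blocked_minutes": (s.hosts[spammer]["blocked_until"] - T0).total_seconds() / 60,
        "forger_blocked_minutes": (s.hosts[forger]["blocked_until"] - T0).total_seconds() / 60,
    }
```

With these numbers the spammer's four tallied messages (15, -2, 25, 30)
total 68 and average 17, so the block lasts 17 hours; a single forged
HELO on its own blocks for 60.1 hours; and the 12-hourly retrier is
deferred on every attempt because each attempt finds a fresh triplet.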