Re: [exim] Greylisting algorithms after end of DATA

Author: Graeme Fowler
Date:  
To: exim-users
Subject: Re: [exim] Greylisting algorithms after end of DATA
On Sun, 2007-01-21 at 20:33 +0100, Magnus Holmgren wrote:
> My feeling is that the majority of all spam can be stopped early with HELO
> checks and reliable DNSBLs like Spamhaus's. Where in the line of defence do
> you people put greylisting and what percentage of all spam does it stop?


I'm not using greylisting in any way; so for a balanced comparison (and
my interest, I never bothered to analyse this before!) of my small
two-domain personal system I have:

1. a set of HELO checks (no outright rejections here)
2. a set of "restricted character" rejections at RCPT time which reject
each violating RCPT.
3. a local list of banned sender domains (small) which reject at RCPT
time.
4. a MIME extension check which rejects outright for certain extensions.
5. a set of rejections after DATA which:
5a. reject for 2 out of 3 (or more) DNSBL hits
5b. reject for HELO violations from (1)
5c. reject broken MIME
5d. reject viruses detected by one or more AV scanners
5e. SpamAssassin check, which rejects over a locally defined threshold.
5f. reject messages getting this far which break RFC2821 sec 3.3 (the
RCPT TO syntax).
6. Accept.

In the four weeks to 00:00GMT today, I have the following rejection
counts:

1.     0 (no straight rejections, see 5b)
2.    56
3.     0
4.   464
5a. 2009
5b.  462
5c.    0
5d.  505
5e. 5496
5f.    9
6.  3841


And of (6), 15 were false negatives. As far as I can determine, no false
positives.

Clearly I'm passing what many would feel to be too much through to
SpamAssassin but given the available resources and the false negative
rate, it's a pretty good system for me. I fail to see what greylisting
would add here.

For a system processing that many messages per hour (instead of per
month) however, I might be persuaded otherwise.

Graeme