Re: [exim] Greylisting algorithms after end of DATA

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Mike Cardwell
Date:  
À: exim-users
Sujet: Re: [exim] Greylisting algorithms after end of DATA
* on the Sun, Jan 21, 2007 at 08:58:46PM +0000, Graeme Fowler wrote:

>> My feeling is that the majority of all spam can be stopped early with HELO
>> checks and reliable DNSBLs like Spamhaus's. Where in the line of defence do
>> you people put greylisting and what percentage of all spam does it stop?
> I'm not using greylisting in any way; so for a balanced comparison (and
> my interest, I never bothered to analyse this before!) of my small
> two-domain personal system I have:


For my own personal mail, I use a custom written greylisting solution
using a mysql db so I can share it across each MX. I only apply it to mail
that doesn't pass my extensive whitelisting (*) and that has at least one
dodgy looking feature, eg non matching reverse dns, spf soft failures,
dynamic ips, connections from boxes that p0f thinks are running Windows ;),
failed sender callouts etc etc. It has so far been applied to 2335 email
attempts. 60 of those retried and got through, the rest never retried. I've
been regularly checking the greylist table in the db since this went live
and as far as I can see I've not had any false positives yet. This has been
running for 7 weeks now.

If a host passes greylisting, I don't bother applying it to any other
connection from that host regardless of the sender/recipient, as it's
already "proved" to retry. If a connection passes the greylisting, it's
remembered for 60 days. If it doesn't retry within 24 hours, it has
failed. All retries within the first 3 minutes since the initial attempt
are defered.

[snip info on Graemes other checks]

> Clearly I'm passing what many would feel to be too much through to
> SpamAssassin but given the available resources and the false negative
> rate, it's a pretty good system for me. I fail to see what greylisting
> would add here.


See my stats above :)

> For a system processing that many messages per hour (instead of per
> month) however, I might be persuaded otherwise.


Mike

(*) Whitelisting:
    1.) A static file with a list of sender networks
    2.) A static file with a list of sender domains
    3.) A static file with a list of sender email addresses
    4.) Dynamically generated list (in db) of addresses that have emailed me
        more than twice.
    5.) Dynamically generated list of addresses that I have sent email to at
        least once (using authenticated smtp)
    6.) query.bondedsender.org


I also have a condition for hosts that shouldn't be greylisted because
they're commonly used, and they're real servers:

${if match_domain{$sender_host_name}\
                 {*.google.com:*.hotmail.com:*.msn.com:*.lycos.com:*.yahoo.com}\
}


I could really do with spending some time expanding that list and
sticking it in a file lookup instead.