Author: Marc Perkel Date: To: exim users Subject: Re: [exim] Connection age feature?
On 7/14/2010 10:20 PM, W B Hacker wrote: > Marc Perkel wrote:
>
>> On 7/14/2010 11:41 AM, Graeme Fowler wrote:
>>
>>> On Wed, 2010-07-14 at 09:02 -0700, Marc Perkel wrote:
>>>
>>>
>>>> Is there a variable that returns the number of seconds the connection
>>>> has been open?
>>>>
>>>>
>>> No.
>>>
>>> However in the connect ACL you could set a connection variable to hold
>>> the value of $tod_epoch (or one of the variants) and then check against
>>> that when the connection is closed.
>>>
>>> Note that this is unlikely to be reliable, because all manner of things
>>> could cause the connection to be open for a long time - and at least 50%
>>> of those reasons are at your end.
>>>
>>> Graeme
>>>
>>>
>>
>> It works. And most everything that takes more than 30 seconds to reach
>> the data acl is spam (that not a large message and when load levels are
>> normal) It does seem to be somewhat useful in detecting spam in
>> combination with other factors.
>>
>>
>>
> Interesting.
>
> Maybe.
>
> *Why* does it take so long?
>
> Are your own content-scanning delays a significant contributor, perhaps?
>
> NB: *Excluding* any penalty delays WE impose, but *including* SA and ClamAV,
> even spam is generally handled here in sub two seconds end to end, so....
>
> 'Curious'
>
> Bill
>
>
>
No - not my content scanning because I do it before Spam Assassin or
Clam. And I also exclude large messages. A Windows virus infected spam
bot doesn't send out spam one at a time. They connect to several servers
at once and they are pumping spam as fast as the connection can handle
it. Thus it takes longer to deliver a message than usual.
How to use this information is tricky. One thing someone could do is to
conditionally grey list based on this. What I'm doing is adding a point
if there are also other spam indicators like bad helo, dynamic ip space,
etc.