[Greylist-users] Greylisting stats - even if spam software retries....

Bob Beck beck at bofh.cns.ualberta.ca
Mon Sep 26 10:04:22 PDT 2005

	Hi Gang,

	Some stats for the list, which might be of interest, 
after seeing another post about "greylisting only helps till spam
software retries" - there are other things you can do.

	I run OpenBSD spamd for greylisting, in front of a relatively large
mail site at the U of A (I'm also the primary spamd author, so I'm a
bit biased :) We're making use of a couple of new features which I've
talked about in my talk that's linked from the greylisting.org site,
go there to find out more.

	The OpenBSD 3.7 spamd version allows for the specification of
spamtraps only for greylisted machines, so if a greylisted machine
attempts to send mail to a spamtrap address it will be blocked for 24

	In OpenBSD 3.8 (the upcoming release) spamd does "initial stuttering"
on greylisted connections. This was the result of seeing many many
many spam generating programs disconnect quickly when tarpitted - no
real MTA cares if the net connection is a little slow. Initial
stuttering means that rather than talk full speed to greylisted hosts,
spamd mimics a tarpit and talks 1 character per second for the first
10 seconds, then goes full speed for the rest of the smtp dialogue. 

	We've been using both features with great success here but I thought
I'd give you a little info on how well. 

	During a typical mid day hour, last week, from 1 to 2 pm. 
our main mx received 7500 real smtp connections - stuff that
was not greylisted. (we're always stable at about 110,000 whitelisted
hosts, with 36 day timeout)

	During the same hour, 4500 sessions were done to the point of
receiving the 450 greylisting message. As you all probably well know,
on an established server, 99% of these are probably junk, (and typically
do not come back) 

	During that same hour, 1800 connections were blacklisted and
tarpitted, as the result of the would-be-greylisted host having hit
a spamtrap address in the last 24 hours.

	During that same hour, however, 14500 connections disconnected
from the greylister before the initial 10 seconds were up. Of these,
13500 were at the 3 second mark :).  

	Net result, very roughly speaking, in terms of smtp connections,
we're looking at about a little more than a 2 to 1 ratio of certainly
crap, to "possibly real" smtp connections. 


	-Bob Beck

Bob Beck                                   			     AICT
beck at bofh.cns.ualberta.ca                           University of Alberta
True Evil hides its real intentions in its street address.
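
Added example (not part of the original post and not spamd's code): a small Python model of the "initial stuttering" timing described above, showing why a client that gives up after a few seconds never reaches the 450 reply while a patient MTA does. The reply strings, the patience values and the choice to send the first byte at t=0 are constructed assumptions.

```python
"""Model of 'initial stuttering': 1 char/sec for the first 10 s, then full speed."""

STUTTER_SECS = 10  # from the post: stutter for the first 10 seconds
CHAR_DELAY = 1     # from the post: 1 character per second while stuttering

# Constructed server side of a greylisted SMTP dialogue (not spamd's real text).
REPLIES = [
    b"220 mx.example.org ESMTP\r\n",
    b"250 Hello\r\n",
    b"250 OK\r\n",
    b"450 Temporary failure, please try again later\r\n",
]

def stutter_plan(replies, stutter_secs=STUTTER_SECS, char_delay=CHAR_DELAY):
    """Return [(send_time, chunk)]: single bytes while session time is below
    stutter_secs, then whatever is left of each reply in one write."""
    plan, now = [], 0
    for reply in replies:
        i = 0
        while i < len(reply) and now < stutter_secs:
            plan.append((now, reply[i:i + 1]))  # assumption: first byte at t=0
            now += char_delay
            i += 1
        if i < len(reply):
            plan.append((now, reply[i:]))       # stutter window over: full speed
    return plan

def session_outcome(plan, patience):
    """Model a client that hangs up if no complete reply line has arrived
    within `patience` seconds; otherwise it stays to the last reply."""
    buf = b""
    for t, chunk in plan:
        if t > patience and b"\r\n" not in buf:
            return ("disconnected", patience, buf)
        buf += chunk
    return ("completed", plan[-1][0], buf)

def tally(plan, patiences):
    """Count outcomes for a list of client patience values (seconds)."""
    counts = {"disconnected": 0, "completed": 0}
    for p in patiences:
        counts[session_outcome(plan, p)[0]] += 1
    return counts

if __name__ == "__main__":
    plan = stutter_plan(REPLIES)
    print(session_outcome(plan, 3))          # impatient sender: gone at 3 s
    print(session_outcome(plan, 300)[:2])    # real MTA: sees the 450 at 10 s
    print(tally(plan, [3, 3, 5, 300]))       # constructed client mix
```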
