[Greylist-users] Up and running on the real server - and I have some questions
Wayne Walker
wwalker at bybent.com
Wed Feb 15 09:55:57 PST 2006
On Wed, Feb 15, 2006 at 11:39:00AM -0600, Dennis Wynne wrote:
> I put the new anti-SPAM server in front of the real server yesterday
> afternoon and things (to me) are humming right along. One thing I noticed
> is the SPAMmers don't pick up on the change to the MX records and keep
> sending a good bit to the old server - while legit servers quickly started
> using the new server. In a few days if this keeps up I will just block all
> outside connections to the old server. Between the time I changed the MX
> records and this morning I got about 20 SPAMs (a really low count for me)
> and NONE - ZERO - of them came through the new server.
>
> I am getting some push-back from some of the users so I have some questions.
>
> 1) What timeout period does everyone use? Anyone done a study about the
> various times? If SPAMmers "never" retry then 5 minutes would be long
> enough. Do you block more SPAM setting it to around an hour than you do
> setting it for 5 minutes? Seems like if a SPAM box does any retries at all
> it will get through and all you are doing is just delaying legit mail.

I use 2 minutes on one server and 3 on the other. Doesn't seem to let
any more spam through when it was switched from the original default
(20? 58??) a long time ago.

> 2) I block all un-known users before relaydelay sees them, so the only "to:"
> addresses that get looked up and inserted in MySQL are legit users. Any
> thoughts to changing the scripts to run not against the triplet of from:,
> to:, and IP to just from: and IP? This makes sense to me, since if I
> routinely accept messages from bob at domain.com and I ask him to e-mail a
> co-worker I would think it would be OK for bob's mail to go through w/o a
> delay. Ditto for things like CNN news e-mails. Once one of them to any user
> has been accepted, no need to delay the others if they are all from the same
> IP - is there? Anyone done this and can share the changes?

I've thought of this before too, but this will fail. If a spammer sends to Bob
at noon, then to Phil at 12:15, then we approve the spammer because
without the triplet, it looks like the spammer is a real MTA retrying.

> 3) Does anyone use a bypass method when an e-mail just "has to get through"?
> Say a customer has a mail server that never retries, or does not retry
> for 4 hours and I NEED to let an e-mail through. Should I configure a
> non-published username that I could let bypass relaydelay and have the mail
> get through? I know some systems have a "password" you can put in the
> subject line to bypass their SPAM filters - but that would not work with the
> greylist.

I assume you are using relaydelay? Get xlist.pl (in CVS for relaydelay
but not in the tar.gz last time I looked). Then:

xlist.pl white ip 2.3.4 # if that were say, sw airlines who have broken MTAs...
xlist.pl white to mary@foo.com # because Mary likes spam, can't afford
                               # any delayed emails, or just pissed you off

--
Wayne Walker
www.unwiredbuyer.com - when you just can't be by the computer
wwalker at bybent.com Do you use Linux?!
http://www.bybent.com Get Counted! http://counter.li.org/
Perl - http://www.perl.org/ Perl User Groups - http://www.pm.org/
Jabber: wwalker at jabber.gnumber.com AIM: lwwalkerbybent
IRC: wwalker on freenode.net
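
Added example, not part of the original message and not relaydelay's code: a toy greylist that replays the "Bob at noon, Phil at 12:15" case from the answer to question 2 under the full triplet key and under the proposed (IP, sender) key. The function names, addresses, IPs and the 120-second delay are assumptions chosen for illustration.

```python
"""Toy greylist model: full triplet key vs. the proposed (IP, sender) key."""
from dataclasses import dataclass, field
from typing import Callable

DELAY = 120  # seconds before a retry is accepted (assumed, matches the 2-minute setting)

def triplet_key(ip, sender, rcpt):
    return (ip, sender, rcpt)

def pair_key(ip, sender, rcpt):
    return (ip, sender)  # recipient dropped, as proposed in question 2

@dataclass
class Greylist:
    key_fn: Callable
    first_seen: dict = field(default_factory=dict)

    def check(self, now, ip, sender, rcpt):
        """Decide one delivery attempt made at time `now` (seconds)."""
        key = self.key_fn(ip, sender, rcpt)
        first = self.first_seen.setdefault(key, now)
        # Accept only when the same key was first seen at least DELAY ago.
        return "ACCEPT" if now - first >= DELAY else "TEMPFAIL"

def replay(key_fn, attempts):
    """Run a list of (time, ip, sender, rcpt) attempts through a fresh greylist."""
    gl = Greylist(key_fn)
    return [gl.check(*attempt) for attempt in attempts]

# Constructed sample traffic; times are seconds after noon.
SPAM_RUN = [  # one attempt per recipient, never retried
    (0,   "192.0.2.10", "promo@spam.example", "bob@example.org"),
    (900, "192.0.2.10", "promo@spam.example", "phil@example.org"),
]
REAL_MTA = [  # same message to Bob, retried after 15 minutes
    (0,   "198.51.100.7", "alice@partner.example", "bob@example.org"),
    (900, "198.51.100.7", "alice@partner.example", "bob@example.org"),
]

if __name__ == "__main__":
    for name, key_fn in (("triplet", triplet_key), ("pair", pair_key)):
        print(name, "spam:", replay(key_fn, SPAM_RUN))
        print(name, "real:", replay(key_fn, REAL_MTA))
```

With the pair key the second spam attempt is indistinguishable from a retry and is accepted; with the triplet key both spam attempts are deferred while the real MTA's retry still gets through.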