[Greylist-users] Up and running on the real server - and I have some questions

William Blunn bill--greylist at tao-group.com
Wed Feb 15 10:38:45 PST 2006


Dennis Wynne wrote:
> I put the new anti-SPAM server in front of the real server yesterday 
> afternoon and things (to me) are humming right along.

A green-field, relay-only MTA. Complete freedom to install an MTA of 
your choosing.

> 1) What timeout period does everyone use? Anyone done a study about 
> the various times? If SPAMmers "never" retry then 5 minutes would be 
> long enough. Do you block more SPAM setting it to around an hour than 
> you do setting it for 5 minutes? Seems like if a SPAM box does any 
> retries at all it will get through and all you are doing is just 
> delaying legit mail.

1 minute.

> 2) I block all un-known users before relaydelay sees them, so the only 
> "to:" addresses that get looked up and inserted in MySQL are legit 
> users. Any thoughts to changing the scripts to run not against the 
> triplet of from:, to:, and IP to just from: and IP? This makes sense 
> to me, since if I routinely accept messages from bob at domain.com and I 
> ask him to e-mail a co-worker I would think it would be OK for bob's 
> mail to go through w/o a delay. Ditto for things like CNN news 
> e-mails. Once one of them to any user has been accepted, no need to 
> delay the others if they are all from the same IP - is there? Anyone 
> done this and can share the changes?

Your suggestion sounds dodgy because you will allow spam from spammers 
who send to more than one user at your site (which spammers often do).

There is a way to do what you're suggesting, which is what I already do. 
My system allows mail from any host/sender where there is a 
host/sender/recipient triple which has verified itself (i.e. where there 
has previously been a full triple match). So if a spammer writes to Bob 
and then to Jim, both messages get deferred. If a legit sender writes to 
Bob, and then later to Bob and Jim, Bob and Jim will both get the 
second message *at the same time*.

Experience says that you *need to be getting this right*, otherwise you 
will get a steady trickle of people coming to you like Jim saying "Yeah, 
Bob got a message from Dave which was addressed to me, but I didn't 
receive it. I only found out when Bob replied to Dave, quoting the 
original message, and copying me. I guessed my e-mail was broken, so I 
got Dave to try to a different e-mail address / try it without the 
attachments. Is my e-mail broken? Have we stopped accepting attachments? 
Has the server gone down? When's it going to be fixed? All these 
problems - can't you even get e-mail right?".

My system does not use Evan's Sendmail-based greylisting stuff - it is a 
complete re-write originally designed to plug into Exim4 (although the 
programmatic interface is generic and could plug into any MTA).

> 3) Does anyone use a bypass method when an e-mail just "has to get 
> through" ? Say a customer has a mail server that never retries, or 
> does not retry for 4 hours and I NEED to let an e-mail through. Should 
> I configure a non-published username that I could let bypass 
> relaydelay and have the mail get through? I know some systems have a 
> "password" you can put in the subject line to bypass their SPAM 
> filters - but that would not work with the greylist.

If your greylister is hooked in to Exim4, then configuring this is easy; 
you just put a condition on your ACL to not greylist when a recipient 
appears in a given table. If you're using Sendmail, well, sorry, I threw 
that out years ago and never once regretted it for a second.

> 4) Does anyone have any reporting scripts that they can share? My 
> users would like me to give them a report of any mail that was seen, 
> but not passed (no retries in the allowed time) so they can see if 
> they missed anything.

If you've configured it with the double/triple allower, and a nice short 
retry then your users should get used to it pretty quickly, and will get 
on with what they're supposed to be doing rather than worrying about 
where their e-mail is.

Bill
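
The host/sender allow rule and the recipient bypass table described in the reply above, sketched as an added example (it is not Bill's system and was not posted to the list). The class name, the in-memory storage, the lower-casing of addresses and all sample addresses are assumptions; the 60-second delay is the "1 minute" from the reply.

```python
class Greylist:
    """Toy in-memory greylister (assumed design, not the poster's code)."""

    def __init__(self, delay=60, bypass=()):
        self.delay = delay                # seconds a new triple must wait
        self.first_seen = {}              # (host, sender, rcpt) -> first attempt time
        self.verified_pairs = set()       # (host, sender) with one verified triple
        self.bypass = {r.lower() for r in bypass}  # recipients never greylisted

    def check(self, host, sender, rcpt, now):
        """Return 'accept' or 'defer' for one RCPT TO at time `now` (seconds)."""
        sender, rcpt = sender.lower(), rcpt.lower()
        if rcpt in self.bypass:
            return "accept"
        if (host, sender) in self.verified_pairs:
            return "accept"               # some triple for this pair already retried
        first = self.first_seen.setdefault((host, sender, rcpt), now)
        if now - first >= self.delay:
            self.verified_pairs.add((host, sender))  # full triple match on retry
            return "accept"
        return "defer"


def demo():
    # Constructed addresses and documentation-range IPs.
    g = Greylist(delay=60, bypass=["urgent@corp.example"])
    out = []
    # Spammer: one attempt each to Bob and Jim, never retries.
    out.append(g.check("203.0.113.9", "x@spam.example", "bob@corp.example", 0))
    out.append(g.check("203.0.113.9", "x@spam.example", "jim@corp.example", 5))
    # Dave: deferred, retries after 90 s, later writes to Bob and Jim together.
    out.append(g.check("198.51.100.7", "dave@example.org", "bob@corp.example", 10))
    out.append(g.check("198.51.100.7", "dave@example.org", "bob@corp.example", 100))
    out.append(g.check("198.51.100.7", "dave@example.org", "bob@corp.example", 5000))
    out.append(g.check("198.51.100.7", "dave@example.org", "jim@corp.example", 5000))
    # Unknown sender to the bypass recipient: accepted on the first attempt.
    out.append(g.check("192.0.2.44", "new@customer.example", "urgent@corp.example", 20))
    return out


if __name__ == "__main__":
    print(demo())
```

Jim's first message from Dave is accepted without a delay only because the Dave/Bob triple from the same host had already passed a retry; the spammer's two single attempts verify nothing.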