[TriLUG] The seal remains unbroken... greylisting working quite well

Jon Carnes jonc at nc.rr.com
Mon Jan 29 19:29:14 EST 2007


Well it's been 19 hours now and greylisting has only let three spams
pass in - of which Spam Assassin (the open relay rbl) dropped two -
leaving one for me to delete by hand. Not bad :-) Much better than the
20 to 40 that I normally have to delete.

The mail server successfully passed/delivered 969 emails since midnight
and rejected 4157 emails (via greylisting).
A random sampling of the rejects that didn't retry (about 25) shows only
bad guys, and no good guys.

The greylist database is currently 392K, and if all things remain equal
then it should grow at about 1Mb every 3 days, and reach 120Mb in about
a year...
From past experience I think the functional upper limit for the database
used by my greylist perl app should be about 24Mb. Once the database
gets up to that level, the app will start to slow down and eat more
cycles. That means that if I set up a cron job to wipe the database on
the first Saturday of every month, I'll be in good shape.

I would like to maintain the list of good folks, so I might write a
small app to pass through the database (or log files) and pull out the
good ones and whitelist them... or I could modify the greylist app to
automatically move those folks over to a second list when they reach a
certain level of passed mails - a whitelist database, which I will keep
persistent.
 
Jon

On Mon, 2007-01-29 at 18:05, Cristóbal Palmer wrote:
> I'll second that.
> 
> SA is awesome--with tweaking. Even so, if you have a published address
> that gets a lot of mail and is an initial point of contact, eg.
> sales at foobar.com, you're still going to get a significant amount of
> spam unless you're willing to live with false positives and/or spend a
> lot of time tweaking. I'm itching to try greylisting, too.
> 
> Thanks,
> CMP
> 
> On 1/29/07, Magnus <magnus at trilug.org> wrote:
> > David McDowell wrote:
> > > In this thread we've seen some metrics and performance opinions on
> > > greylisting... what about the latest spamassassin working with
> > > sa-update?
> >
> >
> > I've actually not been too impressed.  Lots of spam gets through, and I
> > do maintain a corpus of manually sorted ham and spam that is updated
> > every 24 hours.
> >
> > I tend to err on the side of caution with my UCE controls, though,
> > because I've found repeatedly if I get much more aggressive I get false
> > positives.  Unacceptable.
> >
> > I'm between OpenBSD boxes right now (the new firewall isn't quite to my
> > liking yet) so I'm not getting as much pre-SA filtering as I would like.
> >
> > --
> > TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ  : http://trilug.org/faq/
> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> >
> 
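
The auto-whitelisting idea from Jon's message (promote senders after a certain number of passed mails, keep that list across the monthly wipe), as an added example that is not part of the original thread and is not his Perl greylist app. The (client IP, sender, recipient) triplet key, the 300-second retry delay, the threshold of 5 passed mails and all names are assumptions.

```python
import time


class Greylist:
    """Triplet greylist with promotion to a persistent whitelist."""

    def __init__(self, min_delay=300, promote_after=5):
        self.min_delay = min_delay          # assumed: seconds before a retry is accepted
        self.promote_after = promote_after  # assumed: passed mails needed for promotion
        self.grey = {}          # (ip, sender, rcpt) -> [first_seen, passed_count]
        self.whitelist = set()  # (ip, sender) pairs; survives wipe()

    def check(self, client_ip, sender, rcpt, now=None):
        """Return 'accept' or 'tempfail' (an SMTP 4xx) for one delivery attempt."""
        now = time.time() if now is None else now
        sender, rcpt = sender.lower(), rcpt.lower()
        # Whitelist on IP + sender, never sender alone: the envelope sender
        # is trivially forged, the connecting IP is not.
        if (client_ip, sender) in self.whitelist:
            return "accept"
        key = (client_ip, sender, rcpt)
        entry = self.grey.get(key)
        if entry is None:
            self.grey[key] = [now, 0]       # first sighting: record and defer
            return "tempfail"
        if now - entry[0] < self.min_delay:
            return "tempfail"               # retried too quickly: keep deferring
        entry[1] += 1                       # a real MTA came back after the delay
        if entry[1] >= self.promote_after:
            self.whitelist.add((client_ip, sender))
            del self.grey[key]              # promoted entries leave the greylist
        return "accept"

    def wipe(self):
        """Periodic (e.g. monthly cron) reset: drop greylist state, keep the whitelist."""
        dropped = len(self.grey)
        self.grey.clear()
        return dropped
```

After a wipe, promoted senders are still accepted immediately, while every other triplet has to earn its way back through the delay.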



