[COLUG] effectiveness of greylisting.
Duane
duane at e164.org
Sat Nov 24 20:35:18 EST 2007
Rob Funk wrote:
> With what MTA?
I'm guessing the same MTA as you, postfix.
> You really don't want to do it with amavis, since that requires receiving
> the DATA section before giving the greylist decision, and you want to
> have the greylist decision (and as many other decisions as possible)
> after the RCPT information.
I'm split over this, yes there is benefit in greylisting as soon as
possible, however there is benefit in greylisting selectively only if
the mail seems even remotely spammy also.
In the end it comes down to personal preference, resources at hand etc
etc etc and at this stage I'm wanting to trial greylisting if
amavis/spamassassin says the message is > 0 score.
> Going by RBLs makes more sense, and I've seen it done. (How depends on
> your MTA of course.) I'm rather strict about greylisting and RBLs
> though; I have postfix check a list of RBLs (and local exception lists),
> reject if an RBL says they're bad, then do greylisting as the very last
> RCPT check.
I'm sure you will change your tune about RBLs if you ever get on one,
but outright rejecting connections because some RBL says they're bad
isn't always a wise thing to do, especially with how overly zealous some
lists are and how overly difficult it is to get off some of them.
I've had servers blacklisted because people were too lazy or stupid (or
both) to unsubscribe from lists they'd manually signed up with and so on
and so forth.
I much much much prefer to score the email, taking into consideration
any RBL information, rather than using it as an absolute measure, just
like in life there are no black and white cases of absolute when it comes
to security and what not, there shouldn't be on the net either.
I haven't found doing this increases the amount of spam getting in, or
the amount of load on the system.
I do on the other hand enforce strict RFC checking of connections and
reverse hostname lookups and such, it's amazing how much spam this stops
dead in its tracks. I've had very few instances of legit servers being
incorrectly configured, nothing a quick chat hasn't fixed anyway,
although the rejection message usually spells it out fairly clearly. :)
> I do still need to move my amavis checking into the SMTP conversation
> rather than after the message has been accepted.
Depending on version of postfix/amavis there is a nice little gotcha
with the DSN stuff.
I'll save you some hair pulling:
# http://www.postfix.org/DSN_README.html
smtpd_discard_ehlo_keywords = silent-discard, dsn
I dislike the "suggested" way of handing off mail to amavis, because
then I can't reject spam/virus/whatever and am forced to ditch the
message or bounce, and with all the bounce spam and stuff on the net
these days that I hate getting, I don't think it's responsible to be
sending it either.
--
Best regards,
Duane
http://www.freeauth.org - Enterprise Two Factor Authentication
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
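
The policy argued for in the message above, as an added example that is not part of the original post and is not postfix or amavis code: RBL hits add to a score instead of rejecting outright, only mail scoring above 0 is greylisted, and mail over a reject threshold is refused during the SMTP session rather than bounced. The zone names, weights, 300-second delay, threshold of 5.0 and the /24 (or /64) triplet key are constructed assumptions.

```python
import ipaddress

# Constructed values for illustration; tune to your own mail flow.
RBL_WEIGHTS = {"rbl-a.example": 2.0, "rbl-b.example": 1.0}  # hypothetical zones
GREYLIST_DELAY = 300     # seconds before a retry of a new triplet is accepted
REJECT_THRESHOLD = 5.0   # at or above this, refuse in-session (5xx), never bounce


class SelectiveGreylist:
    def __init__(self):
        self.first_seen = {}  # triplet -> timestamp of first delivery attempt

    @staticmethod
    def total_score(content_score, rbl_hits):
        """RBL listings are evidence that adds to the score, not a verdict."""
        return content_score + sum(RBL_WEIGHTS.get(z, 0.0) for z in rbl_hits)

    @staticmethod
    def _triplet(client_ip, sender, rcpt):
        # Key on the client's network (/24 or /64) so a retry from another
        # host in the same sending pool still matches (choice of this example).
        ip = ipaddress.ip_address(client_ip)
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def decide(self, client_ip, sender, rcpt, content_score, rbl_hits, now):
        score = self.total_score(content_score, rbl_hits)
        if score >= REJECT_THRESHOLD:
            return "reject"          # 5xx during the SMTP conversation
        if score <= 0:
            return "accept"          # clean-looking mail is never delayed
        key = self._triplet(client_ip, sender, rcpt)
        first = self.first_seen.setdefault(key, now)
        if now - first >= GREYLIST_DELAY:
            return "accept"          # sender retried after the delay
        return "defer"               # 4xx; a real MTA queues and retries
```

Because the content score is an input, this decision can only be made after DATA, which is the trade-off against RCPT-time greylisting discussed in the quoted text.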