[COLUG] effectiveness of greylisting.

William Yang wyang at gcfn.net
Sun Nov 25 17:04:46 EST 2007


Duane wrote:
> Just came across this article today about some Swiss uni doing greylisting:
> 
> http://nic.phys.ethz.ch/news/1193043075/index_html
> 
> The article has some pretty graphs showing the amount of spam needing to
> be dealt with before and after turning on greylisting. They estimate it
> reduced their spam by a factor of 10.
> 

I use greylisting, and it does seem to be a great component of an
effective anti-spam stance.  I've had greylisting deployed for about 18
months, too.

I find these kinds of numbers to be questionable.  I am not doing a
particularly rigorous job of developing statistics about greylisting
(versus other defensive techniques) nowadays, but I did quite a bit of
work back when I deployed it and tested it to make sure I had good behavior.

I definitely saw a significant drop in spam volume (and delays of
legitimate mail) when we initially deployed greylisting at our primary
and secondary MXes.  However, the equilibrium point we've run into is
only about an overall 40% to 50% reduction in spam after 3 months of
operation.  We get a surprising number of retries.  Of message tuples
blocked by greylisting, we see about 70% of all tuples getting
autowhitelisted by a retry within the system (5d) window. Usually (75%
of the time or so), these tuples get re-used within 6 hours.

We also have some custom IP blocking in place to stop addresses that
don't respect greylisting (abusive retry tactics on the same tuple) or
that do bad protocol things (such as sending commands prior to status
responses in SMTP, or sending commands following a terminating error
such as a 471 or 571), and we coordinate those IP blocks between our
MXes as well.

I'm not sure what the best statistical way is to measure the
"effectiveness" of greylisting.  I like the tuple re-use measures,
because it's a pure protocol measurement issue.  I really don't like
"spam/ham" -- because it's completely unclear what they're doing to
determine spam/ham-ness and that's hard to reproduce when you don't
analyze every user's e-mail the same way.

	-Bill
-- 
William Yang
wyang at gcfn.net
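
One way to compute the tuple re-use measure described in the message above from a greylisting log. This is an added example, not part of the original post or the poster's tooling. The log format, the 5-minute minimum retry delay, and reading "re-used within 6 hours" as the time from first deferral to the passing retry are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=5)         # retry window from the post ("5d")
REUSE = timedelta(hours=6)         # re-use horizon from the post
MIN_DELAY = timedelta(minutes=5)   # assumed minimum retry delay, not from the post

# Constructed sample lines: timestamp, client IP, envelope sender, envelope recipient
SAMPLE_LOG = """\
2007-11-20T10:00:00 192.0.2.10 alice@example.org bob@example.net
2007-11-20T10:20:00 192.0.2.10 alice@example.org bob@example.net
2007-11-20T11:00:00 198.51.100.7 x1@spam.example bob@example.net
2007-11-20T11:00:30 198.51.100.7 x1@spam.example bob@example.net
2007-11-20T12:00:00 203.0.113.5 news@example.com carol@example.net
2007-11-21T09:00:00 203.0.113.5 news@example.com carol@example.net
2007-11-20T13:00:00 198.51.100.9 x2@spam.example dave@example.net
2007-11-27T13:00:00 198.51.100.9 x2@spam.example dave@example.net
"""

def parse(log):
    for line in filter(str.strip, log.splitlines()):
        ts, ip, sender, rcpt = line.split()
        yield datetime.fromisoformat(ts), (ip, sender.lower(), rcpt.lower())

def tuple_stats(log):
    first_seen = {}    # tuple -> time of the attempt that was deferred
    passed_after = {}  # tuple -> delay of the retry that whitelisted it
    for ts, key in sorted(parse(log)):
        if key in passed_after:
            continue                      # already whitelisted, later mail just passes
        if key not in first_seen:
            first_seen[key] = ts          # first attempt: deferred
            continue
        delay = ts - first_seen[key]
        if delay > WINDOW:
            first_seen[key] = ts          # entry expired: counts as a fresh deferral
        elif delay >= MIN_DELAY:
            passed_after[key] = delay     # valid retry: tuple is autowhitelisted
    total = len(first_seen)
    passed = len(passed_after)
    fast = sum(1 for d in passed_after.values() if d <= REUSE)
    return {"tuples": total, "whitelisted": passed, "within_6h": fast,
            "whitelist_rate": passed / total if total else 0.0,
            "fast_share": fast / passed if passed else 0.0}

if __name__ == "__main__":
    print(tuple_stats(SAMPLE_LOG))
```

Retries that arrive before the minimum delay leave the tuple deferred, so a sender hammering the same tuple does not raise the whitelist rate.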

