[geeks] Greylisting?

Michael Parson mparson at bl.org
Tue Nov 22 09:48:16 CST 2005


On Tue, Nov 22, 2005 at 03:53:09PM +0100, Sebastian Jaenicke wrote:
> Hi,
>
> On Tue, Nov 22, 2005 at 02:03:49AM -0600, Bill Bradford wrote:
>> Anybody here using greylisting to stop/slow spam?  Thoughts on it?
>>
>> My initial reaction was "that's just WRONG and bad and liable to lose
>> mail".. but tons of people seem to be using it.
>
> 'Tons of people' using something doesn't mean it must be good ;)

This is very true.

> I've seen this discussion many times and would have preferred not
> commenting on it again, but with all those pro-greylisting replies, I
> just cannot resist.
>
> While greylisting doesn't violate the SMTP protocol, it still
> (ab)uses some of its features in a way they weren't supposed to be
> used. First of all, it slows down reception of valid (i.e. non-spam)
> messages. Furthermore, it abuses other mail servers' resources (queue
> space, cpu time, ..) where it wouldn't be necessary in the first place
> - after all, it's a valid message, it's addressed to _you_, so why
> refuse it?

It slows down the first message.  Proper greylisting also (temporarily)
whitelists messages once they've done their time on the greylist.  I
have mine set to 10 days.

> If it's spam, that's _your_ (i.e. the recipient's) problem, and it's in
> the responsibility of your mail server to deal with that instead of
> imposing additional resource consumption on other people's servers.
>
> Yes, greylisting helps to reduce the amount of spam messages received
> by your mail server, but with all those side effects, I wouldn't
> consider using it.

Greylisting stops one type of mail, which is very high-volume, thanks
to all the zombie nets and email worms and viruses out there, mail that
is sent once and forgotten, no retries.  I have my greylisting set to
30 seconds.  I also have an updating list of mail servers and domains
out there that do things that would cause their mail to never make
it through the greylisting, either due to bad software that doesn't
re-send, or because it's always a new mail server that would attempt the
future deliveries.  You can't just install and forget, all mail server
administrators need to be diligent and responsible.

When I implemented greylisting, SPAM volumes dropped by 90%+.  It can
best be seen with a graph, provided by graphdefang:

http://www.bl.org/~jpk/spam/monthly_non-spamspamrejectgreylist-tempfailgreylist-whitelist_summary_line.png

I put greylisting in during June of 2004, about mid-graph.  In February
of 2005, I turned the greylisting down from 30 minutes to 30 seconds.

This is just for bl.org, not a large-volume site, to be sure, but this
has been my active email address for over 8 years, and a huge percentage
of that SPAM was winding up in *my* mailbox.  SpamAssassin prevented
it from showing up in my inbox, but I was still wasting cycles and
bandwidth with it.

I am using greymilter, which gives you enough flexibility with your
configuration.  If you have a user that just does not want *any* delay
in their email, you can do that.  If you don't want to greylist domains
that have valid SPF records, you can do that too.  You can set how long
to delay the message and how long to whitelist that tuplet once it does
make it through.

My current settings:

30s greylist
10 day whitelist
spf gets no special treatment

And entries from this list don't get greylisted:
http://greylisting.org/whitelisting.shtml

Plus a few others I don't want delayed, for personal reasons.

Does this abuse other people's mail servers?  I think the abuse level is
much lower than the abuse SPAM and viruses cause, and is much lower than
you made it out to be.

My whole anti-spam measures are:

5s delay greeting in SMTP banner
greylisting
spamassassin
procmail

Who knows how much tech-support time this has saved me too.

-- 
Michael Parson
mparson at bl.org
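
The decision logic described in the message above (30s greylist, 10 day whitelist, a static list of hosts that are never delayed), as an added example that is not part of the original post and is not greymilter's code. It assumes the greylist key is the usual triplet of client IP, envelope sender and envelope recipient; all names, addresses and attempt times are constructed.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 30              # seconds ("30s greylist" in the post)
WHITELIST_TTL = 10 * 24 * 3600   # seconds ("10 day whitelist" in the post)

@dataclass
class Greylist:
    exempt_clients: set = field(default_factory=set)  # static list, never delayed
    first_seen: dict = field(default_factory=dict)    # triplet -> first attempt time
    passed_until: dict = field(default_factory=dict)  # triplet -> whitelist expiry

    def check(self, now, client_ip, mail_from, rcpt_to):
        """Decide one delivery attempt; returns (smtp_code, reason)."""
        if client_ip in self.exempt_clients:
            return 250, "exempt"
        # Assumed key: client IP + envelope sender + envelope recipient.
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if self.passed_until.get(key, 0) > now:
            return 250, "whitelisted"
        first = self.first_seen.setdefault(key, now)
        if now - first < GREYLIST_DELAY:
            return 451, "greylisted"   # temporary failure: real MTAs queue and retry
        del self.first_seen[key]
        self.passed_until[key] = now + WHITELIST_TTL
        return 250, "passed-greylist"

def replay(greylist, attempts):
    """Run (time, ip, sender, recipient) attempts in order; return the reasons."""
    return [greylist.check(*a)[1] for a in attempts]

RCPT = "user@example.net"
# Constructed attempts (documentation IP ranges, made-up addresses).
ATTEMPTS = [
    (0, "192.0.2.10", "alice@example.org", RCPT),      # first try
    (5, "192.0.2.10", "alice@example.org", RCPT),      # retry too early
    (10, "198.51.100.7", "bulk@example.com", RCPT),    # sent once, never retried
    (45, "192.0.2.10", "alice@example.org", RCPT),     # retry after the delay
    (100, "192.0.2.21", "news@example.org", RCPT),     # sending farm, host 1
    (400, "192.0.2.22", "news@example.org", RCPT),     # same farm, retry from host 2
    (3600, "192.0.2.10", "alice@example.org", RCPT),   # later mail, same triplet
]

if __name__ == "__main__":
    for attempt, reason in zip(ATTEMPTS, replay(Greylist(), ATTEMPTS)):
        print(attempt, "->", reason)
```

The two farm attempts stay greylisted because each retry arrives from a new IP and so forms a new triplet; passing those hosts in exempt_clients is the maintained exception list the message describes.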


