Posted to users@spamassassin.apache.org by "Scot L. Harris" <we...@cfl.rr.com> on 2004/07/11 17:48:12 UTC

greylisting results

This past week I implemented greylisting on the main email server.  Here
are the results so far.  The table below shows the number of spam
received and average scores each day.  Greylisting was implemented on
Friday.  

I have to say I am amazed at the results.

2-Jul   4574    15.6
3-Jul   4890    14.5
4-Jul   3293    13.7
5-Jul   2746    14.6
6-Jul   6481    14.9
7-Jul   6208    15.3
8-Jul   3797    15
9-Jul   3162    14.9
10-Jul  3       13.3
11-Jul  4       9


And yes the last two days there have been 7 spam messages that got
through where previously I would have seen 6000 to 7000 spam messages.

In combination with spamassassin this should remove spam as one of my
major time sinks for a while at least.  :)

Thanks again for everyone's suggestions and input on this.

-- 
Scot L. Harris
webid@cfl.rr.com

radiosity depletion 


Re: greylisting results

Posted by "Scot L. Harris" <we...@cfl.rr.com>.
On Mon, 2004-07-12 at 00:58, John Andersen wrote:
> On Sunday 11 July 2004 07:48 am, Scot L. Harris wrote:
> > This past week I implemented greylisting on the main email server.  Here
> > are the results so far.  The table below shows the number of spam
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > received and average scores each day.  Greylisting was implemented on
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > Friday.
> >
> > I have to say I am amazed at the results.
> >

These numbers are results from messages marked as spam by spamassassin
that were received each day.  

    Date     #spam   Average score
> > 2-Jul   4574    15.6
> > 3-Jul   4890    14.5
> > 4-Jul   3293    13.7
> > 5-Jul   2746    14.6
> > 6-Jul   6481    14.9
> > 7-Jul   6208    15.3
> > 8-Jul   3797    15
> > 9-Jul   3162    14.9
> > 10-Jul  3       13.3
> > 11-Jul  4       9
> 
> Column headers would be nice for those of us new to
> the subject...
-- 
Scot L. Harris
webid@cfl.rr.com

Houdini escaping from New Jersey!

Film at eleven. 


Re: greylisting results

Posted by John Andersen <js...@pen.homeip.net>.
On Sunday 11 July 2004 07:48 am, Scot L. Harris wrote:
> This past week I implemented greylisting on the main email server.  Here
> are the results so far.  The table below shows the number of spam
> received and average scores each day.  Greylisting was implemented on
> Friday.
>
> I have to say I am amazed at the results.
>
> 2-Jul   4574    15.6
> 3-Jul   4890    14.5
> 4-Jul   3293    13.7
> 5-Jul   2746    14.6
> 6-Jul   6481    14.9
> 7-Jul   6208    15.3
> 8-Jul   3797    15
> 9-Jul   3162    14.9
> 10-Jul  3       13.3
> 11-Jul  4       9

Column headers would be nice for those of us new to
the subject...


-- 
_____________________________________
John Andersen

Re: greylisting results

Posted by "Scot L. Harris" <we...@cfl.rr.com>.
On Tue, 2004-07-13 at 09:55, Tom Meunier wrote:
> Scot L. Harris wrote:
> 
> >
> >In the last 24 hours only had 8 spam messages get through greylisting. 
> >And some of those I believe are actually commercial mailing lists
> >someone signed up for and no longer wants.  In comparison I was receiving
> >3000 to 6000 spam messages a day.
> >
> >Again thanks for all who provided advice on this.
> >  
> >
> The thing that scares me about greylisting is that the CEO's stockbroker 
> might be running Groupwise 1.0 or Exchange 4.0 or BillyBob's Very Good 
> Mailserver 2003 which may not handle the retry smoothly.
> 
> I guess that falls into the old RBL debate about whether collateral 
> damage is acceptable.

That is a legitimate concern.  It is also why I have continued to
monitor things very carefully looking for any indication that ham is
being blocked or dropped.  Probably in another week if there are no
indications of any missing email then I will relax.  

I did take the step of identifying known email servers and whitelisted
those up front.  Have added a handful since this was implemented.  So
the collateral damage can be minimized by scanning valid email and
generating a whitelist prior to implementation.  That combined with a
much shorter delay period should minimize any potential problem while
still gaining virtually all of the benefits.  

Of course now I am faced with not having a steady supply of spam to feed
to spamassassin.  But somehow I think I can live with that problem. :)

-- 
Scot L. Harris
webid@cfl.rr.com

Lots of people drink from the wrong bottle sometimes.
		-- Edith Keeler, "The City on the Edge of Forever",
		   stardate unknown 


Re: greylisting results

Posted by Jonas Eckerman <jo...@frukt.org>.
On Tue, 13 Jul 2004 08:55:14 -0500, Tom Meunier wrote:

>  The thing that scares me about greylisting is that the CEO's
>  stockbroker might be running Groupwise 1.0 or Exchange 4.0

Ah. Novell's stupid mailserver that can't handle temporary failures in
answers to RCPT TO. :-(

Here we've had to delay the greylisting stuff until after DATA because 
of this. This takes up more resources but is just as effective at 
stopping spam.

Regards
/Jonas

-- 
Jonas Eckerman, jonas_lists@frukt.org
http://www.fsdb.org/




Re: greylisting results

Posted by Tom Meunier <to...@mvps.org>.
Scot L. Harris wrote:

>
>In the last 24 hours only had 8 spam messages get through greylisting. 
>And some of those I believe are actually commercial mailing lists
>someone signed up for and no longer wants.  In comparison I was receiving
>3000 to 6000 spam messages a day.
>
>Again thanks for all who provided advice on this.
>  
>
The thing that scares me about greylisting is that the CEO's stockbroker 
might be running Groupwise 1.0 or Exchange 4.0 or BillyBob's Very Good 
Mailserver 2003 which may not handle the retry smoothly.

I guess that falls into the old RBL debate about whether collateral 
damage is acceptable.

Re: greylisting results

Posted by "Scot L. Harris" <we...@cfl.rr.com>.
On Tue, 2004-07-13 at 09:19, Bob Apthorpe wrote:
> One note about greylist delay times - the original purpose of using a
> delay time of one hour was that it gave blacklists time to catch up to a
> spam run. Since most spam is sent by spamware via proxies rather than
> from proper MTAs, you get roughly the same GL protection with a 5-10
> minute delay as with an hour delay but your secondary defenses are
> allegedly more effective with a longer delay, as are certain blacklists
> you might be using upstream of greylisting.
> 
> In either case, it's not clear that the increased effectiveness of
> blacklists outweighs the inconvenience of the additional delay.
> 
> But I agree, defense-in-depth is the way to go.
> 
> -- Bob

I lowered the delay time yesterday and am seeing the same kind of
results as with the longer delay.  Still collecting data to analyze but
the combination of greylisting and Spamassassin has really turned the
tide on this problem.  

In the last 24 hours only had 8 spam messages get through greylisting. 
And some of those I believe are actually commercial mailing lists
someone signed up for and no longer wants.  In comparison I was receiving
3000 to 6000 spam messages a day.

Again thanks for all who provided advice on this.
-- 
Scot L. Harris
webid@cfl.rr.com

The human race is a race of cowards; and I am not only marching in that
procession but carrying a banner.
		-- Mark Twain 


Re: greylisting results

Posted by Bob Apthorpe <ap...@cynistar.net>.
Hi,

On Mon, 12 Jul 2004 12:47:13 -0400 "Scot L. Harris" <we...@cfl.rr.com> wrote:

> On Mon, 2004-07-12 at 11:25, Jack L. Stone wrote:
> > Scot, I agree with your same assessment of using greylisting as an advance
> > guard against spam. By itself, it is not adequate, but with SpamAssassin
> > (and spamass-milter) waiting at the next level, these programs make an
> > excellent team. GL is still rather new and I expect it only to get better
> > with time. So, SA remains an important barrier and I look forward to the
> > ver-3.0 production release.
> > 
> > Also, agree with an earlier post that using a long delay time for GL is not
> > useful, whereas just a few minutes does the job just as well or better.

> Yes a layered defense is always better.  Have not looked at regex yet. 
> Sounds promising.

One note about greylist delay times - the original purpose of using a
delay time of one hour was that it gave blacklists time to catch up to a
spam run. Since most spam is sent by spamware via proxies rather than
from proper MTAs, you get roughly the same GL protection with a 5-10
minute delay as with an hour delay but your secondary defenses are
allegedly more effective with a longer delay, as are certain blacklists
you might be using upstream of greylisting.

In either case, it's not clear that the increased effectiveness of
blacklists outweighs the inconvenience of the additional delay.

But I agree, defense-in-depth is the way to go.

-- Bob

Re: greylisting results

Posted by "Scot L. Harris" <we...@cfl.rr.com>.
On Mon, 2004-07-12 at 11:25, Jack L. Stone wrote:
> Scot, I agree with your same assessment of using greylisting as an advance
> guard against spam. By itself, it is not adequate, but with SpamAssassin
> (and spamass-milter) waiting at the next level, these programs make an
> excellent team. GL is still rather new and I expect it only to get better
> with time. So, SA remains an important barrier and I look forward to the
> ver-3.0 production release.
> 
> Also, agree with an earlier post that using a long delay time for GL is not
> useful, whereas just a few minutes does the job just as well or better.
> 
> Moreover, I have also added the Sendmail plugin milter-regex which is also
> catching quite a bit of the viruses at the front door, thus avoiding the
> need to use up those heavier resources later with a scanner. I've seen my
> virus snags drop sharply using regex as with GL for the spam.
> 
> Then Procmail filters await beyond spamassassin.....!!!
> 
> Best regards,
> Jack L. Stone,
> Administrator

Yes a layered defense is always better.  Have not looked at regex yet. 
Sounds promising.

Thanks.
-- 
Scot L. Harris
webid@cfl.rr.com

Life is like an analogy. 


Re: greylisting results

Posted by "Jack L. Stone" <ja...@sage-american.com>.
At 09:25 AM 7.12.2004 -0400, Scot L. Harris wrote:
>On Mon, 2004-07-12 at 01:16, Keith C. Ivey wrote:
>> Scot L. Harris <we...@cfl.rr.com> wrote:
>
>And I will be adding legit sites to a whitelist as they are identified. 
>This will eliminate the delay for regular daily communications from
>those sources.
>
>The problem we had with using just spamassassin was that it still took
>someone's time to review those messages marked as spam to make sure there
>were no false positives.  And with such a large amount of spam it was
>becoming difficult to sort through that many messages.  So far it
>appears that legit email still gets through, with a slight delay, but
>the vast bulk of spam is turned away.  
>
>One side benefit is that in the last month I have found our server on
>occasion running with very high load averages handling spam bursts. 
>Can't say yet if that problem is solved but I suspect I won't find a 20
>load average on this box for some time to come.
>
>I am going to spend a little time this week to try and get better stats
>on the number of messages delayed vs. delivered.  
>
>At this point for my use this method is going to save me time and system
>resources that can be put to better more productive use than sorting
>through thousands of spam messages.  As such I feel it is very
>valuable.  YMMV.
>
>-- 
>Scot L. Harris
>webid@cfl.rr.com
>
>There's no sense in being precise when you don't even know what you're
talking

Scot, I agree with your same assessment of using greylisting as an advance
guard against spam. By itself, it is not adequate, but with SpamAssassin
(and spamass-milter) waiting at the next level, these programs make an
excellent team. GL is still rather new and I expect it only to get better
with time. So, SA remains an important barrier and I look forward to the
ver-3.0 production release.

Also, agree with an earlier post that using a long delay time for GL is not
useful, whereas just a few minutes does the job just as well or better.

Moreover, I have also added the Sendmail plugin milter-regex which is also
catching quite a bit of the viruses at the front door, thus avoiding the
need to use up those heavier resources later with a scanner. I've seen my
virus snags drop sharply using regex as with GL for the spam.

Then Procmail filters await beyond spamassassin.....!!!

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

Re: greylisting results

Posted by "Scot L. Harris" <we...@cfl.rr.com>.
On Mon, 2004-07-12 at 01:16, Keith C. Ivey wrote:
> Scot L. Harris <we...@cfl.rr.com> wrote:
> 
> > And yes the last two days there have been 7 spam messages that
> > got through where previously I would have seen 6000 to 7000 spam
> > messages.
> 
> Sounds good, but how many legitimate messages were delayed by 
> hours, and how many were never delivered at all?  Those numbers 
> (especially the second) are more difficult to determine, but 
> they're essential to judging the value of the method.

Very true.  At this site the volume of legitimate email is actually very
low.  The spam we were receiving far outpaced it.  From my initial
examination of the logs those MTAs that retry generally take about 1
hour.  I currently have the milter setup to delay for 30 minutes but
will most likely drop that to a few minutes.  What I generally see is a
legit MTA will retry several times in the first few minutes then back
off for a longer period of time.  Spambots appear to try once only.

And I will be adding legit sites to a whitelist as they are identified. 
This will eliminate the delay for regular daily communications from
those sources.

The problem we had with using just spamassassin was that it still took
someone's time to review those messages marked as spam to make sure there
were no false positives.  And with such a large amount of spam it was
becoming difficult to sort through that many messages.  So far it
appears that legit email still gets through, with a slight delay, but
the vast bulk of spam is turned away.  

One side benefit is that in the last month I have found our server on
occasion running with very high load averages handling spam bursts. 
Can't say yet if that problem is solved but I suspect I won't find a 20
load average on this box for some time to come.

I am going to spend a little time this week to try and get better stats
on the number of messages delayed vs. delivered.  

At this point for my use this method is going to save me time and system
resources that can be put to better more productive use than sorting
through thousands of spam messages.  As such I feel it is very
valuable.  YMMV.

-- 
Scot L. Harris
webid@cfl.rr.com

There's no sense in being precise when you don't even know what you're talking
about.
		-- John von Neumann 
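The retry behaviour Scot describes above (a legitimate MTA retries within minutes and then backs off, a spambot tries once) and the up-front whitelist of known servers he mentions in his reply to Tom Meunier are the whole mechanism of greylisting. As an added illustration, not code from this thread or from any milter discussed in it, the following minimal greylist keyed on the (client IP, sender, recipient) triplet shows how those two retry patterns fare against a short delay; the IP addresses and retry timestamps are constructed.

```python
# Added example: a minimal greylisting decision function keyed on the
# (client IP, sender, recipient) triplet. Not the code of any real milter;
# addresses and retry schedules below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Greylist:
    delay: int = 300                                  # seconds a new triplet must wait
    whitelist: set = field(default_factory=set)       # known-good client IPs, skip delay
    first_seen: dict = field(default_factory=dict)    # triplet -> time of first attempt
    known_good: set = field(default_factory=set)      # triplets that already passed

    def check(self, client_ip, sender, rcpt, now):
        """Return "accept" or "tempfail" (SMTP 4xx) for one delivery attempt."""
        if client_ip in self.whitelist:
            return "accept"
        triplet = (client_ip, sender.lower(), rcpt.lower())
        if triplet in self.known_good:
            return "accept"
        seen = self.first_seen.setdefault(triplet, now)   # record first attempt
        if now - seen >= self.delay:                      # retried after the delay
            self.known_good.add(triplet)
            return "accept"
        return "tempfail"                                 # ask the sender to retry later


def simulate(gl, client_ip, attempt_times, sender="a@example.org", rcpt="b@example.net"):
    """Feed a list of attempt timestamps (seconds) and return the verdict per attempt."""
    return [gl.check(client_ip, sender, rcpt, t) for t in attempt_times]


# Constructed retry patterns: a legit MTA retries a few times in the first
# minutes and then backs off; a spambot delivers once and never returns.
LEGIT_MTA_RETRIES = [0, 60, 180, 600, 3600]
SPAMBOT_RETRIES = [0]

if __name__ == "__main__":
    gl = Greylist(delay=300, whitelist={"192.0.2.10"})   # RFC 5737 documentation addresses
    print(simulate(gl, "198.51.100.5", LEGIT_MTA_RETRIES))
    # -> ['tempfail', 'tempfail', 'tempfail', 'accept', 'accept']
    print(simulate(gl, "203.0.113.77", SPAMBOT_RETRIES))  # -> ['tempfail']
    print(simulate(gl, "192.0.2.10", [0]))                # whitelisted -> ['accept']
```

With a 5-minute delay the legitimate sender is admitted on its fourth attempt and the triplet is remembered, so later mail from that source is not delayed; a host that never retries never gets a message through, which is the effect seen in the table at the top of the thread.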


Re: greylisting results

Posted by "Keith C. Ivey" <kc...@cpcug.org>.
Scot L. Harris <we...@cfl.rr.com> wrote:

> And yes the last two days there have been 7 spam messages that
> got through where previously I would have seen 6000 to 7000 spam
> messages.

Sounds good, but how many legitimate messages were delayed by 
hours, and how many were never delivered at all?  Those numbers 
(especially the second) are more difficult to determine, but 
they're essential to judging the value of the method.

-- 
Keith C. Ivey <kc...@cpcug.org>
Washington, DC