Yahoo Groups archive

Milter-greylist


My ultimate anti-spam setup (for now...)

2006-12-21 by reschauzier

After starting the anti-spam war a couple of months ago, I can now
safely say that I won the first battle (with the war of course still
going on...). Since my setup, revolving for a great part around
milter-greylist, is both simple and effective I wanted to share it
with my brothers in arms around the world.

First, the results. On my modest-scale mail server, I used to receive
about 400 - 500 spam messages per day (!). Spamassassin, with the
proper Bayes training, will have 5 - 10 of these come through. This
may not sound like much, but it can be very annoying, especially for
quiet accounts, which quickly fill up with unwanted messages.

The full setup with milter-greylist has yet to pass its first spam
message in the past week. And what's more, none of the legitimate
email messages have been delayed or otherwise touched during this
time, which was a prerequisite. Delays on the order of hours on normal
messages are not acceptable to my users.

The setup:

Sendmail:
dnsrbl based on zen.spamhaus.com
milter-greylist (dynamic IPs only)

Content filtering:
MailScanner w/ Spamassassin

Very simple as you can see. The real trick is to greylist _only_
messages from dynamic IP addresses. This accounts for >90% of the spam
delivered to my server. No need to include static IPs in the
greylisting, as it turns out spam from static IPs is usually caught
quite effectively by the zen.spamhaus.com dnsrbl anyway.

Note that most mailers on the internet will use static IP addresses,
so 99.9% of the legitimate email is passed without delay.

The configuration detects dynamic IP addresses by inspection of the
reverse DNS entry of the mailer, in combination with the DUHL-SORBS
blackhole list of dynamic IP addresses. This combination is needed, as
DUHL-SORBS by itself seems to miss quite some IPs.

In order to investigate the name of the connecting mailer, I use the
client name that Sendmail passes to milter-greylist. This is the
reverse DNS resolution of the connecting IP address. It turns out that if
the IP address is from a dynamic pool (cable, dial-up or dsl) this
will usually clearly show in the name. Telltale signs are the use of
the words cable, dial, dsl, etc. in the rDNS name, but also IP number
combinations such as 39-185-34-2 or 45.67.231.51 and twelve digit
numbers (decimal IP address without separators).

The combination of DUHL-SORBS and rDNS matching is amazingly
effective. Almost no dynamic addresses go unidentified, with very
few false positives. And even if a false positive occurs, the
corresponding message still comes through, albeit with a 1 hour delay.

No need to say my users are very happy, as am I, being able to take
some shore leave ;)

See below for my /etc/grey.conf file:

######################################################################
#
# Greylisting config file
#

# Do not tell spammer how long they have to wait
quiet

# Greylisting your own MTA is a very bad idea: never
# comment this line, except for testing purposes.
acl whitelist addr 127.0.0.0/8

# If you use IPv6, uncomment this.
#acl whitelist addr ::1/128

# You will want to avoid greylisting your own clients
# as well, by filtering out your IP address blocks.
acl whitelist addr 192.168.1.0/24

# Use extended regular expressions instead of basic
# regular expressions.
extendedregex

# Match sender machines by their DNS (rDNS) names. Any name
# matching one of these patterns is treated as a dynamic address.
# Upper- and lower-case variants are both listed because the
# regular expressions are case-sensitive.
list "dynamic" domain {		\
	/dsl/			\
	/DSL/			\
	/dhcp/			\
	/DHCP/			\
	/cable/			\
	/CABLE/			\
	/dial/			\
	/DIAL/			\
	/pool/			\
	/POOL/			\
	/dyn/			\
	/DYN/			\
	/ppp/			\
	/PPP/			\
	/catv/			\
	/CATV/			\
	/[0-9]+([^0-9])[0-9]+\1[0-9]+\1[0-9]+/	\
	/[0-9]{12,}/		\
}
acl greylist list "dynamic"

# Use dnsrbl for greylisting
dnsrbl "SORBS DUN" dnsbl.sorbs.net 127.0.0.10
acl greylist dnsrbl "SORBS DUN"

# How often should we dump to the dumpfile (0: on each change, -1: never).
dumpfreq 1d

#
# All of the following options have command-line equivalents.
# See greylist.conf(5) for the exact equivalences.
#

# How long a client has to wait before we accept
# the messages it retries to send. Here, 1 hour.
# May be overridden by the "-w greylist_delay" command line argument.
greylist 1h

# How long does auto-whitelisting last (set it to 0
# to disable auto-whitelisting). Here, 30 days.
# May be overridden by the "-a autowhite_delay" command line argument.
autowhite 30d

# Specify the netmask to be used when checking IPv4 addresses
# in the greylist.
# May be overridden by the "-L cidrmask" command line argument.
subnetmatch /24

# Specify the netmask to be used when checking IPv6 addresses
# in the greylist.
# May be overridden by the "-M prefixlen" command line argument.
#subnetmatch6 /64

# You can specify a file where milter-greylist will
# store its PID.
# May be overridden by the "-P pidfile" command line argument.
#pidfile "/var/run/milter-greylist.pid"

# You can specify the socket file used to communicate
# with sendmail.
# May be overridden by the "-p socket" command line argument.
socket "/var/run/milter-greylist/milter-greylist.sock"

# The dumpfile location.
# May be overridden by the "-d dumpfile" command line argument.
#dumpfile "/var/lib/milter-greylist/db/greylist.db"

# The user the milter should run as.
# May be overridden by the "-u username" command line argument.
user "grmilter"

# Make sure we allow anybody else
acl whitelist default
######################################################################
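The following script is an added illustration, not the poster's code and not part of milter-greylist. It re-implements the decision the grey.conf above expresses, in the same acl order: local address blocks are whitelisted, then a client whose rDNS name matches one of the "dynamic" patterns is greylisted, then a client listed in SORBS DUHL (dnsbl.sorbs.net answering 127.0.0.10) is greylisted, and everything else is whitelisted by default. The DNSBL answers and the host names are constructed test data so the script runs offline; `lookup_dnsbl` is a stand-in for a real DNS query.

```python
"""Classify a connecting MTA as greylist/whitelist the way the grey.conf
above does.  Added example; the DNSBL table and host names below are
constructed for illustration."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Patterns from the "dynamic" list.  re.IGNORECASE lets one entry stand in
# for both the lower- and upper-case variants of the config file.
DYNAMIC_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"dsl", r"dhcp", r"cable", r"dial", r"pool", r"dyn", r"ppp", r"catv",
        # four numbers joined by the same non-digit separator, e.g. 39-185-34-2
        r"[0-9]+([^0-9])[0-9]+\1[0-9]+\1[0-9]+",
        # twelve or more digits in a row: an IP address with separators removed
        r"[0-9]{12,}",
    )
]

# Address blocks whitelisted before any greylisting test is applied.
LOCAL_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]

# Constructed stand-in for dnsbl.sorbs.net: ip -> A records returned.
# 127.0.0.10 is the SORBS DUHL (dynamic user/host list) return code used by
# the config; a different code (127.0.0.5 here) must NOT trigger greylisting.
FAKE_DNSBL = {
    "203.0.113.77": ["127.0.0.10"],
    "198.51.100.9": ["127.0.0.5"],
}


def lookup_dnsbl(ip: str, zone: str = "dnsbl.sorbs.net") -> List[str]:
    """Simulated DNSBL query.  A real implementation would resolve
    <reversed octets>.<zone> and return the A records it gets back."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return []  # the config only feeds IPv4 clients to the dnsrbl
    query_name = ".".join(reversed(str(addr).split("."))) + "." + zone
    # query_name is what would be resolved; answers come from the table here
    return FAKE_DNSBL.get(str(addr), []) if query_name else []


def rdns_looks_dynamic(client_name: str) -> Optional[str]:
    """Return the first "dynamic" pattern the rDNS name matches, or None."""
    for pat in DYNAMIC_PATTERNS:
        if pat.search(client_name):
            return pat.pattern
    return None


def classify(ip: str, client_name: str) -> Tuple[str, str]:
    """Walk the acl entries in config order; first match wins."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETWORKS):
        return ("whitelist", "local address")
    pat = rdns_looks_dynamic(client_name)
    if pat is not None:
        return ("greylist", "rdns matches /%s/" % pat)
    if "127.0.0.10" in lookup_dnsbl(ip):
        return ("greylist", "listed in SORBS DUN")
    return ("whitelist", "default")


if __name__ == "__main__":
    samples = [  # constructed (ip, rDNS name) pairs
        ("192.0.2.1", "cpe-39-185-34-2.isp.example"),
        ("192.0.2.2", "host045067231051.isp.example"),
        ("192.0.2.3", "ADSL-line.isp.example"),
        ("203.0.113.77", "mail.example.org"),
        ("198.51.100.9", "mail.example.org"),
        ("192.0.2.4", "mx1.example.net"),
        ("192.168.1.20", "pc.lan"),
    ]
    for ip, name in samples:
        print("%-14s %-32s -> %s (%s)" % ((ip, name) + classify(ip, name)))
```

The order of the checks matters: because "acl whitelist default" is the last entry, anything not caught by the rDNS patterns or by the 127.0.0.10 DNSBL answer is accepted without delay, which is exactly why a DNSBL answer with a different return code (a spam listing rather than a DUHL listing) is ignored here.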
