Yahoo Groups archive
Thread
2005-10-24 by Raul Dias
Hi, I am wondering why the greylist_delay time is 30m by default. Everybody keeps this way or change to something better? Is there any spammer retrying/queueing the 4xx messages for a later retry, but giving up before 30 minutes? Does this happen? So lowering this value I would get more spam and raising it less spam (as opposed to keep users happy ;-). Thanks, Raul Dias
2005-10-24 by Matt Kettler
Raul Dias wrote:
> Hi,
>
> I am wondering why the greylist_delay time is 30m by default.
> Everybody keeps this way or change to something better?
>
> Is there any spammer retrying/queueing the 4xx messages for a later
> retry, but giving up before 30 minutes?
>
> Does this happen? So lowering this value I would get more spam and
> raising it less spam (as opposed to keep users happy ;-).
I keep mine set at 1 minute...
Last week 10530 connections were greylisted by my acl's. 584 of those ultimately
retried and delivered mail.
I'd say at present even a very short greylist is reasonably effective (94.4%).
I can't say how many of that 584 would give up with a longer greylist, but I'd
speculate most would continue for an extended period of time.
For reference, here's the grep commands I used to generate the counts:
# zgrep "delayed for 00:01:00" /var/log/maillog.1.gz |wc -l
10530
# zgrep "X-Greylist: Delayed for" /var/log/maillog.1.gz |wc -l
584
Also, for what it's worth, I only greylist selective hosts.. Hosts with no
reverse DNS, RDNS name that looks like dsl/cable/ppp pools, etc.
Because of my ACLs, the *vast* majority of mail matching my greylist in the
first place is spam. This will greatly bias my numbers (only 71 of the 584 made
it past spamassassin).
However, the bias in my numbers is somewhat useful, as it lets you observe
results on a sample set which is 99+% spam.
Thus, from my numbers you can estimate that approximately 94.4% of spammers
never try again at all, not even with a 1m greylist. An additional 4.8% of spam
messages do retry (at least within 1m), and 0.67% of the sample set appears to
be nonspam (usually small companies who don't know what PTR records are).2005-10-24 by Dennis Willson
I set mine at 2m and it seems to work fine. I could probably set it at 1m. I see a few Spammers retry a couple of times real fast (<30sec) but super little after that. I do however see lots of real email retry in the 3-10 minute range. Dennis Raul Dias wrote:
> Hi, > > I am wondering why the greylist_delay time is 30m by default. > Everybody keeps this way or change to something better? > > Is there any spammer retrying/queueing the 4xx messages for a later > retry, but giving up before 30 minutes? > > Does this happen? So lowering this value I would get more spam and > raising it less spam (as opposed to keep users happy ;-). > > Thanks, > > Raul Dias > > > > > > > Yahoo! Groups Links > > > > > >
2005-10-25 by fredrik.pettai@vattenfall.com
> > Also, for what it's worth, I only greylist selective hosts.. Hosts with no > reverse DNS, RDNS name that looks like dsl/cable/ppp pools, etc. > That sounds very smart! Most of spam coming to us, uses those type of machines... But how do you do that (in greylist.conf)? Is it some sort of advanced regexp with "domain" clause? Would you be kind enough to share your knowledge? Thanks, /P
2005-10-25 by Will Aoki
On Mon, Oct 24, 2005 at 05:16:20PM -0200, Raul Dias wrote: > I am wondering why the greylist_delay time is 30m by default. > Everybody keeps this way or change to something better? > > Is there any spammer retrying/queueing the 4xx messages for a later > retry, but giving up before 30 minutes? I regularly see individual spam sources send out bursts spread over about eight minutes. When I used a two-minute greylist delay, I'd still get several copies of the spams. At my site, a ten-minute delay cuts pretty much everything that greylisting could cut. -- William Aoki KD7YAF waoki@... 5-1924