Greylist any good?

This company uses exim.conf and greylisting (among other things), and the owner, Marc Perkel, is helping me with some wonderful ideas for future versions of SpamBlocker exim.conf.

Now all I need is time :) .

Jeff
 
This config seems near mine. Very good explanation on the website!

I don't have the second fake MX (is that a great idea?)
I don't use greylisting, which wastes more time and resources; I just add a delay on each reject message rule in exim (delay=60s).
I limit connections per IP (smtp_accept_max_per_host = 2)
So my spam score is near 1.5% of total, good mail 20%, the rest is rejected at SMTP time.
 
Wow Jeff! You rock! Hope to hear some news on it. Any solution that can filter nearly all SPAM will be the best. Right now, with a modified suggested exim.conf file, some SPAM is taken wrongly. Some of my hosted users are only a few people and can't allow a person internally to check the SPAM for good emails.
 
jlasman said:
This company uses exim.conf and greylisting (among other things), and the owner, Marc Perkel, is helping me with some wonderful ideas for future versions of SpamBlocker exim.conf.

Now all I need is time :) .

Jeff

I have idea also :p

What do you think of blocking email addresses with:
1. Sender address which has 5 consecutive consonants.
Ex. [email protected] (jkgtd)
2. Sender address which has 4 consecutive vowels.
Ex. [email protected] (aieu)

I got this idea after examining the log. A lot of spam uses randomized sender addresses which are very hard for a human to remember. Thus, they are most probably spam.
 
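The "unpronounceable local part" rule from the post above, written out as a small scoring function so it can be tried against a log. This is an added example, not code from the thread or from SpamBlocker; the regexes, the function names and the constructed sample addresses are my own assumptions. The samples include two ordinary English words that trip the rule, which is the false-positive risk Jeff's Hawaii remark points at.

```python
"""Added example (not from the thread): the 5-consonant / 4-vowel sender
address heuristic as a filter function, with constructed test addresses."""
import re

# 'y' is treated as a consonant here (assumption); tune to taste.
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]{5}", re.IGNORECASE)  # 5 consonants in a row
VOWEL_RUN = re.compile(r"[aeiou]{4}", re.IGNORECASE)                 # 4 vowels in a row


def random_looking(address):
    """Return the rule that fires on the local part ('consonants' or
    'vowels'), or None when the address passes both checks."""
    local = address.split("@", 1)[0]   # only the part before '@' is examined
    if CONSONANT_RUN.search(local):
        return "consonants"
    if VOWEL_RUN.search(local):
        return "vowels"
    return None


def triage(addresses):
    """Split a list of sender addresses into (suspect, clean)."""
    suspect = [a for a in addresses if random_looking(a)]
    clean = [a for a in addresses if not random_looking(a)]
    return suspect, clean


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real log.
    samples = [
        "jkgtd@example.com",        # the post's consonant example
        "aieu@example.com",         # the post's vowel example
        "john.smith@example.net",   # ordinary address, passes
        "strengths@example.org",    # real word, 'ngths' = 5 consonants -> false positive
        "queueing@example.org",     # real word, 'ueuei' = 5 vowels -> false positive
    ]
    for addr in samples:
        print(f"{addr:28} {random_looking(addr)}")
```

Running it shows why the rule is better used as one score among several than as a hard reject: plain English words such as "strengths" and "queueing" match it just as well as the random local parts it was written for.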
Consonants, sure; figure it out yourself though :) .

Vowels? Only if you don't do business with Hawaii :) :)

Jeff
 
working

Anyone got this running as yet? I tried a version but exim that comes with DA is not compiled with MySQL and I don't know the implications of adding it.
 
greylistd

So, this has helped reduce CPU load from 30-50% to 5-8%. It has stopped 97% of email with non-retries, so it is probably all spam :)

== Get greylistd ==
cd /tmp
wget http://ftp.debian.org/debian/pool/main/g/greylistd/greylistd_0.8.3.2.tar.gz
tar -zxvf greylistd_0.8.3.2.tar.gz
cd greylistd-0.8.3.2/

== Make the folders ==
mkdir /etc/greylistd/
mkdir /var/run/greylistd/
mkdir /var/lib/greylistd/

Provided you are still in the greylistd-0.8.3.2 folder, copy the files:
cp config/* /etc/greylistd/
cp program/greylist* /usr/sbin/

Edit the config at /etc/greylistd/config

== Change permissions ==
chown -R mail:mail /etc/greylistd/
chown -R mail:mail /var/run/greylistd/
chown -R mail:mail /var/lib/greylistd/
chown -R mail:mail /usr/sbin/greylist*

== Run greylistd in the background ==
su mail
/usr/sbin/greylistd &
exit

or /usr/sbin/greylistd

== Edit the exim.conf ==
Now (as root) open /etc/exim.conf and search for the following section:

# accept mail to [email protected], regardless of source
# accept local_parts = errors
# domains = example.com

Add the following below it:
#GREYLIST
defer
  message = $sender_host_address is greylisted
  log_message = greylisted.
  hosts = !+relay_hosts
  domains = +relay_domains
  !senders = : postmaster@*
  set acl_m6 = $sender_host_address $sender_address $local_part@$domain
  set acl_m6 = ${readsocket{/var/run/greylistd/socket}{$acl_m6}{5s}{}{}}
  condition = ${if eq {$acl_m6}{grey}{true}{false}}
  # authenticated = *

Restart exim
/usr/local/etc/rc.d/exim restart

== Check everything works ==
root@sophia:~# greylist stats
Statistics since Mon Nov 27 11:45:38 2006 (2 hours and 46 minutes ago)
----------------------------------------------------------------------
186 items, matching 198 requests, are currently whitelisted
0 items, matching 0 requests, are currently blacklisted
2237 items, matching 2319 requests, are currently greylisted

Of 186 items that were initially greylisted:
- 186 (100.0%) became whitelisted
- 0 ( 0.0%) expired from the greylist

Check the log:
root@sophia:~# tail -f /var/log/maillog | grep greylist
Nov 27 14:32:17 sophia exim: 2006-11-27 14:32:17 H=xx.ct.comcast.net [24.2.xx.xx] F=<[email protected]> temporarily rejected RCPT <[email protected]>: greylisted.
Nov 27 14:32:20 sophia exim: 2006-11-27 14:32:20 H=smtp3.clear.net.nz [203.97.33.64] F=<[email protected]> temporarily rejected RCPT <[email protected]>: greylisted.
Nov 27 14:32:20 sophia exim: 2006-11-27 14:32:20 H=smtp3.clear.net.nz [203.97.33.64] F=<[email protected]> temporarily rejected RCPT <[email protected]>: greylisted.

== Add to startup ==
Provided everything is working, add the following to your startup:
pico /etc/rc.local
/usr/bin/su mail -c /usr/sbin/greylistd &
 
Hi,

I have a mailserver running with postfix + postgrey + whitelister. I don't have experience with Exim, only Postfix.

Conditional greylisting is (in my experience) much better than only plain greylisting because some MTAs (notably MS Exchange and some Qmail servers) interpret the SMTP 450 greylisting code as a fatal error, so the sender gets back a bounced e-mail. Also, legitimate e-mail is sometimes delayed for quite some time, depending on the sending MTA.

When using whitelister, the greylisting is only applied to hosts that are in a DNSRBL.

This is also possible with Exim, as is explained here:

http://attenuate.org/~simon/wiki/Exim,_ClamAV,_SpamAssassin_and_greylisting

I'd be very happy having a copy-and-paste conditional greylisting HOWTO for DirectAdmin Exim.

Could you adjust your mini HOWTO to the "Greylisting based on DNSBL result" section of that website?


regards,
Adriaan
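Two things in this thread are easier to see in code than in prose: what the daemon behind the greylistd HOWTO actually does with the "$sender_host_address $sender_address $local_part@$domain" line the Exim ACL sends it (a triplet state machine with a retry window and expiry), and the conditional variant Adriaan describes, where only hosts listed in a DNSBL are greylisted. The block below is an added illustration, not greylistd's code and not the SpamBlocker exim.conf; the class names, the timing constants and the DNSBL lookup (simulated by a callable) are assumptions, and the request/response strings only mirror the "grey" check the ACL above performs.

```python
"""Added example (not greylistd's own code): the triplet state machine behind
a greylisting daemon, plus a DNSBL-gated variant.  Timings are assumptions."""
import time

RETRY_MIN = 60             # assumed: a retry sooner than this is still greylisted
GREY_EXPIRE = 4 * 3600     # assumed: greylisted triplets never retried are dropped
WHITE_EXPIRE = 30 * 86400  # assumed: whitelisted triplets are forgotten after 30 days,
                           # which is why a known sender "comes back" to greylisting


class Greylist:
    """Keeps (sending host, envelope sender, recipient) triplets in memory."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._db = {}   # triplet -> [first_seen, last_seen, is_white]

    def _purge(self, now):
        """Drop entries past their lifetime (grey or white)."""
        for key, (_first, last, white) in list(self._db.items()):
            if now - last > (WHITE_EXPIRE if white else GREY_EXPIRE):
                del self._db[key]

    def check(self, host, sender, rcpt):
        """Return 'grey' (MTA should defer with a 4xx) or 'white' (accept)."""
        now = self._clock()
        self._purge(now)
        key = (host, sender.lower(), rcpt.lower())
        entry = self._db.get(key)
        if entry is None:
            self._db[key] = [now, now, False]   # first contact: defer
            return "grey"
        first, _last, white = entry
        entry[1] = now
        if white or now - first >= RETRY_MIN:
            entry[2] = True                     # retried after the window: accept
            return "white"
        return "grey"                           # retried too early: keep deferring

    def handle(self, line):
        """Serve the request the exim.conf ACL builds:
        '$sender_host_address $sender_address $local_part@$domain'."""
        fields = line.split()
        if len(fields) != 3:
            return "error"
        return self.check(*fields)

    def stats(self):
        """Counts in the spirit of 'greylist stats'."""
        white = sum(1 for e in self._db.values() if e[2])
        return {"whitelisted": white, "greylisted": len(self._db) - white}


class ConditionalGreylist(Greylist):
    """Greylist only hosts a DNSBL lists; everyone else is accepted at once."""

    def __init__(self, listed, clock=time.time):
        super().__init__(clock)
        self._listed = listed   # callable host -> bool, stands in for a DNSBL lookup

    def check(self, host, sender, rcpt):
        if not self._listed(host):
            return "white"
        return super().check(host, sender, rcpt)


def demo():
    """Walk a fake clock through the cases argued about in the thread."""
    t = [1_000_000.0]
    clock = lambda: t[0]
    gl = Greylist(clock)
    req = "192.0.2.10 sender@example.org user@example.com"   # constructed triplet
    first = gl.handle(req)        # 'grey': never seen
    t[0] += 10
    early = gl.handle(req)        # 'grey': retried inside the window
    t[0] += RETRY_MIN
    accepted = gl.handle(req)     # 'white': proper retry
    t[0] += WHITE_EXPIRE + 1
    again = gl.handle(req)        # 'grey': the triplet expired, sender starts over
    # Conditional: only the "listed" host (simulated by a prefix test) is greylisted.
    cg = ConditionalGreylist(lambda h: h.startswith("198.51.100."), clock)
    clean = cg.handle("203.0.113.5 a@example.net b@example.com")    # 'white'
    listed = cg.handle("198.51.100.7 a@example.net b@example.com")  # 'grey'
    return first, early, accepted, again, clean, listed


if __name__ == "__main__":
    print(demo())
```

Two things to notice when wiring this to Exim. A sender that never retries (the 97% in the HOWTO) never reaches "white" and is purged after GREY_EXPIRE, so the database stays small. And the ACL above compares the socket answer to the single word "grey": if the daemon is down or slow, the readsocket failure string ({} in that line, i.e. empty) is not "grey", so the mail is accepted rather than deferred. That is fail-open by design, which is the behaviour you want, but it also means a dead greylistd shows up only as a drop in "temporarily rejected" log lines, not as an error.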
 
Adriaan, why would we want to greylist based on listings in DNSRBL? We now block based on DNSRBLs. That seems a lot more efficient to me.

Or are you suggesting we offer it as an option to those folk who don't want to block on DNSRBL?

I'm working now on the next version of DA's SpamBlocker exim.conf file (SpamBlocker3) so I'm happy to see your link, and will see if I can integrate that.

Are you saying that Exchange servers don't retry if a server says it's busy? That's what greylisting does.

Note we've been testing nolisting (using a lowest-cost MX record pointing to a server that doesn't answer on port 25) for some time now and it works well with Exchange servers.

Jeff
 
Adriaan, why would we want to greylist based on listings in DNSRBL? We now block based on DNSRBLs. That seems a lot more efficient to me.

Or are you suggesting we offer it as an option to those folk who don't want to block on DNSRBL?

Greylisting only blacklisted hosts does not really hurt antispam performance, but takes away the bad side effects of plain greylisting:

1) when a legitimate remote user who is not yet known to the greylisting daemon tries to send an e-mail, s/he gets greylisted. This will delay the e-mail for a period between the greylisting period itself (maybe 60 seconds) and several hours. It happened to me several times, e.g. when a new e-mail account is created at a business partner, or somebody has not sent mail for longer than the greylisting triplets database is kept.
2) some servers don't get SMTP 450 right.

In both cases, people start picking up their phones :(

I'm working now on the next version of DA's SpamBlocker exim.conf file (SpamBlocker3) so I'm happy to see your link, and will see if I can integrate that.

Are you saying that Exchange servers don't retry if a server says it's busy? That's what greylisting does.

Yes, that's exactly what happens. There seems to be a version of Exchange that has the wrong default setting. It does NOT retry after a 450, but bounces the e-mail.

Note we've been testing nolisting (using a lowest-cost MX record pointing to a server that doesn't answer on port 25) for some time now and it works well with Exchange servers.

Jeff

I only experienced the 450 problem with 2 servers (2 companies), 1 was running Exchange, the other one Qmail. So I guess it's a rare problem, but the annoying thing is that the problem will come back to you after a few months, when the greylisting database expires.

Another reason the nolisting thing should work well, even with badly configured MTAs, is that legitimate hosts will just use the highest priority MX (lowest number) by default.

This site, (in Dutch) also mentions this problem of not responding correctly: http://www.vacsin.com/450error

regards
Adriaan
 
Can you point me to an English language post on how I'd use exim to greylist only after checking blocklists? I don't mind testing it but I'd like some direction on how others are doing it.

Jeff
 
How does Exim behave when it sends emails to servers with greylisting enabled?

Does it resend?
 