On Tue, 2004-08-03 at 18:20, Ryan Thompson wrote:
> Yeah. If SA wasn't already catching 99.96% of our spam, I'd have jumped
> on greylisting weeks ago. :-)
>
> I know, the bandwidth savings are probably worth it. I've just been a
> little loath to deliberately add a non-deterministic delay to a small
> but significant proportion of legitimate email, even with whitelisting.
>

Have not found the delay to be a problem so far. You get all the benefits of greylisting with a delay of a few minutes. From what I have seen most legit MTAs retry a message in the first 5 or 10 minutes. I need to do some formal analysis on the logs to see what the actual delays are.

> Has anybody tried using SA's AWL as input to any greylisting
> application? My gut reaction is that it would make for a good knob,
> allowing the admin to automatically pass any message below a certain AWL
> score, and greylist anything above that score. (And dump core for
> anything that hits the score exactly, of course).
>

Interesting idea.

> The catch-22 to this is that if greylisting works even half as well as
> documented, the AWL will quickly decay and become skewed towards ham
> (yet it might still be a somewhat useful tool for greylisting). Not to
> mention Bayes, as well as any corpus testing and rule development that I
> do that depends on a large sample of current spam. That's probably the
> more compelling argument against greylisting, now that I think about it.
>

It works as well as or better than documented. :) You may have to set up a special spamtrap domain that sits outside your other defenses.

> Right now, I can't think of a way to maintain the accuracy of SA without
> allowing the spam payloads into our network... which requires the same
> bandwidth and processing overhead as our current scan+quarantine system.
> I'm thinking in layers, here.. I don't want to compromise our best line
> of defense just to save a little bit of bandwidth.

Layers are good. At the moment I let greylisting deflect the bulk of the spam and then spamassassin does the cleanup and catches the rest.

Since implementing this I have actually been able to get back to doing my other full time job of real work instead of fighting spam every day. :) Even though spamassassin caught 99+% of the spam there was still a lot of time spent reviewing the spam bucket to make sure there were no false positives. With greylisting the number of spam in the bucket is small enough to not be a burden. Even after filtering for legit users there was still a significant amount left of the 3000 to 6000 spam a day we were seeing. Other than needing to write a script to get some delay stats I don't have to worry about spam as much as I did earlier this year.

>
> Thoughts?
>
> - Ryan

--
Scot L. Harris <[EMAIL PROTECTED]>
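
A sketch of the delay-stats script mentioned in the message above, as an added example that is not part of the original thread: for each (client IP, envelope sender, recipient) triplet it measures the time between the first greylist deferral and the first accepted retry, and lists triplets that never came back. The log format, the `DEFER`/`PASS` keywords, the function names and the sample lines are constructed assumptions, not the output of any particular greylisting implementation.

```python
from statistics import median

# Constructed sample log (assumed format, not from any real greylisting daemon):
# <epoch-seconds> <DEFER|PASS> <client-ip> <envelope-sender> <recipient>
SAMPLE_LOG = """\
1091571600 DEFER 192.0.2.10 alice@example.org bob@example.com
1091571700 DEFER 198.51.100.7 x91@spam.example bob@example.com
1091571900 PASS 192.0.2.10 alice@example.org bob@example.com
1091572000 DEFER 203.0.113.5 list@example.net carol@example.com
1091572030 DEFER 203.0.113.5 list@example.net carol@example.com
1091573800 PASS 203.0.113.5 list@example.net carol@example.com
1091574000 PASS 192.0.2.10 alice@example.org bob@example.com
garbage line that does not parse
"""

def greylist_delays(log_text):
    """Map each triplet to seconds between its first DEFER and first PASS,
    and list the triplets that were deferred but never retried successfully."""
    first_defer, delays = {}, {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit() or parts[1] not in ("DEFER", "PASS"):
            continue  # ignore lines outside the assumed format
        ts, action, triplet = int(parts[0]), parts[1], tuple(parts[2:])
        if action == "DEFER":
            first_defer.setdefault(triplet, ts)  # keep the earliest deferral only
        elif triplet in first_defer and triplet not in delays:
            delays[triplet] = ts - first_defer[triplet]  # later PASSes add no delay
    never_retried = [t for t in first_defer if t not in delays]
    return delays, never_retried

def summarize(delays, window=600):
    """Median and worst delay, plus the share delivered within `window` seconds."""
    values = sorted(delays.values())
    if not values:
        return {"delivered": 0, "median": None, "max": None, "within_window": None}
    return {
        "delivered": len(values),
        "median": median(values),
        "max": values[-1],
        "within_window": sum(v <= window for v in values) / len(values),
    }

if __name__ == "__main__":
    delays, never = greylist_delays(SAMPLE_LOG)
    print(summarize(delays))
    print("deferred, never retried:", never)
```

The default `window` of 600 seconds corresponds to the "first 5 or 10 minutes" retry observation in the message; triplets in the never-retried list are the mail that greylisting deflected.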