On Wed, 23 Nov 2011, Christian Grunfeld wrote:
Greylists do a great job stopping robots, but there are spammers with
well-configured MTAs who try and try and try and bypass greylists.
Since the frequency of users checking quarantine has also been mentioned:
We've been running spamassassin for about 5 years (we used plain DNSBL
before, and lately some people were complaining about FPs), with quarantine
in a daily global folder for the whole institute (not per user), and with a
crontab which sends each user a list ("spam report") of the apparent
originator and subject of the quarantined potential spam.
A few users did check this daily report, and very rarely (once per month?)
asked to release an odd FP. Other users (like me) felt the number of
information messages was excessive; I had a further personal filter which
scanned the spam report (which is anyhow archived for 7 weeks, but which I
almost never check), counted the number of occurrences of the same subject
(high = potential spam, single = maybe FP) and told me of suspicious FPs.
They were so few that I usually did not check the report or the condensed
report, but only checked the quarantine in the rare cases when I did not
receive a reply I was expecting.
On the other hand, the spam still passing through spamassassin was growing
more and more (our fault, we do not update the server very often) for all
our users.
About 6 months ago we implemented greylisting, with an initial whitelist
of the MXs of several academic domains which are our regular correspondents,
and that cut the amount of spam severely and very satisfactorily.
We still run spamassassin downstream of the greylisting, and the
information in the reports is now reduced to a manageable size (but I've
got into the habit of not checking it), and the surviving spam is almost nil.
We run a crontab which reports (to me) the origin and destination of
messages which are autowhitelisted by the greylist after more than 30 min.
I scan those reports and pick up the odd academic domain which needs to
be permanently whitelisted (I wait until I have a dozen of those before
telling the system manager to actually whitelist them). I notice that the
majority of the cases which pass through the greylist after such a long delay
are (but for a few mail exploders) spammers, of the sort of bank or credit
card phishing, I guess.
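The two small filters described in the message above (the subject-count
pass over the daily spam report, and the report of messages that cleared
the greylist only after a long delay) are easy to reproduce. The script
below is an added example, not the poster's own crontab scripts. The spam
report format (tab-separated originator and subject, one message per line)
and the greylist log lines are constructed sample data; the log lines are
loosely modelled on the "action=pass ... delay=<seconds>" syslog entries
that postgrey writes, so adjust the regular expression to whatever your
greylister actually logs. The 30 min threshold is the one the message uses.

```python
import re
from collections import Counter

# Constructed sample of a daily "spam report": one quarantined message per
# line, apparent originator and subject separated by a tab. Not real data.
SPAM_REPORT = """\
lottery@example.net\tYou have won!!! Claim your prize
lottery@example.net\tYou have won!!! Claim your prize
promo@example.org\tRe: cheap pills, cheap pills
promo@example.org\tRE: Cheap pills, cheap pills
colleague@univ.example\tRe: draft of section 3
rates@example.com\tLowest mortgage rates
rates@example.com\tlowest   mortgage rates
"""

# Constructed greylist log lines, loosely modelled on postgrey's syslog
# format. The hostnames, addresses and senders are invented.
GREYLIST_LOG = """\
Nov 23 08:12:01 mx postgrey[2001]: action=pass, reason=triplet found, delay=302, client_name=mx.univ.example, client_address=192.0.2.10, sender=prof@univ.example, recipient=me@institute.example
Nov 23 09:40:17 mx postgrey[2001]: action=pass, reason=triplet found, delay=7214, client_name=mail.lists.example, client_address=192.0.2.20, sender=owner-list@lists.example, recipient=me@institute.example
Nov 23 10:05:44 mx postgrey[2001]: action=greylist, reason=new, delay=0, client_name=unknown, client_address=198.51.100.7, sender=alerts@bank.example, recipient=me@institute.example
Nov 23 13:33:09 mx postgrey[2001]: action=pass, reason=triplet found, delay=12400, client_name=unknown, client_address=198.51.100.7, sender=alerts@bank.example, recipient=me@institute.example
"""

_PREFIX = re.compile(r"^(?:(?:re|fwd?|aw)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject):
    """Fold case, drop Re:/Fwd: prefixes and collapse whitespace so that the
    small variations within one spam run still count as the same subject."""
    stripped = _PREFIX.sub("", subject.strip())
    return " ".join(stripped.lower().split())


def parse_report(text):
    """Split the report into (originator, subject) pairs, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        originator, _, subject = line.partition("\t")
        rows.append((originator.strip(), subject))
    return rows


def suspicious_fps(text, max_count=1):
    """Return the (originator, subject) pairs whose subject occurs at most
    max_count times in the report: mass-mailed spam repeats its subject, a
    subject seen only once is a candidate false positive worth a look."""
    rows = parse_report(text)
    counts = Counter(normalize_subject(subj) for _, subj in rows)
    return [(orig, subj) for orig, subj in rows
            if counts[normalize_subject(subj)] <= max_count]


# Hypothetical pattern for the sample log format above; adapt to your greylister.
_GREYLIST_LINE = re.compile(
    r"action=(?P<action>\w+).*?delay=(?P<delay>\d+).*?"
    r"client_name=(?P<client>\S+?),.*?sender=(?P<sender>\S+?),.*?"
    r"recipient=(?P<rcpt>\S+)")


def late_passes(log_text, min_delay=30 * 60):
    """Return the messages that passed the greylist only after more than
    min_delay seconds (30 min by default), with origin and destination."""
    late = []
    for line in log_text.splitlines():
        m = _GREYLIST_LINE.search(line)
        if not m or m.group("action") != "pass":
            continue
        delay = int(m.group("delay"))
        if delay <= min_delay:
            continue
        sender = m.group("sender")
        late.append({
            "sender": sender,
            "sender_domain": sender.rpartition("@")[2],
            "recipient": m.group("rcpt"),
            "client": m.group("client"),
            "delay": delay,
        })
    return late


def domains_to_review(log_text, min_delay=30 * 60):
    """Count late passes per sender domain: the input for deciding which
    legitimate (e.g. academic) domains deserve a permanent whitelist entry."""
    return Counter(e["sender_domain"] for e in late_passes(log_text, min_delay))


if __name__ == "__main__":
    print("Possible false positives (subject seen once):")
    for originator, subject in suspicious_fps(SPAM_REPORT):
        print(f"  {originator}\t{subject}")
    print("Passed the greylist after more than 30 min:")
    for entry in late_passes(GREYLIST_LOG):
        print(f"  {entry['sender']} -> {entry['recipient']} "
              f"via {entry['client']} after {entry['delay']} s")
    print("Late passes per sender domain:", dict(domains_to_review(GREYLIST_LOG)))
```

Run as is, the only subject reported as a possible FP is the single
"draft of section 3" message; both repeated spam subjects are filtered out
despite their Re:/case/whitespace variations. The greylist part reports the
list-server delivery and the "bank" sender that only got through after more
than three hours, which is exactly the population the message says is
dominated by phishing with a few mail exploders mixed in.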