Greylisting Enabled
I upgraded our Postfix installation today to the
latest-n-greatest,
primarily so we can make use of a great new technique in spamfighting:
greylisting.
Here's how it works: there's a program called postgrey
running on hexogen, which gets consulted by Postfix every time someone from the
outside world tries to send us an email. Postgrey maintains a little database
of (sending IP, sender address, recipient address) triples, along with the
time each combination was seen. If the current message's triple is new,
meaning it either doesn't exist in the database or was added very recently,
Postfix tells the sender to try again later (with a '450' SMTP error); if the
triple already exists and is more than five minutes old, the mail is accepted.
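The decision described above, as an added Python sketch (not postgrey's own code, which is not shown in this post). The class and function names, the in-memory dictionary, and the sample addresses are assumptions made for illustration; only the triple, the 450 reply and the five-minute threshold come from the description.

```python
import time

DELAY_SECONDS = 5 * 60  # the five-minute threshold described in the post


class Greylist:
    """In-memory stand-in for the triple database (illustrative only)."""

    def __init__(self, delay=DELAY_SECONDS):
        self.delay = delay
        # (client_ip, sender, recipient) -> time the triple was added
        self.added_at = {}

    def check(self, client_ip, sender, recipient, now=None):
        """Return an (smtp_code, text) reply for one delivery attempt."""
        now = time.time() if now is None else now
        # Lower-casing the addresses is a simplification made for this example.
        triple = (client_ip, sender.lower(), recipient.lower())
        # An unknown triple is recorded with the current time, so its age is 0.
        added = self.added_at.setdefault(triple, now)
        age = now - added
        if age > self.delay:
            return 250, "accepted"
        wait = int(self.delay - age)
        return 450, f"greylisted, try again in {wait} seconds"


# Constructed sample triple (documentation address ranges and domains).
SAMPLE = ("192.0.2.10", "alice@example.org", "bob@example.net")


def simulate(attempt_offsets, triple=SAMPLE):
    """Replay attempts for one triple at the given second offsets; return reply codes."""
    gl = Greylist()
    t0 = 1_000_000.0  # constructed start time
    return [gl.check(*triple, now=t0 + off)[0] for off in attempt_offsets]


if __name__ == "__main__":
    # Fire-and-forget sender: a single attempt that is never retried.
    print("no retry:  ", simulate([0]))
    # Queueing MTA: a retry inside the window is deferred again, a later one gets through.
    print("with retry:", simulate([0, 60, 900]))
```

A sender that changes its IP or envelope sender between attempts produces a different triple each time and starts the clock over.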
"But how does this block spam?" you may ask. The whitepaper
states (and my own observations have shown this to be true):
[.. The] vast majority of spam appears to be sent from applications designed
specifically for spamming. These applications appear to adopt the
"fire-and-forget" methodology. That is, they attempt to send the spam to one
or several MX hosts for a domain, but then never attempt a true retry as a
real MTA would ... In addition, with the recent rampant proliferation of
email-based viruses, Greylisting has been shown to be extremely effective in
blocking these viruses, as they also do not tend to retry deliveries.
I don't have hard stats yet -- I'll update when I do -- but so far it looks like
the trend shown in this graph from the postgrey page applies to us, too.
Posted by eric at June 15, 2004 02:13 PM