[Mimedefang] greylisting stats

Jonas Eckerman jonas_lists at frukt.org
Wed Dec 10 16:44:05 EST 2003


On Wed, 10 Dec 2003 16:21:48 +0000, Tyler wrote:

> We recently implemented David's code for greylisting and have had
> tremendous results.

Greylisting is good. :-)

> number of emails thwarted from greylisting, but doesn't necessarily
> mean that they were all spam.  There could be valid, mis-configured email
> servers in there, servers that haven't resent, etc and this will

I would guess that a very large majority of the connections that never got through were from spam and worms.

I do know that I've got a few, 3 I think, mails blocked that should've been let through. This was because of the mud I had in my brain when I configured my system to reset a triplet whenever a spam with a certain score (or higher) got through. This resetting can work, but not when you only use the domain part of the sender. Stupid me. (And yes, I only want to use the domain part, because some big mailing list servers (Yahoo's for example) change the user part of the sender for each mail.) The reset might still work, but it should require a certain number of consecutive spams or something like that, and currently my greylist does not have such a counter.

> What are people's thoughts on this or what are others doing?

If you check
http://whatever.frukt.org/graphdefang/?view=hourly#hourly_510_greylist_events.png
and
http://whatever.frukt.org/graphdefang/?view=_totals_#Current_500_Greylist_Contents.png
you can see my greylist stats.

The values in the event graphs are from the mail log:
White triplet: a mail connection was accepted because it's white-listed.
Black triplet: a mail connection was rejected because it was in its 10 minute black list period.
New triplet: a mail connection was rejected because the triplet was not in the database.
Old triplet: a mail connection was rejected because the last accepted time stamp for the triplet was either more than 36 days ago, or no connection was accepted in the 36 hour - 10 minutes grace period, or the triplet had been reset.

The values in the content graph show what the greylist database contains:
Accepted: A triplet for which mail has been accepted and that has never been reset
Blocked: A triplet for which no connection has ever been accepted
Reset: A triplet for which 1 or more connections have been accepted but which has been reset

Note that the script that creates the content graph has no idea as to what time limits are used for the list, so it does not show the actual status of triplets as they will be used by the filter. Some day I'll probably tell it how to do that, as that would be nice to see.

As you might guess my database contains some time stamps. Actually, it contains the following timestamps:
created
last modified
reset
accepted
The last modified stamp is used for periodical cleaning of the list.
The reset and accepted stamps are the ones that decide how to handle a connection.

Each triplet also has a count of accepted connections.

/Jonas
-- 
Jonas Eckerman, jonas_lists at frukt.org
http://www.fsdb.org/
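
The triplet handling described in this message, sketched in Python as an added example; it is not Jonas's MIMEDefang filter code. The order of the checks, the reuse of the created stamp as the start of the current block period, and the reset() hook are assumptions; the time limits and the four stamps plus the accept count come from the message.

```python
from dataclasses import dataclass
from typing import Optional

BLOCK = 10 * 60        # 10 minute black list period (from the post)
GRACE = 36 * 3600      # a new triplet must retry within 36 hours (from the post)
EXPIRE = 36 * 86400    # last accept older than 36 days makes it "old" (from the post)

@dataclass
class Triplet:
    created: float                    # assumption: also marks the start of the current cycle
    modified: float                   # used only for periodic cleaning
    reset: Optional[float] = None
    accepted: Optional[float] = None
    count: int = 0                    # accepted connections

def check(db, key, now):
    """Return (log event, accept?) for one connection; updates db in place."""
    rec = db.get(key)
    if rec is None:
        db[key] = Triplet(created=now, modified=now)
        return "new", False
    rec.modified = now
    in_cycle = rec.accepted is not None and rec.accepted >= rec.created
    if rec.reset is not None and rec.reset > rec.created:
        stale = True                                  # reset since the cycle began
    elif in_cycle:
        stale = now - rec.accepted > EXPIRE           # last accept too long ago
    elif now - rec.created < BLOCK:
        return "black", False                         # retried too early
    else:
        stale = now - rec.created > GRACE             # missed the retry window
    if stale:
        rec.created = now                             # assumption: start over like a new triplet
        return "old", False
    rec.accepted, rec.count = now, rec.count + 1
    return "white", True

def reset(db, key, now):
    """Hypothetical hook: distrust a triplet, e.g. after high-scoring spam got through."""
    db[key].reset = db[key].modified = now

def classify(rec):
    """Category as counted in the content graph (no time limits applied)."""
    if rec.count == 0:
        return "blocked"
    return "reset" if rec.reset is not None else "accepted"
```

As in the message, classify() ignores the time limits, so a triplet whose last accept has expired still counts as accepted in the content view until the filter sees it again.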



