[Mimedefang] greylisting in filter_end after SA check?

Lucas Albers admin at cs.montana.edu
Tue Mar 16 14:07:35 EST 2004


Cahya Wirawan said:
> Currently I use greylisting in filter_begin with 4 minutes
> block time, it works fine and reduces most of the spams. But there
> are still a few spams that slip through with the score between 3 and 6
> (my score threshold is 6). My idea is to reply to the sender with a temporary
> failure message if the score is between 3 and 6 and set the block time
> to an hour

You are in a sense implementing a floating blacklist with this policy.
The reason greylist has a short delay is so it is not noticed; with your
longer policy you will delay legitimate email.
False positives, including delay of legitimate email, are worse than not
blocking some spam.
You should just try and can the persistent senders by logfile analysis.
You will never be able to block all the spam.
You can block repeat senders, and statistically significant senders.

There are a few things you can do to raise your accuracy without blocking
legitimate email.
Use bayes.
Use network tests.
Use helo checks.
Use floating greylists for machines that re-attempt delivery within
1-2 minutes of their first delivery attempt.
Analyze your logs for new relay addresses or sender addresses that have a
high average spam score.
Then blacklist their relay ip/sender address.
I'll post my spamscore-scan script when I finish it.
It also depends on what percentage of spam is slipping by, and what your
mail volume is.

-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
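
The log analysis suggested in the message above, as an added example that is not part of the original post and is not the author's spamscore-scan script. The log line format, the thresholds and the function name are assumptions; the sample lines are constructed. A minimum message count keeps a single high-scoring message from putting a relay on the list.

```python
import re
from collections import defaultdict

# Assumed, constructed log format (not MIMEDefang's own output):
#   <timestamp> relay=<ip> sender=<addr> score=<float>
LINE_RE = re.compile(
    r"relay=(?P<relay>\S+)\s+sender=(?P<sender>\S+)\s+score=(?P<score>-?\d+(?:\.\d+)?)"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
2004-03-16T09:00:01 relay=192.0.2.10 sender=<promo@bulk.example> score=5.4
2004-03-16T09:04:12 relay=192.0.2.10 sender=<promo@bulk.example> score=4.8
2004-03-16T09:07:45 relay=198.51.100.7 sender=<list@lists.example> score=0.2
2004-03-16T09:11:30 relay=192.0.2.10 sender=<Promo@bulk.example> score=5.1
2004-03-16T09:15:02 relay=198.51.100.7 sender=<list@lists.example> score=-1.0
2004-03-16T09:20:19 relay=203.0.113.5 sender=<one@single.example> score=5.9
2004-03-16T09:22:40 relay=192.0.2.10 sender=<other@bulk.example> score=3.9
2004-03-16T09:30:00 relay=198.51.100.7 sender=<list@lists.example> score=4.5
sendmail[123]: unrelated line that the parser must skip
"""

def blacklist_candidates(lines, min_avg=4.0, min_msgs=3):
    """Return {'relay': [...], 'sender': [...]} with (key, count, average)
    tuples whose average score is >= min_avg over at least min_msgs messages."""
    scores = {"relay": defaultdict(list), "sender": defaultdict(list)}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a scored-message line
        score = float(m.group("score"))
        scores["relay"][m.group("relay")].append(score)
        # Normalise the envelope sender: drop <> and fold case.
        scores["sender"][m.group("sender").strip("<>").lower()].append(score)
    result = {}
    for kind, table in scores.items():
        rows = [(key, len(v), round(sum(v) / len(v), 2))
                for key, v in table.items() if len(v) >= min_msgs]
        # Highest average first; key as tie-breaker for stable output.
        result[kind] = sorted((r for r in rows if r[2] >= min_avg),
                              key=lambda r: (-r[2], r[0]))
    return result

if __name__ == "__main__":
    for kind, rows in blacklist_candidates(SAMPLE_LOG.splitlines()).items():
        for key, count, avg in rows:
            print(f"{kind:6} {key:24} msgs={count} avg={avg}")
```

The output is a review list, not an automatic blacklist: the relay that sent one message scoring 5.9 is left out until it has sent enough mail to judge.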


