[Mimedefang] Re: Pre-greeting traffic.

John Rudd john at rudd.cc
Thu Apr 12 18:14:56 EDT 2007


G.W. Haywood wrote:
> Hi there,
> 
> On Thu, 12 Apr 2007 Mark G. Thomas wrote:
> 
>> On Wed, Apr 04, 2007 at 07:31:55PM +0100, G.W. Haywood wrote:
>>> My mail system automatically firewalls spam sources.  Depending on a
>>> variety of factors, the block is either for a few hours or indefinite.
>>>
>>> At the moment about half of the spam sources I see send pre-greeting
>>> traffic (I'm using sendmail's greet_pause feature), but blocking on
>>> that basis alone does give false positives, which I'd like to avoid.
>> Really?  I haven't had any complaints about blocking any non-spam sources
>> due to pre-greeting traffic, and we're handling about a million messages
>> per week.  Right now we're using a greet_pause setting of 5000 (5 secs)
>> and blocking about 45,000 connections per week with this rule.
> 
> One such non-spam source was mac.com - I tweaked the rules to give no pause.
> 
> But apparently there are no takers for my question?  That is, paraphrasing,
> does anyone have a way to log the actual pre-greeting traffic for analysis?
> Other than sniffing the TCP connection, of course.
> 

You tweaked the rules, or you added them to your access file with a 0 
second pause?  The former seems like a colossally bad idea, whereas the 
latter is pretty easy to do, easy to maintain, and doesn't require you 
to potentially re-write rules on every software update.

When I had a friend working at mac.com's server group, she fixed their 
greet_pause problem.  And then she left that job, and on their next 
update they went back to misbehaving.  Since then, I've had apple's 
servers on a 2 or 3 second pause (their threshold is around 10 seconds 
IIRC).


Most legitimate systems with problems are happy with a 5 second pause. 
In fact, I can't think of any that I had to give less than a 5 second 
pause (when I make an exception, I don't give them a 0 second pause, I 
give them a pause that is smaller than the default).

Though, since I switched to using Spamhaus Zen, and my anti-botnet 
rules, I haven't needed to have any host with more than a 3 second 
pause.  Zen, botnet, and an aggressive greet_pause (15 or more seconds) 
all seem to catch the same hosts (with each one catching a small number 
that the others didn't).

So, these days, even though I used to be a huge proponent of aggressive 
greet_pause magnitudes, I am using a pretty flat arrangement: 3 seconds 
default, 0 seconds for machines I administrate, no exceptions.  Then Zen 
catches a bunch (I delay checks, so it catches them during check_rcpt). 
My botnet code used to reject in filter_sender, but these days it's a 
SpamAssassin plugin, and it just adds to the SA score (and I reject 
messages whose SA score is >= 10, so a message whose score without the 
anti-botnet code is 5 <= score <= 10 may get pushed over the edge with 
the anti-botnet code).

I could raise the greet_pause, to lighten the load on DNS checks and SA 
checks, but that increases the administrative load I have on maintaining 
an exception list.  I suppose if my DNS load or SA load were high 
enough, I might make that trade off, but right now it's fine.
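A toy model of the setup described in this post, added here as an illustration (it is not sendmail's code and was not posted to the list): a per-host pause lookup in the spirit of the GreetPause: access-map entries (3 seconds default, 0 for your own machines, a shorter pause for a known legitimate-but-misbehaving sender), and a greeting routine that captures whatever the client sends during the pause so it can be logged for analysis, which is what G.W. Haywood asked about. The hostnames, IP ranges, banner text and timings are constructed for the example, and the 554 reply only mimics sendmail's wording.

```python
"""Toy model of sendmail's greet_pause: per-host pause lookup plus capture of
pre-greeting traffic. Illustration only, not sendmail code."""
import select
import socket
import time

# Pause table in milliseconds, modelled on "GreetPause:<key> <ms>" access-map
# entries. Keys and values are constructed for this example.
DEFAULT_PAUSE_MS = 3000
PAUSE_TABLE = {
    "192.0.2": 0,      # machines we administer: no pause at all
    "mac.com": 2000,   # legitimate sender known to jump the gun: shorter pause
}


def lookup_pause_ms(ip, hostname=None, table=PAUSE_TABLE, default=DEFAULT_PAUSE_MS):
    """Most specific IP prefix first (192.0.2.10 -> 192.0.2 -> 192), then the
    hostname and its parent domains, then the default."""
    parts = ip.split(".")
    for n in range(len(parts), 0, -1):
        key = ".".join(parts[:n])
        if key in table:
            return table[key]
    if hostname:
        labels = hostname.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            key = ".".join(labels[i:])
            if key in table:
                return table[key]
    return default


def greet(conn, pause_ms, banner=b"220 mx.example.net ESMTP\r\n"):
    """Hold the banner for pause_ms. Bytes that arrive during the pause are
    pre-greeting traffic: refuse with a 554 (wording mimics sendmail) and
    return the captured bytes so the caller can log them. Return None when
    the client waited for the banner (or the pause is 0, i.e. no check)."""
    deadline = time.monotonic() + pause_ms / 1000.0
    early = b""
    closed = False
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        readable, _, _ = select.select([conn], [], [], remaining)
        if not readable:
            continue
        chunk = conn.recv(4096)
        if not chunk:        # peer hung up before we ever spoke
            closed = True
            break
        early += chunk       # keep reading: log everything sent before 220
    if early:
        conn.sendall(b"554 mx.example.net rejecting commands from peer "
                     b"due to pre-greeting traffic\r\n")
        return early
    if not closed:
        conn.sendall(banner)
    return None


def simulate(client_bytes, pause_ms):
    """Drive greet() against an in-process peer that sends client_bytes
    immediately on connect. Returns (captured_pre_greeting, first_reply)."""
    server, client = socket.socketpair()
    try:
        if client_bytes:
            client.sendall(client_bytes)
        captured = greet(server, pause_ms)
        reply = client.recv(4096)
        return captured, reply
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    # Constructed connections: a bot that talks first, and a polite client.
    for ip, host, sent in (("198.51.100.7", "bot.example.org", b"EHLO bot\r\n"),
                           ("198.51.100.8", "mail.example.org", b"")):
        pause = lookup_pause_ms(ip, host)
        captured, reply = simulate(sent, min(pause, 200))  # shortened for demo
        if captured is not None:
            print("pre-greeting traffic from %s [%s]: %r" % (host, ip, captured))
        print("reply to %s: %r" % (ip, reply.strip()))
```

The loop keeps reading until the pause expires rather than stopping at the first byte, so the logged record holds the whole pipelined burst (typically EHLO plus MAIL FROM and more) rather than its first packet. A pause of 0 never enters the loop, which is exactly why a 0-second entry for a host means "unchecked" and not "checked quickly".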
