[Mimedefang] Re: Pre-greeting traffic.

G.W. Haywood ged at jubileegroup.co.uk
Fri Apr 13 07:29:55 EDT 2007


Hello again,

On Fri, 13 Apr 2007 Jan-Pieter Cornet wrote:

> > > At the moment about half of the spam sources I see send pre-greeting
> > > traffic (I'm using sendmail's greet_pause feature), but blocking on
> > > that basis alone does give false positives, which I'd like to avoid.
> >
> > Really?  I haven't had any complaints...
>
> ... when we installed the greetpause, we got rejects on it from
> "known good" gmail and yahoo ... one call from a system in Turkey
> ... never investigated ... the only exceptions seen - from around 10
> million mails per day.
>
> On another note: I looked briefly at the sendmail code involved and
> if pre-greeting traffic could set a flag, but it required deep patches
> to the sendmail source itself. I wouldn't recommend it...

All useful, thanks.  I looked at the sendmail code too, and decided
there would most likely be more profitable ways of spending my time.
We saw a few gmail and yahoo mails get caught as well as mac, but it
wasn't a big issue and I'm thinking that I probably shouldn't worry
about it so much given your statistics on much higher traffic.

On Fri, 13 Apr 2007 John Rudd wrote:

> You tweaked the rules, or you added them to your access file with a
> 0 second pause?

The latter, sorry for the careless phrasing.

> When I had a friend working at mac.com's server group, she fixed
> their greet_pause problem.  And then she left that job, and on their
> next update they went back to misbehaving.

Heh, we noticed.

> Though, since I switched to using Spamhaus Zen, and my anti-botnet
> rules, I haven't needed to have any host with more than a 3 second
> pause.

Tell me more about anti-botnet rules?

> Zen, botnet, and an aggressive greet_pause (15 or more seconds) all
> seem to catch the same hosts (with each one catching a small number
> that the others didn't).

My experience too.  I tend to be less tolerant, I use a _very_ long
greetpause.  I won't say how long in case our spammers are reading...

> I used to be a huge proponent of aggressive greet_pause magnitudes,
> I am using a pretty flat arrangement: 3 seconds default, 0 seconds
> for machines I administrate, no exceptions.  Then Zen catches a
> bunch (I delay checks, so it catches them during check_rcpt).

...even so that seems to be the way I'm drifting too.

> I could raise the greet_pause, to lighten the load on DNS checks and
> SA checks, but that increases the administrative load I have on
> maintaining an exception list.  I suppose if my DNS load or SA load
> were high enough, I might make that trade off, but right now it's fine.

Swings and roundabouts again.  I'm finding that some, shall we say, less
carefully configured mailservers that use sender verify aren't waiting
long enough for us to do our DNS checks.  Sheesh.

--

73,
Ged.
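
The greet-pause check discussed in this thread, sketched as an added example; it is not code from the post or from sendmail. The table, addresses, host name and reply strings are constructed, and the 200 ms default in the demo only keeps the run short.

```python
import select
import socket

# Constructed per-client table (milliseconds), mirroring the arrangement quoted
# in the thread: a flat default, and 0 for hosts the admin runs.
DEFAULT_PAUSE_MS = 3000
EXEMPT = {"192.0.2.10": 0}  # constructed documentation address

BANNER = b"220 mx.example.test ESMTP\r\n"                   # illustrative text
REJECT = b"554 mx.example.test not accepting messages\r\n"  # illustrative text


def greet(conn, client_ip, table=EXEMPT, default_ms=DEFAULT_PAUSE_MS):
    """Hold the banner for the client's pause; return (verdict, early_bytes)."""
    pause_ms = table.get(client_ip, default_ms)
    if pause_ms > 0:
        # A well-behaved client stays silent until it has read the 220 line,
        # so the socket becoming readable during the pause is the signal.
        readable, _, _ = select.select([conn], [], [], pause_ms / 1000.0)
        if readable:
            early = conn.recv(512)
            if not early:  # peer gave up and closed during the pause
                return "disconnected", b""
            conn.sendall(REJECT)
            return "pregreet", early
    # A pause of 0 means no wait and no check: anything already sent stays in
    # the socket buffer for the normal SMTP command loop.
    conn.sendall(BANNER)
    return "greeted", b""


def demo():
    """Run three constructed clients through greet() over local socket pairs."""
    results = []
    for ip, talks_early in [("203.0.113.5", True), ("203.0.113.6", False),
                            ("192.0.2.10", True)]:
        server, client = socket.socketpair()
        if talks_early:
            client.sendall(b"HELO constructed.example\r\n")
        verdict, _ = greet(server, ip, default_ms=200)
        results.append((ip, verdict, client.recv(64)[:3]))
        server.close()
        client.close()
    return results


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The third client talks early but sits in the exemption table, so it is greeted normally; that is the maintenance trade-off the thread describes for longer pauses.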