On 1/19/2011 8:06 AM, Lee Dilkie wrote:
On 1/19/2011 10:02 AM, David F. Skoll wrote:
On Wed, 19 Jan 2011 09:56:47 -0500
Lee Dilkie <l...@dilkie.com> wrote:
The second was that I've found that the other spam-catching filtering
is doing a much better job than it was years ago and turning off
greylisting didn't adversely affect the amount of spam that got
through.
That's possibly true, but look at this.
A greylisted message: mimedefang[17175]: p0I4xvRE017628: Filter time is 85ms
A scanned message: mimedefang[17175]: p0I50ACP017683: Filter time is 906ms
On a busy system, this can make a huge difference. SpamAssassin scanning
is by no means cheap.
Regards,
David.
Agreed there, I did have to install the compiled regex package to get SA
speeds up enough to handle the increased load (my server is not even
close to yours in performance but I did drop SA time from 10-30s to <3s).
Don't get me wrong, I liked GL but there are a number of big ISPs that
have quite long retry timeouts (for some reason, sympatico comes to
mind) and it got to be too annoying.
In our experience the large ISPs don't have long retry timeouts. What
they have are multiple outbound mailservers. They will try from 1
server and when they get the error 4xx they shift the outbound message
to another server. This happens until all of their outbound servers
have been greylisted for the one message, then it goes through.
In my opinion (we use greylist-milter) the greylist developers are
basically their own worst enemies here. They distribute a list of known
ISPs that round-robin outbound mail. But the list is very old and
isn't a quarter of the ones that actually do it.
So an admin inexperienced with greylisting installs it and gets the
experience you're relating and then assumes that greylisting is no good.
Note that I am not assuming you're inexperienced or that you don't already
know all about this problem. You just didn't mention it, so I didn't
want others who might come across this posting, and who might not be
experienced with this, to be unaware of it.
In our case greylisting is very cheap on CPU cycles. But the regex
matching and virus filtering is quite expensive. And worse, we have
to pass everything to the users including the spam that we have tagged,
so we cannot do the logical thing and put SA first and then just throw
away from further processing everything that is determined to be spam.
Instead we have to put the virus filtering first (because we are allowed
to toss virus-infected mail) which means everything gets both scanned
for spam (except viruses) and virus filtered.
So we prefilter with greylist-milter and it really does indeed
tremendously reduce the load on the server. But you really do have to
explain to your users what is going on for it to work, and you
have to thoroughly investigate every mail complaint to make sure that
it's not caused by a round-robin ISP that you don't have in your
exception list. And you have to be alert for hosts like
craigslist.org because those bastards
fail mail delivery EVEN IF they get an error 4xx, in violation of
the RFCs.
Ted
Who knows, all the code is still there and I might switch it on again in
the future.
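The round-robin effect Ted describes, worked through as an added simulation (this is not greylist-milter's or MIMEDefang's code): a greylist keyed on the usual (client IP, envelope sender, recipient) triplet defers every attempt that arrives from an IP it has not seen for that triplet, so an ISP that shifts the message to a different outbound server after each 4xx is deferred once per server before the first server's entry is old enough to pass. The same model shows the fix (exempting the ISP's netblock) and the failure mode of a sender that treats 4xx as permanent. The addresses, networks, retry interval and minimum delay are all constructed for the example.

```python
"""Greylisting simulation: the round-robin outbound-server problem.

Added illustration for this thread; it is not greylist-milter's or
MIMEDefang's code. The (client IP, sender, recipient) triplet, the minimum
age before acceptance, and the per-network exemption list are modelled in
simplified form (no entry expiry, no auto-whitelisting). All addresses,
networks and timings below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    min_delay: int = 300                               # seconds a triplet must age before acceptance
    exempt_nets: list = field(default_factory=list)    # ip_network objects that bypass greylisting
    seen: dict = field(default_factory=dict)           # (client_ip, sender, rcpt) -> first-seen time

    def decide(self, client_ip, sender, rcpt, now):
        """Return the SMTP response for one delivery attempt at time `now` (seconds)."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.exempt_nets):
            return ACCEPT  # known round-robin ISP: skip the delay entirely
        key = (client_ip, sender.lower(), rcpt.lower())
        first_seen = self.seen.setdefault(key, now)
        # A retry of a triplet that is old enough is accepted; a brand-new
        # triplet is deferred, even if the same message was already tried
        # from another IP of the same sending site.
        if now - first_seen >= self.min_delay:
            return ACCEPT
        return TEMPFAIL


def deliver(gl, outbound_ips, sender, rcpt, retry_interval,
            gives_up_on_4xx=False, max_attempts=50):
    """Simulate a sender that rotates outbound servers on every 4xx.

    Returns (delivered, attempts, seconds_until_accepted_or_None).
    """
    now = 0
    for attempt in range(max_attempts):
        ip = outbound_ips[attempt % len(outbound_ips)]
        if gl.decide(ip, sender, rcpt, now) == ACCEPT:
            return True, attempt + 1, now
        if gives_up_on_4xx:
            # RFC-violating behaviour: the temporary failure is treated as permanent
            return False, attempt + 1, None
        now += retry_interval
    return False, max_attempts, None


# Constructed scenario: an ISP with four outbound servers retrying every 15 minutes.
ISP_OUTBOUND = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
SENDER, RCPT = "someone@isp.example", "user@ours.example"


def round_robin_without_exception():
    gl = Greylist(min_delay=300)
    return deliver(gl, ISP_OUTBOUND, SENDER, RCPT, retry_interval=900)


def round_robin_with_exception():
    gl = Greylist(min_delay=300, exempt_nets=[ipaddress.ip_network("192.0.2.0/24")])
    return deliver(gl, ISP_OUTBOUND, SENDER, RCPT, retry_interval=900)


def non_retrying_sender():
    gl = Greylist(min_delay=300)
    return deliver(gl, ["198.51.100.7"], "noreply@sender.example", RCPT,
                   retry_interval=900, gives_up_on_4xx=True)


if __name__ == "__main__":
    for name, fn in [("4 servers, no exception", round_robin_without_exception),
                     ("4 servers, netblock exempted", round_robin_with_exception),
                     ("sender that gives up on 4xx", non_retrying_sender)]:
        ok, attempts, delay = fn()
        print(f"{name:30} delivered={ok} attempts={attempts} delay={delay}")
```

With a 5-minute minimum delay the ISP's mail is held for four retries plus one, i.e. the number of outbound servers times the retry interval (an hour here), which is exactly what looks like a "long retry timeout" from the receiving side. Adding the ISP's netblock to the exemption list makes the first attempt succeed, and the sender that drops the message on 4xx never delivers at all, which is why every complaint has to be checked against both cases.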