On 11/29/2012 12:01, Ned Slider wrote:
> Indeed. But do also play around with the delays in postgrey (--delay). A minimal delay of 60 seconds is enough to force a retry and is adequate - legit hosts will retry, non-legit hosts won't so a longer delay is generally unnecessary.
This is only one of the benefits of greylisting; it's one that spammers can trivially bypass by implementing a retry mechanism of their own.
The other benefit of greylisting is that you can defer (or re-check) DNSBLs before making the final decision to accept or decline, so a fresh zombie or new spam sender doesn't get a free bite at the inbox. Instead, fast-acting DNSBLs have a chance to get the new sender listed before a greylist retry period expires.
Here we do a combination of the two approaches, immediately whitelisting any address to which the user has sent mail in the past, as well as a fairly large list of known senders. After that, we only look at greylisting if the session or message is otherwise a bit suspicious, be it missing or mismatching rDNS, SPF softfail or worse, DK/DKIM failures, BAYES 70+ or SpamAssassin 4+, etc.
If it trips one of these normally-too-sensitive-to-use-for-blocking rules, it gets passed over to the greylisting subsystem and then can try again after a few minutes before getting through.
This has proved to work very well since it allows a majority of legitimate mail through without greylisting even on the first attempt, but still nets us most of the benefits of greylisting in the end.
-- Dave Warren http://www.hireahit.com/ http://ca.linkedin.com/in/davejwarren
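A sketch of the selective-greylisting policy Dave describes, as an added example that is not code from the thread or from postgrey: whitelists are consulted first, only sessions that trip one of the "too sensitive to block on" signals are greylisted, and the DNSBL is re-checked on the retry. The `Session` fields, the 60-second delay (from Ned's note) and the in-memory `dnsbl` set standing in for a real DNSBL lookup are all assumptions of this example.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 60  # seconds; the minimal delay that still forces a retry

@dataclass
class Session:
    sender: str
    client_ip: str
    rdns_ok: bool     # False = missing or mismatching reverse DNS
    spf: str          # "pass", "none", "softfail" or "fail" (assumed encoding)
    dkim_ok: bool     # False = DK/DKIM verification failed
    bayes: int        # SpamAssassin BAYES_xx bucket, e.g. 70 for BAYES_70
    sa_score: float   # SpamAssassin total score

@dataclass
class Policy:
    sent_to_before: set  # addresses the user has previously mailed
    known_senders: set   # curated list of known-good senders
    dnsbl: set           # constructed stand-in for a DNSBL: listed client IPs
    first_seen: dict = field(default_factory=dict)  # (ip, sender) -> first time seen

    def suspicious(self, s: Session) -> bool:
        """The normally-too-sensitive-to-block-on signals from the message."""
        return (not s.rdns_ok
                or s.spf in ("softfail", "fail")
                or not s.dkim_ok
                or s.bayes >= 70
                or s.sa_score >= 4.0)

    def decide(self, s: Session, now: float) -> str:
        # Whitelists win first: past correspondents and known senders skip everything
        if s.sender in self.sent_to_before or s.sender in self.known_senders:
            return "ACCEPT"
        # Nothing suspicious: accept on the first attempt, no greylisting
        if not self.suspicious(s):
            return "ACCEPT"
        key = (s.client_ip, s.sender)
        if key not in self.first_seen:
            self.first_seen[key] = now
            return "DEFER"          # 4xx: legit hosts will come back later
        if now - self.first_seen[key] < GREYLIST_DELAY:
            return "DEFER"          # retried too early, keep waiting
        # Retry after the delay: re-check the DNSBL before the final decision
        if s.client_ip in self.dnsbl:
            return "REJECT"         # listed while we were waiting
        return "ACCEPT"
```

The DNSBL re-check is the part that buys something a spammer's own retry loop cannot bypass: a sender that was clean at first contact but listed during the delay is refused on the retry.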