On 02.08.2016 at 18:55, Bill Cole wrote:
> Combined, this is why Sendmail and other MTA greeting delays are less spectacularly effective than they used to be and less effective than postscreen. The resource cost of prolonging every session to 6s is untenable for busy machines, so bots that have adapted can get through. Back in the early days of Sendmail's GreetPause a value of 3s would catch most bots but over the years some bots have adapted by doing their own hard delays and others have learned to wait for anything from the server. Few (if any) have adapted by actually parsing the greeting and making sure that they've seen the end of a multi-line greeting before talking
in fact most bots have a timeout around 10 seconds

postscreen_greet_wait = ${stress?3}${stress:11}s

and you will see a massive drop down of rejected mails in mailgraph because they all hang up after 10 seconds and since this result in postscreen is cached a legit client must only pass it one time while the bot not passing the tests hang forever there
well, and that greet_wait is also a good thing for all the scored dnsbl/dnswl because if there are some slow responding they don't get skipped and so the bot sits there useless waiting 11 seconds to get a "blocked using highest scored DNSBL"
postscreen other than smtpd is a single process, dnsbl/dnswl requests are done by extra, shared processes and so postscreen is unbeatable for years now if it comes to an inbound MX
after that you have 200-800 rejected mails in your contentfilters and smtpd-restrictions compared to many thousands without