Here is a quick update on how greylisting has been working for us. We've been running with it for 3 months now, and have been extremely happy. Greylisting is low-maintenance, highly effective, but as far as I know we have never had a false positive with it. I've recently had SysAdmin magazine accept a proposal to write an article on Greylisting, so I collected some statistics on our mail server operation with it. See the article, to be published in February, for many more details.
This data is for our mail server over a period of 4 days (Sunday morning through Wednesday evening), handling e-mail for 5 users with around 686 messages per day delivered to users.
We get roughly 30,627 SMTP connections per day which result in 7,069 good recipients (“RCPT TO” in SMTP-speak). This number is so large because we have one domain which is pointed at that mail server which regularly gets dictionary attacks, and have just started rejecting all mail to that domain.
86% of these recipient attempts are blocked by greylisting. 10 legitimate messages per day are delayed per day because they are not already on the greylist.
As far as I know there have been no false positives in the 3 months we've been using greylisting. In other words, greylisting has never blocked a message which was legitimate. I know that this is possible with greylisting, but I've never seen it. I also set up a white-list for the places which I know have problems with greylisting, so that is probably part of it.
Those are some pretty good numbers. Obviously, with 86% effectiveness it's not useful as your only line of defense. Greylisting is fairly cheap, though, and when you're rejecting 6 out of 7 incoming messages you have the cycles to be able to run more expensive operations such as Bayesian analysis, Spam Assassin, Razor lookups, etc…
To finish off with a rant, I'd like to remind people that spam is an attack on the Internet. I'm convinced that we will only achieve lasting results after we start thinking of it as such. I can't think of any other protocol where we'd consider a 7-fold increase in traffic to not be a denial of service attack. With e-mail, we can hardly make a dent in it – in fact it's just getting worse.comments powered by Disqus