Saturday, February 11, 2006

Greylisting with postgrey - a spam fighter

Hi there! A couple of days ago, I have setup postgrey. It eliminated 99.9999% of spams entering my users' mailbox. The implementation of greylisting is done at MTA level (postfix) reducing my mailserver load (especially my spam filter). It is like the front-end spam filter before the spams got filtered by anti-spam if they can pass through. It is designed as a complement to existing defenses against spam, and not as a replacement. So far so good. For time being, I guess no spam ever reach my users' mailbox as I went through a couple of test accounts.

*Note: There's one caveat - Greylisting delays all unknown e-mail, not just spam.

The source came with contributed script for reporting. Check it out to see whether your policy really works.

For those new to this, read below:

Your question : What in the hell is postgrey?
My Answer : Postgrey is a Postfix policy server implementing greylisting

Your question : What in the hell is greylisting?
My answer : (see below - taken from here )

Greylisting is a new method of blocking significant amounts of spam at the mailserver level, but without resorting to heavyweight statistical analysis or other heuristical (and error-prone) approaches. Consequently, implementations are fairly lightweight, and may even decrease network traffic and processor load on your mailserver.

Greylisting relies on the fact that most spam sources do not behave in the same way as normal mail systems. Although it is currently very effective by itself, it will perform best when it is used in conjunction with other forms of spam prevention. For a detailed description of the method, see the Whitepaper.

The term Greylisting is meant to describe a general method of blocking spam based on the behavior of the sending server, rather than the content of the messages. Greylisting does not refer to any particular implementation of these methods. Consequently, there is no single Greylisting product. Instead, there are many products that incorporate some or all of the methods described here.

Your question : How does it work actually?
My answer : (see below - taken from wikipedia)

Typically, a server that utilizes greylisting will record the following three pieces of information (known as a triplet) for each incoming mail message:

  • The IP address of the connecting host.
  • The envelope sender address.
  • The envelope recipient address.

This is checked against the mail server's internal whitelist. If any of this information has never been seen before, the email is greylisted for a set period of time (how much time is dependent on the server configuration), and it is refused with a temporary rejection. The assumption is that since temporary failures are built into the RFC specifications for e-mail delivery, a legitimate server will attempt to connect again later on to deliver the e-mail. Don't forget there's still many mailservers do not conform to the RFC.

Greylisting is effective because many mass e-mail tools utilized by spammers are not set up to handle deferrals (they will never bother to retry a failed delivery), so the spam is never delivered.

More information can be obtained here

Your question : Can I use Greylisting on my personal mail account?

My answer : Because Greylisting methods are designed to work at the mail server level, unless you have control of your own mail server, or your ISP has installed a Greylisting implementation for you, you will not be able to take advantage of Greylisting.

Resources:

  1. postgrey home
  2. postfix greylisting policy
  3. What is greylisting?

*UPDATE: I just found a better greylisting solution : sqlgrey.

No comments: