Better Living Through Thinking

Milter-Greylist Rocks

Mon, 07 Jun 2004

I turned on milter-greylist today for my server and have noticed a remarkable decrease in spam. In fact, so far today I haven't received any since it was turned on (I'm sure some will still get through), but so far, so good.

Greylisting was something I invented, of course. I was sitting there thinking about the characteristics of SMTP conversations. There are really only three unique things for an SMTP conversation: the connecting IP address, the envelope sender (MAIL FROM) and the recipient (RCPT TO). The rest of the data will vary from message to message.

I realized that the SMTP protocol is a reliable protocol, which means that if there is a temporary failure, the sending server should try again later (not indefinitely, but several times at least; usually we're talking about a week of retries in most cases, but often longer).

I thought to myself, "Hey, I bet most spammers use hijacked Windows machines and that they won't bother queueing mail and trying again." I talked this over with a co-worker who agreed with the principle. I began working on a native sendmail solution, using sendmail's program K-map.

The idea is that when a server wants to connect to us, we reject them, but save the three unique connection items and put them in some Berkeley hash for later. The next time the host tries to deliver mail (same host, same sender, same recipient), we assume they're legitimate and let the mail pass on.

I spent a few hours futzing with it but didn't get anything very promising and gave up. Then about a week or so later (May 11), I came across this link which was written last August (2003). So much for my originality!

Anyhow, I've been using another greylist program called milter-greylist (it integrates with sendmail via its milter feature).

I have one domain that receives several thousand joe-job bounces a day which I had to whitelist in the greylist configuration file. By whitelisting it, the greylist milter is bypassed and my regular "user unknown" error message can kick in (versus greylisting and then sending the "user unknown" message, which fills up my greylist with bogus addresses).
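The triplet logic described above (reject the first attempt, remember the connecting IP, envelope sender and recipient, accept the retry) together with the recipient-domain whitelist bypass, as an added example that is not milter-greylist's own code. The retry delay, expiry window and the constructed addresses are assumptions for illustration.

```python
import time
from dataclasses import dataclass, field

# Constructed tuning values (assumptions, not milter-greylist's defaults).
MIN_RETRY_DELAY = 300      # a retry sooner than this is still refused
UNSEEN_EXPIRY = 8 * 3600   # forget a triplet that is never retried
AUTOWHITE_TTL = 7 * 86400  # keep a triplet that passed for about a week


@dataclass
class Greylist:
    whitelist_domains: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # triplet -> first-seen time
    passed: dict = field(default_factory=dict)   # triplet -> last-accepted time

    def check(self, ip, mail_from, rcpt_to, now=None):
        """Return 'bypass', 'tempfail' or 'accept' for one RCPT TO."""
        now = time.time() if now is None else now
        # A whitelisted recipient domain skips greylisting entirely, so the
        # MTA's own "user unknown" rejection fires and bogus joe-job
        # addresses never enter the greylist database.
        if rcpt_to.rsplit("@", 1)[-1].lower() in self.whitelist_domains:
            return "bypass"
        key = (ip, mail_from.lower(), rcpt_to.lower())
        self._expire(now)
        if key in self.passed:           # already proved it retries
            self.passed[key] = now
            return "accept"
        first = self.pending.get(key)
        if first is None:                # never seen: record and 451 it
            self.pending[key] = now
            return "tempfail"            # e.g. 451 4.7.1 try again later
        if now - first < MIN_RETRY_DELAY:
            return "tempfail"            # retried too eagerly, keep waiting
        del self.pending[key]            # a patient, queueing MTA: let it in
        self.passed[key] = now
        return "accept"

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t < UNSEEN_EXPIRY}
        self.passed = {k: t for k, t in self.passed.items()
                       if now - t < AUTOWHITE_TTL}
```

A zombie that fires once and never queues only ever sees "tempfail", while a real MTA that retries after its queue interval is accepted on the second attempt and remembered for the week.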

Here's the histospam for the day:

20040526 => *************** (75)
20040527 => ********* (47)
20040528 => ***** (27)
20040529 => ******* (38)
20040530 => ******* (36)
20040531 => *********** (56)
20040601 => ****** (31)
20040602 => ******** (40)
20040603 => ********* (49)
20040604 => ****** (34)
20040605 => ******** (41)
20040606 => ******* (37)
20040607 => ****** (32)     <=== sendmail milter-greylist feature enabled on 7 June 2004

A nice side effect of greylisting is that most viruses will also be rejected, since the virus MTAs (mail transport agents) are primitive enough not to queue and retry (as a valid MTA should). That means less virus scanning in general, which is good for server resources. We're heading back to the good old days of mail!

Of course, it's only a matter of time before virus writers and spammers fix this problem by making their zombie computers behave more like legitimate MTAs, but that opens up new problems for them (namely, slower delivery and more exposed zombies).

[ category: /spam | link: 040607114827 ]
