
Greylisting and Postfix

  • Esquivel, Vicente
    Message 1 of 18 , May 31, 2006
      Hello all,
       
      Is anyone using greylisting and how successful has it been for you?  How difficult was it to implement on an existing postfix mail gateway server?
       
      Thanks all in advance!
       
      Vince
    • Marco Bertorello
      Message 2 of 18 , May 31, 2006
        On Wed, 31 May 2006 11:49:40 -0500
        "Esquivel, Vicente" <Esquivelv@...> wrote:

        > Hello all,

        Hi,

        > Is anyone using greylisting and how successful has it been for you?

        I've implemented greylisting successfully in a mailserver based on
        debian and postfix with postgrey tool. The quantity of spam is reduced
        by ~80%.

        > How difficult was it to implement on an existing postfix mail gateway
        > server?

        No problems. I've installed postgrey and (like documentation say) I've
        added something like this, in main.cf:

        smtpd_recipient_restrictions =
            permit_mynetworks
            ...
            reject_unauth_destination
            check_policy_service inet:127.0.0.1:60000

        All works fine out-of-the-box :-)

        I'm very curious about SQLgrey (http://sqlgrey.sourceforge.net/), a
        fork of postgrey... Someone already use this tool?

        cheers,

        P.S. Sorry for my horrible english :)

        --
        Marco Bertorello
        System Administrator
        http://bertorello.ns0.it/
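The check_policy_service entry above hands each RCPT decision to a small daemon that speaks Postfix's policy delegation protocol. As an added example (not postgrey's or SQLgrey's code), here is a minimal greylisting policy server that keys triplets on the client's /24 so a retry from a neighbouring farm host still matches, and skips whitelisted networks and client names; the listen address mirrors inet:127.0.0.1:60000 above, while the whitelist entries, delay and hostnames are constructed assumptions.

```python
"""Minimal greylisting policy daemon for Postfix's check_policy_service.

Added example; not postgrey's or SQLgrey's code. Postfix connects, sends
one "name=value" attribute per line terminated by an empty line, and
expects "action=<text>" followed by an empty line in return.
"""
import ipaddress
import math
import socketserver
import threading
import time

GREYLIST_DELAY = 300        # seconds a new triplet must wait before it is accepted
TRIPLET_TTL = 35 * 86400    # forget triplets not seen for this long
# Constructed whitelist: local networks and a (hypothetical) mail farm that rotates
# source IPs. permit_mynetworks normally runs before check_policy_service, so the
# nets here only matter if the restriction order differs from the main.cf above.
WHITELIST_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
WHITELIST_CLIENT_SUFFIXES = (".bigmail.test",)   # hypothetical farm's reverse-DNS domain


def parse_policy_request(raw: str) -> dict:
    """Parse the attribute block Postfix sends (stops at the first empty line)."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def triplet_key(client_address: str, sender: str, recipient: str) -> tuple:
    """Key on the client's /24 (IPv6: /64) so a farm host that retries from a
    neighbouring address still matches; sender and recipient are lower-cased."""
    ip = ipaddress.ip_address(client_address)
    prefix = 24 if ip.version == 4 else 64
    net = ipaddress.ip_network((str(ip), prefix), strict=False)
    return (str(net), sender.lower(), recipient.lower())


class Greylister:
    def __init__(self, delay: int = GREYLIST_DELAY):
        self.delay = delay
        self.seen = {}                 # triplet -> time of first attempt
        self.lock = threading.Lock()   # the server below is multi-threaded

    def is_whitelisted(self, attrs: dict) -> bool:
        ip = ipaddress.ip_address(attrs["client_address"])
        if any(ip in net for net in WHITELIST_NETS):
            return True
        name = attrs.get("client_name", "unknown").lower()
        return name.endswith(WHITELIST_CLIENT_SUFFIXES)

    def decide(self, attrs: dict, now=None) -> str:
        """Return the action Postfix applies: DUNNO (fall through to the next
        restriction) or DEFER_IF_PERMIT (4xx unless a later restriction rejects)."""
        now = time.time() if now is None else now
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        if self.is_whitelisted(attrs):
            return "DUNNO"
        key = triplet_key(attrs["client_address"], attrs.get("sender", ""),
                          attrs["recipient"])
        with self.lock:
            first = self.seen.get(key)
            if first is None or now - first > TRIPLET_TTL:
                self.seen[key] = now          # first sight: start the clock
                remaining = self.delay
            else:
                remaining = self.delay - (now - first)
        if remaining > 0:
            return f"DEFER_IF_PERMIT Greylisted, please retry in {math.ceil(remaining)} seconds"
        return "DUNNO"


GREYLISTER = Greylister()


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection may carry many requests; Postfix closes it when done."""

    def handle(self):
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:
                    return                    # peer closed the connection
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            action = GREYLISTER.decide(parse_policy_request("\n".join(lines) + "\n"))
            self.wfile.write(f"action={action}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    # Matches "check_policy_service inet:127.0.0.1:60000" from the main.cf above.
    # If Postfix cannot reach the service it tempfails the client, so keep it supervised.
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 60000), PolicyHandler) as srv:
        srv.serve_forever()
```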
      • Stefan G. Weichinger
        Message 3 of 18 , May 31, 2006
          Marco Bertorello schrieb:

          > I'm very curious about SQLgrey (http://sqlgrey.sourceforge.net/), a
          > fork of postgrey... Someone already use this tool?

          I once also asked that question and was pointed to policyd, which is not
          only able to do greylisting but also some other very useful "tricks".

          Installation wasn't difficult and the success followed immediately.
          Have a try.

          Stefan
        • Michael Schwartzkopff
          Message 4 of 18 , May 31, 2006
            Am Mittwoch, 31. Mai 2006 18:49 schrieb Esquivel, Vicente:
            > Hello all,
            >
            > Is anyone using greylisting and how successful has it been for you? How
            > difficult was it to implement on an existing postfix mail gateway
            > server?
            >
            > Thanks all in advance!
            >
            > Vince

            Hi,

            greylisting reduces the amount of SPAM in the same order of magnitude as RBL.
            The rest (<5%) can be done with bayesian filters. Implementation is easy. Just
            read the documentation that comes together with postfix.

            One point to take care: Some big players have farms of mailservers. A mail is
            not necessarily sent out from the same IP always and thus greylisted several
            times. Watch your logfiles and do some manual whitelisting if needed.

            Michael.
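Michael's advice to watch the logs for mail-server farms can be scripted. The following is an added example (not postgrey's own tooling) that reads postgrey-style log lines, groups the "new" greylist events by the client's reverse-DNS domain, and lists domains whose hosts keep arriving from different addresses, which are the candidates for a manual whitelist entry; the sample log lines, hostnames and addresses are constructed, and the two-label domain heuristic is a simplification.

```python
"""Find mail-server farms that keep getting greylisted as "new".

Added example, not postgrey's own tooling. Reads postgrey log lines
(constructed sample below, in the key=value shape postgrey logs) and
reports client domains whose hosts rotate source IPs, so that one
whitelist entry replaces many greylist delays.
"""
import re
from collections import defaultdict

# Constructed sample: hostnames, addresses and domains are documentation/test values.
SAMPLE_LOG = """\
May 31 12:01:02 gw postgrey[1234]: action=greylist, reason=new, client_name=mx1.bigmail.test, client_address=198.51.100.10, sender=alice@bigmail.test, recipient=vince@example.org
May 31 12:06:40 gw postgrey[1234]: action=greylist, reason=new, client_name=mx7.bigmail.test, client_address=198.51.100.77, sender=alice@bigmail.test, recipient=vince@example.org
May 31 12:12:15 gw postgrey[1234]: action=greylist, reason=new, client_name=mx3.bigmail.test, client_address=203.0.113.3, sender=alice@bigmail.test, recipient=vince@example.org
May 31 12:18:09 gw postgrey[1234]: action=pass, reason=triplet found, client_name=mx1.bigmail.test, client_address=198.51.100.10, sender=alice@bigmail.test, recipient=vince@example.org
May 31 12:20:31 gw postgrey[1234]: action=greylist, reason=new, client_name=unknown, client_address=192.0.2.45, sender=bob@spam.test, recipient=vince@example.org
May 31 12:21:00 gw postgrey[1234]: action=greylist, reason=new, client_name=mail.partner.test, client_address=192.0.2.80, sender=carol@partner.test, recipient=vince@example.org
May 31 12:27:11 gw postgrey[1234]: action=pass, reason=triplet found, client_name=mail.partner.test, client_address=192.0.2.80, sender=carol@partner.test, recipient=vince@example.org
"""

# key=value pairs separated by ", "; values such as "triplet found" contain spaces
FIELD_RE = re.compile(r"(\w+)=([^,]*)")


def parse_postgrey_line(line: str):
    """Return the key=value fields of a postgrey log line, or None for other lines."""
    _, sep, rest = line.partition("postgrey[")
    if not sep:
        return None
    _, _, kv = rest.partition("]: ")
    return dict(FIELD_RE.findall(kv))


def client_domain(client_name: str):
    """Collapse mx7.bigmail.test to bigmail.test; "unknown" (no reverse DNS) gives None.
    Keeping the last two labels is a simplification (it mis-groups e.g. co.uk names)."""
    name = client_name.lower().rstrip(".")
    if name == "unknown":
        return None
    labels = name.split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])


def whitelist_candidates(log_text: str, min_hosts: int = 2):
    """Client domains greylisted as 'new' from at least min_hosts distinct addresses.

    Returns [(domain, sorted addresses, number of passes)], most hosts first.
    A farm that never passes is exactly the case worth whitelisting by hand,
    so passes are reported for context rather than required."""
    new_hosts = defaultdict(set)
    passes = defaultdict(int)
    for line in log_text.splitlines():
        fields = parse_postgrey_line(line)
        if not fields:
            continue
        domain = client_domain(fields.get("client_name", "unknown"))
        if domain is None:
            continue                         # unknown clients stay greylisted
        if fields.get("action") == "greylist" and fields.get("reason") == "new":
            new_hosts[domain].add(fields.get("client_address", "?"))
        elif fields.get("action") == "pass":
            passes[domain] += 1
    candidates = [(domain, sorted(ips), passes[domain])
                  for domain, ips in new_hosts.items() if len(ips) >= min_hosts]
    candidates.sort(key=lambda c: (-len(c[1]), c[0]))
    return candidates


if __name__ == "__main__":
    for domain, ips, passed in whitelist_candidates(SAMPLE_LOG):
        print(f"{domain}: {len(ips)} hosts greylisted as new {ips}, {passed} pass(es)")
```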
          • Brian Collins
            Message 5 of 18 , May 31, 2006
              > Is anyone using greylisting and how successful has it been for you? How
              > difficult was it to implement on an existing postfix mail gateway server?

              (failed to send this to the list first time)

              I'm using it on our company mail filter. As a matter of fact just this
              morning I switched from postgrey to sqlgrey. It was easy to set up
              postgrey, and it worked well. The switch to sqlgrey was simple and it also
              is working well. I've cut probably 80-90% of what spam I was getting. YMMV
              though.

              --Brian
            • Lance Dryden
              Message 6 of 18 , May 31, 2006
                Marco Bertorello wrote:
                >
                > No problems. I've installed postgrey and (like documentation say) I've
                > added something like this, in main.cf:
                >
                > smtpd_recipient_restrictions =
                > permit_mynetworks
                > ...
                > reject_unauth_destination
                > check_policy_service inet:127.0.0.1:60000
                >
                > All works fine out-of-the-box :-)
                >
                > I'm very curious about SQLgrey (http://sqlgrey.sourceforge.net/), a
                > fork of postgrey... Someone already use this tool?

                SQLgrey is in use on my end-station MTA (~4 accounts). It seems to do
                quite a good job for now.

                Might change when people's workstations have 128GB of memory for storing
                transmission attempts, but for now it's all I use for UCE filtering.

                Yours, &c
                Lance Dryden
              • Covington, Chris
                Message 7 of 18 , May 31, 2006
                  On Wed, May 31, 2006 at 11:49:40AM -0500, Esquivel, Vicente wrote:
                  > Hello all,
                  >
                  > Is anyone using greylisting and how successful has it been for you? How
                  > difficult was it to implement on an existing postfix mail gateway
                  > server?

                  I have been using policyd.sourceforge.net for 1 year now and it has
                  worked flawlessly throughout. It's mysql-based, and always has
                  been.

                  ---
                  Chris Covington
                  IT
                  Plus One Health Management
                  75 Maiden Lane Suite 801
                  NY, NY 10038
                  646-312-6269
                  http://www.plusoneactive.com
                • Lars Ringh
                  Message 8 of 18 , May 31, 2006
                    Esquivel, Vicente wrote:

                    > Is anyone using greylisting and how successful has it been for you? How
                    > difficult was it to implement on an existing postfix mail gateway
                    > server?

                    I've only used it (cami's policyd) for about two weeks, and I can't
                    really say I'm seeing any difference in the amount of spam reaching
                    through to our spamfilters at all.

                    I've set it up on the servers serving our private home customers but not
                    on those servicing our corporate customers, and the difference in the
                    amount of spam coming through to our spam-filter differs about as much
                    as it did before greylisting.

                    Implementing it, however, went really smooth. Not much you have to do
                    and excellent instructions easily found.

                    //maccall
                  • Esquivel, Vicente
                    Message 9 of 18 , May 31, 2006
                      > -----Original Message-----
                      > From: owner-postfix-users@...
                      > [mailto:owner-postfix-users@...] On Behalf Of Marco Bertorello
                      > Sent: Wednesday, May 31, 2006 12:04 PM
                      > To: postfix-users@...
                      > Subject: Re: Greylisting and Postfix
                      >
                      > On Wed, 31 May 2006 11:49:40 -0500
                      > "Esquivel, Vicente" <Esquivelv@...> wrote:
                      >
                      > > Hello all,
                      >
                      > Hi,
                      >
                      > > Is anyone using greylisting and how successful has it been for you?
                      >
                      > I've implemented greylisting successfully in a mailserver
                      > based on debian and postfix with postgrey tool. The quantity
                      > of spam is reduced by ~80%.
                      >
                      > > How difficult was it to implement on an existing postfix
                      > mail gateway
                      > > server?
                      >
                      > No problems. I've installed postgrey and (like documentation
                      > say) I've added something like this, in main.cf:
                      >
                      > smtpd_recipient_restrictions =
                      > permit_mynetworks
                      > ...
                      > reject_unauth_destination
                      > check_policy_service inet:127.0.0.1:60000
                      >
                      > All works fine out-of-the-box :-)
                      >
                      > I'm very curious about SQLgrey
                      > (http://sqlgrey.sourceforge.net/), a fork of postgrey...
                      > Someone already use this tool?
                      >
                      > cheers,
                      >
                      > P.S. Sorry for my horrible english :)
                      >
                      > --
                      > Marco Bertorello
                      > System Administrator
                      > http://bertorello.ns0.it/
                      >

                      Thanks all for your replies, they have helped greatly!

                      I have another question though and that is:

                      I am thinking about running it on the same server that we run our third
                      party spam filtering application (puremessage) that uses postfix.

                      Is everyone running greylist on their main postfix gateway server or is
                      everyone running greylisting on a separate individual server? What
                      would be the pros and cons?



                      Thanks
                      Vince
                    • Brian Collins
                      Message 10 of 18 , May 31, 2006
                        > I have another question though and that is:
                        >
                        > I am thinking about running it on the same server that we run our third
                        > party spam filtering application(puremessage) that uses postfix.
                        >
                        > Is everyone running greylist on their main postfix gateway server or is
                        > everyone running greylisting on a separate individual server? What
                        > would be the pros and cons?

                        I run it on my mail gateway. That same server runs antivirus & antispam
                        (via amavisd-new). Actually I run that setup on 3 separate Postfix mail
                        gateways (2 run postgrey and one runs sqlgrey). No problems.

                        --Brian
                      • Andrew Diederich
                        Message 11 of 18 , May 31, 2006
                          On 5/31/06, Brian Collins <listbc@...> wrote:
                          > I run it on my mail gateway. That same server runs antivirus & antispam
                          > (via amavisd-new). Actually I run that setup on 3 separate Postfix mail
                          > gateways (2 run postgrey and one runs sqlgrey). No problems.

                          I've run sqlgrey with a postgres 8.0 backend which works pretty well.
                          I have seen a memory leak between sqlgrey and the postgresql
                          postmaster. Restarting sqlgrey daily works for me to avoid badness
                          for the memory leak. Note: when sqlgrey is down then incoming mail
                          will be rejected.

                          --
                          Andrew Diederich
                        • Alex Satrapa
                          Message 12 of 18 , May 31, 2006
                            On 1 Jun 2006, at 04:44, Esquivel, Vicente wrote:

                            > Is everyone running greylist on their main postfix gateway server
                            > or is
                            > everyone running greylisting on a separate individual server? What
                            > would be the pros and cons?

                            The only machines that it makes sense to run greylisting on are those
                            listed as MX servers for your domain (ie: where third parties will be
                            sending mail destined for your domain). Otherwise, the greylisting
                            will only be affecting transmission inside your network.

                            I implemented greylisting for our mail service, but spam slowed down.
                            The machines sending us spam just try again later (90% of the spam I
                            get comes from Microsoft Outlook, which is a "proper" mail sender).

                            Alex
                          • Michael J Wise
                            Message 13 of 18 , May 31, 2006
                              On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:

                              > (90% of the spam I get comes from Microsoft Outlook, which is a
                              > "proper" mail sender).

                              You've been misled.
                              It may LOOK like it came from Outlook, but it didn't.
                              It came from a piece of software trying desperately to look like it is
                              Outlook.

                              Aloha mai Nai`a!
                              --
                              "Please have your Internet License http://kapu.net/~mjwise/
                              and Usenet Registration handy..."
                            • Alex Satrapa
                              Message 14 of 18 , Jun 1, 2006
                                On 1 Jun 2006, at 16:13, Michael J Wise wrote:

                                > On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:
                                >
                                >> (90% of the spam I get comes from Microsoft Outlook, which is a
                                >> "proper" mail sender).
                                >
                                > You've been misled.
                                > It may LOOK like it came from Outlook, but it didn't.
                                > It came from a piece of software trying desperately to look like it
                                > is Outlook.

                                Walks like a duck, quacks like a duck, therefore it is a duck.

                                Compare these two sets of headers:

                                > Received: from sjq ([203.160.26.197]) by localhost (8.13.4/8.13.4)
                                > with SMTP id k4V8wIth066131; Wed, 31 May 2006 01:58:18 -0700
                                > X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,
                                > 30 May 2006 18:56:51 EST
                                > Message-Id: <001701c6848f$fc5a8c18$c51aa0cb@sjq>
                                > Mime-Version: 1.0
                                > Content-Type: multipart/related; type="multipart/alternative";
                                > boundary="----=_NextPart_000_0013_01C684CA.A8B963B8"
                                > X-Priority: 3
                                > X-Msmail-Priority: Normal
                                > X-Mailer: Microsoft Outlook Express 6.00.2800.1106
                                > X-Mimeole: Produced By Microsoft MimeOLE V6.00.2800.1106

                                versus

                                > Received: from DNA05 (unknown [192.168.2.205]) by smtp.apf.edu.au
                                > (Postfix) with ESMTP id AEBBC8A80A3 for <alex@apf>; Tue, 9 May
                                > 2006 16:52:32 +1000 (EST)
                                > Message-Id: <003701c67334$e5774390$cd02a8c0@DNA05>
                                > Mime-Version: 1.0
                                > Content-Type: text/plain; charset="us-ascii"
                                > Content-Transfer-Encoding: 7bit
                                > X-Mailer: Microsoft Office Outlook 11
                                > X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.2869

                                How do I distinguish the spam from the ham? The spam is the first
                                one, the ham is the second. The machine sending the spam tried again
                                5 minutes later. From the perspective of the MTA, the spam was sent
                                by something claiming to be "Microsoft Outlook Express" and behaving
                                very much like "Microsoft Outlook Express" would be expected to
                                behave - does it really matter what software was actually responsible
                                for sending the message? That is only a philosophical discussion at
                                best.

                                But back to the original topic - as you can see, the spam still gets
                                through with greylisting, because the software sending the spam is
                                intelligent enough to respond appropriately to my server faking a
                                temporary failure.

                                When I raise the greylist delay to half an hour (enough time for the
                                ISP to start getting complaints of spam originating from their
                                clients, and shut the client out), I start receiving complaints from
                                people whose mail servers send them messages saying, "I couldn't
                                deliver this message after half an hour, I'm still trying though."

                                Alex
                              • Michael J Wise
                                Message 15 of 18 , Jun 1, 2006
                                  On May 31, 2006, at 9:19 PM, Alex Satrapa wrote:
                                  > On 1 Jun 2006, at 16:13, Michael J Wise wrote:
                                  >> On May 31, 2006, at 5:39 PM, Alex Satrapa wrote:
                                  >>
                                  >>> (90% of the spam I get comes from Microsoft Outlook, which is a
                                  >>> "proper" mail sender).
                                  >>
                                  >> You've been misled.
                                  >> It may LOOK like it came from Outlook, but it didn't.
                                  >> It came from a piece of software trying desperately to look like it
                                  >> is Outlook.
                                  >
                                  > Walks like a duck, quacks like a duck, therefore it is a duck.
                                  >
                                  > Compare these two sets of headers:

                                  You are completely missing the point.
                                  It isn't a case of "Looks Like", it's a case of what is on the other
                                  end of the wire.

                                  >> Received: from sjq ([203.160.26.197])

                                  External address.
                                  No reverse DNS.
                                  Currently no DNSBLs of any consequence.

                                  >> X-Greylist: delayed 302 seconds by postgrey-1.21 at franklin; Tue,
                                  >> 30 May 2006 18:56:51 EST

                                  You might want to greylist it for a bit longer....
                                  Bottom line is, mail servers and local addresses shouldn't be
                                  greylisted.
                                  But *unknown* connects should be for quite some time.
                                  302 seconds doesn't cut it.
                                  86400 seconds might.
                                  This is, of course, only MHO.

                                  > versus
                                  >
                                  >> Received: from DNA05 (unknown [192.168.2.205])

                                  Local address.

                                  > How do I distinguish the spam from the ham?

                                  That's your problem, Sir.
                                  And this isn't the list for it.

                                  > does it really matter what software was actually responsible for
                                  > sending the message?

                                  Yes.

                                  > That is only a philosophical discussion at best.

                                  Oh no, it's quite practical.
                                  You see... sometimes, they make misteaks.
                                  And those misteaks become a sign.

                                  Aloha mai Nai`a!
                                  --
                                  "Please have your Internet License http://kapu.net/~mjwise/
                                  and Usenet Registration handy..."
                                • Alex Satrapa
                                  Message 16 of 18 , Jun 1, 2006
                                    On 1 Jun 2006, at 17:19, Alex Satrapa wrote:

                                    > When I raise the greylist delay to half an hour (enough time for
                                    > the ISP to start getting complaints of spam originating from their
                                    > clients, and shut the client out), I start receiving complaints
                                    > from people whose mail servers send them messages saying, "I
                                    > couldn't deliver this message after half an hour, I'm still trying
                                    > though."

                                    And here's why greylisting doesn't work:

                                    > Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
                                    > (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No
                                    > client certificate requested) by smtp.apf.edu.au (Postfix) with
                                    > ESMTP id 88F6D8A80A3 for <alex.satrapa@...>; Thu, 1 Jun
                                    > 2006 19:54:31 +1000 (EST)
                                    > Received: from optkmv.ru (localhost [127.0.0.1] (may be forged))
                                    > by optkmv.ru (8.13.5/8.13.5) with ESMTP id k517X9rF003136 for
                                    > <alex.satrapa@...>; Thu, 1 Jun 2006 11:33:09 +0400
                                    > Received: (from diana@localhost) by optkmv.ru (8.13.5/8.13.5/
                                    > Submit) id k517X7sY003130; Thu, 1 Jun 2006 11:33:07 +0400
                                    > X-Sieve: CMU Sieve 2.2
                                    > X-Greylist: delayed 8422 seconds by postgrey-1.21 at franklin;
                                    > Thu, 01 Jun 2006 19:54:32 EST
                                    > Message-Id: <200606010733.k517X7sY003130@...>
                                    > Content-Type: text/html

                                    This was from a phishing attempt (trying to get me to enter my paypal
                                    account details into their website).

                                    Note that they reconnected after a couple of hours, and used TLS
                                    encryption. Their hostname is valid, and doing a resolution on the
                                    name derived from a reverse lookup on the IP address results in the
                                    IP address.

                                    Is there anything else here that could have indicated to my mail
                                    server that this was not legitimate mail?
                                  • Michael J Wise
                                    Message 17 of 18 , Jun 1, 2006
                                      On Jun 1, 2006, at 3:01 PM, Alex Satrapa wrote:

                                      > And here's why greylisting doesn't work:
                                      >
                                      >> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])

                                      % query-dnsbl 217.13.208.17
                                      SPAMCOP opttorg.cust.kmv.ru

                                      Greylisting should never be one's only line of defense.
                                      Greylisting buys one time for a given IP address to make a fool of
                                      itself elsewhere before it gets to dump crap into your system.
                                      Or at least, that is my understanding of its purpose.

                                      > Note that they reconnected after a couple of hours, ...

                                      Not surprised at all.
                                      It's almost certainly a compromised machine ... in Mother Russia!
                                      Listening on port 22, btw.
                                      Probably user 'diana' had a trivial password ('password' or 'diana',
                                      for example), and ... poof, in they went.

                                      > Is there anything else here that could have indicated to my mail
                                      > server that this was not legitimate mail?

                                      Um, how about the fact that the server was in Russia?

                                      :)

                                      Aloha mai Nai`a!
                                      --
                                      "Please have your Internet License http://kapu.net/~mjwise/
                                      and Usenet Registration handy..."
                                    • mouss
                                      Message 18 of 18 , Jun 4, 2006
                                        Michael J Wise wrote:
                                        > On Jun 1, 2006, at 3:01 PM, Alex Satrapa wrote:
                                        >
                                        >> And here's why greylisting doesn't work:
                                        >>
                                        >>> Received: from optkmv.ru (opttorg.cust.kmv.ru [217.13.208.17])
                                        >
                                        > % query-dnsbl 217.13.208.17
                                        > SPAMCOP opttorg.cust.kmv.ru
                                        so what? spamcop isn't designed for smtp level rejection. it should only
                                        be used in a score based system.
                                        >
                                        > Greylisting should never be one's only line of defense.
                                        > Greylisting buys one time for a given IP address to make a fool of
                                        > itself elsewhere before it gets to dump crap into your system.
                                        > Or at least, that is my understanding of its purpose.
                                        >
                                        >> Note that they reconnected after a couple of hours, ...
                                        >
                                        > Not surprised at all.
                                        > It's almost certainly a compromised machine ... in Mother Russia!
                                        > Listening on port 22, btw.
                                        > Probably user 'diana' had a trivial password ('password' or 'diana',
                                        > for example), and ... poof, in they went.
                                        >
                                        >> Is there anything else here that could have indicated to my mail
                                        >> server that this was not legitimate mail?
                                        use a spam filter. There are many to choose from. if you don't like
                                        choosing, try spamassassin...
                                        >
                                        > Um, how about the fact that the server was in Russia?
                                        There may be more spam servers in the US than in Russia. Again, you can
                                        use such arguments in a score based filter, not in
                                        smtpd_recipient_restrictions...