Community Discussions and Support
Greywall

[quote user="PaulW"]

[quote user="Thomas R. Stephenson"] I'm not saying that Graywall does not affect the level of spam received via SMTP, it does.  However it's getting less effective based on my data.[/quote]

How effective it is surely must be to do with how the spam is being sent.  For me greylisting is still very useful against botnets of compromised user machines, but it has never been much good at stopping open relays or compromised servers.  I get quite a bit of that type and since they *are* proper servers, they will retry and get around any greylisting software.  For that sort of spam, you have to trust in DNSBL or other methods.

[/quote]

Looking at the connecting IP addresses of the sending systems, it is apparent to me that many of these are coming from a botnet machine.  Based on the IP address I would probably be able to block many of these if I were to use a blacklist listing the randomly assigned IP addresses, but that would block many SMTP servers sending good mail as well.

Like I say, it has reduced my level of spam coming in directly, but there are more and more spam systems that retry as required by the RFC.  Also it appears that the spammers are sending their spam through the infected systems' SMTP host as well, and these systems always retry.

This is all pretty academic anyway, 99.8% of the spam never gets to the user mailboxes anyway since it's blocked by POPFileD. 

 

 

 


 


Hi!

We are considering using Greywall to reduce our spam volume.

What are your experiences with Greywall? How many false positives and false negatives?

 

Regards

Jyrki Aarni

Oulu, Finland
 


[quote user="J_Aarni"]

Hi!

We are considering using Greywall to reduce our spam volume.

What are your experiences with Greywall? How many false positives and false negatives?

 

Regards

Jyrki Aarni

Oulu, Finland

[/quote]

 

First of all, if you have an MX host that is not under control, then it may not help all that much, since the spammers are not using the higher number MX host to send their spam.  You must always whitelist your MX host, so graylisting does not help here at all.  I set the lowest and highest to the actual Mercury/32 host running Graywall to catch the ones using the highest MX host.

If you are running without an MX host it can be quite effective at blocking spam, but a number of spammers are now retrying within the limits you set, so this may become less effective over time.

There are a number of broken SMTP systems out there that will not retry when they get a series 400 temporary error; these will cause you to lose good mail unless whitelisted.

The level of false positives and false negatives will be pretty much unique to your system.  If you know the IP addresses of the broken SMTP hosts sending you mail, the false positives are going to be very small.


That said, I am running Graywall on my system  and I have found it does limit a number of the spams.  I'm still getting about 60% of my spam via the MX host and 40% via direct connection where the spammers are retrying.
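Added example, not part of any post in this thread and not Greywall's own code: a generic greylisting decision on the (client IP, sender, recipient) triplet, showing the cases discussed above (a sender that never retries, a server that retries, a whitelisted MX host, and a broken sender that gives up after a 4xx reply). The delay and window values, addresses and names are assumptions made for illustration.

```python
import ipaddress

MIN_DELAY = 300        # assumed: seconds a new triplet must wait before a retry counts
MAX_WINDOW = 4 * 3600  # assumed: a retry later than this is treated as a first attempt


class Greylist:
    def __init__(self, whitelist=()):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.first_seen = {}  # triplet -> time of first deferred attempt
        self.passed = set()   # triplets that retried inside the window

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code: 250 = accept, 451 = temporary failure."""
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.whitelist):
            return 250  # own MX host or known non-retrying sender: never deferred
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        if triplet in self.passed:
            return 250
        first = self.first_seen.get(triplet)
        if first is None or now - first > MAX_WINDOW:
            self.first_seen[triplet] = now  # first sight or stale record: defer
            return 451
        if now - first < MIN_DELAY:
            return 451  # retried too quickly: keep deferring
        self.passed.add(triplet)
        return 250


def simulate():
    """Constructed sample traffic (documentation address ranges)."""
    gl = Greylist(whitelist=["192.0.2.10/32"])  # assumed address of the MX host
    rcpt = "user@example.org"
    return {
        # one attempt, never retries: the message is never delivered
        "no_retry": [gl.check("198.51.100.7", "a@spam.example", rcpt, 0)],
        # real server (legitimate or compromised) retrying after 15 minutes
        "retrying": [gl.check("203.0.113.5", "b@example.net", rcpt, t)
                     for t in (0, 900)],
        # mail relayed by the whitelisted MX host bypasses greylisting
        "via_mx": [gl.check("192.0.2.10", "c@spam.example", rcpt, 0)],
        # broken sender that gives up after 451: good mail lost unless whitelisted
        "broken": [gl.check("203.0.113.9", "d@example.com", rcpt, 0)],
    }
```
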

 


 

Thank you for your answer.

I think we'll try Greywall.

 

Jyrki 


Many people said: "spammers are adapting...", but look at the facts: the graylist concept has been known since 2001. (At least I have known it since 2001.) I know of many discussions from when the concept started. A lot of people (including me!) said: "This cannot work, because spammers can adapt quickly!"

I started testing Graywall at the end of 2006. I had a spam level of 85% before. With Graywall I reduced my spam level to 18%! I have not seen a higher spam level on my system in later months.

Is it curious? Spammers have had at least 6 years to adapt, but many of them have not done it yet! Why will spammers start adapting to the graylist concept now? Just because one minor server has graylisting too? (On a global scale, Mercury is a minor server...)



[quote user="geby"]

Many people said: "spammers are adapting...", but look at the facts: the graylist concept has been known since 2001. (At least I have known it since 2001.) I know of many discussions from when the concept started. A lot of people (including me!) said: "This cannot work, because spammers can adapt quickly!"

I started testing Graywall at the end of 2006. I had a spam level of 85% before. With Graywall I reduced my spam level to 18%! I have not seen a higher spam level on my system in later months.

Is it curious? Spammers have had at least 6 years to adapt, but many of them have not done it yet! Why will spammers start adapting to the graylist concept now? Just because one minor server has graylisting too? (On a global scale, Mercury is a minor server...)

[/quote]

I'm looking at the results every day.  Spam is color coded to show how it comes into my system.  SMTP mail can be received either directly or via my MX host.  When I first started using Graywall almost 100% of the spam I was getting was coming in via the MX host.  Now more and more of it is coming in directly and not via the MX host.  These are spammers that are sending directly, passing through Graywall, and being caught by either SpamHalter or POPFile.  Analysis of the headers shows that these are coming from a spammer that retries when they get a 400 series message.

 I'm not saying that Graywall does not affect the level of spam received via SMTP, it does.  However it's getting less effective based on my data.

 


[quote user="Thomas R. Stephenson"] I'm not saying that Graywall does not affect the level of spam received via SMTP, it does.  However it's getting less effective based on my data.[/quote]

How effective it is surely must be to do with how the spam is being sent.  For me greylisting is still very useful against botnets of compromised user machines, but it has never been much good at stopping open relays or compromised servers.  I get quite a bit of that type and since they *are* proper servers, they will retry and get around any greylisting software.  For that sort of spam, you have to trust in DNSBL or other methods.
