At the NFG mail servers, we block about 10 spam messages
for every valid email our customers receive. Even so,
customers keep asking for more aggressive spam filters.
Spam filtering requires a lot of system resources.
Content filtering involves opening each message and matching its
full contents against a database of spam patterns.
This involves a lot of disk read/write actions and heavy number crunching.
In the graph above, our mail server was flooded with
more spam than it could adequately handle.
Of course, we could allocate more system resources
or try and tune the server some more.
However, the solution turned out to be much simpler: greylisting.
how greylisting works
A mail server that uses greylisting behaves like a grumpy old man.
If you visit him for the first time, he says:
"I don't know you. Why don't you go away and maybe return later?"
Then he shuts the door.
If you return later, he turns out to be quite a nice guy though.
A greylisting mail server that gets offered a new email initially refuses to accept it.
Decent sending mail servers that implement the SMTP protocol correctly
will return after a short time and try to deliver their message again.
The message is accepted on the second delivery attempt
and only then subjected to the full filtering procedure.
If this sounds like a very simple solution that spammers could easily
work around: it is. They would only have to be a little more persistent
and retry sending the same message.
Yet they don't. This simple measure is hugely effective.
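The first-contact/retry behaviour described above, written out as an added example in the style of a Postfix policy daemon. This is not NFG's postfix-policyd code: the triplet key, the 5-minute retry window, the 4-hour expiry for senders that never come back and the /24 grouping of client addresses are assumptions; the action strings and request attribute names are the ones Postfix's policy delegation protocol uses.

```python
# Added example (not NFG's postfix-policyd): a minimal greylisting decision in
# the Postfix policy-delegation style. The retry window, the TTL and the /24
# normalisation are assumptions; the action strings are Postfix's own.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MIN_RETRY = 300          # seconds a sender must wait before a retry is accepted
TRIPLET_TTL = 4 * 3600   # first contacts that never retry are forgotten after this
DEFER = "DEFER_IF_PERMIT Greylisted, please try again later"

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time first offered
    known: set = field(default_factory=set)         # triplets that retried properly

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Group the client by /24 (IPv6: /64) so a retry from a neighbouring host
        # in the same sending farm still counts as the same triplet.
        ip = ip_address(client_ip)
        net = ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def decide(self, client_ip, sender, recipient, now):
        key = self.triplet(client_ip, sender, recipient)
        if key in self.known:
            return "DUNNO"                      # known pair: hand over to the full filter
        seen = self.first_seen.get(key)
        if seen is None or now - seen > TRIPLET_TTL:
            self.first_seen[key] = now          # first contact: send it away
            return DEFER
        if now - seen < MIN_RETRY:
            return DEFER                        # retried too eagerly, still not trusted
        self.known.add(key)                     # a real MTA queued and came back
        self.first_seen.pop(key)
        return "DUNNO"

def handle_request(greylist, request, now):
    """Parse one smtpd_access_policy request (name=value lines, blank line
    terminated) and return the action line Postfix expects."""
    attrs = {}
    for line in request.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    action = greylist.decide(attrs["client_address"], attrs["sender"],
                             attrs["recipient"], now)
    return f"action={action}\n\n"
```

A sender that never retries only ever costs the server a dictionary entry that expires after TRIPLET_TTL; only a triplet that comes back after MIN_RETRY reaches the full content filter.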
In this graph, you can see how we activated our greylisting postfix-policyd at around 14:00 hours.
The red area shows the number of messages
recognized as spam by our full pattern filter. The yellow area shows
the number of messages immediately rejected without entering our server.
Introducing greylisting cuts down our filter volume by a factor of four.
Spammers easily give up and our mail systems aren't overloaded anymore.