Monday, August 16, 2004

Effectiveness of greylisting and SPF.

Last week I implemented SPF checking and greylisting on my inbound SMTP connections, and I've seen a huge effect on my incoming spam.

The greylisting daemon looks at the connecting IP address and the envelope sender and recipient. For each unique combination of those three values, it blocks the email for five minutes with a temporary rejection. A normal mail server keeps retrying until the delay has passed, and the email is delivered. Spammers usually just move on to the next target.
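The triplet logic described above, written out as an added example (this is not the daemon the post refers to). The five-minute delay comes from the post; the 36-hour retention window, the dataclass layout, the lower-casing of addresses and all IP addresses and timestamps in the scenario are constructed assumptions. Timestamps are passed in rather than read from the clock so the behaviour can be replayed deterministically.

```python
"""Minimal greylisting policy: the triplet (client IP, envelope sender,
envelope recipient) is temp-failed the first time it is seen and for the
next five minutes; a retry after the delay is accepted.  No network, no
clock: the caller supplies 'now' as a Unix timestamp."""

from dataclasses import dataclass, field

GREYLIST_DELAY = 5 * 60    # seconds a new triplet must wait (value from the post)
RETENTION = 36 * 3600      # assumption: forget triplets not seen again within 36h


@dataclass
class Greylist:
    # triplet -> timestamp of its first delivery attempt
    first_seen: dict = field(default_factory=dict)

    def check(self, client_ip, sender, recipient, now):
        """Verdict for one delivery attempt.
        'DEFER'  = temporary rejection (the 4xx reply a real MTA retries on)
        'ACCEPT' = the triplet has waited long enough, let it through"""
        # Addresses are lower-cased so case variations don't restart the timer
        # (a common greylister choice, not something the post specifies).
        triplet = (client_ip, sender.lower(), recipient.lower())
        self._expire(now)
        seen = self.first_seen.get(triplet)
        if seen is None:
            self.first_seen[triplet] = now
            return "DEFER"
        if now - seen < GREYLIST_DELAY:
            return "DEFER"
        return "ACCEPT"

    def _expire(self, now):
        """Drop triplets whose first attempt is older than the retention
        window, so a one-shot sender does not leave state behind forever."""
        stale = [t for t, ts in self.first_seen.items() if now - ts > RETENTION]
        for t in stale:
            del self.first_seen[t]


def simulate():
    """Constructed scenario: a legitimate MTA retries ten minutes later and
    gets through; a spam engine sends once, is deferred, and never returns.
    Returns the verdict sequences for both senders."""
    gl = Greylist()
    t0 = 1_092_650_000   # constructed epoch timestamp (mid-August 2004)
    legit = [
        gl.check("192.0.2.10", "alice@example.com", "me@example.net", t0),
        gl.check("192.0.2.10", "alice@example.com", "me@example.net", t0 + 600),
    ]
    spam = [gl.check("203.0.113.7", "x@example.org", "me@example.net", t0)]
    return legit, spam


if __name__ == "__main__":
    print(simulate())   # (['DEFER', 'ACCEPT'], ['DEFER'])
```

The important property is that the verdict depends only on elapsed time since the triplet's first attempt, so the cost of getting through is a correctly implemented retry queue, which legitimate MTAs already have and bulk senders usually lack.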

SPF is a way to check for email address forgery. When an email claims to be from a domain that supports SPF, I can tell whether it's legitimate.
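The check described above, as an added example that is not code from the post: given the connecting IP and the domain in the envelope sender, look up the domain's published SPF policy and decide whether that IP is permitted to send for it. To run offline, the DNS TXT lookup is replaced by an inline table of constructed records, and only the `ip4`, `ip6` and `all` mechanisms are evaluated; a real checker also resolves `a`, `mx`, `include`, `exists` and `redirect`, all of which need DNS. Domain names, addresses and the `smtp_action` policy mapping are constructed assumptions.

```python
"""Toy SPF evaluator: walks the mechanisms of a 'v=spf1' record left to
right and returns the result of the first one the client IP matches.
Records are supplied inline in place of DNS TXT lookups."""

import ipaddress

# Constructed records standing in for the TXT records of the sender domains.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.5 ~all",
    "nospf.example": None,     # domain publishes no SPF record at all
}

# Mechanism qualifier -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, sender_domain, records=SPF_RECORDS):
    """Return one of pass / fail / softfail / neutral / none / permerror."""
    record = records.get(sender_domain)
    if not record or not record.startswith("v=spf1"):
        return "none"           # no policy published: nothing can be concluded
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"         # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, redirect need DNS: not implemented in this toy.
        return "permerror"
    return "neutral"            # record exhausted without a match: default result


def smtp_action(result):
    """Assumed receiving policy: only a hard 'fail' is rejected at SMTP time;
    softfail and neutral are left for the content filters downstream."""
    return "REJECT" if result == "fail" else "ACCEPT"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("203.0.113.7", "example.com"),
                    ("203.0.113.7", "example.org"), ("203.0.113.7", "nospf.example")]:
        r = check_spf(ip, dom)
        print(f"{ip:>14} claiming {dom:<14} -> {r:<8} {smtp_action(r)}")
```

Note what the check does and does not establish: a `fail` means the domain owner says this IP never sends for them, which is strong evidence of forgery; a `pass` only means the IP is authorised by that domain, not that the domain itself is reputable, and `none` says nothing either way.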

My old content filtering mechanisms are still in place, but with a lot less work to do. My last line of defense is TMDA, which places the emails it blocks into a pending queue. I looked at how many messages it held each day in the last two weeks, and this is what I found:
Aug  2:  919
Aug  3:  609
Aug  4: 1718
Aug  5: 1025
Aug  6: 1194
Aug  7: 1274
Aug  8:  600
Aug  9:  733
Aug 10:  721
Aug 11:  957
Aug 12:  393
Aug 13:  115
Aug 14:   76
Aug 15:   67
August 11 and 12 are the days I was making the changes. The sharp drop on August 8 is because I wrote something to drop duplicate messages.

None of this does anything to stop backscatter, but that has died down to only about 500 per day, and they're easy to detect anyway. Perhaps enough other sites are moving to SPF now that either spammers have decided to stop using my (SPF-enabled) domain on their emails, or a lot more of their spam is getting blocked by the SPF-aware recipients. Either way, I'm glad for the low tide.
