** Noel noeldude@gmail.com [2014-03-07 17:23]:
On 3/7/2014 10:21 AM, Alan Chandler wrote:
One question I would be very interested in - and can't find much about - is how long do you greylist these people for?
Basically I only greylist people who fail the spf checks at the moment (that is specifically those who explicitly fail the spf check and those that have an spf record with a +all at the end).
I greylist a softfail for 4 hours and a hard fail or open for 12, but I plucked these figures out of the air.
Alan
A delay of 5..15 minutes is sufficient, a delay of hours unnecessarily delays legit mail without increasing the effectiveness. The vast majority of bots either don't retry, or retry once immediately.
It seems to me that greylisting based on spf would not be very effective since it appears many bot herders intentionally use domains without spf records.
Remember the purpose of greylisting is to reject bots, not delay "real" mail servers -- even if you don't want their mail.
** end quote [Noel]
That sounds about right. I'm blocking unknown hosts for 10 minutes before whitelisting them for 8 hours. If they don't retry within that time they are dropped from the whitelist, but if they do that whitelist is extended to 60 days. At least that's the way I'm reading the config. It's a pretty standard greylistd config combined with exim and dovecot. It's running on an Atom 330 based server, although that is protected to some extent via a similar setup on a lightweight VPS that routes mail in via the hubbed hosts config. I'm actually thinking of clustering the two boxes instead which may work better if my internet connection goes down (which it did for about a week thanks to BT line problems last year). Next is to improve my backup process which is untidy.
-- Paul Tansom | Aptanet Ltd. | http://www.aptanet.com/ | 023 9238 0001
Registered in England | Company No: 4905028 | Registered Office: Ralls House, Parklands Business Park, Forrest Road, Denmead, Waterlooville, Hants, PO7 6XP
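
The timings described in the message above (10 minute delay, 8 hour retry window, 60 day whitelist), modelled as a small state machine and replayed against constructed traffic. This is an added example, not part of any poster's message and not greylistd's own code; the names, the triplet key and the renew-on-each-pass behaviour are assumptions.

```python
from dataclasses import dataclass

# Timings from the message above (seconds).
RETRY_MIN = 10 * 60             # unknown senders are deferred for 10 minutes
RETRY_MAX = 8 * 60 * 60         # a retry must arrive within 8 hours
EXPIRE = 60 * 24 * 60 * 60      # a sender that retried is kept for 60 days

@dataclass
class Entry:
    first_seen: int
    passed: bool = False
    last_pass: int = 0

class Greylist:
    """Assumption: entries are keyed on (client IP, envelope sender, recipient)."""

    def __init__(self):
        self.entries = {}

    def check(self, triplet, now):
        """Return 'defer' or 'accept' for a delivery attempt at time `now`."""
        e = self.entries.get(triplet)
        if e is not None:
            stale_pending = not e.passed and now - e.first_seen > RETRY_MAX
            stale_passed = e.passed and now - e.last_pass > EXPIRE
            if stale_pending or stale_passed:
                e = None                      # dropped: treat as unknown again
        if e is None:
            self.entries[triplet] = Entry(first_seen=now)
            return "defer"
        if not e.passed and now - e.first_seen < RETRY_MIN:
            return "defer"                    # retried too soon
        e.passed, e.last_pass = True, now     # assumption: each pass renews the 60 days
        return "accept"

def replay(attempts):
    """Run (time, triplet) attempts through a fresh greylist, in order."""
    gl = Greylist()
    return [gl.check(triplet, now) for now, triplet in attempts]

# Constructed sample traffic (documentation addresses, not real hosts).
BOT = ("203.0.113.7", "a@example.net", "user@example.org")
MTA = ("198.51.100.9", "b@example.com", "user@example.org")

if __name__ == "__main__":
    print(replay([(0, BOT), (5, BOT)]))              # immediate retry
    print(replay([(0, MTA), (900, MTA)]))            # retry after 15 minutes
    print(replay([(0, MTA), (9 * 3600, MTA)]))       # retry after the 8-hour window
```

A sender whose first retry comes after the 8 hour window is treated as unknown again, so its mail is delayed by a further retry cycle.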