greylist experimentation results
Here at work, we are averaging 66% spam, which means that most of our users get twice as much spam as regular mail. I know some users who even gave up on email because they were getting 90% spam. We use SpamAssassin and CRM114, so we tag every detected mail (we aren't allowed to delete mails, even if SpamAssassin scores one at 1000, for security reasons). Still, users like to complain that they get too much spam.
Anyway, we decided it was time to test greylisting to try to reduce the amount of pollution in users' mailboxes.
So, what is "greylisting"? According to Wikipedia:
Greylisting (sometimes spelled graylisting) is a method of defending electronic mail users against e-mail spam. A mail transfer agent which uses greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again to send it later, at which time the destination will accept it. If the mail is from a spammer, it will probably not be retried, and spam sources which re-transmit later are more likely to be listed in DNSBLs and distributed signature systems such as Vipul's Razor.
In fact, it's simple: we answer the remote server with a temporary failure (a 4xx SMTP reply) that tells it we're having trouble and that it should resend the mail in a few minutes. A real MTA queues the message and retries; bulk-mailing software used by spammers generally won't bother. If the mail is resent, we trust the remote SMTP server for 30 days and accept every mail coming from it. If the mail is resent less than 5 minutes after the first attempt, we refuse it a second time, and after 3 re-emissions in less than 15 minutes we blacklist the server for 15 minutes. Two consequences to keep in mind: the first mail from any server we have never seen is always delayed, and once a server is trusted for 30 days, everything it sends in that window is accepted without delay, so greylisting supplements the content filters (SpamAssassin, CRM114) rather than replacing them.
It was fairly easy to set up on our system (we use 5 MXs, which hand each incoming mail to a cluster of greylist servers that tell them whether to delay or accept it). The difficulty came from our decision to let users choose whether they want greylisting or not. I'll write another article later to explain how to set up opt-in with Postfix & LDAP.
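To make the rules above concrete, here is an added example (not the author's code, and not the greylist software the post's cluster runs) that implements them as a small Postfix SMTPD policy service, the mechanism Postfix uses to ask an external daemon whether to accept or defer a mail. The thresholds (5 minutes, 3 retries, 15-minute blacklist, 30-day whitelist) are the ones given in the post; keying the state on the client IP alone, forgetting never-retried first attempts after 24 hours, answering "blacklisted" with a temporary rather than a permanent rejection, the port 10023 and the addresses 192.0.2.10 / 203.0.113.x are assumptions made for the example.

```python
# Added example, not the author's code: the greylist decision rules described in the post,
# wrapped as a Postfix SMTPD policy service (request/response format per the Postfix
# SMTPD_POLICY_README). Thresholds come from the post; keying on the client IP only, the
# 24 h pending-entry lifetime, and answering "blacklisted" with a temporary rejection
# rather than a permanent one are assumptions made here.
import socketserver
import time

MIN_RETRY_DELAY = 5 * 60         # a retry sooner than this after the first attempt is refused again
BLACKLIST_RETRIES = 3            # refused retries before the client is blacklisted ...
BLACKLIST_TTL = 15 * 60          # ... for this long
WHITELIST_TTL = 30 * 24 * 3600   # a client that retried properly is trusted for 30 days
PENDING_TTL = 24 * 3600          # forget first attempts that were never retried (assumption)


class Greylist:
    def __init__(self, trusted=()):
        self.trusted = frozenset(trusted)  # our own MXs and relays we trust: never delayed
        self.whitelist = {}                # client ip -> expiry (epoch seconds)
        self.blacklist = {}                # client ip -> expiry
        self.pending = {}                  # client ip -> [first_seen, refused_retries]

    def decide(self, client, now=None):
        """Return (action, reason); action is 'accept' or 'defer'."""
        now = time.time() if now is None else now
        if client in self.trusted:
            return "accept", "whitelisted"
        if self.blacklist.get(client, 0) > now:
            return "defer", "blacklisted"
        if self.whitelist.get(client, 0) > now:
            return "accept", "known"
        entry = self.pending.get(client)
        if entry is None or now - entry[0] > PENDING_TTL:
            self.pending[client] = [now, 0]      # first contact: ask the sender to come back later
            return "defer", "greylisted"
        first_seen, refused = entry
        if now - first_seen < MIN_RETRY_DELAY:
            # Too eager. Refused retries can only happen inside the first 5 minutes, so
            # "3 re-emissions in less than 15 minutes" reduces to counting them.
            entry[1] = refused + 1
            if entry[1] >= BLACKLIST_RETRIES:
                del self.pending[client]
                self.blacklist[client] = now + BLACKLIST_TTL
                return "defer", "blacklisted"
            return "defer", "retry-too-early"
        # Retried after the required delay: deliver, and trust this client for 30 days.
        del self.pending[client]
        self.whitelist[client] = now + WHITELIST_TTL
        return "accept", "delayed-once"


def parse_policy_request(text):
    """Parse one Postfix policy request: "name=value" lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(greylist, request_text, now=None):
    """Map a policy request to the 'action=' value Postfix expects back."""
    attrs = parse_policy_request(request_text)
    action, reason = greylist.decide(attrs.get("client_address", ""), now)
    if action == "accept":
        return "DUNNO"   # not OK: let the remaining restrictions and the content filters still run
    return "DEFER_IF_PERMIT Greylisted, please try again later (%s)" % reason


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests on it, each ending in a blank line."""
    greylist = Greylist(trusted={"192.0.2.10"})   # constructed example address for our own MX

    def handle(self):
        while True:
            lines = []
            for raw in self.rfile:
                line = raw.decode("ascii", "replace").rstrip("\r\n")
                if not line:
                    break
                lines.append(line)
            if not lines:
                return                           # peer closed the connection
            action = policy_action(self.greylist, "\n".join(lines) + "\n")
            self.wfile.write(("action=%s\n\n" % action).encode("ascii"))
            self.wfile.flush()


if __name__ == "__main__":
    # Postfix side (main.cf): add "check_policy_service inet:127.0.0.1:10023" to
    # smtpd_recipient_restrictions; single-threaded so the dicts need no locking.
    socketserver.TCPServer(("127.0.0.1", 10023), PolicyHandler).serve_forever()
```

Two design points worth noting. Accepted mail is answered with DUNNO rather than OK so that the rest of the restriction list, and SpamAssassin behind it, still get to see it: the 30-day whitelist only says "this server retries properly", not "this server sends no spam". And the state lives in process memory here; the post's setup shares it across a cluster of greylist servers, which is what lets five MXs agree on whether a given client has already been seen.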
We now have 372 users testing greylisting for us, and here are the results after 50 days:
- 1,207,925 mails were subject to greylisting
- 844,409 were actually delayed
- 323,879 were actually delivered to the final recipient
- 742,266 were possible spam and weren't delivered
Of the 323,879 delivered mails:
- 64.37% were accepted because the sending SMTP server was whitelisted (our own servers, and some others we trust)
- 17.39% were accepted because mails from the remote SMTP server had already been accepted before, so we trusted it
- 10.58% were accepted after being delayed once
That looks like outstanding performance to me: 90% of the mails that were delayed never came back! We even got thankful mails from the very users who were complaining before!