On Nov 15, 2006, at 1:47 PM, Eric Merkel wrote:

My greylisting system has been running fine for about a month but
recently I've run into a problem with greylisting. I had someone tell
me that an email they sent to me bounced. Looking at the log file
(shown below) it appears that their email server retried three times
every half hour so I am not sure why they were not whitelisted.

I am running spamd with the following options spamd_flags="-v -G 5:4:864".

I think you're being very generous here, using 5 minutes for passtime. RFCs stipulate 30 minutes between retries. Anything less than 30 minutes between different Internet hosts is not being net friendly or honoring the RFCs. I use the default (25 minutes) and things work very nicely. Of course YMMV.


The only thing that looked a little suspicious is I think I may be
hitting the upper end of the pf table size. Is it possible just no
more IPs can be added to spamd-white?

#  pfctl -t spamd-white -T show | wc -l
 499785
# pfctl -t spamd -T show | wc -l
     18
# pfctl -t spamd-mywhite -T show | wc -l
    175


Maybe I'm being naive, but 499785 in spamd-white seems very large to me; perhaps this is related to my comments above. I've watched spammers come back in > 5 but < 30.


I have "set limit table-entries 500000" so do I just need to increase
the table-entries even higher? What is the highest value this can be
set to?

Search the pf list, there are some threads on there about it.


-Chad


# zcat daemon.*.gz | grep 66.192.70.179
Nov 14 17:33:02 mx-fw1 spamd[14875]: 66.192.70.179: connected (755/1)
Nov 14 17:33:09 mx-fw1 spamd[14875]: (GREY) 66.192.70.179: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Nov 14 17:33:13 mx-fw1 spamd[14875]: 66.192.70.179: disconnected after 11 seconds.
Nov 14 16:02:49 mx-fw1 spamd[14875]: 66.192.70.179: connected (749/3)
Nov 14 16:03:00 mx-fw1 spamd[14875]: (GREY) 66.192.70.179: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Nov 14 16:03:00 mx-fw1 spamd[14875]: 66.192.70.179: disconnected after 11 seconds.
Nov 14 15:35:31 mx-fw1 spamd[14875]: 66.192.70.179: connected (483/0)
Nov 14 15:35:43 mx-fw1 spamd[14875]: (GREY) 66.192.70.179: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>
Nov 14 15:35:43 mx-fw1 spamd[14875]: 66.192.70.179: disconnected after 12 seconds.
Nov 14 15:35:31 mx-fw1 spamd[14875]: 66.192.70.179: connected (483/0)
Nov 14 15:35:43 mx-fw1 spamd[14875]: (GREY) 66.192.70.179: <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>


Any thoughts?

-Eric
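
An added example, not part of the original messages and not spamd's own code: a Python check that reads spamd `(GREY)` log lines and reports which retries fall inside the window set by `-G passtime:greyexp:whiteexp` (minutes:hours:hours per spamd(8)). It is a simplified model that groups attempts by the fields the log line shows; the log lines are constructed with placeholder addresses and wrapped lines joined, the year is assumed, and all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the spamd log above, with wrapped
# lines joined and placeholder addresses (192.0.2.10, example.org/.net).
SAMPLE_LOG = """\
Nov 14 17:33:09 mx-fw1 spamd[14875]: (GREY) 192.0.2.10: <alice@example.org> -> <bob@example.net>
Nov 14 16:03:00 mx-fw1 spamd[14875]: (GREY) 192.0.2.10: <alice@example.org> -> <bob@example.net>
Nov 14 15:35:43 mx-fw1 spamd[14875]: (GREY) 192.0.2.10: <alice@example.org> -> <bob@example.net>
"""

GREY_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ spamd\[\d+\]: \(GREY\) (\S+): <(.*?)> -> <(.*?)>")

def parse_g_flag(value):
    """Split -G passtime:greyexp:whiteexp into timedeltas (minutes, hours, hours)."""
    passtime, greyexp, whiteexp = (int(x) for x in value.split(":"))
    return (timedelta(minutes=passtime), timedelta(hours=greyexp),
            timedelta(hours=whiteexp))

def grey_attempts(log_text, year=2006):
    """Return {(ip, sender, rcpt): [datetime, ...]} sorted oldest first."""
    attempts = {}
    for line in log_text.splitlines():
        m = GREY_RE.match(line)
        if not m:
            continue  # connected/disconnected lines carry no tuple
        # syslog omits the year, so the caller supplies it (assumption)
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        attempts.setdefault(m.group(2, 3, 4), []).append(when)
    # rotated logs may be read newest first, so sort before comparing
    return {k: sorted(v) for k, v in attempts.items()}

def qualifying_retries(times, passtime, greyexp):
    """Retries at least passtime after the first attempt and before greyexp."""
    first = times[0]
    return [t for t in times[1:] if passtime <= t - first < greyexp]

if __name__ == "__main__":
    passtime, greyexp, _ = parse_g_flag("5:4:864")
    for tup, times in grey_attempts(SAMPLE_LOG).items():
        ok = qualifying_retries(times, passtime, greyexp)
        print(tup, "first seen", times[0], "qualifying retries:", len(ok))
```

With the retry times from the log above and `-G 5:4:864`, both later attempts fall inside the window in this model; with a 30-minute passtime only the 17:33 attempt does.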
