What I think is happening, is that the initial mail attempt is made from Server 1 and the link is dropped and the IP added to the Greylist Cache.  The ISP tries again, but this time from Server 2.  Again the link is dropped and the second IP added to the Greylist Cache.  Sometimes, the mail is received from one of the current Greylist IPs andthis is then added to the accepted list and the mail is forwarded.  However if the ISP has many servers working in parallel, it never comes from the same IP twice and is never delivered.

 

Is anybody else experiencing this? or have I another problem I have not thought of?

Unfortunately that is one of the side-effects of using greylisting. Per RFC, if a server experiences a temporary failure code while sending an email (which is exactly what greylisting does), the RFC states that the server should retry delivery after a brief delay. Unfortunately large ISP often do not abide by the RFC, and in case of a temporary failure they will defer delivery to a different SMTP server on their network. This new server will have a new IP, and when this IP connects to SpamFilter (or any other anti-spam server that uses greylisting), this new IP will again be subjected to the greylist filter, causing the initial connection to be delayed. If the ISP then again violates RFC and defers delivery to a third of their mail servers, you see how this process will become an issue.

Eventually most IPs from the large ISPs will be cached by the greylist filters, but the more mail relays they use, the longer this will take, causing some initial mail delays.

This is why we ship SpamFilter with the greylist filter disabled by default. Greylisting is a great asset to stop spam, but it can cause delays with larger providers. You can manually add IPs/networks you wish to have excluded, just as I mentioned in the other posting saw today (http://www.logsat.com/SpamFilter/Forums/forum_posts.asp?TID=6942#14084), but admins will need to decide if it is better for their needs to enable or disable the greylist filter, knowing its downsides.

 

So what's your opinion, is it still worth to use the greylist filter with all the negative consequences that implies?

I mean the most spammers learned already to adapt and are using spam software that can identify the 4XX messages, and perform the retry operation.

 

Regards

Wayne

Actually most spambots so far do not retry the operation and just move on, as it's not worth for them to spend time retrying. Sometimes they still make it past the greylist filter as they have a large number of email addresses for one domain, so as they keep trying the other email addresses, eventually this will cause the initial 5-10 minute delay of the greylist filter to elapse and start accepting connection form the spambot. But in the meantime, hundreds of email attempts to other users have still been stopped.

Whether to implement it or not depends ont he admin and your customers. If they complain too much because of the initial delays that this filter causes, you may want to disable it. But if you're happy (and especially if your customers are happy) with the low spam that is allowed thru when using it, then you should enable it.

Have you manually added the IPs to the greylist filter as discussed in the other thread above? Spammers can (very) easily spoof the reverse DNS host name of an IP, and provide false information in the EHLO and MAIL FROM commands incorrectly identifying themselves as *.yahoo.com. Doing so would immediately render the greylist filter useless in such cases. This is why we solely rely on checking the IP addresses of the senders.

Please see new forum announcement at: