Re: Measuring "should I greylist?" false positive rate [was: greylisting on debian.org?]
On Tue, Jul 18, 2006 at 10:03:59AM +0200, Pierre Habouzit wrote:
> On Tue, 18 July 2006 10:00, Lionel Elie Mamane wrote:
>> On Mon, Jul 17, 2006 at 11:48:21PM +0200, Pierre Habouzit wrote:
>>> On Mon, 17 July 2006 22:29, Lionel Elie Mamane wrote:
>>> the discussion (...) was about enabling greylisting on *certain*
>>> *specifically* *suspicious* hosts. A suspicious
>>> host is:
>>> * either listed on some RBLs (RBL listing "dynamic" blocks are a
>>> good start usually)
>>> * either having no reverse DNS set
>>> * either having curious EHLO lines (that one may catch too much
>>> good mail sadly, so it's to handle with care).
>>> * ...
>>> I apply greylisting on the two first criteria on a quite used
>>> mail server (around 300k mails per week, which is not very big,
>>> but should be representative enough).
>>> there is less than 50 mails a week over those that *may* be
>>> legitimate mails that are actually slowed down.
>> On second thought, I'm very interested in how you measured this false
>> positive rate.
> it's the number of mails that are being resubmitted per week with my
> system. so in fact, in them, there are 49 spams.
Fascinating. Which RBLs do you use for that? Or do you have atypical
mail patterns? Exactly two of my 50-or-so mail users use greylisting,
based on RBLs *only*. They are kinda high-traffic mail users, but
still, they, on their own, push the greylisting "this triplet is
allowed" database entries to the thousands. The "this triplet tried
once, but not more, in the allotted time" database entries are more
numerous only by about an order of magnitude.
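The measurement method discussed in this thread (greylist only hosts that are RBL-listed or lack reverse DNS, then count how many deferred triplets come back, which bounds the number of legitimate mails slowed down) can be made concrete with a small simulation. This is an added example, not the code of either poster's mail system; the RBL set, reverse DNS table, event log, minimum retry delay and pending-entry lifetime are all constructed values.

```python
"""Toy selective greylisting policy with false-positive accounting.

Added illustration of the approach described in the thread: apply greylisting
only to "suspicious" hosts (RBL-listed or without reverse DNS) and keep two
counters that the thread reasons about: triplets that were resubmitted and
passed (an upper bound on slowed-down legitimate mail) and triplets that were
tried once and never retried (almost always spam). All data here is constructed.
"""
from dataclasses import dataclass, field

# Constructed lookup tables standing in for a DNSBL query and a PTR lookup.
RBL_LISTED = {"203.0.113.7"}                        # listed on a "dynamic" RBL
REVERSE_DNS = {"198.51.100.5": "mx.example.net"}     # hosts that do have rDNS


def is_suspicious(ip: str) -> bool:
    """First two criteria from the thread: RBL listing or missing reverse DNS."""
    return ip in RBL_LISTED or ip not in REVERSE_DNS


@dataclass
class Greylist:
    min_delay: int = 300        # seconds a deferred triplet must wait before retry
    lifetime: int = 4 * 3600    # pending entries older than this are dropped
    pending: dict = field(default_factory=dict)   # triplet -> first_seen
    allowed: set = field(default_factory=set)     # triplets that passed
    resubmitted: int = 0                          # deferred mails that came back

    def decide(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        """Return 'accept' or 'defer' for one delivery attempt at time `now`."""
        if not is_suspicious(ip):
            return "accept"                       # non-suspicious hosts bypass greylisting
        triplet = (ip, sender, rcpt)
        if triplet in self.allowed:
            return "accept"
        first_seen = self.pending.get(triplet)
        if first_seen is None:
            self.pending[triplet] = now           # first attempt: defer and remember
            return "defer"
        if now - first_seen < self.min_delay:
            return "defer"                        # retried too early, keep waiting
        del self.pending[triplet]                 # proper retry: whitelist the triplet
        self.allowed.add(triplet)
        self.resubmitted += 1
        return "accept"

    def prune(self, now: int) -> int:
        """Drop pending triplets that never retried within `lifetime`; return count."""
        stale = [t for t, seen in self.pending.items() if now - seen > self.lifetime]
        for t in stale:
            del self.pending[t]
        return len(stale)

    def stats(self) -> dict:
        return {
            "allowed": len(self.allowed),         # "this triplet is allowed" entries
            "tried_once": len(self.pending),      # "tried once, not more" entries
            "resubmitted": self.resubmitted,      # bound on slowed legitimate mail
        }


# Constructed delivery log: (seconds, client IP, envelope sender, envelope recipient).
SAMPLE_LOG = [
    (0,   "198.51.100.5", "a@example.org",    "user@example.com"),  # has rDNS
    (10,  "203.0.113.7",  "b@example.org",    "user@example.com"),  # RBL-listed
    (20,  "192.0.2.9",    "spam@example.net", "user@example.com"),  # no rDNS, never retries
    (400, "203.0.113.7",  "b@example.org",    "user@example.com"),  # proper retry
    (450, "203.0.113.7",  "b@example.org",    "user@example.com"),  # already allowed
    (460, "192.0.2.10",   "c@example.org",    "user@example.com"),  # no rDNS
    (500, "192.0.2.10",   "c@example.org",    "user@example.com"),  # retried too early
]


def run_sample(log=SAMPLE_LOG) -> dict:
    """Replay a log through the policy and return decisions plus counters."""
    gl = Greylist()
    decisions = [gl.decide(ip, sender, rcpt, t) for t, ip, sender, rcpt in log]
    return {"decisions": decisions, "stats": gl.stats()}


if __name__ == "__main__":
    print(run_sample())
```

The `resubmitted` counter is what the thread uses as its "less than 50 a week" figure: it counts every deferred mail that came back, spam included, so it overstates the true false-positive rate. The `tried_once` counter grows with one-shot spam sources and is what the reply describes as being about an order of magnitude larger than the allowed-triplet table.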