Recently, I stumbled across this site at theinternetco detailing how to set up greylisting in an exim/mysql setup.

I took the plunge.

From Friday 1:28PM Central to Saturday 7:30AM Central

840 connection attempts greylisted
585 individual ip/domain pairs tried
505 unique ip connections

All of this is after the following two iptables rules:
/sbin/iptables -I INPUT -p tcp –dport 25 -i eth0 -m state –state NEW -m recent –set
/sbin/iptables -I INPUT -p tcp –dport 25 -i eth0 -m state –state NEW -m recent –update –seconds 60 –hitcount 1 -j DROP

(Basically, any given IP can only make one new connection per minute. Had a problem where spam bots would get greylisted and then would try to connect about 100 times in a row)
Nothing really needs to connect to my mail server more than once a minute, and any large transaction of e-mail would be ETRN’ed anyway.

I upgraded the Amavisd-new package, which also broke some of my config files. Basically, Amavis now comes out of the box with SpamAssassin and ClamD support disabled. I didn’t realize this until Monday when I noticed the logs didn’t have startup entries from Amavis for these two. Doh!

But all told, it looks like my spam count has dropped noticeably. I’ve been putting some manual entries in for google’s mail servers, but it’s a little harder to catch them when you have 3000 entries in the greylist tables, like I do right now. Maybe I’ll write a cron job to prune old entries later on. Greylist entries are only good for a week anyway.

I’m toying with the idea of automatically blacklisting certain senders based on a set of circumstances. A few years ago, I used an alias of my main mail account to make 2-3 posts to a mailing list. Even today I see spam mail come in for that mailbox. I’m looking at how to check for mail intended for that address and just blacklist the ip that sent it (again, via MySQL,) but I’m not sure if it would be worth the effort at this time.
If I could get a good system in place to blacklist country codes, I’m sure that would cut down on the spam significantly. I have a good blacklist file from work that could probably do the trick.

I suppose I could write a script to manually walk through my logs and spit out a list of people who attempted to e-mail the non-existant address. I could automate that as well and have it insert into a MySQL table. I might as well blacklist microsoft.com while I’m at it.