November 14, 2006 (last update April 18, 2012)
taRgrey is a patch that makes postgrey into a tarpitting policy server.
Tarpitting means delaying the SMTP response in order to block spam.
taRgrey is designed to decrease false positives.
I had used greylisting combined with the S25R anti-spam system on my mail server. I named this system Rgrey. S25R defines reverse FQDN patterns to presume that a client has a dynamic IP address.
After that, I had used tarpitting combined with S25R. I named this system Starpit.
note: (July 2007 in Japan)
I recommend 120 sec tarpitting for taRgrey mode based on this result.
However, Starpit still caused false positives. Most of them occurred with email magazines and email newsletters. taRgrey solves this problem: it accepts mail by greylisting when it is resent after being blocked by tarpitting.
We set the parameters for taRgrey so that anti-greylisting spam cannot pass through. We can safely configure greylisting tightly because little legitimate mail is blocked by Starpit.
Moreover, this patch enables us to specify the number of retries required for greylisting. Most anti-greylisting spam retries just once.
Additional functions with this patch are as follows:
/etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ...(whitelist and other filter)
    check_client_access regexp:$config_directory/permit_client_nots25r
    check_policy_service inet:60000
    ...
    permit
smtpd_data_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    ...(whitelist)
    check_client_access regexp:$config_directory/permit_client_nots25r
    check_policy_service inet:60000
    permit

/etc/postfix/permit_client_nots25r
/\.dip\.t-dialin\.net$/ WARN
/\.dyn\.optonline\.net$/ WARN
...(other dynamic IP FQDN pattern(not match S25R pattern))
!/(^unknown$)|(^[^.]*[0-9][^0-9.]+[0-9].*\.)|(^[^.]*[0-9]{5})|(^([^.]+\.)?[0-9][^.]*\.[^.]+\..+\.[a-z])|(^[^.]*[0-9]\.[^.]*[0-9]-[0-9])|(^[^.]*[0-9]\.[^.]*[0-9]\.[^.]+\..+\.)|(^(dhcp|dialup|ppp|[achrsvx]?dsl)[^.]*[0-9])/ OK
...(This regexp is one line)
/./ WARN
# postgrey --tarpit=125 --targrey --retry-count=2 --delay=1800
The policy server is called twice. First, it is called from the smtpd_recipient_restrictions parameter and filters the client by tarpitting; at this time it puts the client address on the tarpitting black list. Next, it is called from the smtpd_data_restrictions parameter and finds that the client has managed to pass through tarpitting; at this time it deletes the client address from the tarpitting black list. If, on the first call, it finds that a client matches the tarpitting black list, it greylists the client without tarpitting.
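The two-call flow above, as an added Python model (not the taRgrey patch's own Perl code): it assumes that greylisting passes once the client has retried --retry-count times and --delay seconds have elapsed since the first greylisted attempt, and the action strings and sample request are illustrative, constructed for this example.

```python
import time

# Constructed sample request, in the Postfix policy delegation format.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=192.0.2.10\nsender=list@example.com\n"
    "recipient=user@example.net\n\n"
)

def parse_request(raw):
    """Parse one policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

class TaRgreyPolicy:
    def __init__(self, tarpit=125, retry_count=2, delay=1800):
        self.tarpit = tarpit            # --tarpit: seconds to delay at RCPT
        self.retry_count = retry_count  # --retry-count: retries needed to pass
        self.delay = delay              # --delay: seconds before a retry counts
        self.tarpit_list = set()        # tarpitted at RCPT, never reached DATA
        self.greylist = {}              # (client, sender, rcpt) -> (first, retries)

    def decide(self, attrs, now=None):
        """Return the action for one request; `now` is injectable for tests."""
        now = time.time() if now is None else now
        client = attrs["client_address"]
        if attrs["protocol_state"] == "RCPT":
            if client in self.tarpit_list:
                # Client dropped out of an earlier tarpit: greylist, no tarpit.
                return self._greylist(attrs, now)
            self.tarpit_list.add(client)
            return f"action=SLEEP {self.tarpit}"   # illustrative tarpit reply
        if attrs["protocol_state"] == "DATA":
            # Reaching DATA proves the client sat through the whole delay.
            self.tarpit_list.discard(client)
        return "action=DUNNO"

    def _greylist(self, attrs, now):
        key = (attrs["client_address"], attrs["sender"], attrs["recipient"])
        first_seen, retries = self.greylist.get(key, (now, -1))
        retries += 1
        self.greylist[key] = (first_seen, retries)
        if retries >= self.retry_count and now - first_seen >= self.delay:
            return "action=DUNNO"
        return "action=DEFER_IF_PERMIT Greylisted, try again later"
```

A client that sits through the RCPT delay and reaches DATA is removed from the tarpit list; one that disconnects and reconnects is greylisted instead, and a single retry is not enough with --retry-count=2.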
I designed taRgrey to decrease false positives.
However, I heard a demand to use tarpitting to decrease false negatives. I prepared a tarpit&greylist mode with the following option:
"--tarpit=35 --retry-count=2"
This works in tarpit&greylist mode. It delays 35 sec and then returns 450 (greylist).
Mr. Nakahara reported the false negative rate of each method.
I also made a patch for postfix. It makes the sleep non-blocking.
The SLEEP action of postfix just calls the UNIX sleep call. Therefore a sleeping process wastefully remains after a client disconnects during tarpitting. This patch enables postfix to detect the disconnection by the client and kill the sleeping process.
postfix-2.3.x / 2.4.x / 2.5.x / 2.6.x / 2.7.x / 2.8.x / 2.9.x