Some spammers learn that you use graylisting – which is great because they try to send less spam to your server. This is at least what I learnt since I have implemented graylisting on one of my mailservers. Besides the fact that far less spam was delivered to users I also noticed that there are less rejected connections. The number of rejected tries has continuously droped since Graylisting was implemented.
The following mailgraphs show a mailserver traffic. In Dec several hundreads of mail users were moved to the system from another mailserver which had no graylist implementation.
The red graph represents the number of refused connections (DNSBL, Postfix policies and graylist rejects). Some of the initially high number of rejects are of course the initial graylist rejects. But each legitimate connection initializing the graylist should produce at most twice as much connections as during the time when graylisting is already in action (which is May or later). But the number of rejected connections during graylist implementation was much higher than 2x rejects in May or Aug.Therefore I susspect that spammers do keep track of hosts which return reject upon their first try.
This is also supported by stats of another mailserver, where they deliver ALL mail :\ and only then decide if it is a SPAM or not. They get a huge rate of SPAM messages. And because they deliver everything, spammers keep sending them spam. For comparison here is the statistics for one month for their and my mail server:
My mail server
Delivered Mails: 132k received/125k sent
Refused: 279k
SPAM: 2k
Their mail server
Delivered Mails: 358k
Tagged: 15k
Removed: 339k
SPAM: 14 299k
What you see is that while they deliver only two times more non-spam mail than my server, they have 52x more SPAM mails than I have refused connections. This, of course, does not mean that they get 52x time more SPAM delivering connections (because one connection might deliver also hundreads of SPAMS to the same system). Anyhow it definitly means that their bandwidth and resources on their mail server are much busier than mine 😉
Conclusion
The conclusion is: USE GRAYLISTING! If the only thing which bothers you are initial mail delays, implement an auto-whitelist! Auto-whitelist will lower the number of tripples in your graylist database and will speed-up the deliveries from systems, which would by any circumstances bypass the graylist. Graylist is also not every-spam-problem-solving solution. Graylist just filters sending hosts which are not regular mail servers. I will post another blog about auto-whitelist later.