
Greylisting - record retention?

Does anybody know how long the entry for a confirmed non spam record is retained in the database?

What I mean by that is that after an email address is cleared as not spam, how long is the record held to say that any email from this address isn't spam?

We seem to be having a few issues where items clear the greylist only to find that 2 days later the same sender address is getting greylisted again, and in this case their mail server doesn't try to resend for another hour.



  • Hi Louis,

    Greylisting logs will be reflected in the raw logs. When a mail is blocked because of greylisting, a legitimate server will try again to send the email later, and it will be accepted. The mail delivery will not depend on the non-spam record. Does the mail server attempt to resend a mail after discovering the failure on the first attempt?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Yes it does. Problem is, it seems that after a day or two, email coming from this same address is greylisted again resulting in a 15 minute wait for the mail to come through.

    We have users complaining about this as they generally want to receive the email within a minute or so. Asking them to constantly wait 15 minutes is unacceptable to them.

    I would have thought that the UTM would have kept a database of safe senders, and once the greylisting had confirmed an email address as legitimate, it would have been added to that to prevent that particular email from being held back again.

  • In the utm itself:

    Rejecting hosts sending Invalid HELO or missing RDNS entries is recommended. It is possible to exempt individual hosts from these checks using Exceptions. Greylisting builds and uses a database of ’known-good’ SMTP hosts that resend messages after receiving a temporary error. BATV (Bounce address tag validation) signs the reverse path of outgoing email, so it is possible to detect and drop spam and virus backscatter. SPF (Sender Policy Framework) is a means of querying ’allowed sending hosts’ for a domain from DNS.

    So...... how long does the database hold the record? Is it the same interval as the "Keep database log for X days?"

  • I think the triplicate of 'Sender IP/Sender/Recipient' is kept for 72 hours.  Personally, I recommend against using Greylisting as explained in https://community.sophos.com/products/unified-threat-management/f/56/t/49797.  The net of that is that 90% of spams are then rejected immediately with very little additional effort and very few more bits sent and received than with Greylisting.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
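An added example, not code from Sophos or the UTM, that models the triplet retention Bob describes: the sender IP/sender/recipient triplet is temp-failed on first contact, accepted on a later retry, and greylisted again once its record has expired, which is the behaviour Louis reports. The 15-minute minimum retry delay, the 72-hour retention measured from the last accepted delivery, and the addresses are assumptions.

```python
# Added example (not UTM code): a minimal greylisting model showing how a
# retained sender/recipient triplet decides whether a retry is accepted and
# why a sender is greylisted again once that record has expired.
from dataclasses import dataclass, field

TEMP_FAIL = "451 4.7.1 greylisted, try again later"  # constructed SMTP reply
ACCEPT = "250 OK"


@dataclass
class Greylist:
    # Assumed policy values: minimum retry delay and record retention.
    min_delay: float = 15 * 60        # seconds before a retry is accepted
    retention: float = 72 * 3600      # seconds a known-good triplet is kept
    seen: dict = field(default_factory=dict)  # triplet -> (first_seen, last_seen)

    def check(self, now, client_ip, sender, recipient):
        """Return the SMTP reply for one delivery attempt at time `now`."""
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.seen.get(key)
        if entry is not None and now - entry[1] > self.retention:
            # Record expired: the triplet is treated as unknown again,
            # so the sender gets a fresh temporary failure (assumed policy).
            del self.seen[key]
            entry = None
        if entry is None:
            self.seen[key] = (now, now)
            return TEMP_FAIL
        first_seen, _ = entry
        if now - first_seen < self.min_delay:
            return TEMP_FAIL          # retry came too soon; keep waiting
        self.seen[key] = (first_seen, now)  # refresh last-seen on acceptance
        return ACCEPT


def simulate():
    """Constructed timeline for one sender; times are seconds."""
    gl = Greylist()
    ip, frm, to = "192.0.2.10", "alice@example.com", "bob@example.net"
    h = 3600
    return [
        gl.check(0, ip, frm, to),           # first contact -> temp fail
        gl.check(5 * 60, ip, frm, to),      # retry after 5 min -> too soon
        gl.check(1 * h, ip, frm, to),       # retry after 1 h -> accepted
        gl.check(2 * 24 * h, ip, frm, to),  # 2 days later, record held -> accepted
        gl.check(6 * 24 * h, ip, frm, to),  # 4 days after last mail -> expired
    ]
```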