At the time of this writing (December 5th, 2006) a significant portion of spam comes from windows operating systems. This has been linked to increases in virus infected windows machines connected to the internet remotely controlled by spammers. By only greylisting email coming from windows operating systems we significantly lower the impact to the system and reduce customer complaint levels.
With this implementation of greylisting record the ip address of the sender and the to and from addresses. We record this information in a hashed directory structure filename using the timestamp on the file as the initial connection attempt. The first attempt to send an email always results in a deferral message from the qmail machine (while the information is recorded). If the sender is a real email server they will handle resending the email for up to a week. Most spammer software will not attempt resending the email, or they will only wait a few seconds or a minute. By default we picked 110 seconds or just under two minutes. In testing we saw hotmail, which sends with windows machines, tries once, then a second time 60 seconds later, then a third time 2 minutes later then 10 minutes again after that. With 110 seconds wait time hot mail will get through within two minutes.
Passive Finger Printing
Passive Finger Printing is nify technique that can determine the operating system of a remote machine by examining the bits, or finger print, of the network traffic. Since this does not require any network traffic to probe the remote system it is called Passive. By limiting the problem space to only windows machines, which send the bulk of spam traffic, we narrow the impact of delayed sending problems caused by broken windows mail servers.
Impact on Spam Filters
Since Windows Greylisting drastically reduces the number of emails scanned it also reduces the need for highly accurate spam filtering. This will also reduce the system resources consumed, especially for spamassassin. Dspam higher efficency does not consume as many resources and the lower number of spam emails also makes it simplier for dspam to develope new rules.