[Gross] Weighted checks in production

Jesse Thompson jesse.thompson at doit.wisc.edu
Fri Mar 28 16:50:05 EET 2008

Eino Tuominen wrote:
> Eino Tuominen wrote:
>> Eino Tuominen wrote:
>>> Hi all,
>>> I have now weighted checks version in production in one node:
>>> smtp01:gross# ps -e -o etime,time,vsz,rss,pcpu,args | grep grossd
>>>     03:50:08        6:08 32408 31776  0.6 sbin/grossd
>>> Trust: 9959 Match: 46 Greylist: 3643 Block: 39232 Queries/sec: 3.823019
>>> Its now 6:30 pm here, so ham is still coming in. I uploaded a new 
>>> development snapshot on Google, play with it!
>>> Oh, I now made these ports as defaults: 5525 gross; 5522 status; 5524 
>>> sync. This time I checked IANA port list first!-)
>> Darn, I managed to upload wrong version. Now check_blocker is broken in 
>> the gross-svn-232.tar.gz. I'll fix it ASAP. Otherwise it should be stable.
>> I'll be back,
> First night has passed, here are the statistics of one node:
> Trust: 15166 Match: 233 Greylist: 8582 Block: 120463
> Quite amazing?!

Cool!  Nice work, as always.  I will try this out soon, I hope.

> I have now uploaded gross-svn-236.tar.gz, it's running now in production 
> here. I couldn't get check_blocker to reuse connections as Sophos' 
> blockerd keeps shutting every connection down right after the answer. 
> And, now there's watchdog to see if blocker threads get stuck.

Was this a bug?  I can't remember the details.

> Jesse, you threw an idea some time ago about skipping first n rotating 
> filters when calculating the effective filter. I've been pondering your 
> idea and I think it could be of use now. It might be a good idea to hold 
> a triplet as long as few hours at greylisted state, as it would give 
> Puremessage and alike time to update their filters and let the spammers 
> id get spread to another RBL's as well. What do you think?

Yeah, I think that this is the most efficient way to enable longer 
greylisted states.  From what I understand, the current method of 
setting a greylist time period keeps the entry in memory and waits X 
seconds before updating the filter.  This seems to me like it wouldn't 
scale well to larger time values.

> The original problem was that resolution of filters is so poor (1 hour 
> with default config). But now that most spam gets blocked and only a 
> portion gets greylisted there is a lot of room in the filters. We could 
> easily afford more rotating buffers skipping a few first of them.

Yeah, if the filter resolution is 1 hour, and you tell gross to ignore 
the first filter, it will mean that the triplets will be in the greylist 
state for 0 < X < 1 hour.  Otherwise you could tell gross to ignore the 
first 2 filters, which would be 1 hour < X < 2 hours.  That seems too long.

I'd probably want to first try setting the filter resolution to 30 
minutes and then ignore the first 2 filters, so the triplets will be in 
the greylist state for 30 min < X < 1 hour.  That still might be a 
little too aggressive though.  So maybe 15 minute filters, ignoring the 
first 2: 15 min < X < 30 min?



   Jesse Thompson
   Email/IM: jesse.thompson at doit.wisc.edu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3340 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.utu.fi/pipermail/gross/attachments/20080328/34d691ca/attachment.bin>

More information about the Gross mailing list