A day in the life of a mail server

Think your life is hard? A mail server's is harder -- it spends far more time killing spam than delivering mail

I woke up, fell out of bed, dragged a comb across my head, and checked the statistics generated by one of my mail servers during the past 24 hours. The day before, I wrote a Sendmail milter in Perl to match every inbound mail relay against three of the most popular DNS blacklists: spamhaus.org, sorbs.net and spamcop.net. No actual blocking took place, as I was just interested in collecting numbers. (A milter is an extension to Sendmail’s mail transfer agent; the code for my milter is freely available on my blog).
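The lookup the milter performs is simple enough to show in full. The block below is an added example, not the author's Perl milter: it reverses the relay's IPv4 octets, queries that name under each list's zone, and treats any A record in 127.0.0.0/8 as a hit, with the RFC 5782 sanity check (127.0.0.2 must be listed, 127.0.0.1 must not be) that a site should run before letting a list refuse mail. The zone names are the ones commonly used for the three lists named above (sbl-xbl.spamhaus.org has since been folded into zen.spamhaus.org; the old name is kept to match the text), and the DNS answers are a constructed stand-in so the code runs offline; `live_resolver` shows the real call.

```python
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, Optional

# Zones assumed for the three lists named in the article. sbl-xbl.spamhaus.org has
# since been folded into zen.spamhaus.org; the old name is kept to match the text.
DNSBL_ZONES: Dict[str, str] = {
    "spamhaus": "sbl-xbl.spamhaus.org",
    "spamcop": "bl.spamcop.net",
    "sorbs": "dnsbl.sorbs.net",
}

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

# A resolver maps a query name to its first A-record answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 203.0.113.5 -> 5.113.0.203.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 relays only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(answer: Optional[str]) -> bool:
    """A listed address comes back as an A record inside 127.0.0.0/8; NXDOMAIN means
    not listed. An answer outside 127/8 is ignored, which guards against a lapsed
    zone whose domain has been parked or wildcarded."""
    return answer is not None and ipaddress.ip_address(answer) in LISTED_RANGE


def check_relay(ip: str, resolver: Resolver,
                zones: Dict[str, str] = DNSBL_ZONES) -> Dict[str, bool]:
    """Look one connecting relay up in every configured list."""
    return {name: is_listed(resolver(dnsbl_query_name(ip, zone)))
            for name, zone in zones.items()}


def zone_is_sane(zone: str, resolver: Resolver) -> bool:
    """RFC 5782 test points: 127.0.0.2 must be listed and 127.0.0.1 must not be.
    A zone failing this should never be allowed to refuse mail."""
    return (is_listed(resolver(dnsbl_query_name("127.0.0.2", zone)))
            and not is_listed(resolver(dnsbl_query_name("127.0.0.1", zone))))


def tally(relays: Iterable[str], resolver: Resolver,
          zones: Dict[str, str] = DNSBL_ZONES) -> Dict[str, int]:
    """Per-list match counts over a set of connections, the statistic the article reports."""
    counts: Counter = Counter({name: 0 for name in zones})
    for ip in relays:
        for name, hit in check_relay(ip, resolver, zones).items():
            counts[name] += int(hit)
    return dict(counts)


def live_resolver(name: str) -> Optional[str]:
    """Real lookup for production use; not exercised by the offline demo below."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed stand-in for DNS so the example runs offline (addresses from TEST-NET ranges).
FAKE_DNS: Dict[str, str] = {
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2",  # RFC 5782 test point
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "2.0.0.127.dnsbl.sorbs.net": "127.0.0.2",
    "5.113.0.203.sbl-xbl.spamhaus.org": "127.0.0.4",  # listed on spamhaus and spamcop
    "5.113.0.203.bl.spamcop.net": "127.0.0.2",
    "7.113.0.203.dnsbl.sorbs.net": "127.0.0.6",       # listed on sorbs only
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    print(check_relay("203.0.113.5", fake_resolver))
    print(tally(["203.0.113.5", "203.0.113.7", "198.51.100.9"], fake_resolver))
```

Note that a real milter would run the three lookups in parallel and bound the DNS timeout, since a slow list otherwise stalls every inbound connection.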

After the inbound e-mail was catalogued in the database, it was passed on to a trio of e-mail filters. First, it hit the greylisting milter, which uses a heavily customized version of Evan Harris’s relaydelay code. If it passed that filter, it was checked by ClamAV for viruses and phishing scams, then finally passed to SpamAssassin for spam checking. As you can see, the results are impressive. Of the 122,865 connections seen, spamcop.net matched on 45,829 IP addresses, sorbs.net matched 59,010, and spamhaus.org’s sbl-xbl list matched 57,881.

Beyond the DNS blacklist matches, we see that the greylisting filter is working overtime: 120,571 messages were seen by the greylisting code, and only 87 of them matched the manual whitelists. Only 2,515 messages were retried by the sending server and so passed the greylisting check; greylisting works because a legitimate MTA queues a message and retries after a 4xx temporary failure, while most spam engines fire once and move on. Of those 2,515, ClamAV discarded seven worms and 23 phishing scams, and SpamAssassin pulled out 64 confirmed spams, although 308 suspected spams were passed through. This filtering resulted in 2,113 messages actually delivered to e-mail inboxes in that 24-hour period, or just under 2 percent of the overall mail volume. If the DNS blacklist checks had been in place and refusing e-mail based on the lookups to sorbs.net and the others, the number of e-mails hitting the filter chain would have been nearly halved, although at least 60,000 unwanted e-mails would still have reached the filters.
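The greylisting stage described above, and the numbers it produces, come from a small state machine: a triplet of (relay, envelope sender, recipient) is refused with a 4xx the first time it is seen, accepted once a retry arrives after a minimum delay, and then passed without delay from then on. The block below is an added example of that logic, not the author's customized relaydelay code. The delay (5 minutes), the expiry of never-retried triplets (8 hours), keying on the relay's /24, and the manual whitelist as a set of CIDRs are all assumptions made here; the connection log it replays is constructed, with a spam bot that never retries, a real MTA that retries too early and then correctly, and a whitelisted relay.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A greylist triplet: (sending relay's /24 network, envelope sender, recipient).
# Keying on the /24 rather than the exact address is an assumption made here, so a
# site whose outbound MTA pool retries from a neighbouring address still passes.
Triplet = Tuple[str, str, str]

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class GreyEntry:
    first_seen: float   # when the triplet was first refused
    last_seen: float
    passed: int = 0     # messages accepted on this triplet so far


@dataclass
class Greylist:
    delay: float = 300.0               # assumed: a retry counts only 5 min after first sight
    retry_window: float = 8 * 3600.0   # assumed: unretried triplets are forgotten after 8 h
    whitelist_relays: Set[str] = field(default_factory=set)  # manual whitelist, CIDR strings
    store: Dict[Triplet, GreyEntry] = field(default_factory=dict)

    @staticmethod
    def _key(relay_ip: str, sender: str, rcpt: str) -> Triplet:
        net = ipaddress.ip_network(f"{relay_ip}/24", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def _whitelisted(self, relay_ip: str) -> bool:
        ip = ipaddress.ip_address(relay_ip)
        return any(ip in ipaddress.ip_network(cidr) for cidr in self.whitelist_relays)

    def decide(self, relay_ip: str, sender: str, rcpt: str, now: float) -> Tuple[str, str]:
        """Return (verdict, SMTP reply) for one RCPT TO. Verdict is 'whitelist',
        'tempfail' or 'accept'. The first sight of a triplet is always refused with a
        4xx: a proper MTA queues and retries, most spam engines simply move on."""
        if self._whitelisted(relay_ip):
            return "whitelist", ACCEPT
        key = self._key(relay_ip, sender, rcpt)
        entry = self.store.get(key)
        if entry is None:
            self.store[key] = GreyEntry(first_seen=now, last_seen=now)
            return "tempfail", TEMPFAIL
        entry.last_seen = now
        if entry.passed == 0 and now - entry.first_seen < self.delay:
            # Retried, but too quickly: some spam engines retry at once, so insist on the delay.
            return "tempfail", TEMPFAIL
        entry.passed += 1   # once passed, later mail on the triplet is accepted immediately
        return "accept", ACCEPT

    def expire(self, now: float) -> int:
        """Drop triplets that were refused and never retried; returns how many were dropped."""
        stale = [k for k, e in self.store.items()
                 if e.passed == 0 and now - e.first_seen > self.retry_window]
        for k in stale:
            del self.store[k]
        return len(stale)


# Constructed connection log: (seconds since start, relay IP, envelope sender, recipient).
EVENTS: List[Tuple[float, str, str, str]] = [
    (0,    "203.0.113.10",  "bot@example.net",  "alice@example.org"),  # spam bot, never retries
    (0,    "198.51.100.20", "bob@example.com",  "alice@example.org"),  # real MTA, first attempt
    (60,   "198.51.100.20", "bob@example.com",  "alice@example.org"),  # retried too soon
    (900,  "198.51.100.20", "bob@example.com",  "alice@example.org"),  # retried after the delay
    (1000, "198.51.100.20", "bob@example.com",  "alice@example.org"),  # second message, already passed
    (1200, "192.0.2.5",     "news@example.edu", "alice@example.org"),  # manually whitelisted relay
]


def simulate(events: List[Tuple[float, str, str, str]], gl: Greylist) -> Dict[str, int]:
    """Replay a connection log through the greylist and count the verdicts."""
    counts: Counter = Counter()
    for t, ip, sender, rcpt in sorted(events):
        verdict, _reply = gl.decide(ip, sender, rcpt, t)
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    gl = Greylist(whitelist_relays={"192.0.2.0/24"})
    print(simulate(EVENTS, gl))          # {'tempfail': 3, 'accept': 2, 'whitelist': 1}
    print("expired:", gl.expire(now=9 * 3600))
```

The replay reproduces the pattern in the statistics above: the bot's single attempt is refused and its triplet simply ages out, while the legitimate sender costs one delayed retry and nothing thereafter. In production the store lives in a database (the author uses MySQL behind relaydelay) rather than a dictionary, and the whitelist also needs entries for large senders whose retries come from a different pool than the first attempt.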

[Figure: inbound DNS blacklist and filter statistics (13FEblacklists-in.gif)]

Looking through the logs during the past few weeks, I saw that this was not an anomalous event. These numbers crop up nearly every single day. The MySQL database running as the relaydelay back-end has seen more than 43 million e-mails since I implemented it in its current form almost exactly one year ago.

If you think that this filter chain is rather absurd, take it as an indication of the general state of e-mail traffic today. Without these filters, e-mail through this server would be completely unusable due to the crushing spam volume. That’s the truly absurd part.
