Greylisting

Recently, I was asked to write an article on greylisting for a slightly non-technical audience. Through the editing process it became a much smaller article and had its focus slightly changed. I still like my original version and got permission to post it here. Actually, I hate the second paragraph, but I couldn’t figure out how I wanted to fix it.

Comments, corrections, etc, welcome.

———————————————

Greylisting: another tool in the war on spam

As anyone who uses e-mail knows, getting spam is a constant problem. In the spam arms race new technology is being created all the time. One of the newest technologies on the side of e-mail receivers is greylisting.

Before we talk about greylisting, let’s do a quick review of the terms whitelisting and blacklisting as they pertain to e-mail. Whitelisting is explicitly letting someone into your inbox and blacklisting is explicitly denying them. Greylisting, as the name implies, falls somewhere in between. It neither explicitly denies nor approves mail, but assumes all mail is potentially spam until it proves itself.

Greylisting depends on the persistence of legitimate mail servers in their attempts to deliver mail. When mail delivery is attempted, the receiving mail server looks into a database for the combination of to, from, and sending mail server. If it does not find the combination the receiving mail server sends back a standard SMTP temporary failure message of “450 Try again later.” The receiving mail server then adds that combination into the database.

For legitimate mail the sending mail server will retry later and the combination will be found in the database on this second attempt. The receiving mail server will then accept the mail.

Spammers do not use standard mail servers for sending their e-mail. Typically, a spammer’s mail servers will only attempt delivery once. As described above, they will get the “try again later” notice and mail won’t be accepted by the receiving mail server. Since they don’t try again, you’ll never get the spam.

The results of this simple test and delay are astounding. Before greylisting, one small mail server I admin was accepting on average about 11,000 e-mails a week. After greylisting, it was accepting about 4,000. But what about the missing 7,000 e-mails? Those are assumed to be spam.

The real test of any anti-spam measure is if the users notice. When greylisting was turned on they noticed. Users were calling the IT staff to see if the mail server was up. It seems they weren’t getting the daily flood of spam that managed to make it past their spam filters.

There are many benefits of this approach; a few are:

  1. Minimal impact on the end user
  2. This approach tends to stop e-mail viruses as well.
  3. Saves on mail server resources (anti-spam and anti-virus software aren’t being run on mail we didn’t accept)

#3 is a big one for people running IT shops. That’s 7,000 fewer pieces of e-mail going through anti-virus and anti-spam scanners, lessening the burden on the mail server. This means a longer life on your current generation of hardware. You won’t have to upgrade the hardware just to keep your mail flowing due to the increased processing demands, both in memory and CPU, of modern anti-spam and anti-virus software and the modern increasing flood of spam.

It should be noted that there are some potential downsides. The biggest issue is that greylisting will delay initial contact. The range of the delay is anywhere from 5 minutes to several hours, depending on how the sending mail server is configured. If you are dependent on up-to-the-second e-mail, it may impact how you conduct your business. Another downside comes into play when some websites do user verification via e-mail. You’ll either get the mail way past when you were attempting to use the website, or it could be missed entirely if the website uses a different from address on each attempted contact. Fortunately, most greylisting configurations allow you to whitelist sending mail servers for situations like this.
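The triplet lookup described earlier (to, from, sending server; unknown triplet gets a 450, a retry gets accepted) and the downsides above (the delay, the website that changes its from address on every attempt, the whitelist for trusted sending servers) are easy to see in a few lines of code. The following is an added example written for this page; it is not code from gld, postfix, or greylisting.org. The `min_delay` and `max_age` knobs are assumptions modelled on how real greylisting daemons behave (a retry that comes back within seconds is still deferred, and a triplet that never retries is forgotten); the addresses, IPs and timestamps are constructed test data.

```python
"""Toy greylisting decision logic (added example, not gld or postfix code)."""
import time

# SMTP replies the article describes: a temporary failure for an unknown
# triplet, acceptance once the sending server has retried.
TEMP_FAIL = "450 Try again later"
ACCEPT = "250 OK"


class Greylister:
    """Tracks (from, to, sending server) triplets as the article describes.

    min_delay and max_age are assumptions, not something the article states:
    real daemons refuse a retry that arrives too quickly and forget triplets
    that never come back, so a sender that hammers the server one second
    later still does not get through.
    """

    def __init__(self, min_delay=300, max_age=8 * 3600, whitelist=()):
        self.min_delay = min_delay        # seconds before a retry may succeed
        self.max_age = max_age            # seconds an unconfirmed triplet lives
        self.whitelist = set(whitelist)   # sending-server IPs exempt from greylisting
        self.db = {}                      # triplet -> timestamp of first attempt

    def check(self, sender, recipient, client_ip, now=None):
        """Return the SMTP reply for one delivery attempt."""
        now = time.time() if now is None else now
        if client_ip in self.whitelist:
            return ACCEPT                 # trusted sending server: no delay
        key = (sender.lower(), recipient.lower(), client_ip)
        first_seen = self.db.get(key)
        if first_seen is None or now - first_seen > self.max_age:
            self.db[key] = now            # new (or stale) triplet: record it, defer
            return TEMP_FAIL
        if now - first_seen < self.min_delay:
            return TEMP_FAIL              # retried too soon: keep deferring
        return ACCEPT                     # persistent sender: let the mail in


def simulate(t0=1_700_000_000.0):
    """Run the article's cases against one Greylister (constructed data)."""
    g = Greylister(whitelist={"192.0.2.10"})
    a = "alice@example.org"
    return {
        # spammer: one delivery attempt, never retries
        "spam": [g.check("deal@spam.example", a, "203.0.113.7", t0)],
        # legitimate mail server: retries ten minutes later
        "legit": [g.check("bob@example.com", a, "198.51.100.4", t0),
                  g.check("bob@example.com", a, "198.51.100.4", t0 + 600)],
        # website using a fresh from address per attempt: triplet never matches
        "website": [g.check("verify-1@shop.example", a, "198.51.100.9", t0),
                    g.check("verify-2@shop.example", a, "198.51.100.9", t0 + 600)],
        # whitelisted sending server: accepted on the first attempt
        "trusted": [g.check("noreply@example.com", a, "192.0.2.10", t0)],
    }


if __name__ == "__main__":
    for name, replies in simulate().items():
        print(f"{name:8s} {replies}")
```

Running it shows the spammer and the address-changing website never get past the 450, the legitimate server is accepted on its second attempt, and the whitelisted server is never delayed. Keying on the sending server's IP rather than its HELO name matters: the IP is what the receiving server observes, whereas anything in the envelope can be chosen by the sender.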

All in all, greylisting is a valuable and effective tool that your ISP or IT dept should be looking into if they aren’t using it already.

Resources:
http://greylisting.org/

———————————————

For the record, I’m using gld with postfix.

One thought on “Greylisting”

  1. Thanks for getting me to think about greylisting. Since I’ve set it up three weeks ago the spam that has gotten through has dropped 95%. I’m using the greylist.pl program that comes with postfix. A correction to your article, in the second to last paragraph should be ‘5 minutes to several hours’.
