What Is Greylisting?
Greylisting is a means of fighting unwanted email by controlling the way messages are accepted into the system, where the system is generally our mail server(s). It is a cross between black- and whitelisting, with mostly automated updating. It works by examining three pieces of information from an email communication: the sender address, the receiver address and the IP address of the sending server. From now on we'll call this threefold piece of information the greylisting triplet. The basic rule of operation is: if we have never seen this triplet before, refuse the delivery, and any further attempts that come within a certain period of time, with a temporary failure. This process is illustrated in Figure 6-1. Any well-behaved server that respects RFC 821 (where core SMTP is described) will retry sending the email over a period of time if it received a temporary failure while attempting a delivery. This retry behaviour exists because SMTP is inherently an unreliable method of transporting/exchanging data. In contrast, spam (and more recently virus) applications send their emails without retrying, because retrying is not feasible for them: spammers need to send out huge volumes of email fast, and retrying simply isn't an option. That's why greylisting is very effective in stopping both spam and virus-laden emails.
Figure 6-1
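The triplet rule described above, as an added example that is not part of the original chapter: an in-memory greylist that defers a never-seen (sender, recipient, client IP) triplet with a temporary failure, keeps deferring retries that come back too soon, and auto-whitelists the triplet once a retry arrives after the delay. The delay, retry window, whitelist lifetime, addresses and timestamps are assumptions chosen for the demonstration; the text only speaks of "a certain period of time".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunables are assumptions; the chapter only says "a certain period of time".
GREY_DELAY = timedelta(minutes=5)    # retries earlier than this are still deferred
RETRY_WINDOW = timedelta(hours=4)    # an unpassed triplet not retried by then is forgotten
WHITELIST_TTL = timedelta(days=36)   # a passed triplet stays auto-whitelisted this long


@dataclass
class Entry:
    first_seen: datetime
    last_seen: datetime
    passed: bool = False  # becomes True once the triplet has been accepted


class Greylist:
    """In-memory store of (sender, recipient, client_ip) triplets with timestamps."""

    def __init__(self):
        self.db = {}

    def check(self, sender, recipient, client_ip, now):
        """Return 'DEFER' (reply with a 4xx temporary failure) or 'OK' (accept)."""
        key = (sender.lower(), recipient.lower(), client_ip)
        entry = self.db.get(key)
        # Never seen, or seen so long ago that the entry has expired: record and defer.
        if entry is None or (
            (not entry.passed and now - entry.first_seen > RETRY_WINDOW)
            or (entry.passed and now - entry.last_seen > WHITELIST_TTL)):
            self.db[key] = Entry(first_seen=now, last_seen=now)
            return "DEFER"
        entry.last_seen = now
        # Retried too soon: still a temporary failure. Otherwise pass and auto-whitelist.
        if not entry.passed and now - entry.first_seen < GREY_DELAY:
            return "DEFER"
        entry.passed = True
        return "OK"


def simulate(attempt_offsets_minutes):
    """Replay one triplet's delivery attempts at the given minute offsets; return decisions."""
    gl = Greylist()
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    return [gl.check("alice@example.org", "bob@example.net", "192.0.2.10",
                     t0 + timedelta(minutes=m)) for m in attempt_offsets_minutes]


if __name__ == "__main__":
    # A compliant MTA retries (here after 1, 15 and 60 minutes) and gets through on
    # the second retry; a one-shot spam run delivers once and never comes back.
    print("RFC 821 MTA :", simulate([0, 1, 15, 60]))  # ['DEFER', 'DEFER', 'OK', 'OK']
    print("one-shot bot:", simulate([0]))              # ['DEFER']
```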
A greylisting service consumes minimal resources on the hosting system. Aside from storing the greylisting triplets and their associated timestamps, and performing the lookups against the database where this information is kept, it does almost no other work, and it limits network traffic to the SMTP connection itself. This is very beneficial because, unlike other spam/virus protection systems, we are not inspecting the email itself, which saves both processor time and network bandwidth. Also, because all legitimate mail is sent through RFC 821 compliant MTAs and because we never permanently fail a message, this service should never generate bounces (hence, no false positives).
On the flip side, this service adds a little more work on the sender's MTA side, because it has to retry sending the emails for a certain period of time, and the emails will always arrive later. However, this is true for the spammers as well: it can both increase the cost of their operation and give enough time for other methods of blocking spam (RBLs, etc.) to identify the source of the spam. By the time a spam source circumvents our greylisting system – if ever – other methods that already know of that source can kill that particular piece of spam. Greylisting works best stacked with other methods of identifying spam and viruses.
In conclusion, greylisting is a low-cost, low-maintenance service that cuts down on the processor time used for filtering spam and viruses and also limits the network bandwidth consumed by unwanted traffic.
