What is “Greylisting”?

In a truly ironic turn of events, it seems that spam has sparked a number of technological innovations. Traditional spam filters for example are technically very complex pieces of software that try to analyze the content of email to determine whether or not it is legitimate or not.

No less innovative, greylisting is conceptually very simple, and makes use of the mail system’s own protocols to try to ferret out the legitimate from the spam.

Yes, conceptually very simple.

Greylisting relies on a characteristic of the protocol used to move mail from one mail server to another (SMTP, or Simple Mail Transfer Protocol). That protocol says that it’s OK for a mail server to be “too busy” to accept mail. When computer A tries to send mail through mail server B, and B responds by saying “I’m too busy right now”, machine A is supposed to hold the message it’s attempting to send, and then try to send it again later.

Greylisting also relies on the observation that most spam zombies don’t try again later, they simply fail to deliver their spam. Legitimate mailers sending primarily legitimate mail will follow the protocol, and after a few seconds, minutes or hours, will re-send the delayed mail.

So now that we have this technique that will allow us to tell the difference between some likely spam and other more likely legitimate mail, how does a greylisting implementation actually use it?

The greylist processor tracks three pieces of information for each email that it receives:

• the IP address of the machine sending the email to the mail server
• the “From” address of the email
• the “To” address of the email

Call that a “triplet” of information about each email.

The basics of greylisting then works like this:

• If the triplet has never been seen before, respond with “I’m too busy”.
• If the triplet has been seen before, process the mail normally.

So the first time a message shows up, it gets delayed. The second time it shows up, it is processed and that triplet is then considered “ok” from then on, and no longer subject to greylisting delays.

Now there are some details that I’ve glossed over. For example two different emails that happen to share the same triplet should not cause greylisting to think that they’re ok. Similarly, that “resend” needs to be seen within a certain amount of time for it to be considered valid. So in practice the greylisting processors will keep and manage a database of triplets that are in various states. (Implementations differ on how persistent that database is .. some maintain it semi-permanently, others start from an empty database each time the mail server is restarted. Ultimately that’s only an optimization, and doesn’t affect the effectiveness of the technique.)

Note that this process is totally based on experience – greylisting “learns” who the legitimate senders are by their behavior over time. There’s no need for a “whitelist” of known good senders. A good sender will simply prove itself over time by behaving properly.

Risks of Greylisting

Not everyone is in complete agreement on greylisting. There are at least a couple of risks associated with using it.

Bad, yet legitimate, mailers: it turns out that not all mailers know what to do when the server they’re sending to says “I’m too busy”. The result is that mail sent from these mailers that should be queued and tried again later, is instead bounced back to the sender. There’s no easy way to get the mail through at that point. Fortunately, these misbehaving mailers are few, and in decline.

Processor load: greylisting is yet another task that the mail server has to do to process each incoming mail. Depending on the implementation, the server’s load, and the database technology it implements, greylisting can have an impact on server performance. The good news is that by implementing greylisting “in front of” any spam filtering, total load can often be reduced as a result, since spam filtering is typically an even more computing-intensive task.

How to get Greylisting

Ask your system administrator. Period. Greylisting is most definitely not something for end-users to implement. It requires tight integration with the mail software running on your mail server. Depending on  your mail server, and who provides it for you, getting it may not even be an option.

Finally, greylisting is but one tool in the war on spam. Even with it in place, you’ll still need your other anti-spam solutions, whatever they might be, and your anti-virus and anti-spyware solution as well. Greylisting might prevent you from getting some of the spam headed your way, but it does not prevent you from viruses or spyware that might turn your machine into a spam-sending zombie.