SPAM Blocking using Greylisting

Greylisting

    There are a wide variety of techniques for blocking spam. One popular method is to use greylisting. Greylisting is a technique that relies on the fact that many spammers use 'bots' (automated processes) to send email directly to email servers. These bots rarely retry sending email when they receive an error. Greylisting takes advantage of this by temporarily failing all connections from new senders. Spam bots will not retry, but all legitimate mailservers will, as required by the SMTP specification.

How Greylisting Works

    Greylisting typically relies on identifying a sender and recipient pair by using a 'triplet'. This consists of three pieces of information:

    • the connecting IP address (the computer connecting)
    • the sender email address
    • the recipient email address
    Email from a new triplet that has never been seen before is rejected with a temporary error code (4xx in SMTP) by the receiving mail server (or MTA, Mail Transfer Agent). The server stores a database of triplets for a configurable amount of time. If the triplet is retried, the server accepts the email from that connection on the next attempt. Once accepted, the triplet is stored for a configurable amount of time so that email from that sender always comes straight through undelayed in future. If the retry does not happen within a configurable time, the triplet is "expired" from the database and forgotten by the server. Future email from that triplet will again be delayed.

    The advantage of greylisting is that it has a very low false positive rate. That is, it is unlikely to block legitimate email. The disadvantage is that email from a new sender is delayed for a period of time equal to the retry interval of the sending server. This results in typical delays of 10 to 15 minutes, but can be up to one or two hours in extreme cases. Once the sender has been accepted, though, future email from that sender passes through without delay.

    Let's work through an example.

Greylisting Example

    A bot attempts to send an email from sender@spammer.com to user@domain.com from IP address 12.34.56.78

    Mail from bot  ->  Mailserver: Rejects

    The email is rejected with a temporary error code of 420. The bot does not retry as it simply tries the next server or recipient in its list of people to spam. The spam is effectively blocked.

    In the second case, a mailserver attempts to send email from sender@remotedomain.com to user@domain.com from IP address 78.56.34.12

    Remote mailserver  ->  Local Mailserver: Rejects

    Initially the email is rejected as it's from a new triplet. The sending mailserver is well-behaved and retries:

    Remote mailserver  ->  Local Mailserver: Retry Accepted

    The retry is accepted because the receiving mailserver has remembered the triplet, so the email passes straight through. Note that other spam blocking techniques may also be applied after greylisting to catch spam sent from servers or bots that do retry.

Adding Greylisting support to your server

    If you wish to add Greylisting to any email server you can use Hexamail Guard or Hexamail Nexus. They provide a sophisticated array of greylisting features in addition to many other spam blocking techniques. Hexamail greylisting has several advantages over many other greylisting implementations:

    • Whitelist of IP addresses so that they are not greylisted at all. You typically want to whitelist all internal network addresses, popular email providers such as AOL, Yahoo and Gmail, and perhaps your customers' IPs.
    • Scheduling of greylisting for particular times of day. This allows you to greylist overnight but allow all email immediately without delay during office hours.
    • Greylisting by country. You can greylist just email from countries you rarely have business dealings with. This prevents greylisting of important email from within your timezone or main country of business and only delays email from other countries for a short period.
    • Use only a portion of the IP address to define triplets. This can assist when email is being sent from a server farm, or multiple IP addresses. Greylisting will be applied to the first part(s) of the IP address instead of the entire IP address. Server farms typically have all IP addresses within a range and therefore greylisting will not unduly delay email that is retried from different IPs on each retry.
    • Whitelist of sender email addresses so that they are not greylisted at all. You can use this to whitelist your email contacts so that email is never greylisted from them.
    • Exclude some recipient addresses from greylisting. You may have notification addresses or users who always want email immediately without delay. You can ensure email to those addresses is not greylisted.
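    The triplet database described under "How Greylisting Works" and the walkthrough above, together with the IP/sender/recipient whitelists and partial-IP triplets from the feature list, as an added illustration (written here, not Hexamail's code). It assumes a conventional 450 temporary reply rather than the 420 shown in the diagram, and the retry window, the retention period for accepted triplets and the sample addresses are constructed values.

```python
import ipaddress
import time

TEMP_FAIL = "450 4.7.1 Greylisted, please try again later"  # 4xx: a real MTA retries, a bot moves on
ACCEPT = "250 OK"

class Greylist:
    # retry_window: how long an unretried triplet is kept; keep_accepted: how long an
    # accepted triplet passes straight through; prefix_len < 32 keys on part of the IP
    def __init__(self, retry_window=4 * 3600, keep_accepted=35 * 86400, prefix_len=32,
                 ip_whitelist=(), sender_whitelist=(), exempt_recipients=(), clock=time.time):
        self.retry_window, self.keep_accepted, self.prefix_len = retry_window, keep_accepted, prefix_len
        self.ip_whitelist = [ipaddress.ip_network(n) for n in ip_whitelist]
        self.sender_whitelist = {s.lower() for s in sender_whitelist}
        self.exempt_recipients = {r.lower() for r in exempt_recipients}
        self.clock = clock
        self.db = {}  # triplet -> [first_seen, accepted_at or None]

    def triplet(self, ip, sender, rcpt):
        net = ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False)  # server-farm case
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, ip, sender, rcpt):
        now = self.clock()
        if (any(ipaddress.ip_address(ip) in n for n in self.ip_whitelist)
                or sender.lower() in self.sender_whitelist or rcpt.lower() in self.exempt_recipients):
            return ACCEPT  # whitelisted: never greylisted
        key = self.triplet(ip, sender, rcpt)
        entry = self.db.get(key)
        if entry is not None:
            first_seen, accepted_at = entry
            if accepted_at is not None and now - accepted_at <= self.keep_accepted:
                entry[1] = now  # known-good triplet: refresh and pass straight through
                return ACCEPT
            if accepted_at is None and now - first_seen <= self.retry_window:
                entry[1] = now  # the retry: accept and remember the triplet
                return ACCEPT
        self.db[key] = [now, None]  # never seen, or expired: start over with a 4xx
        return TEMP_FAIL

def walkthrough():
    t = [0.0]  # fake clock so the page's two scenarios can be replayed deterministically
    gl = Greylist(clock=lambda: t[0], prefix_len=24, ip_whitelist=["10.0.0.0/8"])
    replies = [gl.check("12.34.56.78", "sender@spammer.com", "user@domain.com"),       # bot: rejected, never retries
               gl.check("78.56.34.12", "sender@remotedomain.com", "user@domain.com")]  # real MTA: rejected
    t[0] += 15 * 60                                                                    # ...retries 15 minutes later
    replies.append(gl.check("78.56.34.12", "sender@remotedomain.com", "user@domain.com"))  # accepted
    replies.append(gl.check("78.56.34.99", "sender@remotedomain.com", "user@domain.com"))  # same /24: accepted
    t[0] += 3 * 86400
    replies.append(gl.check("78.56.34.12", "sender@remotedomain.com", "user@domain.com"))  # still remembered
    replies.append(gl.check("10.1.2.3", "anyone@example.org", "user@domain.com"))          # internal: whitelisted
    return replies
```

Note that this model accepts any retry within the window; many production greylisters additionally refuse retries that arrive within the first few minutes, which the page does not describe.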

    Hexamail also provides a mailserver, Hexamail Server, with built-in antispam and greylisting capabilities.