
Greylisting is one of the many automated tools we use on the AcceptIO servers to minimize how much spam you get while still delivering legitimate email reliably. In the arms race that is spam today, there is seldom any news that is both good and dramatic. Greylisting is an exception: in our experience it gets rid of about 90% or more of the spam you would otherwise receive. The bad news is that someday the spammers will adapt to greylisting (it is not hard to do; a spambot only has to start retrying), but in the meantime it is like having a bad cold for a long time and suddenly waking up feeling great one day.

You can search around for descriptions of "greylisting" (usually spelled with an "e"), but the two usual starting places for it are:

(Those links are external sites not affiliated with AcceptIO.)

In a nutshell, greylisting exploits the fact that most spam messages and email viruses are sent by simplistic software running on compromised computers all over the world. Unlike real SMTP servers, that spambot software does many things that do not comply with the SMTP specification. One thing in particular someone noticed is that it usually does not retry after an error. An SMTP conversation can end in a temporary failure (a 4xx response), which is what a receiving server returns when something is temporarily wrong on its end, such as a sick server or a mailbox that has hit its storage quota. The sending server is supposed to wait a while and then try again, and that happens every day behind the scenes without you knowing or caring. Spambots, by and large, never retry.

How can we tell the difference? When do we stop giving a temporary failure? For any new combination of:

  1. your email address,
  2. the sending server's IP address, and
  3. sender's email address,

we issue a temporary failure. We remember that triplet and keep issuing temporary failures for it for a limited time. In our case that is 5 minutes, because studies have shown (yes, there actually are studies, and we have seen the data) that 5 minutes is almost as good as infinity when you are waiting for a spambot to retry. If the same triplet comes back after the 5 minutes are up, the message bypasses greylisting. We keep those records around as long as they see occasional activity. In the usual non-spam case, only the very first message someone new sends you is delayed, and how long depends on the sending server's retry schedule: maybe 5 minutes, maybe half an hour. After that, messages from that sender flow to you unimpeded.

Greylisting implementations handle a number of well-known special cases that we won't go into here. If you're interested, you can read all about them by following the links we gave above. In simplified terms, the biggest problem is legitimate email servers with quirks that irritate greylisting; the classic one is a large provider that retries from a different server, and therefore a different IP address, each time, so the triplet never matches and the message keeps getting deferred. The good news is that it is easy to configure any particular legitimate host or group of hosts to bypass our greylisting completely. (This is called whitelisting in the trade.) We already have a configuration that knows about most major email services and lets them bypass our greylisting.