Email greylisting: what, why, and how
See also: Email greylisting problems and how they’re monitored
Greylisting is an email anti-abuse mechanism that aims to reduce spam by temporarily rejecting email traffic from unknown senders. Recipient mailservers which have greylisting enabled usually send out a ‘4xx’ DSN code in response to messages coming from senders without an established reputation, indicating a “soft bounce” or temporary problem. That in turn acts as an invitation to legitimate senders to retry delivery of their emails after a period of time.
The basic concept behind greylisting has been around for decades (SAUCE, PureMagic) and is fairly simple. Spammers used to commonly use intentionally misconfigured or limited software (spamware) that would not retry sending an email if it was initially rejected, even for temporary blockages (soft bounces).
At the same time, legitimate senders would use well-configured mailservers which would retry delivery many times by default. The difference in these two approaches reflects the value of the messages being sent: spam has a low value per message and prioritises bulk, whereas legitimate mail has a high value and prioritises delivery success.
Greylisting introduces a deliberate delay to mailservers receiving mail in order to evade easily-deterred spammers, at the cost of a minor inconvenience to legitimate senders. The concept is the same as requiring “proof of work” and the requirement for “mining” in cryptocurrencies like Bitcoin (Bitcoin in fact inherited the idea from email).
Since greylisting was first introduced, email abuse attempts have become significantly more sophisticated; at the very least spammers often retry delivery, whether through their own software or via innocent third party servers which they have hacked.
Regardless of whether a spammer retries delivery or not, greylisting is effective to the extent that it increases the cost of spamming, as more delivery attempts and server resources are required. As such it has proven to be a useful tool in combatting spam, at the cost of greatly decreasing the efficiency of mailserver operation for legitimate and illegitimate senders alike.
For the most part, email greylisting and blacklisting are almost identical – they’re both anti-abuse mechanisms that aim to reduce emails from bad actors by rejecting them. The not-so-subtle difference is that while greylisting deals with temporary rejections (asking senders to retry delivery), blacklisting permanently blocks mail from the sender.
Both mechanisms can co-exist and build on top of each other’s results and effectiveness, as long as they are configured properly and constantly monitored and updated.
Greylisting can be applied at different stages of mailserver communication. RFC 6647 describes the following SMTP phases at which greylisting may be applied:
- Connection-level greylisting
- SMTP EHLO/HELO greylisting
- SMTP MAIL greylisting
- SMTP RCPT greylisting
- SMTP DATA greylisting
At each stage different information is available for a greylisting decision to be made. For example: connection-level greylisting takes place at the very beginning of communication, at which point only the IP address of the remote host is known. The message has not yet been received. Therefore greylisting here means using the least data to determine trustworthiness – only the remote host IP address – and the least investment in storing and processing the message. In other words it’s cheap but less accurate.
Greylisting at the last stage, SMTP DATA, takes the opposite approach: by this point the message has been received and stored and is available for inspection. The contents of the email can be used to judge whether the message is spam and whether the sender is trustworthy. As such this approach is expensive but more accurate.
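The following Python is an added example, not code from this article or from Lightmeter. It models the two points made above: the core greylisting cycle (an unknown sender gets a temporary 4xx reply and is accepted only on a retry after a minimum delay, so software that never retries never gets through), and the way the information a greylisting decision can be keyed on grows with the SMTP stage from RFC 6647 (IP only at connection level, up to the IP/sender/recipient triplet at RCPT and DATA). The retry windows, the `451 4.7.1` reply text, the IP address, hostnames and mailbox addresses are all assumptions constructed for the illustration.

```python
"""Added example (not from the article): a minimal greylister keyed per SMTP
stage, plus a simulation of a non-retrying spam sender versus a retrying MTA.
All policy values, hosts and addresses below are constructed assumptions."""

from dataclasses import dataclass, field

# Policy windows (assumed, not taken from the article): a retry is accepted
# only after MIN_RETRY seconds, and an entry never retried is forgotten after
# MAX_AGE seconds so the table does not grow without bound.
MIN_RETRY = 300
MAX_AGE = 4 * 3600

# Assumed reply text; real greylisters use a variety of 4xx replies.
TEMP_REJECT = (451, "4.7.1 Greylisted, please try again later")
ACCEPT = (250, "OK")


@dataclass
class SmtpAttempt:
    """What the receiving server knows about one delivery attempt; fields fill
    in as the SMTP dialogue progresses, which is why later stages can key on
    more of them."""
    client_ip: str
    helo: str = ""
    mail_from: str = ""
    rcpt_to: str = ""


def greylist_key(stage, attempt):
    """Return the tuple a greylister can key on at the given RFC 6647 stage.
    Earlier stages see less information (cheap, coarse); later stages see
    more (more state to keep, but a finer-grained decision)."""
    if stage == "connection":
        return (attempt.client_ip,)
    if stage == "helo":
        return (attempt.client_ip, attempt.helo)
    if stage == "mail":
        return (attempt.client_ip, attempt.mail_from)
    if stage in ("rcpt", "data"):
        return (attempt.client_ip, attempt.mail_from, attempt.rcpt_to)
    raise ValueError(f"unknown greylisting stage: {stage}")


@dataclass
class Greylister:
    stage: str = "rcpt"
    first_seen: dict = field(default_factory=dict)   # key -> time of first attempt
    allowed: set = field(default_factory=set)        # keys that passed the retry test

    def decide(self, attempt, now):
        """Return the (code, text) reply for this attempt at time `now` (seconds)."""
        key = greylist_key(self.stage, attempt)
        if key in self.allowed:
            return ACCEPT
        seen = self.first_seen.get(key)
        if seen is None or now - seen > MAX_AGE:
            # Never seen (or seen too long ago): record it and ask for a retry.
            self.first_seen[key] = now
            return TEMP_REJECT
        if now - seen < MIN_RETRY:
            # Retried too quickly: still a temporary rejection.
            return TEMP_REJECT
        # A patient retry: promote the key and accept from now on.
        self.allowed.add(key)
        del self.first_seen[key]
        return ACCEPT


def simulate_spamware(gl, attempt, start):
    """Spamware that never retries: a single attempt, then it moves on."""
    code, _ = gl.decide(attempt, start)
    return code


def simulate_mta(gl, attempt, start, retry_schedule=(60, 300, 900)):
    """A well-configured MTA retries on 4xx. Returns (final code, seconds delayed)."""
    code, _ = gl.decide(attempt, start)
    elapsed = 0
    for delay in retry_schedule:
        if code == 250:
            break
        elapsed += delay
        code, _ = gl.decide(attempt, start + elapsed)
    return code, elapsed


if __name__ == "__main__":
    # Constructed sample attempt (documentation IP range, example domains).
    a = SmtpAttempt("203.0.113.7", "mail.example.net",
                    "alice@example.net", "bob@example.org")
    print("spamware, no retry:", simulate_spamware(Greylister(), a, 0))
    print("MTA with retries:", simulate_mta(Greylister(), a, 0))
```

Running it shows the non-retrying sender stuck at 451 while the retrying MTA is accepted on its second retry, six minutes after the first attempt. Switching `stage` to `"connection"` makes one successful retry whitelist the whole IP for every sender and recipient, whereas the `"rcpt"` key greylists each new sender/recipient pair from that IP separately, which is the cheap-but-coarse versus expensive-but-precise trade-off the text describes.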
Lightmeter monitors these delays in the form of deferred email, and provides an easy way for admins and mailbox users to check the status of any email via the Message Detective.