Greylisting: A noble defeat in the spam wars
Fastmail, my main email server provider, has recently introduced greylisting (Wikipedia) in an attempt to reduce the amount of spam getting into inboxes.
Greylisting works by initially rejecting email from an unknown mail server. The theory goes that legitimate emails will be resent and are then accepted the second time, whilst spammers won’t bother resending, so their emails are, in effect, blocked.
It’s a noble idea, and in a perfect world would work perfectly.
Over the weekend, the company acknowledged defeat in its attempts to tweak the feature a little. The story is worth retelling. It shows not only a well-intentioned company frustrated by practical realities outside its control but also how sneaky spammers are:
Recently we’ve observed that some spam zombie machines are smarter than others, and do SMTP retrying which means that they bypass greylisting. These machines have been responsible for a large number of “stock scam” spams that include random text and an attached gif. Between Oct 17 to Oct 20 we were trying out a new greylisting policy that involved taking feedback from the spam scoring system, and re-greylisting systems with an increased delay if they had delivered emails that had been detected as spam by the scoring system. Our testing suggested that this quickly and effectively blocked the zombie machines.
Unfortunately it also blocked a small number of poorly configured real email servers that were being used for forwarding because they would also forward all spam emails, and thus be judged as the source of the spam. This caused some emails to be delayed for many hours or in some cases over a day. We’ve now removed this policy totally. While the concept seems a good idea, unfortunately the small number of incorrectly configured hosts out there mean that this just causes too much of a problem for them.
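The behaviour described above can be reproduced with a small simulation, added here as an illustration and not Fastmail's code. It assumes greylisting keyed on the client IP alone (deployments commonly key on the IP, sender and recipient together), and the delay values, penalty factor and the names `Greylist` and `run` are constructed for the example.

```python
# Added illustration; delays and the penalty factor are constructed values.
BASE_DELAY = 300        # seconds a new host must wait before a retry is accepted
PENALTY_FACTOR = 12     # delay multiplier each time the scorer flags the host

class Greylist:
    def __init__(self, feedback=False):
        self.feedback = feedback      # True = the spam-score feedback policy
        self.hosts = {}               # ip -> [wait_started_at, required_delay]

    def attempt(self, ip, now):
        """Return 451 (temporary reject) or 250 (accept) for one SMTP attempt."""
        if ip not in self.hosts:
            self.hosts[ip] = [now, BASE_DELAY]
            return 451
        started, delay = self.hosts[ip]
        return 250 if now - started >= delay else 451

    def report_spam(self, ip, now):
        """Scorer feedback: re-greylist the host with an increased delay."""
        if self.feedback and ip in self.hosts:
            self.hosts[ip] = [now, self.hosts[ip][1] * PENALTY_FACTOR]

def run(feedback, retry_every, messages, give_up=5 * 86400):
    """Deliver (sent_at, is_spam) messages from one host, in order.
    Returns per-message delay in seconds (None = never delivered);
    retry_every=None models a sender that never retries."""
    gl, ip, delays = Greylist(feedback), "192.0.2.10", []   # documentation IP
    for sent_at, is_spam in messages:
        t, delay = sent_at, None
        while t - sent_at <= give_up:
            if gl.attempt(ip, t) == 250:
                delay = t - sent_at
                if is_spam:
                    gl.report_spam(ip, t)   # assumes scoring happens at acceptance
                break
            if retry_every is None:
                break
            t += retry_every
        delays.append(delay)
    return delays

if __name__ == "__main__":
    spam_run = [(0, True), (1000, True)]
    forwarder = [(0, True), (1000, True), (5000, False)]   # last one is real mail
    print("non-retrying zombie  :", run(False, None, [(0, True)]))
    print("retrying zombie      :", run(False, 600, spam_run))
    print("zombie with feedback :", run(True, 600, spam_run))
    print("forwarder + feedback :", run(True, 900, forwarder))
```

In the last scenario the forwarding server relays two spam messages and is penalised twice, so the legitimate message it forwards afterwards waits 12 hours, which is the failure mode that led to the policy being withdrawn.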
October 31st, 2006 at 6:01 am
They need to learn a bit more about greylisting. Two points in particular:
1. greylisting still blocks probably over 90% of spam with no false positives. Any good filtering system will involve multiple techniques - this is a good, cheap, initial step. A technique doesn’t have to get rid of 100% of spam in order to be useful.
2. The delay that greylisting causes gives the filterer enough time to find copies (either identical or extremely similar) of the spam from other sources (e.g. honeypots). This information can then be used when the more clever spammers do retry