The trouble with greylisting

Greylisting is one of several fairly common methods of preventing bulk spam from getting into a mail server. In short, the concept is based on the following idea: The receiving mail server is contacted by a sending server it has never seen before. Rather than accept the (possibly spam) message, it issues a message to this effect:
Dear sending mail server: I'm having a problem right now, and can't accept your message. Please try again later.
The thought is that, if the sending server is really serious about delivering the message, it will try again in a little while. Most bulk spam mail servers are not configured to retry, as they expect that most of the harvested addresses they attempt to deliver to are going to fail for one reason or another. A real mail server, however, will try back after a few minutes. At that time, the greylisting server will (in theory) recognize the retry attempt, accept the message, and make a note never to test that host with this rather rude procedure again.
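
To make the idea concrete, here is a minimal sketch of that accept/defer decision. It is not how any particular greylisting package works: the `Greylist` class, its method names, and the choice of SMTP reply code 451 for the temporary failure are all assumptions made for illustration, and hosts are identified by IP address only.

```python
class Greylist:
    """Toy greylister keyed on the sending host's IP (an assumption)."""

    def __init__(self):
        self.pending = set()    # hosts we have deferred once
        self.confirmed = set()  # hosts that came back and passed the test

    def check(self, ip):
        """Return an SMTP-style reply for a delivery attempt from `ip`."""
        if ip in self.confirmed:
            return "250 OK"
        if ip in self.pending:
            # The host retried, so treat it as a real mail server.
            self.pending.discard(ip)
            self.confirmed.add(ip)
            return "250 OK"
        # First contact: ask the host to try again later.
        self.pending.add(ip)
        return "451 Temporary failure, please try again later"


greylist = Greylist()
print(greylist.check("192.0.2.10"))  # first contact is deferred
print(greylist.check("192.0.2.10"))  # the retry is accepted
```

A spam host that never retries stays in `pending` forever and never gets a message through, which is the whole trick.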

I have seen at least a few problems with this method.

Mail delivered by a cluster with multiple IPs

These days, the large e-mail providers (Hotmail/MSN, Yahoo, etc.) use multiple IP addresses to deliver e-mail, and the source IP address can vary on the next delivery attempt. In this case, the greylisting host will not recognize it as being a retry, and will "test" that server as well. In the best case scenario, this repeats until all of the possible mail host IPs have been tested & stored, one of the earlier IPs comes around again, and the message is finally accepted/delivered (after a long delay). However, this can also result in the sending host interpreting this strange charade as a permanent problem with the receiving mail server, and giving up. In this case, the sender would receive a bounce message or NDR (non-delivery report).
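
A rough simulation shows how quickly this gets out of hand. It assumes the cluster rotates through its IPs in a fixed round-robin order and that the greylister remembers hosts by IP only. Both are simplifications, and the function name and parameters are hypothetical.

```python
from itertools import cycle


def attempts_until_accepted(cluster_ips, max_attempts):
    """Count delivery attempts until a previously seen IP comes around again.

    Returns the attempt number that is finally accepted, or None if the
    sender gives up after `max_attempts` tries (which means a bounce).
    """
    seen = set()
    for attempt, ip in enumerate(cycle(cluster_ips), start=1):
        if attempt > max_attempts:
            return None  # sender gives up and generates an NDR
        if ip in seen:
            return attempt  # the greylister recognizes the retry
        seen.add(ip)  # new IP: deferred and remembered
    return None  # only reached when the cluster has no IPs at all


cluster = ["198.51.100.%d" % n for n in range(1, 5)]  # four outbound IPs
print(attempts_until_accepted(cluster, max_attempts=10))
print(attempts_until_accepted(cluster, max_attempts=3))
```

Under these assumptions a cluster of N addresses needs N + 1 attempts before anything is accepted, and a sender with a lower retry limit never gets through at all.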

Arbitrary minimum retry times

To get around the problem of an immediate retry, which is not that expensive to a spam host, most greylisters also implement a minimum retry delay, which will continue to reject reattempts within a certain time frame (usually around 5 minutes). This time frame may be unacceptable to some hosts, and unknown to others, again possibly causing them to give up because they are generally confused about what's going on.
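
Here is a sketch of what a minimum retry delay looks like from the receiving side. The 300-second default mirrors the "around 5 minutes" figure above. The class name and the explicit `now` timestamp argument (in seconds) are assumptions chosen to keep the example easy to follow.

```python
class DelayedGreylist:
    """Toy greylister that ignores retries arriving too soon."""

    def __init__(self, min_delay=300):
        self.min_delay = min_delay  # seconds a host must wait before retrying
        self.first_seen = {}        # ip -> time of the first attempt
        self.confirmed = set()

    def check(self, ip, now):
        if ip in self.confirmed:
            return "250"
        # Record the first attempt, or look up when it happened.
        first = self.first_seen.setdefault(ip, now)
        if now - first >= self.min_delay:
            self.confirmed.add(ip)
            return "250"
        # Either first contact or a retry inside the window: defer again.
        return "451"


greylist = DelayedGreylist()
for t in (0, 60, 120, 300):
    print(t, greylist.check("203.0.113.7", now=t))
```

The sending host has no way of learning the value of `min_delay`. All it sees is a run of temporary failures, which is exactly the confusion described above.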

Record lifetimes

The stored info about confirmed hosts usually has a lifetime, after which the server will need to be re-tested. This causes a delay to occur again in the future, and of course at that time the possibility exists that the process will fail for one of the above reasons, causing everyone to scratch their heads.
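
The expiry logic can be sketched like this. The 30-day lifetime is purely an assumed value, and the class and method names are hypothetical.

```python
DAY = 24 * 60 * 60  # seconds


class ExpiringWhitelist:
    """Toy store of confirmed hosts whose records expire after `lifetime`."""

    def __init__(self, lifetime=30 * DAY):
        self.lifetime = lifetime
        self.confirmed_at = {}  # ip -> time the host last passed the test

    def confirm(self, ip, now):
        self.confirmed_at[ip] = now

    def is_trusted(self, ip, now):
        confirmed = self.confirmed_at.get(ip)
        if confirmed is None:
            return False
        if now - confirmed > self.lifetime:
            # Record is stale: forget the host so it gets tested again.
            del self.confirmed_at[ip]
            return False
        return True


hosts = ExpiringWhitelist()
hosts.confirm("192.0.2.25", now=0)
print(hosts.is_trusted("192.0.2.25", now=10 * DAY))  # still inside the lifetime
print(hosts.is_trusted("192.0.2.25", now=31 * DAY))  # expired, must be re-tested
```

Once the record expires, a host that has been delivering mail without trouble for weeks is suddenly a stranger again.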

As the volume of mail on the internet increases, there will be more providers with clusters doing delivery, there will be more spam, there will be more people using techniques such as greylisting, and there will be more spammers finding ways to reduce the effectiveness of greylisting.


Greylisting has got to go. It's a stopgap measure that is based on the idea of fooling someone or something. Those kinds of solutions usually don't scale, and eventually fail.

What is the future of mail host authenticity checking?

I haven't researched this much, but why doesn't every "valid" mail host in the world have a public key listed in a worldwide registry database or available via DNS? There is already precedent for databases being part of the internet's infrastructure, such as the root.hints file for DNS, and arguably what people are already doing with RBL services such as Spamhaus, CBL, etc.

Here's an example of how this would work:

Mail Host A contacts Mail Host B and tries to deliver a message in an "envelope" signed with its private key.

Mail Host B obtains the public key of Mail Host A (if it's not cached), probably via the DNS protocol.

Mail Host B verifies the authenticity of the signature against the public key.

Mail Host B knows whether Mail Host A really is who he says he is, and perhaps even whether he is worth listening to.
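
The steps above can be sketched in a few lines. To be clear about what is assumed here: this uses textbook RSA with a toy-sized key built from two well-known Mersenne primes, which is NOT secure and is not GPG. It only stands in for a real signature scheme so the example runs with the standard library alone. The `PUBLIC_KEY_REGISTRY` dict is a hypothetical stand-in for the DNS or registry lookup, and the host name is made up.

```python
import hashlib

# Toy key material for Mail Host A. Illustration only, NOT secure.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# Hypothetical stand-in for a public key published via DNS or a registry.
PUBLIC_KEY_REGISTRY = {"mail-a.example": (N, E)}


def digest(envelope, n):
    """Hash the envelope and reduce it into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(envelope).digest(), "big") % n


def sign_envelope(envelope, n, d):
    """Step 1: Mail Host A signs the envelope with its private key."""
    return pow(digest(envelope, n), d, n)


def verify_envelope(claimed_host, envelope, signature):
    """Steps 2 to 4: Mail Host B looks up the key and checks the signature."""
    key = PUBLIC_KEY_REGISTRY.get(claimed_host)
    if key is None:
        return False  # no published key, so the host cannot be verified
    n, e = key
    return pow(signature, e, n) == digest(envelope, n)


envelope = b"MAIL FROM:<alice@mail-a.example> RCPT TO:<bob@mail-b.example>"
signature = sign_envelope(envelope, N, D)
print(verify_envelope("mail-a.example", envelope, signature))
print(verify_envelope("mail-a.example", envelope + b" tampered", signature))
```

Notice that `verify_envelope` never looks at the connecting IP address. The check depends only on the claimed host name, the envelope, and the signature.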

I do realize that this is similar to SPF (Sender Policy Framework), but the thought of using GPG signing seems like a better way to do this. It would get around some of the inherent vulnerabilities and non-portability of depending on identifying certain mail server IP addresses. The signature that Mail Host A uses is totally independent of the IP address being used to deliver the message. As long as the private key is not compromised, the mail envelope can be trusted.

