Greylisting -- Was: Anti Spam

Christopher Hilton chris at
Wed Apr 25 22:24:51 UTC 2007

Just my $0.02. Have you considered adding greylisting? I find the 
combination of greylisting and Spamassassin with the SA's bayes filter 
completely handles my spam problem. On my primary MX I use spamd on 
OpenBSD and on my secondary MX I use spamd on FreeBSD. As a very 
informal method of measurement my Inbox.spam folder, held an average of 
400 messages per day in October before I started using spamd. It 
currently averages about 80 messages per day.

If you don't know about greylisting it works as follows. A greylister 
monitors port 25 for inbound mail connections. When a server connects to 
this port to exchange mail the greylister predetermines the response 
based on whether or not this server has exchanged mail in the recent 
past. If it has it's allowed to exchange mail again and the server's 
timestamp is updated. If the server has not exchanged mail in the recent 
past the greylister responds: "45x - I'm too busy to talk to you right 
now. Please try to deliver this mail later". It then puts the server and 
information about the mail being delivered onto a list. If the same 
server tries the same message later it passes and the greylister 
promotes the server onto its list of okay mail servers (mail servers 
that it has exchanged mail with in the recent past).

Greylisting works because many, and I'd like to say most, spam programs 
never retry message delivery. The best thing about greylisting is that it 
combines well with filters like SA by reducing the amount of mail that 
they have to see. In my case something like 80% of the mail that 
Spamassassin used to process just never gets past the greylister today.

The downside to greylisting is that it delays the first message from a 
legitimate mailserver. In the most common case the incurred delay will 
be between 30 minutes and an hour. This assumes that the sending mail 
server retries queued mails every half hour or so. In an extreme case 
the delay may be longer. If the mail sender has a cluster for delivering 
outbound mails and that cluster features shared message storage and 
several processing units to handle the smtp transfer then the greylister 
will trap that message until the same server attempts redelivery. This 
is a problem with mail coming from very large internet companies like 
Google or AOL or very distributed corporations like General Electric, 
Unilever or United Technologies.

Since you are in an ISP environment greylisting may not be something 
that you can do. I was extremely surprised when a client told me that 
the 1 hr delay in receiving mail from new and infrequent mail servers 
was too much to pay to stop the spam coming into his mailbox. I don't 
claim to know the political layer as much as I do the technical one.

-- Chris

       __o          "All I was doing was trying to get home from work."
     _`\<,_           -Rosa Parks
Christopher Sean Hilton                    <chris | at |>
         pgp key: D0957A2D/f5 30 0a e1 55 76 9b 1f 47 0b 07 e9 75 0e 14
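The greylisting mechanics Chris describes (record the connecting server and the mail it offers, answer 45x on first contact, accept and whitelist on retry, and the cluster failure mode where each retry arrives from a different host) can be tried out in a few lines. The following is an added illustration, not code from the post or from OpenBSD/FreeBSD spamd; the timeouts, the (IP, sender, recipient) triplet key and the reply codes are assumptions chosen for the demo.

```python
"""Toy greylister modelled on the behaviour described in the post.

Added illustration, not spamd's code.  A triplet of (client IP, envelope
sender, envelope recipient) is recorded on first contact and temp-failed
with a 45x reply; a retry of the same triplet after MIN_WAIT seconds is
accepted and the client IP is promoted to the whitelist, whose timestamp
is refreshed on every later delivery.  All timings are assumptions.
"""
from dataclasses import dataclass, field

MIN_WAIT = 25 * 60              # retry must come at least this long after first sight (assumed)
GREY_TTL = 4 * 60 * 60          # abandoned triplets are forgotten after this (assumed)
WHITE_TTL = 36 * 24 * 60 * 60   # whitelisted hosts expire after this long without mail (assumed)


@dataclass
class Greylister:
    grey: dict = field(default_factory=dict)    # triplet -> first-seen time (seconds)
    white: dict = field(default_factory=dict)   # client IP -> last-seen time (seconds)

    def expire(self, now):
        """Drop triplets nobody retried and hosts that have gone quiet."""
        self.grey = {k: t for k, t in self.grey.items() if now - t <= GREY_TTL}
        self.white = {ip: t for ip, t in self.white.items() if now - t <= WHITE_TTL}

    def decide(self, ip, sender, rcpt, now):
        """Return the SMTP reply code given to this delivery attempt: 250 or 451."""
        self.expire(now)
        if ip in self.white:
            self.white[ip] = now            # refresh the "exchanged mail recently" timestamp
            return 250
        key = (ip, sender, rcpt)
        first = self.grey.get(key)
        if first is None:
            self.grey[key] = now            # first sight: remember it and temp-fail
            return 451
        if now - first < MIN_WAIT:
            return 451                      # retried too soon: still temp-failed
        del self.grey[key]
        self.white[ip] = now                # genuine retry: promote host to the whitelist
        return 250


def simulate():
    """Three constructed scenarios from the post; returns what each produced."""
    out = {}
    # 1. Well-behaved MTA: retries the same message from the same IP after 30 minutes.
    g = Greylister()
    out["mta"] = [g.decide("192.0.2.10", "ann@example.org", "bob@example.net", 0),
                  g.decide("192.0.2.10", "ann@example.org", "bob@example.net", 30 * 60),
                  # once whitelisted, a different message from the same host passes at once
                  g.decide("192.0.2.10", "carol@example.org", "bob@example.net", 31 * 60)]
    # 2. Spam software that never retries: the triplet ages out, the IP is never whitelisted.
    g = Greylister()
    out["bot"] = [g.decide("203.0.113.7", "x@example.com", "bob@example.net", 0)]
    g.expire(5 * 60 * 60)
    out["bot_whitelisted"] = "203.0.113.7" in g.white
    out["bot_pending"] = len(g.grey)
    # 3. Outbound cluster with a shared queue: each retry comes from a different host, so
    #    each is a new triplet and is temp-failed again; mail passes only when the first
    #    host happens to retry (the long-delay case the post mentions).
    g = Greylister()
    hosts = ["198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.1"]
    out["cluster"] = [g.decide(h, "news@example.com", "bob@example.net", i * 30 * 60)
                      for i, h in enumerate(hosts)]
    return out


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Keying on the full triplet rather than the IP alone is what makes the "same server, same message" retry check meaningful, and it is also exactly why a sending cluster that rotates hosts is delayed until one of them repeats: a defender choosing a greylister should check whether it offers a way to whitelist such senders up front rather than waiting for them to age through the grey list.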
