Information Technology Centre

Greylisting

Slow down spammers with greylisting

How does greylisting work?

Greylisting takes advantage of the fact that spamming is generally not error-tolerant. To "spam" effectively, many millions of e-mails must be sent within a short period of time, so spam software works on the "fire and forget" principle: it tries to deliver an e-mail to a given recipient only once. A large proportion of spam is sent to non-existent mailboxes (guessed e-mail addresses) anyway, so it has (so far) not seemed worthwhile for spammers to repeat failed attempts. This is where greylisting comes in. Three pieces of information are stored for each connection attempt to our inbound servers:

  • The IP address of the contacting mail server
  • The e-mail address of the sender (envelope address)
  • The e-mail address of the recipient (envelope address)

If this combination occurs for the first time, the delivery attempt is rejected with the temporary error message "450 you are greylisted - try again later". This behaviour is compliant with the SMTP standard (Simple Mail Transfer Protocol), which requires the sending mail server to repeat the delivery attempt after a certain time (about 30 minutes) in such a case. By then the combination is known and the mail is allowed to pass.

To prevent a delivery from simply being repeated immediately after the first failed attempt, the combination of sender, recipient and IP address is only enabled after a defined time (currently 10 minutes); otherwise spammers could cancel out greylisting too easily. If another delivery attempt with the same combination is made within the next 12 hours, the mail is delivered as usual and the information triplet is activated for the next 36 days.

If no further attempt is made, the triplet is removed from the database once the 12 hours have elapsed. For a mail to be delivered successfully, the second attempt (or one of the following attempts) must therefore fall within this time window! Each successful delivery extends the validity period of the triplet, so for regular e-mail contacts only the very first mail is affected by the delay.
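The timing rules above (450 on first contact, the 10-minute minimum delay, the 12-hour retry window and the 36-day lifetime that each successful delivery renews) are easiest to see as a small state machine. The following is an added illustration, not the centre's own relay software; the constants are the values quoted on this page, the in-memory dict stands in for the real database, and the host names and addresses in `simulate()` are constructed.

```python
"""Greylisting decision logic modelled on the rules described above.

Added example, not the centre's own code. Times are seconds since an arbitrary
epoch; the caller passes `now` so the logic can be replayed deterministically.
"""
from dataclasses import dataclass

MIN_DELAY = 10 * 60           # a triplet becomes usable 10 minutes after first contact
RETRY_WINDOW = 12 * 3600      # an unconfirmed triplet is dropped after 12 hours
ACTIVE_LIFETIME = 36 * 86400  # a confirmed triplet stays active for 36 days

TEMPFAIL = "450 you are greylisted - try again later"
ACCEPT = "250 OK"


@dataclass
class Entry:
    first_seen: float     # time of the first (rejected) delivery attempt
    expires: float        # time after which the entry is purged
    active: bool = False  # True once a correctly timed retry has passed


class Greylist:
    def __init__(self):
        self.db = {}  # (client_ip, sender, recipient) -> Entry

    def purge(self, now):
        """Drop expired triplets: unconfirmed ones after 12 h, confirmed ones after 36 days."""
        for key in [k for k, e in self.db.items() if e.expires <= now]:
            del self.db[key]

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP response for one delivery attempt made at time `now`."""
        self.purge(now)
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.db.get(key)

        if entry is None:
            # Unknown triplet: remember it and ask the client to come back later.
            self.db[key] = Entry(first_seen=now, expires=now + RETRY_WINDOW)
            return TEMPFAIL

        if entry.active:
            # Known-good triplet: accept without delay and renew it for 36 days.
            entry.expires = now + ACTIVE_LIFETIME
            return ACCEPT

        if now - entry.first_seen < MIN_DELAY:
            # Retried too soon: keep the original timestamp and reject again.
            return TEMPFAIL

        # Retry after the 10-minute delay and inside the 12-hour window: let it through.
        entry.active = True
        entry.expires = now + ACTIVE_LIFETIME
        return ACCEPT


def simulate():
    """Replay a constructed sequence of attempts for one triplet; returns the responses."""
    g = Greylist()
    triplet = ("203.0.113.5", "alice@example.org", "bob@uni-wuerzburg.de")  # constructed
    minute, day = 60, 86400
    return [
        g.check(*triplet, now=0),            # first contact            -> 450
        g.check(*triplet, now=5 * minute),   # retry before 10 minutes  -> 450
        g.check(*triplet, now=30 * minute),  # retry after 30 minutes   -> 250, triplet active
        g.check(*triplet, now=20 * day),     # regular contact, no delay -> 250, renewed
        g.check(*triplet, now=50 * day),     # still within 36 days     -> 250, renewed
        g.check(*triplet, now=90 * day),     # 36 days without mail     -> starts over with 450
    ]


if __name__ == "__main__":
    for response in simulate():
        print(response)
```

A "fire and forget" sender that never retries only ever sees the first branch: its triplet sits unconfirmed in the table and is purged after 12 hours, so nothing is delivered and nothing accumulates. A retry that arrives only after the 12-hour window has passed is treated as a new first contact, which is the case the page warns about.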

What is the advantage of greylisting?

Since the introduction of greylisting, the proportion of spam has fallen from over 90% to around 30%, and the load on the mail relays has dropped noticeably: the volume of mail has fallen from around 200,000 mails per day to around 50,000 mails per day. A positive side effect is that mail worms such as Sobig can cause less damage. These worms, which spread themselves via e-mail, are likewise not designed to be fault-tolerant and are normally blocked by greylisting. Although mail worms are intercepted by the data centre's central virus scanners, it usually takes several hours or even days between the appearance of a new worm and the reaction of the antivirus software manufacturers, and during that period the new worm cannot be detected by the virus scanners. Greylisting offers the only protection here.

What problems does greylisting harbour?

Greylisting can also occasionally cause problems with legitimate mail servers, namely those that do not behave in accordance with SMTP. This is usually caused by a sloppy configuration or simply poorly programmed software; the responsibility here lies with the operator of the mail server.

Dynamic IP addresses (modem connections, DHCP) are another problem. Such a client is usually assigned a new IP address every time it dials in, and is usually not online long enough with the same IP address to fulfil the success criteria of greylisting. Senders in this situation must use the relay server (smarthost) of their provider, which then takes care of the correct delivery of the mail.

Are there exceptions?

In order to minimise the potential disruption to mail traffic, greylisting is only applied to connections that are classified as suspicious. The criteria for this are:

  • The client is a potential dial-up machine (more than 5 digits in the host name)
  • The HELO domain does not correspond to the client domain
  • The sender domain does not correspond to the client domain
  • No sender is specified (MAILER-DAEMON, without exception!)
  • The client name cannot be resolved via DNS (without exception!)

In addition, mail servers from domains from which little spam is known to be expected have been excluded from greylisting. These are currently:

  • major providers (aol.com, hotmail.com, yahoo.com, lycos.com, t-online.com, t-dialin.net, t-ipconnect.de, web.de, freenet.de, gmx.de, gmx.net, kundenserver.de)
  • international educational institutions (*.edu, *.ac.??)
  • German universities (uni-*.de, fh-*.de, tu-*.de, fu-*.de)
  • etc.

Other domains that cause problems can also be added to the whitelist.
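Putting the suspicion criteria and the whitelist together gives a single "greylist this connection or not?" decision. The following is an added illustration, not the centre's policy code. The whitelist patterns and the five criteria are taken from the page; the helper names, the two-label domain comparison in `base_domain()`, and the precedence (the two criteria marked "without exception" override the whitelist, the whitelist overrides the remaining three) are my reading of the text, not something the page spells out. The host names in the test cases are constructed.

```python
"""Classify an inbound SMTP connection as greylisted or exempt.

Added example, not the centre's own code. `client_name` is the reverse-DNS
name of the connecting IP (None if it cannot be resolved), `helo` the domain
given in HELO/EHLO, `sender` the envelope sender ('' for the null sender <>).
"""
import fnmatch

# Domains exempt from greylisting: the examples listed on the page, not a full list.
WHITELIST = [
    "aol.com", "hotmail.com", "yahoo.com", "lycos.com", "t-online.com",
    "t-dialin.net", "t-ipconnect.de", "web.de", "freenet.de", "gmx.de",
    "gmx.net", "kundenserver.de",
    "*.edu", "*.ac.??",                         # international educational institutions
    "uni-*.de", "fh-*.de", "tu-*.de", "fu-*.de",  # German universities
]


def base_domain(name):
    """Last two labels of a host name, e.g. 'mail.gmx.net' -> 'gmx.net'.

    Assumed stand-in for whatever domain comparison the real relay performs.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_whitelisted(client_name):
    """True if the client's name, or its base domain, matches a whitelist pattern."""
    name = client_name.lower()
    return any(
        fnmatch.fnmatchcase(name, pattern) or fnmatch.fnmatchcase(base_domain(name), pattern)
        for pattern in WHITELIST
    )


def should_greylist(client_name, helo, sender):
    """Return (greylist?, reason) for one connection, applying the page's criteria."""
    # Criteria marked "without exception" on the page are checked before the whitelist.
    if client_name is None:
        return True, "client name not resolvable via DNS"
    if sender == "":
        return True, "no envelope sender (MAILER-DAEMON)"

    # Known low-spam domains skip the remaining checks entirely.
    if is_whitelisted(client_name):
        return False, "whitelisted domain"

    # More than 5 digits in the host name: probably a dial-up or dynamic address.
    if sum(ch.isdigit() for ch in client_name) > 5:
        return True, "probable dial-up host"
    if base_domain(helo) != base_domain(client_name):
        return True, "HELO domain differs from client domain"
    if base_domain(sender.rsplit("@", 1)[-1]) != base_domain(client_name):
        return True, "sender domain differs from client domain"
    return False, "no suspicious criteria"


if __name__ == "__main__":
    # Constructed connections, one per criterion.
    for args in [
        ("mail.gmx.net", "mail.gmx.net", "someone@gmx.net"),
        ("smtp.ox.ac.uk", "smtp.ox.ac.uk", "someone@ox.ac.uk"),
        (None, "mail.example.com", "someone@example.com"),
        ("mail.gmx.net", "mail.gmx.net", ""),
        ("p5b1234567.dip.example.net", "p5b1234567.dip.example.net", "someone@example.net"),
        ("mail.example.org", "mail.other.example", "someone@example.org"),
        ("mail.example.org", "mail.example.org", "someone@somewhere.net"),
        ("mail.example.org", "mail.example.org", "someone@example.org"),
    ]:
        print(args, "->", should_greylist(*args))
```

Two points worth noting when reading the code against the page: the null-sender and unresolvable-name rules fire even for a whitelisted provider, which is what "without exception" means in the list above, and every whitelist decision rests on the client's reverse-DNS name, so the relay is assumed to trust only forward-confirmed reverse DNS.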

Summary

  1. No emails are deleted!
  2. The acceptance of emails from "suspicious" sources is merely delayed.
  3. No emails from organisations with properly operated mail servers are lost.
  4. Anyone accessing the Internet via a dial-up connection must use the mail relay (smarthost) of the respective provider to send e-mails to recipients within the University of Würzburg!

Further information