“…while mail that cannot be transmitted immediately MUST be queued and periodically retried by the sender.” (RFC 5321). This section of the SMTP RFC (Request For Comments) is the basis for Greylisting, the anti-spam technique used to detect mail servers that are not fully RFC compliant, such as the ones used to send spam emails.

Spam emails are sent using what is known as the fire-and-forget method, which means that emails are sent without checking for any errors returned by the receiving server. This is the cheapest and most cost-effective way of sending large spam runs. Legitimate mail servers are genuinely interested in the delivery of emails, so they do their best to abide by the SMTP RFC standard, and will periodically try to resend emails that have failed with a temporary failure.

So, let’s delve into the details of how Greylisting works. When a mail server tries to send an email message to another mail server for the first time, the message is temporarily rejected with the error code “451 4.7.1 – Please try again later…” At the same time a triplet is recorded in the Greylisting database as an unconfirmed triplet.

A triplet consists of:

  • IP address of the sending server,
  • Sender address, and
  • Recipient address.

A spammer will normally give up on the first error encountered. The spammer’s target is to send as many emails as possible in the least amount of time. Thus when an error is encountered while transmitting the email, the spammer will just move on to sending the next message.

On the other hand, a legitimate mail server would try to send the message again after a few minutes when such an error is encountered. The SMTP RFC recommends 30 minutes; however, it does provide the liberty of “variable strategies” to the sending mail server.

On receiving the email with the same triplet for the second time, the receiving mail server confirms the triplet recorded previously and allows the message through. New messages with the same triplet are not rejected in the future.
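The first-contact, retry and confirm cycle described above, as an added Python example (not GFI’s or the article’s code). The IP addresses, sender and recipient addresses, and the 24-hour purge window for unconfirmed triplets are constructed assumptions:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# A triplet is (sending server IP, envelope sender, envelope recipient).
Triplet = Tuple[str, str, str]

TEMP_FAIL = "451 4.7.1 Please try again later"
ACCEPT = "250 OK"

# Assumption (not from the article): unconfirmed triplets that are never
# retried are purged after this many seconds, so the database does not
# grow without bound on spam that is never resent.
UNCONFIRMED_TTL = 24 * 3600


@dataclass
class Greylist:
    unconfirmed: Dict[Triplet, float] = field(default_factory=dict)  # triplet -> first seen
    confirmed: Set[Triplet] = field(default_factory=set)

    def decide(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        self.purge(now)
        triplet = (ip.strip(), sender.strip().lower(), rcpt.strip().lower())
        if triplet in self.confirmed:
            return ACCEPT                      # known-good triplet: never delayed again
        if triplet in self.unconfirmed:
            del self.unconfirmed[triplet]      # a retry arrived: confirm the triplet
            self.confirmed.add(triplet)
            return ACCEPT
        self.unconfirmed[triplet] = now        # first sighting: record it and defer
        return TEMP_FAIL

    def purge(self, now: float) -> int:
        """Drop unconfirmed triplets older than UNCONFIRMED_TTL; returns how many were dropped."""
        stale = [t for t, seen in self.unconfirmed.items() if now - seen > UNCONFIRMED_TTL]
        for t in stale:
            del self.unconfirmed[t]
        return len(stale)


def simulate() -> Dict[str, List[str]]:
    """Constructed scenario: a spammer that fires and forgets, and an RFC-compliant sender that retries."""
    gl = Greylist()
    spam = ("198.51.100.7", "x@example.org", "bob@example.net")
    legit = ("192.0.2.10", "alice@example.com", "bob@example.net")
    spam_replies = [gl.decide(*spam, now=0.0)]                 # rejected once; no retry ever comes
    legit_replies = [gl.decide(*legit, now=0.0),               # first contact: deferred
                     gl.decide(*legit, now=30 * 60),           # retry after the RFC's suggested 30 min
                     gl.decide(*legit, now=2 * 86400)]         # later mail, same triplet: not delayed
    return {"spam": spam_replies, "legit": legit_replies}
```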

A benefit of Greylisting is that emails are processed at SMTP level before the sending mail server starts transmitting the email, thus limiting the amount of bandwidth used for rejected messages.

One drawback of Greylisting is that some emails are delayed. Because triplet information is stored and emails with the same triplet are allowed through once confirmed, the delay is mitigated for a good portion of legitimate emails. Emails from the same triplet are only delayed the first time the triplet is processed.

Having said that, Greylisting is a very efficient way of detecting spam originating from mail servers which are not RFC compliant – most spammers use such mail servers. Greylisting is also very easy to configure, and any maintenance required can be fully automated by the application implementing the technology.

GFI MailEssentials 2010 introduces Greylisting as another method to reject spam.
