MspPortal Mail Secure:What is Greylisting?


Greylisting is an optional feature that can be used to reduce the volume of junk mail. When greylisting is enabled for a domain, the filtering servers will send a temporary deferral message to unrecognized sending mail servers (technically, the deferral is only sent in certain circumstances, based on the sending mail server’s IP address, the sending email address, and the recipient email address).

A legitimate mail server will always retry the message after the deferral, typically within a few minutes. On the other hand, most spam systems are designed to send messages as quickly as possible, and they often ignore deferrals – meaning that that spam message simply will never be delivered. Additionally, even if the spam software retries delivery of that message, the retry is typically attempted after a significant period of time, which gives the other spam detection mechanisms additional time to recognize the message as junk. As a result, greylisting can be a highly effective tool in reducing the volume of spam, particularly in combination with the other spam detection techniques used by the filtering.

How Does Greylisting work?

The first time a given recipient receives a message from a given sender, we respond to the sending mail server with a temporary rejection message, asking the sending mail server to try again. (This happens during the SMTP conversation and is transparent to end users.) With legitimate email, the sending mail server tries again a few minutes later, at which time we accept the message and send it through the standard spam and virus filtering systems. But most spam messages are sent using software that will not re-try the delivery — thus those junk messages will never be re-sent, and will never arrive either in quarantine or in the user’s inbox.

For each incoming message, we examine three elements in the early part of the SMTP conversation: the IP address of the sender, the sender email address, and the recipient email address. If this is the first time we identify this email “relationship,” we issue a temporary deferral message to the sending mail server, before the DATA portion of the email is sent. That relationship is then “greylisted.”

If or when within a finite period we see that same set of sender IP address, sender email address, and recipient email address again — as we would expect to see with any legitimate email — we then “whitelist” that combination, so that that message, as well as any future message with that relationship, is passed through without the temporary deferral. This whitelisted combination remains in place for upwards of a month.

After a message passes through the greylisting, we then process that message as usual, so that any spam message that is re-tried will still be subjected to the same message analysis techniques as in cases where greylisting is not used

Greylisting by its nature can introduce delays in message flow, but these delays are generally brief and non-recurring for a given recipient-sender combination. The length of the delay is dependent on how long a sending mail server waits before re-trying after we defer the message. While a few sending mail servers — typically those used for high-volume mailings — will have a relatively long re-try interval of 1-2 hours, most mail servers will automatically re-send a temporarily deferred message in 15 minutes or less.

Additionally, since the email “relationship” described above (sender IP address, sender address, and recipient address) is whitelisted after a single temporary deferral, there should not be any subsequent delays after that initial message.

Any “From” addresses that are whitelisted by a user or domain administrator are not subjected to the greylisting.

Tags: , , , , ,

Comments are closed.

%d bloggers like this: