Greylisting is a method used in spam filtering to temporarily reject any email from a sender it does not recognize. If the mail is legitimate, the originating server will, after a delay, try again and, if sufficient time has passed, the email will be accepted. If the mail is from a spammer it will typically not be retried, and hence never accepted, because a spammer goes through thousands of email addresses and typically cannot afford the time delay.
The term “greylisting” is derived from the terms “blacklist” and “whitelist”, where a blacklist denies entry and a whitelist allows entry. In the case of greylisting, the entry is initially denied but can be allowed later if the criteria are met. This method is particularly effective against mass email tools used by spammers that do not queue and reattempt mail delivery as is normal for a regular Mail Transfer Agent.
How Does Greylisting Work?
Greylisting works on the principle of “triplets”. A triplet consists of the IP address of the client sending the email, the envelope sender address, and the envelope recipient address. When an incoming email arrives, the receiving mail server checks its greylist for the triplet. If the triplet does not exist, the server will send a “temporary failure” message, also known as a “soft bounce”, back to the originating server.
Legitimate email servers will attempt to resend the email after a delay, in accordance with the Simple Mail Transfer Protocol (SMTP). When the email is resent, the receiving server will recognize the triplet and allow the email to be delivered. However, most spamming software will not attempt to resend, so the spam email will never be delivered.
Greylisting Time Delay
The time delay used in greylisting is crucial. It is typically set to be long enough to deter most spammers, who will not wait to resend an email, but short enough not to significantly delay legitimate email. The exact length of the delay can vary, but a common delay time is 15 minutes.
However, this delay can cause problems for time-sensitive legitimate emails. For example, password reset emails or confirmation emails often need to be delivered immediately. In such cases, the delay caused by greylisting can be a disadvantage.
Whitelisting and Greylisting
Some servers use a combination of whitelisting and greylisting. Once an IP address has passed the greylisting process, it can be added to a whitelist. Emails from whitelisted IP addresses are not subject to the greylisting delay, which helps to ensure timely delivery of legitimate emails.
However, whitelisting can potentially allow spam emails through if a spammer’s IP address gets whitelisted. To prevent this, some servers will periodically remove IP addresses from the whitelist, forcing them to go through the greylisting process again.
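The triplet check, retry delay and expiring whitelist described above, as an added Python example that is not part of the original article. The class name, the reply text, and the pending and whitelist lifetimes are assumptions; the addresses are constructed samples.

```python
from dataclasses import dataclass, field

DELAY = 15 * 60             # retry must come at least this long after the first attempt
PENDING_TTL = 4 * 3600      # assumption: forget triplets that were never retried
WHITELIST_TTL = 30 * 86400  # assumption: whitelisted IPs expire and are greylisted again

@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    whitelist: dict = field(default_factory=dict)  # client IP -> time it passed

    def check(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one recipient; `now` is in seconds."""
        passed = self.whitelist.get(ip)
        if passed is not None:
            if now - passed < WHITELIST_TTL:
                return "250 OK (whitelisted)"      # known IP skips the delay
            del self.whitelist[ip]                 # expired: greylist it again
        triplet = (ip, mail_from, rcpt_to)
        first_seen = self.pending.get(triplet)
        if first_seen is None or now - first_seen > PENDING_TTL:
            self.pending[triplet] = now            # unknown triplet: soft bounce
            return "451 4.7.1 Greylisted, try again later"
        if now - first_seen < DELAY:
            return "451 4.7.1 Greylisted, retry too early"
        del self.pending[triplet]                  # retried after the delay: accept
        self.whitelist[ip] = now
        return "250 OK"

def replay(events):
    """Feed (time, ip, sender, recipient) tuples through a fresh greylist."""
    gl = Greylist()
    return [gl.check(ip, s, r, t).split()[0] for t, ip, s, r in events]

# Constructed sample traffic (documentation IP ranges, example domains).
MTA, BULK = "192.0.2.10", "198.51.100.7"
EVENTS = [
    (0,    MTA,  "alice@example.org", "bob@example.net"),    # first attempt
    (20,   BULK, "x@example.com",     "bob@example.net"),    # never retried
    (25,   BULK, "x@example.com",     "dave@example.net"),   # new recipient, new triplet
    (60,   MTA,  "alice@example.org", "bob@example.net"),    # retry too early
    (1000, MTA,  "alice@example.org", "bob@example.net"),    # retry after the delay
    (1010, MTA,  "alice@example.org", "carol@example.net"),  # IP now whitelisted
]
```

Calling `replay(EVENTS)` returns one reply code per attempt. The bulk sender's two messages stay at 451 because it never retries, while the retrying server is accepted and then bypasses the delay for a new recipient.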
Advantages of Greylisting
One of the main advantages of greylisting is that it is a passive form of spam filtering. It does not require the content of the email to be scanned or analyzed, which can be resource-intensive. Instead, it relies on the behavior of the sending server, which is much less demanding on resources.
Greylisting is also effective against “dictionary attacks”, where a spammer sends emails to a large number of made-up email addresses in the hope that some of them will be valid. Since each new email address results in a new triplet, the spammer would have to resend the email to each address, which is typically not feasible.
Resource Efficiency
Greylisting is a highly resource-efficient method of spam filtering. Unlike content-based filters, greylisting does not require the inspection and analysis of every incoming email, which can be a resource-intensive process. Instead, greylisting simply checks the triplet of each incoming email against its list, which requires very little processing power.
Furthermore, because greylisting initially rejects all unknown triplets, the server’s resources are not wasted on processing spam emails. This can significantly reduce the server’s workload and improve its performance.
Effectiveness Against Dictionary Attacks
Dictionary attacks are a common method used by spammers, where they send emails to a large number of made-up email addresses in the hope that some of them will be valid. Greylisting is particularly effective against this type of attack.
Each new email address results in a new triplet, and since greylisting initially rejects all unknown triplets, the spammer would have to resend the email to each address. This is typically not feasible for spammers, who prefer to send out a large number of emails in a short amount of time. As a result, greylisting can effectively protect against dictionary attacks.
Disadvantages of Greylisting
Despite its advantages, greylisting also has some disadvantages. The most significant of these is the delay it causes in the delivery of legitimate emails. Although this delay is typically short, it can still be a problem for time-sensitive emails.
Another disadvantage is that greylisting can be bypassed if the spammer’s server is set up to automatically resend emails after a delay. However, this is relatively rare, as it requires additional resources and reduces the speed at which the spammer can send out emails.
Delay in Email Delivery
The delay caused by greylisting can be a significant disadvantage. Although the delay is typically short (often around 15 minutes), it can still be a problem for time-sensitive emails. For example, password reset emails or confirmation emails often need to be delivered immediately. In such cases, the delay caused by greylisting can be a disadvantage.
Furthermore, the delay can be longer if the sending server is set up to retry delivery after a longer period of time. Although the SMTP standard recommends a delay of 15 minutes, not all servers follow this recommendation. Some servers may retry after a much longer delay, which can further delay the delivery of the email.
Bypassing Greylisting
Another disadvantage of greylisting is that it can be bypassed if the spammer’s server is set up to automatically resend emails after a delay. This requires additional resources and reduces the speed at which the spammer can send out emails, so it is relatively rare. However, it is still a possibility, and it means that greylisting is not a foolproof method of spam filtering.
Furthermore, some spammers may use a large number of different IP addresses to send their emails. Since greylisting is based on the triplet of the sending IP address, the envelope sender address, and the envelope recipient address, changing any one of these elements can bypass the greylisting. This is known as “IP rotation”, and it is another way that spammers can potentially bypass greylisting.
Greylisting and CAPTCHA
Greylisting can be used in conjunction with other spam filtering techniques to increase its effectiveness. One such technique is the use of CAPTCHA.
CAPTCHA, which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”, is a type of challenge-response test used to determine whether a user is human or a computer. It is often used to prevent bots from accessing certain parts of a website or from carrying out certain actions, such as sending emails.
How CAPTCHA Works
CAPTCHAs work by presenting a task that is easy for a human to complete but difficult for a computer. This could be, for example, identifying objects in an image, solving a simple math problem, or transcribing distorted text. If the user successfully completes the task, they are assumed to be human and are allowed to proceed.
By using CAPTCHA in conjunction with greylisting, it is possible to further reduce the amount of spam emails. If an email is rejected by the greylisting process, the sender could be presented with a CAPTCHA. If the CAPTCHA is successfully completed, the email could be allowed through, on the assumption that the sender is a human and not a spamming bot.
Advantages and Disadvantages of Using CAPTCHA with Greylisting
Using CAPTCHA in conjunction with greylisting has several advantages. Firstly, it can help to reduce the amount of spam emails, as bots are typically unable to complete CAPTCHAs. Secondly, it can help to ensure that legitimate emails are not delayed by the greylisting process. If a legitimate sender is presented with a CAPTCHA after their email is rejected, they can complete the CAPTCHA to have their email delivered immediately, bypassing the greylisting delay.
However, there are also some disadvantages to using CAPTCHA with greylisting. CAPTCHAs can be annoying for users, and they can be a barrier to accessibility for users with certain disabilities. Furthermore, some advanced bots are capable of completing certain types of CAPTCHAs, so they are not a foolproof method of distinguishing humans from bots.
Conclusion
Greylisting is a simple yet effective method of spam filtering. By temporarily rejecting emails from unknown senders, it can significantly reduce the amount of spam emails. However, it is not a foolproof method, and it can cause delays in the delivery of legitimate emails. Therefore, it is often used in conjunction with other spam filtering techniques, such as CAPTCHA, to increase its effectiveness.
Despite its disadvantages, greylisting remains a popular method of spam filtering due to its simplicity and resource efficiency. It is a valuable tool in the ongoing battle against spam, and it is likely to remain so for the foreseeable future.