LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

LWN.net Weekly Edition for July 2, 2009

RealtimeKit and the audio problem

VFAT patent avoidance and patent workarounds

LWN.net Weekly Edition for June 25, 2009

Apache attacked by a "slow loris"

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

Spam blocking with greylisting

[Posted June 24, 2003 by corbet]

A certain amount of attention has recently been given to a spam-blocking method called greylisting. A look at the description of the technique shows that it does not, actually, have much in the new way of ideas. Greylisting might, however, become a useful part of the antispam arsenal at some sites.

The core idea of the greylisting technique has been around for a while. It relies on the fact most spammers do not bother to track and retry deliveries which are declined by the receiving system with a temporary failure status. Real mail systems will retry the message later on, until they run out of patience. Spammers just forget about it and move on. So an effective way of blocking a large percentage of incoming spam is to simply refuse mail from new sources with a temporary failure on the first delivery attempt. Real mail will eventually show up again, and be delivered with a small delay. Most spam will never return.

The greylisting technique uses a slightly finer-grained approach. It creates a three-entry tuple out of the originating address, the sender, and the recipient of the message. If the tuple is new, the mail is refused for a configurable period of time. The use of the three-way tuple helps prevent spam from slipping in by using false sender addresses.

The obvious workaround, from a spammer's point of view, is to add retrying for temporary failures to their code. Given the desire of the spam industry to pollute our mailboxes regardless of how hard we try to prevent that, the implementation of temporary failure retrying is only a matter of time. Of course, mail sent through open relays is generally retried anyway, so widespread use of greylisting could result in more use of open relays, and, perhaps, more attempts to compromise systems to turn them into unwilling relays.

As the author describes it, greylisting is meant to be used in conjunction with other spam-blocking techniques, especially blackhole lists. The hope is that, by the time the temporary failure interval has ended for a particular spam source, that source will have found its way into the blacklists and the message can be blocked permanently. This combination could, indeed, prove hard for the spammers to get around.

(Log in to post comments)

Spam blocking with greylisting

Posted Jun 26, 2003 4:12 UTC (Thu) by freemars (subscriber, #4235) [Link]

Greylisting used in connection with 'spamtrap' email addresses might work a bit better against persistant spammers. A highly simplified example:

Allow spammers to harvest 'spamtrap' email addresses, perhaps by adding them to a web page.

When mail arrives from an unknown computer it is refused for, say, 6 hours and the computer is added to the greylist. If the greylisted computer attempts to deliver mail to one of the 'spamtrap' addresses, the computer is moved from the greylist to the blacklist. If the unknown computer only attempts to deliver mail to real addresses it eventually moves from the greylist to the whitelist.

Spam blocking with greylisting

Posted Jun 26, 2003 10:10 UTC (Thu) by beejaybee (guest, #1581) [Link]

Problem - all the extra retries might cause some mail relays to collapse. Especially once the spammers cotton on & begin retrying themselves - after all most of the stuff is undeliverable (sent to non-existent addresses).

What's needed to fight spam are international treaties agreeing that unsolicited commercial mailings are unlawful and a universal acceptance that an alleged 'net criminal can be tried in his/her own state using evidence collected outside that state.

Spam blocking with law

Posted Jun 27, 2003 16:48 UTC (Fri) by giraffedata (subscriber, #1954) [Link]

I agree that treaties and other laws are needed; technology just won't solve the problem.

But I don't want any law that says all unsolicited commercial mails are bad. I don't want legislators handling the tricky definition of unsolicited commercial mail.

Neither unsolicited nor commercial are bad things. "Unwanted email" is what we're going for.

The right solution would be to use the free market. The laws should say bulk mailers have to pay into a fund for every email, and the laws should provide the means to enforce the payments. This would make it impractical for someone to send a million emails when only 10 people will buy the product. But it allows properly targeted solicitation. Properly targetted means there is a significant chance that the recipient will want the product being sold, which means he profits from receiving the email.

Spam blocking with law and technology

Posted Jun 28, 2003 11:37 UTC (Sat) by copsewood (subscriber, #199) [Link]

Yes having a microtransaction supported mail system could be very useful, but this goes way beyond SMTP - more a new kind of messaging service altogether. Introducing microtransactions is very difficult, partly due to the psychological preference people seem to have for unmetered but known fixed monthly bills. When microtransactions become a reality, in my understanding this is likely to be based on a similar model to the highly decentralised one I am researching.

An area where the law could have useful impact would be by agreeing large fines and bounties obtainable by those bringing prosecutions and evidence anywhere the spammer is based against a non-controversial definition of the worst kind of spam, i.e. the kind deliberately using outgoing addresses involving domains belonging to innocent third parties (forged letterheads in other words). This is a form of criminal deception which prevents use of the reply button with a complaint being effective. By making this criminal deception very expensive it then becomes much easier to tune technological measures using origin blacklists against mass mailers who don't use confirmed opt-in list management methods or proper complaint handling.

Spam blocking with law

Posted Jun 30, 2003 13:40 UTC (Mon) by mwilck (guest, #1966) [Link]

I don't want legislators handling the tricky definition of unsolicited commercial mail

What is so tricky about that? "Unsolicited" is absolutely clear - everything the recipient didn't ask for. "Commercial" shouldn't be so hard to define either.

The right solution would be to use the free market.

The solution you propose has nothing to do with the free market. It is just an different form of legislation. This can be very compared well to environmental legislation (instead of forbidding to dump waste, we assign a cost to it). This may or may not work better than a simple ban. In any case, the assigned cost is determined by legislation, not by the market.

"Proper targeting" requires you to have detailed knowledge about the recipient's interests (in your words, to know what sort of unsolicited commercial email the recipient would not consider "unwanted"). If that knowledge comes from person himself signing up to your newsletter - fine, it's not unsolicited, it's not spam. Otherwise, you could hardly have gathered that knowledge by legal means, at least not in Europe, because such information is considered private and confidential - you cannot have it unless the person himself has given it to you.

Spam blocking with law

Posted Jul 3, 2003 20:54 UTC (Thu) by khim (subscriber, #9252) [Link]

"Unsolicited" is absolutely clear - everything the recipient didn't ask for.

And that's exactly why it's so hard to define. This assumes you know what you asked for. When you are wisiting web site and it's asking you "Do you want to get our offers daily by e-mail?" and then when you refuse it asks you the same "Are you really sure you want to avoid getting our offers?" it's easy to click Yes or No two times and "ask" for mail.

Other thing: what about bug report or help requests ? I'm sometimes get requests for help from some peoples I never knew - they just happen to have the same problems with mars_nwe and/or SONY VAIO. I'm pretty sure I never asked for such mail but it's hardly can be named "spam".

So everything is far from black/white picture...

Spam blocking with greylisting

Posted Jun 26, 2003 10:27 UTC (Thu) by sjlyall (subscriber, #4151) [Link]

One problem with this approach is that in this day and age people expect their email to go through in just a few seconds. I'll often be on the phone and I'll email someone a document and then we'll discuss it a few seconds later, many other people are used to doing similar.

I run a mail system for a medium sized ISP and if there is a problem causing mail delays people quickly notice and either complain or become frustrated. I think that a system where a large percentage of email is delayed for up to an hour will be unacceptable for many people.

Spam blocking with greylisting

Posted Jun 27, 2003 18:34 UTC (Fri) by ksmathers (subscriber, #2353) [Link]

IM works better for that kind of collaboration. E-mail can be delayed for a whole variety of reasons.

Spam blocking with greylisting

Posted Jun 28, 2003 2:07 UTC (Sat) by macfisherman (guest, #6018) [Link]

Email is a store and forward technology, not an instant message system.

Spam blocking with greylisting

Posted Jul 3, 2003 20:56 UTC (Thu) by khim (subscriber, #9252) [Link]

It does not matter. Peoples are using it as IM technology and they will not stop doing so if you'll say it's not - they will just switch ISP...

Spam blocking with greylisting

Posted Jun 27, 2003 15:07 UTC (Fri) by copsewood (subscriber, #199) [Link]

I don't know how well this approach will work, at the moment it's at the same status Bayesian filtering had a couple of years ago. This is a very, very fast moving target, so research of this kind is very welcome.

As I didn't have control over the MTA receiving mail for my domain which I subsequently pick up using POP3, I developed a program which tags spams using the DNS blacklists at a later stage.

I found my tagspam program on its own can catch about 80%. So I combined this approach with SpamAssassin as 80% wasn't good enough. However, the ones that get through tagspam mostly get caught by SpamAssassin, which on its own also gets about 80%. Fortunately the combination of tagspam and SpamAssassin seems currently to be getting about 98% (49 out of 50) which I consider to be fairly good.

Spam blocking with greylisting

Posted Jun 27, 2003 17:31 UTC (Fri) by madmakis (guest, #1030) [Link]

I run the mail system for a medium-sized business and am sure that such delays
would cause real complaints from our users.

On the other hand, it seems to me that the objective in Greylisting is simply to
establish that we're dealing with a real SMTP compliant MTA. So If I can put
together a list of MTAs known to me and whitelist that beforehand, then
automatically and permanently add new validated entries to the Greylist's whitelist
of MTAs, we would see neither the colapse of mail relays nor more than "1st time
seen" delays for the rest of the mail.

I also don't see the need for the triplets. The sender and receiver addresses seem
redundant if we're just testing for MTAs. There are also quite a few not-so-compliant
MTAs out there.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds