
November 27, 2006

What Happened to all my Spam?

OIT’s Core Systems group has put an implementation of greylisting in place on the central email servers over the Thanksgiving holiday weekend. Greylisting is another method of combating spam. It relies on the way most spammers currently send their messages: the first time a remote mail server attempts to deliver to a particular recipient, our server returns a temporary error. A well-behaved mail server will simply retry within a short period of time, but spammers won’t, so your wanted messages get through while the spam is left on the floor.

Like any anti-spam technique, greylisting has a negative side effect: a delay, sometimes a significant one, may be incurred the first time a message is sent to a UMBC recipient from a particular server. After that initial message gets through (following a short timeout period), messages from that mail server and sender should flow smoothly to your mailbox. Our servers are configured to accept mail 2 to 5 minutes after the initial attempt is made, but the remote server is responsible for scheduling the retry, so the actual delay depends on its retry schedule.

We’d like your feedback on how the greylisting is working.

The Details

First, a little about how internet email works. Email is a store-and-forward system – a message is passed along from mail server to mail server, and if at any point there is a temporary failure in transport, an attempt is made to retry sending the message to the next hop.

Back when internet spam first became a problem, spammers would use “open relays” (misconfigured hosts on the internet) that let them send mail from anywhere to anywhere in this fashion. Mail server administrators caught on to this and made efforts to secure open relays, or to track them, so that mail coming through these insecure access points could be rejected. The spammers, of course, caught on to this in turn, and now rely on bot-nets (armies of compromised PCs throughout the world) as the initial source of their spam. These hosts are numerous and hard to track, and some may only be used to spam for very short periods of time, so blocking spammers by the hosts their messages originate from became almost impossible.

Attention then turned to content-analysis of messages – phrase analysis, or other patterns – which could flag a message as being junk mail. Again, the spammers quickly caught on to this, and began to craft the content of their messages to evade such detection.

Spammers need to send their messages quickly and move on; after all, they have millions of individuals to offer their latest and greatest stock tip, or discounted Mexican Viagra, to. Therefore, spammers don’t spend much time trying to re-send a message when it returns a temporary or permanent error. They just move on, sure to get you in the next round of messages.

What is Greylisting?

Greylisting is a practice of using the spammers’ ‘shotgun’ approach against them. When a mail message comes into a mail server, three pieces of information that make up the envelope are recorded: the source IP address of the message, the SMTP FROM: address, and the SMTP recipient. This triple is looked up in a database of triples recently seen by the mail server, and if a matching record is found that is recent, but not too recent, the mail is allowed to pass. If the triple is not found, or the timestamp recorded in the database is too old or too young, the mail server returns a temporary error to the sending host. A well-behaved mail server will simply queue the message for a retry at some later point (usually within 30 minutes, often less), at which time the mail will go through, as that triple has already been seen. A bot-net’d PC being used to send spam won’t retry, either because the spammer has moved on to spamming someone else, or because that host has been discovered and cleaned of its infection.
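A worked version of the triple check described above, added here as an example and not OIT’s own server code: the 2-minute minimum delay follows the post, while the record lifetimes (4 hours for a triple that was never retried, 30 days for a confirmed one), the `Record`/`Greylist` names and the exact 450 reply text are assumptions.

```python
"""Greylisting decision logic for one SMTP delivery attempt (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timings: the 2-minute delay follows the post; the two TTLs are assumptions.
MIN_DELAY = 2 * 60          # a retry is accepted once the triple is 2 minutes old
UNCONFIRMED_TTL = 4 * 3600  # forget a triple that was never retried (assumed)
CONFIRMED_TTL = 30 * 86400  # remember a proven-good triple for 30 days (assumed)

TEMPFAIL = "450 4.7.1 Greylisted, please try again later"  # temporary error
ACCEPT = "250 OK"

Triple = Tuple[str, str, str]  # (client IP, envelope MAIL FROM, envelope RCPT TO)


@dataclass
class Record:
    first_seen: float  # time of the first attempt for this triple
    last_seen: float   # time of the most recent accepted attempt
    confirmed: bool = False  # True once a retry has been accepted


class Greylist:
    def __init__(self) -> None:
        self.db: Dict[Triple, Record] = {}

    def check(self, ip: str, sender: str, rcpt: str, now: float) -> str:
        """Return the SMTP reply for this attempt; `now` is seconds since epoch."""
        key = (ip, sender.lower(), rcpt.lower())
        rec: Optional[Record] = self.db.get(key)
        if rec is not None:  # "too old": an expired record counts as never seen
            expired = (now - rec.last_seen > CONFIRMED_TTL if rec.confirmed
                       else now - rec.first_seen > UNCONFIRMED_TTL)
            if expired:
                rec = None
        if rec is None:  # unknown triple: record it and ask the sender to retry
            self.db[key] = Record(first_seen=now, last_seen=now)
            return TEMPFAIL
        if now - rec.first_seen < MIN_DELAY:  # "too young": retried too quickly
            return TEMPFAIL
        rec.confirmed, rec.last_seen = True, now  # well-behaved retry: let it through
        return ACCEPT


def deliver(gl: Greylist, ip: str, sender: str, rcpt: str, times: List[float]) -> List[str]:
    """Replay one sender's attempt times against the greylist and collect replies."""
    return [gl.check(ip, sender, rcpt, t) for t in times]
```

Replaying a well-behaved server (first attempt, retry five minutes later) yields a deferral followed by acceptance, while a single-shot sender that never retries is never delivered.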
