Greylisting Explained
Posted by worrall on May 06 2006 23:46:51
In our opinion, one of the most successful spam filtering techniques created in recent history is Greylisting. XWall has implemented it extremely well. Greylisting capitalizes on a SPAMMER's reluctance to configure their mail server to follow internet standards for queueing and retrying message delivery.

How does Greylisting work?

With Greylisting, XWall maintains a record of three pieces of information when an email is received:

1. The IP address of the machine sending the e-mail.

2. The e-mail address of the person sending the e-mail.

3. The e-mail address to which the e-mail is being delivered.

This set of information is captured and recorded by XWall, and communication with the sender's server is terminated with an error code before the content of the e-mail message is received. XWall replies to the sending server by saying, essentially, "Sorry, we're too busy right now. Please try again to send this e-mail later." The error message (called a "400-level error") is specifically "temporary", and properly configured mail servers will queue the message and retry after some period of time.

After an administratively configurable period (default is 5 minutes), IF and WHEN the delivery is attempted again by the sending email server, XWall will attempt to match the information that was collected previously, and when it matches, the email is delivered without delay. From that point on, any time a message with the matching information is delivered to XWall, it is delivered immediately.
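The decision logic described above, written out as an added example (this is not XWall's code). The names Greylist, check and replay are hypothetical, the store is kept in memory, and 451 is an assumed choice of temporary reply code, since the article only says "400-level". The sample traffic is constructed.

```python
from dataclasses import dataclass, field

MIN_DELAY = 5 * 60  # seconds; the 5-minute default mentioned in the article

@dataclass
class Greylist:
    min_delay: int = MIN_DELAY
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: set = field(default_factory=set)        # triplets that retried correctly

    def check(self, ip, mail_from, rcpt_to, now):
        """Decide the reply before any message content is accepted."""
        triplet = (ip, mail_from, rcpt_to)
        if triplet in self.passed:
            return 250, "OK"                        # known triplet: deliver immediately
        first = self.first_seen.get(triplet)
        if first is None:
            self.first_seen[triplet] = now          # record the triplet, refuse for now
            return 451, "Too busy right now, please try again later"
        if now - first < self.min_delay:
            return 451, "Too busy right now, please try again later"  # retried too soon
        self.passed.add(triplet)                    # retried after the delay: accept
        return 250, "OK"

def replay(attempts, greylist=None):
    """Run (time, ip, sender, recipient) attempts in order; return the reply codes."""
    if greylist is None:
        greylist = Greylist()
    return [greylist.check(ip, s, r, now)[0] for now, ip, s, r in attempts]

# Constructed sample traffic (documentation addresses, times in seconds).
SAMPLE = [
    (0,   "192.0.2.10",   "alice@example.org", "bob@example.com"),  # first contact
    (5,   "198.51.100.7", "promo@example.net", "bob@example.com"),  # bulk sender, first contact
    (6,   "198.51.100.7", "promo@example.net", "bob@example.com"),  # immediate retry, too soon
    (600, "192.0.2.10",   "alice@example.org", "bob@example.com"),  # queued retry after 10 min
    (900, "192.0.2.10",   "alice@example.org", "bob@example.com"),  # later mail, no delay
]

if __name__ == "__main__":
    for attempt, code in zip(SAMPLE, replay(SAMPLE)):
        print(attempt, "->", code)
```

The server that queues and retries after the delay gets through and is never delayed again for that triplet; the sender that retries at once and then gives up is never accepted.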

Why does greylisting work?

According to the internet specification, when a mail server receives a "400-level" error, it must queue the email message and try later to deliver it. For legitimate email, this process is standard and mandatory. Properly configured mail servers will redeliver their messages appropriately, and Greylisting should not represent a delivery challenge to them. Because SPAMMERS send a huge number of emails per day, to addresses they have no idea are valid or not, they generate a large number of bounced (non-delivered) messages. For a SPAMMER, acknowledging server responses for these messages, storing the messages on a server for some period of time, and redelivering them is a resource-intensive process that might very well not return sales of their products or services. As a result, they intentionally misconfigure their mail server not to retry delivery. Since Greylisting requires that an incoming email message originate from a properly configured mail server, most SPAM is filtered by Greylisting today.

Will my email be delayed?

Email affected by Greylisting will be delayed a minimum of 5 minutes (less if you change the XWall default). The delay interval must be long enough to prevent immediate redelivery by already connected SPAM SMTP servers.

Internet specifications suggest that messages temporarily refused be redelivered within 4 hours, and most servers are configured to retry in far less time - often on the order of 5-15 minutes. The specific delay will depend on the configuration of the sender's email servers.

Does Greylisting block some email?

As with any protection technology, nothing is 100%. There are cases where a poorly configured email server on the sender's side can cause email not to be received. Lots of these issues came up when Greylisting was new. However, now that it's been in the field for some time, this is far less likely to happen. XWall has a list of known domains and email servers which have trouble with Greylisting and excludes them automatically.

Where can I find more technical information about Greylisting?

More information on Greylisting is available at:

Greylisting Wikipedia

Joseph R. Worrall
Lakewood Communications