SpamCheetah greylisting technique

Greylisting helps stop spam even before it enters your network

Greylisting of SMTP traffic

What is greylisting?

Greylisting is the fundamental spam rejection technique in SpamCheetah. By sending a temporary rejection to any mail sender IP that is seen for the first time, we ensure that every sender that gets through is standards compliant.

SpamCheetah still works without greylisting, but with it enabled it really excels, since you also save network resources and put much less load on your mail server.

When SpamCheetah rejects mail without greylisting, the mail server is involved; with greylisting, your mail server is not involved at all. All rejections and handling occur at the SpamCheetah level itself.

Usually greylisting works like magic against spam. So please enable it from the outset despite the minor inconveniences.

How does it work?

Greylisting does the following at arrival of new mail.

This video will help you as well.

Greylisting video

What you can infer from the above video is that the email is not accepted: a reject message is sent by the fake SMTP server process even before the E-mail body (the DATA command) is sent. The result is that a spam sender caught in this way will simply go away and not retry.

According to RFC 5321, every standards compliant SMTP implementation or mail server is supposed to retry when a 451 temporary error is returned by the other side of the SMTP session.

However, spammers often run a volume business, and standards conformance with retry logic would cost them more resources and money, which does not suit them.

Most spam, though not all, is sent by automated bots or programs rather than humans. They take up temporary IP address blocks known as bogons, pump spam to as many email addresses as they can, and then go on to attack someone else from some other network block.

Theirs is a volume game. If they target a million recipients and get even a minuscule conversion percentage in their sales funnel, their purpose is met. Unfortunately this annoys the rest of us.

This method of pumping out unwanted junk mail is called botnet spew.

This is not the only way spam is sent, but the vast majority falls in this category.

There have been several techniques to stop this from hitting your inbox.

And much more.

But the most effective of all is greylisting, and we shall presently analyze why that is so.

The mail sending IP address is already used in RBL lists, DNSBL lists and so on. But the IP addresses change all the time. That is why we must depend on SPF and keep the lists of currently known spammer IPs up-to-date.

Greylisting has been an effective method to combat spam for decades, but it comes with a key problem.

E-mail from a sending IP address is delayed on its way to your inbox by a few minutes or hours, depending on the greylisting configuration. Once the IP address is whitelisted, emails are no longer delayed.

This can be an issue, and there is another problem as well.

More and more SMTP senders retry a failed SMTP delivery from a pool of different IP addresses, and this wreaks havoc on greylisting. But there are fixes to address this behavior.

One obvious solution is to whitelist all the popular E-mail services that are known to send out email from a huge bank of IP addresses.

Since greylisting never accepts any mail that is not standards compliant, the major benefit we get is that we save huge amounts of bandwidth and lessen network load.

Even today, in 2021, most core routers are stressed by various trojans, malware and junk mail traffic, and greylisting, if used widely, can lessen their load in a big way.

In my experience however, content filtering is a very lame way of addressing the spam problem. In today's scheme of things it has a place, but deep down in the hierarchy of methods.

SpamCheetah has content filtering too, but it does not play a big role in marking a message as spam.

Content filtering must be augmented with training, and there can be several subjective interpretations; the less said about it the better.

How effective is greylisting in spam control?

In terms of raw effectiveness, greylisting drastically cuts down the load on SpamCheetah as well as on the target mail server.

Without greylisting, every email attempt reaches the mail server. With greylisting, only standards compliant mail servers are able to deliver mail.

Even after greylisting, the filtering of e-mail headers, body and attachments still takes place; none of those are bypassed.

The idea is that the greylisting system has to settle down and learn your frequent sender IP addresses. Greylisting is only concerned with whether your mail sender is genuine or not.

Once a meaningful conclusion has been reached by subjecting your network's mail senders to the greylisting filtering process, the procedure is very straightforward.

Most mail now flows without being subjected to the greylisting logic. This not only means instant inbox delivery but also ensures that new mail senders must still comply with the rules to be considered genuine.

Also, the IP addresses that bypass greylisting once proven genuine do not stay in the trust list forever. They expire and must prove themselves once again. This is done because of the churn on the Internet, in which good IP addresses become bad and vice versa.
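The behaviour described in this section (temporary 451 reject for a first-seen sender IP, acceptance on a compliant retry, a trust list that expires) can be modelled in a few dozen lines. The following is an added example written for this page, not SpamCheetah's own code; the retry delay, pending window and trust lifetime are assumed policy values, and the IP addresses and timestamps are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Policy values are assumptions for this example, not SpamCheetah's settings.
RETRY_MIN_DELAY = 5 * 60          # a retry sooner than this is still refused
PENDING_MAX_AGE = 4 * 3600        # a first attempt not followed up within this window is forgotten
TRUST_TTL = 36 * 24 * 3600        # a trusted IP must pass greylisting again after this long

TEMP_REJECT = (451, "4.7.1 Greylisted, please retry later")
ACCEPT = (250, "2.1.5 Recipient OK")


@dataclass
class Greylister:
    """Greylisting keyed on the sending IP address, as the text describes."""
    pending: dict[str, float] = field(default_factory=dict)  # ip -> time of first attempt
    trusted: dict[str, float] = field(default_factory=dict)  # ip -> time it passed

    def check(self, sender_ip: str, now: float) -> tuple[int, str]:
        """Decide the reply to RCPT TO, before the client ever reaches DATA."""
        ip = str(ipaddress.ip_address(sender_ip))  # normalise; raises ValueError on garbage

        passed_at = self.trusted.get(ip)
        if passed_at is not None:
            if now - passed_at < TRUST_TTL:
                return ACCEPT                      # known good sender: no delay
            del self.trusted[ip]                   # trust expired: must prove itself again

        first_seen = self.pending.get(ip)
        if first_seen is None or now - first_seen > PENDING_MAX_AGE:
            self.pending[ip] = now                 # first (or stale) attempt: temporary reject
            return TEMP_REJECT
        if now - first_seen < RETRY_MIN_DELAY:
            return TEMP_REJECT                     # retried too quickly: keep waiting

        del self.pending[ip]                       # compliant retry: promote to trusted
        self.trusted[ip] = now
        return ACCEPT


def simulate(greylister: Greylister, attempts: list[tuple[str, float]]) -> list[int]:
    """Replay (sender_ip, timestamp) attempts and return the SMTP codes given."""
    return [greylister.check(ip, t)[0] for ip, t in attempts]


if __name__ == "__main__":
    g = Greylister()
    T0 = 1_700_000_000.0  # constructed epoch timestamp
    # A compliant server retries after ten minutes, then sends again an hour later.
    legit = [("203.0.113.7", T0), ("203.0.113.7", T0 + 10 * 60), ("203.0.113.7", T0 + 3600)]
    # Botnet spew: one attempt, never retried, so it never reaches the trust list.
    bot = [("198.51.100.9", T0)]
    print("compliant server:", simulate(g, legit))   # [451, 250, 250]
    print("spam bot:", simulate(g, bot))             # [451]
    print("trusted IPs:", sorted(g.trusted))         # ['203.0.113.7']
```

The trust lifetime is measured from the moment the IP passed, not from its last use, which is one reading of "they expire and you must prove once again"; a deployment that prefers to keep busy senders trusted would refresh the timestamp on every accepted message instead.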

Is greylisting effective?

Yes, of course. Otherwise millions of sites would not depend on it today. Even with all the content scanning and Bayesian filtering available, greylisting still works like magic, since most of the mail servers that spammers employ do not have the resources to get past greylisting.

Unless it is a spearphishing attack, greylisting works really well to deter spammers. Usually they leave you in peace, and your mailbox is spared the pain of having to delete one spam message, or several hundreds or even thousands of them.

Where is the world headed as regards greylisting?

After the advent of the big mail companies, with a very large percentage of mail traffic now flowing between Gmail and Office365, interest in running individual email servers and in spam control to protect them has been declining over the years.

But even if the big companies keep attracting customers, there will still be people who have a really valid reason not to trust the big players, or who do things on their own for a justifiable reason.

It is also a myth that running a mail server is a hassle. Like so many myths, such as flat earth theory, this has no basis whatsoever. The only way to truly hurt spammers is what greytrapping attempts.

And in order for it to do that well, you must run more and more mail servers where this happens. This not only combats spam for us effectively and meaningfully; it also reduces the spam volume dispatched to other unsuspecting users and networks.

The intention behind greylisting may or may not be altruistic, but the fact is that greylisting does have an overall impact on reducing e-mail spam and malware spread.

In fact most of the malware traffic that leads to infections on the Internet is carried in spam payloads. Without e-mail, even today, no malware would spread.

This is not strictly true, as government backed attacks are normally more sophisticated and do not depend on e-mail.

Just as the e-mail standards created three decades ago have evolved very little, the spammer business model and methods have also evolved very little, and in the spam control arsenal the very same methods that existed 10 years ago are in vogue today as well.

And greylisting as a technique to fight spam is as relevant today as it always was.

How is greylisting different from other approaches?

If you want to kill spam, there is always a mix of methods to be employed. Instead of relying only on a few time tested methods, we must constantly evolve with the times and the attack vectors.

The fact that greylisting works very well against 90% of spam traffic is good news. But let us not stop there. We must do whatever we can to identify a given message as spam or ham.

It could be content filtering, it could be DCC or Razor, or whatever else you have up your sleeve.

Spam as a problem must be fixed, and fixed well, since your network and users are under attack and you as an MSP are answerable to the several SLAs you sign and promises you make to customers.

As long as expectations are clear that no product in this universe can stop 100% of all spam, we must keep upping our game.

Don't you get spam in your Gmail INBOX? You do.

And with all our capabilities we still can't deal with targeted spearphishing without doing sophisticated things geared towards addressing Business E-mail Compromise, or BEC.

The world is not yet done with spam, or with mail. We must keep fighting even if we are tired. There is no other way.

So how to address shortcomings of greylisting?

Greylisting is not without its own set of issues. When you send an email, you expect to see the mail land in the INBOX instantly, don't you?

And if it lands in the spam folder, then you wish to see your next mail in the INBOX once the recipient marks the mail as not spam.

In the case of greylisting, the mail is simply up in the air. You have delays, and thankfully these apply only to the mail server. So once your mail server is whitelisted, any number of emails from it get delivered instantly to the recipients despite the presence of greylisting.

There is also the issue of cloud based mail server groups that wreak havoc with greylisting. This problem has only gotten worse over the last 10 years. There are methods to combat this, mostly SPF whitelisting and greylisting keyed on the sender domain instead of the sender IP address. But despite all that, greylisting still works, and works well, to fight spam.
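The two fixes named above (whitelisting the networks of large senders, and keying greylisting on the sender domain rather than the IP) come down to choosing what to look up before the greylist record is consulted. The following is an added example written for this page, not SpamCheetah's own code: the bypass networks are constructed placeholders, the SPF result is assumed to come from a separate check already performed, and the domain is only used as a key when SPF passes, because a sender can claim any domain in MAIL FROM and keying on an unverified domain would let one first-seen host inherit the trust earned by another.

```python
import ipaddress
from typing import Optional

# Constructed sender networks that bypass greylisting entirely (the "whitelist the
# popular E-mail services" fix). Placeholders, not any real provider's ranges.
BYPASS_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:10::/48"),
]


def sender_domain(mail_from: str) -> str:
    """Domain part of the MAIL FROM address, lower-cased; empty for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def greylist_key(sender_ip: str, mail_from: str, spf_result: str,
                 key_by_domain: bool = True) -> Optional[str]:
    """Return the key to greylist on, or None if this sender bypasses greylisting.

    spf_result is the outcome of an SPF check done elsewhere ("pass", "fail",
    "softfail", "none", ...). Only an SPF pass makes the domain a safe key.
    """
    ip = ipaddress.ip_address(sender_ip)        # raises ValueError on garbage input
    if any(ip in net for net in BYPASS_NETWORKS):
        return None                             # whitelisted network: skip greylisting
    domain = sender_domain(mail_from)
    if key_by_domain and spf_result == "pass" and domain:
        # SPF vouches that this IP may send for the domain, so a retry from any
        # other IP in the domain's SPF record lands on the same greylist record.
        return "domain:" + domain
    return "ip:" + str(ip)                      # fall back to the classic per-IP key


if __name__ == "__main__":
    print(greylist_key("203.0.113.9", "a@example.org", "none"))          # None (bypass)
    print(greylist_key("198.51.100.4", "Bob@Example.com", "pass"))       # domain:example.com
    print(greylist_key("198.51.100.4", "bob@example.com", "softfail"))   # ip:198.51.100.4
```

The returned key is what the greylist record is stored under; a pool of outbound servers for one SPF-validated domain then shares a single pending entry, so the retry from a second IP in the pool completes greylisting instead of starting it over.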

Every spam control product must employ it in some form or other.