Spam & Greylisting
Sunday 13 March 2005 – 23:25

Once upon a time, spam was something delivered in a can. Nowadays, it comes in all flavors directly delivered to your mailbox. Get a bigger/longer penis, buy cheap meds, get a university diploma etc. And let’s not forget all the nice letters from Nigeria. I read somewhere that spam already constitutes over 50% of all email traffic on the internet. That’s just wrong. On my own mailserver I’ve used SpamAssassin since day 1. It’s a really nice server-side filter for guessing which emails are spam and tagging them accordingly. It’s then up to your email client or some other filter to do whatever’s appropriate. However, this still requires your email server to do a lot of processing. Enter a “new” technique for stopping spam at the door - Greylisting!
Greylisting is a relatively new technique for stopping spam before your email server accepts it and starts to process it. It’s based on the fact that most spam sources don’t behave like a normal mail server. Normal mail servers will, if a temporary error occurs at the receiving end, buffer the email and try again later. “Spam cannons” don’t normally have this functionality built in. So, let’s generate a temporary error on purpose and let the sending server come back later to try to deliver the mail again. A normal server (which most of the time has a real email to deliver) waits a while, tries again and then succeeds in delivering the mail. A spam cannon only tries once, and then the email is lost, keeping it from consuming processing power and disk space on your email server.
The greylisting mechanism keeps a database of approved senders, each consisting of sender address, recipient address and the IP address of the sending email server (I’ll refer to this as the sender triplet from now on). When a new sender triplet is found for the first time, a message looking something like this is sent back to the sending email server:
451 4.7.1 Greylisting in action, please come back in 00:30:00
Here we can see the appropriate SMTP codes for a temporary error and a descriptive text of what has happened. I’ve configured my mail server to wait 30 minutes before accepting a new sender triplet. If the sending email server tries again before the 30 minutes have passed, it will receive a temporary error again:
451 4.7.1 Greylisting in action, please come back in 00:15:00
Here we can see that there are 15 minutes left before the email server will accept the email. After the 30 minutes have passed and the sending server tries again, the email will pass and the sender triplet will be registered as “whitelisted” for a configurable duration (30 days or something like that). That means that subsequent emails from the same sender to the same recipient will be delivered without delay. Every time a new email from this triplet is received, it gets a fresh new 30 days (or whatever you’ve configured it to be) in the whitelist. In other words, contacts you communicate with frequently will only experience a short delay the first time.
This is mostly transparent to the actual users, apart from a small delay the first time. There are however times when this method will fail due to lousy (sending) email servers. If they are important to you, just add an auto whitelist entry for them in the greylisting configuration (if your implementation supports this).
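The triplet logic described above, written out as a small policy check. This is an added example, not code from the original post or from any particular greylisting implementation; the class and function names, the IP-keyed exemption list and the sample addresses are assumptions made for illustration.

```python
from datetime import datetime, timedelta

DELAY = timedelta(minutes=30)        # wait imposed on a new triplet (the post's setting)
WHITELIST_TTL = timedelta(days=30)   # whitelist lifetime (the post's example value)


def hms(delta):
    """Format a timedelta as HH:MM:SS, as in the 451 replies quoted above."""
    s = int(delta.total_seconds())
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


class Greylist:
    def __init__(self, exempt_ips=()):
        self.pending = {}      # triplet -> time of the first delivery attempt
        self.whitelist = {}    # triplet -> time the whitelist entry expires
        self.exempt_ips = set(exempt_ips)  # assumption: manual whitelist keyed by IP

    def check(self, sender, recipient, client_ip, now):
        """Return (smtp_code, text) for one delivery attempt at time `now`."""
        if client_ip in self.exempt_ips:
            return 250, "OK"
        triplet = (sender, recipient, client_ip)
        expiry = self.whitelist.get(triplet)
        if expiry is not None:
            if now <= expiry:
                # Every accepted mail gives the triplet a fresh whitelist period.
                self.whitelist[triplet] = now + WHITELIST_TTL
                return 250, "OK"
            del self.whitelist[triplet]  # lapsed: the triplet starts over as new
        first_seen = self.pending.setdefault(triplet, now)
        remaining = first_seen + DELAY - now
        if remaining > timedelta(0):
            return 451, f"4.7.1 Greylisting in action, please come back in {hms(remaining)}"
        del self.pending[triplet]
        self.whitelist[triplet] = now + WHITELIST_TTL
        return 250, "OK"


if __name__ == "__main__":
    gl = Greylist()
    t0 = datetime(2005, 3, 13, 12, 0)  # constructed sample data
    msg = ("alice@example.org", "bob@example.net", "192.0.2.10")
    for minutes in (0, 15, 30):
        print(minutes, gl.check(*msg, t0 + timedelta(minutes=minutes)))
```

The same sender arriving from a different IP address forms a new triplet and is delayed again, which is why senders that rotate through several outbound servers are the usual candidates for a manual whitelist entry.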
And now to the kicker… This works! SpamAssassin did a good job. It tagged most of the spam. However, that requires processing power and storage space (for a separate spam folder that gets cleaned manually from time to time). Also, some spam fooled SpamAssassin and was delivered untagged to my inbox. With Greylisting in place I haven’t received one single spam message in my inbox. My spam folder (tagged and filtered by SpamAssassin) receives three or four spam messages per month now. Greylisting has reduced the number of spams received by my email server by over 95%. That’s just plain fantastic, wouldn’t you agree?
Is this the definitive answer to all our spam problems? No. Spammers will adapt. They always do. Install Greylisting and enjoy it while it lasts.
Greylisting information:
http://www.greylisting.org/