Greylisting

The term greylisting (British spelling) or graylisting (US spelling) denotes a method of fighting e-mail spam in which the first e-mail from an unknown sender is initially rejected and accepted only after a further delivery attempt.

Greylisting is both a method of detecting spam and a method of notifying the sender of discarded e-mails.

Operation

When an SMTP server is contacted in order to receive an e-mail, the following three pieces of data (the "SMTP envelope") are known to the mail server before it has to accept the e-mail:

If an e-mail with this combination of addresses has never been received before, the delivery attempt is blocked by the SMTP server with a message stating that a temporary error has occurred and that the SMTP client should therefore retry later. If a subsequent attempt is made to deliver an e-mail with the same combination of data (which a properly and RFC-compliantly configured SMTP server will definitely do), this e-mail is accepted (after a configurable time interval). Whether and when a new delivery attempt is made depends solely on the sender. There are also greylisting implementations that relax the rules somewhat, for example by recording and checking the domains involved instead of the e-mail addresses.

Benefits

Typical software for the mass sending of e-mails (especially worms or Trojans) often does not attempt to deliver a (spam) e-mail a second time to the same SMTP server. Such e-mails are successfully filtered out by greylisting. At present this therefore makes very effective spam fighting possible, reducing the amount of spam to as little as a tenth.

Because delivery is delayed, spam-detection methods based on network tests (such as RBLs, Vipul's Razor and DCC) become more effective, since between the first and second delivery attempt the spam wave may already have been identified and registered in the respective blacklists.

An e-mail can be rejected as soon as only the mail envelope with sender and recipient data has been received, rather than only after the complete e-mail (with body and possibly attachments) has been received. In this way, further spam filters such as SpamAssassin are not burdened with a rejected mail, which saves considerable resources.

Unlike heuristic anti-spam methods, greylisting normally loses no e-mail. Most greylisting implementations maintain a dynamic whitelist. After a successful mail delivery, the combination of sender, recipient and mail server is entered in the whitelist. Combinations that are in the whitelist bypass greylisting, so the e-mail is delivered on the first attempt. Repeated e-mail exchange between two people is therefore not hindered by greylisting.

Disadvantages

(Improperly configured) mail server programs may not make another delivery attempt after a temporary error. The administrator responsible for the sending mail server should be urged to fix this gross misconfiguration of their system. Furthermore, many greylisting implementations offer a whitelist, which should be used for legitimate rather than faulty senders, for example for whitelisting large providers. A useful whitelist is, for example, DNSWL. The share of spam that is increased further by the high proportion of forged sender addresses can be counteracted by the use of SPF.

A further disadvantage is the time delay. A welcome e-mail may arrive a few minutes or hours later because of greylisting.

Some mail server programs generate a provisional delivery report to the sender on the first attempt of an e-mail rejected by greylisting. This report is often not read carefully or not understood, and is thus often treated as a final report of failed delivery.

Like all anti-spam methods, greylisting loses efficiency as spam software evolves. The more widespread greylisting becomes, the more spammers will adapt. It is therefore advisable to use other methods such as SPF or DKIM at the same time.

It is also important to enable greylisting, where possible, on all mail servers responsible for a domain, since spammers often deliver directly to the MX with the lowest priority, which is often less well protected.

In implementations on server clusters it is important that the greylist database is replicated to all server nodes; otherwise mail reception can be greatly delayed.

In addition to the inherent delay of delivery by a few minutes to a few hours, e-mail from T-Online customers suffered significant delays in mid-June 2009. After a delivery attempt rejected by greylisting, T-Online delayed the second delivery attempt from 12 hours to about 5 days. T-Online initially pointed to the non-RFC-compliant behaviour of the rejecting mail server, but then removed the delays.

Field of application

Greylisting is applicable against UBE, because usually infected PCs combined into botnets are behind it. Against this target group it also helps to generally reject e-mails from dial-in connections. However, lists of dial-in connections must be constantly maintained.

Against UCE, greylisting is not generally applicable. Since what is spam or not may be a personal decision, blacklisting is the most accurate solution; automatic spam filters help relatively well.

Changing server addresses

Changing server addresses are not a serious obstacle for greylisting:

Large mail server operators need to distribute the load of sending e-mails across multiple servers. With a few of them, each retry comes from a different server. With many, at least all retries come from the same server. The same combination of IP address and sender e-mail address therefore does not always recur on the second attempt, but certainly after a while. If "weak greylisting" is configured, the last byte of the mail server address is ignored, and the second delivery attempt succeeds even if it is made from another server of the same mail server operator.
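The triplet logic from the Operation section and the "weak greylisting" variant above, as an added example that is not code from the original article; the delay value, the /24 treatment of the client address and the auto-whitelisting on first successful retry are assumed configuration choices:

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not from the article: a minimal greylisting decision engine
# keyed on the SMTP envelope triplet (client IP, MAIL FROM, RCPT TO).
# `delay` and `weak` are assumed configuration knobs; `now` is plain seconds.

@dataclass
class Greylist:
    delay: int = 300               # seconds a triplet must wait before a retry is accepted
    weak: bool = False             # True: key on the client's /24 instead of the exact IP
    pending: dict = field(default_factory=dict)    # triplet -> time first seen
    whitelist: set = field(default_factory=set)    # triplets that delivered once

    def _key(self, ip, mail_from, rcpt_to):
        addr = ipaddress.ip_address(ip)
        if self.weak and addr.version == 4:
            # "weak greylisting": ignore the last byte of the server address
            ip = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        return (ip, mail_from.lower(), rcpt_to.lower())

    def check(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for this delivery attempt made at time `now`."""
        key = self._key(ip, mail_from, rcpt_to)
        if key in self.whitelist:
            return "250 OK"                      # known conversation: no delay
        first = self.pending.get(key)
        if first is None:
            self.pending[key] = now              # unknown triplet: temporary error
            return "451 4.7.1 Greylisted, please try again later"
        if now - first < self.delay:
            return "451 4.7.1 Greylisted, please try again later"
        # Retry after the delay: accept and auto-whitelist the triplet so later
        # mail between the same parties bypasses greylisting on the first attempt.
        del self.pending[key]
        self.whitelist.add(key)
        return "250 OK"
```

A sender that never retries (typical mass-mailing malware) therefore never gets past the 451 reply, while a correctly configured MTA is delayed once per triplet.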

In practice, this makes little sense, since very many mail systems now use greylisting and thus greylist the first-connecting IP in the normal case. If the redelivery attempt comes from a different IP, greylisting can never be lifted for the first-connecting IP, which ultimately means that every e-mail is sent with a delay, because the advantage of recognizing an already existing conversation (temporary suspension of greylisting for the first-connecting IP, or auto-whitelisting) is lost, and the load on the server, quite contrary to the desired effect, even increases, because at least two delivery attempts must now always be made. A chance of immediate delivery usually exists only when the entire configuration of the connecting MTA, its IP and the domain associated with the e-mail address is perfectly in order (which unfortunately is the case with the fewest providers and private mail systems), and it ultimately always depends on the rule set of the receiving server.

Some servers initially make only one delivery attempt. The repetitions are then made with a new mail ID instead of the same one (i.e. they appear as the content of a different message).

Operating mail servers via a dial-up connection (and thus with an IP address that changes at least daily) hardly ever occurs, because dial-up addresses are rejected by almost all SMTP servers.

Adaptation of the spammers

In the period from March 2008 to August 2009, insignificant waves of spam from botnets were seen that repeated the sending of spam, perhaps for testing purposes. The characteristics of these repeated attempts were:

Whether by accident or on purpose, none of the waves was likely to undermine greylisting as described here. The combination of the same PC with the same sender and the required time interval was simply not there. Until October 2010, greylisting was the most accurate spam filter for UBE.

Since the end of October 2010 a small portion of the UBE spam from botnets has also been sent several times, and since October 11, 2011 a significant portion. Greylisting is thus still a criterion for spam filtering, but is no longer the sole solution.

RFC compliance

RFC 2821 provides a general "temporarily unavailable" error. The compliant method would be to delay the acknowledgement of the first submission until the e-mail has been examined. With the usual greylisting (acknowledged on the second submission), the connection would generally have to be closed before the acknowledgement of receipt.

Instead, rejecting the e-mail with a temporary error 4xy has become established. This is wrong in the sense of RFC 2821, but allows the sending mail server to log the cause of the "temporary failure".

Notifying the sender

If an SMTP server first accepts e-mails and only then filters spam, it cannot notify the sender: the sender information in almost all spam e-mails is forged, and the notifications would go to innocent victims.

The SMTP server can, however, first accept the mail with envelope, header and body and then return a temporary error instead of the confirmation. If it has completed the spam check by the next delivery attempt, it returns 250 (OK) or 5xy (error).
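The variant just described, as an added example that is not code from the original article: the message is read in full, answered with a temporary error after DATA, checked between the attempts, and the retry of the same message gets 250 or 5xy. The content check (`is_spam`) and the fingerprinting of the message by its content are assumptions of this example:

```python
import hashlib

# Added example, not from the article: "late" greylisting after DATA. The
# first delivery of a message is read in full (envelope, header, body) and
# answered with a temporary error; the check runs in the meantime, and the
# retry of the same message is answered with 250 or 5xy. `is_spam` is an
# assumed stand-in for a real content filter.

class LateGreylist:
    def __init__(self, is_spam):
        self.is_spam = is_spam   # callable(body) -> bool, assumed
        self.queued = {}         # fingerprint -> body awaiting a check
        self.verdicts = {}       # fingerprint -> True (spam) / False (clean)

    @staticmethod
    def fingerprint(mail_from, rcpt_to, headers, body):
        # Match the retry by message content rather than by a client-supplied
        # Message-ID, which a sender could regenerate on each attempt.
        h = hashlib.sha256()
        for part in (mail_from, rcpt_to, headers, body):
            h.update(part.encode("utf-8") + b"\0")
        return h.hexdigest()

    def end_of_data(self, mail_from, rcpt_to, headers, body):
        """Reply to send once the client's DATA phase has been read completely."""
        fp = self.fingerprint(mail_from, rcpt_to, headers, body)
        if fp in self.verdicts:
            spam = self.verdicts.pop(fp)
            return "550 5.7.1 Rejected as spam" if spam else "250 OK queued"
        if fp not in self.queued:
            self.queued[fp] = body        # first attempt: keep it for the check
        # First attempt, or a retry before the check finished: temporary error.
        return "451 4.7.1 Please try again later"

    def run_checks(self):
        """Background step between delivery attempts: score queued messages."""
        for fp, body in list(self.queued.items()):
            self.verdicts[fp] = self.is_spam(body)
            del self.queued[fp]
        return len(self.verdicts)
```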

It is even conceivable that the recipient sorts the mail personally, so that the examination takes place hours later.

By rejecting the submission of the e-mail, the true sender of the e-mail is normally notified. Consequently, the recipient is no longer forced to watch a spam folder. In the case of an erroneous rejection, the sender will act according to any instructions in the error message or pick up the phone.
