in

From The Trenches

Fighting SPAM With Greylisting

Recently, we have implemented greylisting on in-bound e-mail gateways as one of the tools in our arsenal against spam. Although we had this feature for years, we held it back due to fear of negative effects it may have on our users. However, after sustaining wave after wave of spam attacks during the last several weeks and numerous complaints from our users as the result, one can no longer argue that a temporary inconvenience of gray-listing outweighs the risks that spam-bots and viruses can pose.

What Is Grey-listing?

Grey-listing works because the vast majority of spammers and email-propagated worms cheat. To get their messages out quickly and easily, they take shortcuts. One of the biggest shortcuts is that most message deliveries are attempted only once. If a delivery attempt fails for any reason, the sender ignores that delivery and tries other addresses.

Grey-listing relies on spammers using software that does not queue messages with temporary failures to try them again at a later time. Real mail servers will continue trying to deliver a message for at least several hours, and usually several days if it doesn't go through the first time. Implementing this functionality significantly complicates the mailing software and uses resources on the sender's computers, which is probably why so many spammers are neglecting to do it.

In general terms, greylisting works by creating a "triple" of remote IP address, envelope sender, and envelope recipient for every incoming recipient. I say "recipient" instead of "message" because in the case of carbon copies, a single message can have multiple recipients. This triple is then looked up in a database. For the first 10 minutes that a new triple is seen, it is rejected with a temporary failure (400-series SMTP response), requesting that the remote Mail Transfer Agent (MTA) try again later. After that, the recipient is allowed for delivery.

After the first 12 hours, if a message is not received within the next three hours, the entry is removed and the remote sender must start all over again. This further ensures that the remote system is queuing the message instead of sending another campaign.

Benefits

The primary benefits of greylisting are its effectiveness and low requirements for maintenance. It's the single most effective technique we have found for cutting down on the spam that makes it into our edge SMTP gateways. We have been using RBLs, Reverse-Path Checks, red-listing, real-time spam signature checks, Bayesian algorithms, and other techniques, and the addition of greylisting has reduced the amount of spam our spam filters have to process by 5 to 10 times. Additionally, with it we've been able to reduce our quarantine queue size by 76%.

The low maintenance requirements are a huge benefit for the already overworked sys admin. After the initial install and a few tweaks, we have not had to touch the greylisting system at all. Unlike other techniques, it doesn't require rule-sets to be updated, quarantine folders to be reviewed, lists to be preened, decisions about which RBLs (Real-time Black-hole Lists) to use, etc. It just works.

Even if spammers start queuing more of their messages, there are advantages to delaying the initial message from a particular sender. That delay gives other anti-spam techniques such as DCC, Spamcop, and RBLs a better chance of detecting the message as spam. When the spam or virus delivery is retried, it is more likely to be caught by these other mechanisms.

Drawbacks

The biggest complaint against using greylisting is that it will almost certainly cause some email to be delayed. The first message from a particular sender at a particular location will, under most circumstances, take at least 10 to 30 minutes to be delivered. If a user is on the telephone with the recipient and an email is sent, the email won't immediately come through unless the sender is already in the greylist. Outgoing mail may also be delayed because of a technique called "SMTP callbacks". SMTP callbacks are used by some mail servers to try to combat forged sender addresses. When a mail server gets a message claiming to be from a particular user, a connection is made to a mail server for that domain to check that it will accept email for that sender address. If this happens from one of your users, the greylisting software may cause the remote server to deny the message until after the greylisting period expires.

Conclusion

Gray-listing is a potent weapon in fight against SPAM. Some users argue that an initial delivery delay is unacceptable, however after we have disabled spam filtering for their domain they quickly realized that an alternative is even less desirable. As the volume of spam has exceeded over 92% of all SMTP traffic this year, it is obvious that we have to employ every weapon in our arsenal to combat it.

Published Aug 20 2008, 03:13 PM by skozyuk
Filed under: , ,

Comments

 

drewmister said:

So basically you temporarily reject the first incoming email to a recipient in my domain.

Why 10min delay? Why not 1min? What is the standard retry time remote servers use?

Why 12 hours and not 24 or 48? If there are people you regularly communicate with keeping the "triple" alive longer may alleviate delays. Or is it common for a particular spammer to do a similar attack within 12 hours?

August 21, 2008 2:22 AM
 

drewmister said:

I'm not sure if this new policy is to blame, but a colleague sent an email to our group. It was a notification about some service we use being down. A little while later he sent and update that the service had been restored. Trouble is I got the update before I got the original message. My guess is that your answer to this will be it is because the sender did not retry the original message before the update message went out. The time between the creation of the 2 emails was 1 hour but I received the 1st email 5 hours after the second. I'm not a mail guru and can't read the envelopes well enough to see where the problem was, but isn't it possible the new greylist policy could be part of the problem?

August 21, 2008 2:47 AM
 

skozyuk said:

The delay has to be long enough to ensure that submitting MTA agent is not attempting to simply send duplicates of the same spam message as it is often the case with spam bots that hammer our servers. Also, short delay will not reduce time lag for legitimate servers, since typical first delivery retry on most servers is 15 to 30 minutes.

The reason you have received the second e-mail before the original is because sending MTAs retry period is too long. When second e-mail was sent the greylist on our end has expired ad allowed the message to pass uninhibited. The firs e-mal arrived 5 hours later because the sender MTA retried only after that period of time.

August 21, 2008 4:53 PM
 

Websites tagged "greylisting" on Postsaver said:

Pingback from  Websites tagged "greylisting" on Postsaver

October 9, 2008 9:47 AM
2004 - 2008 IHOST, LLC