Greylisting is a simple but highly effective means to weed out messages that are being delivered via spamware/ratware tools. The idea is to establish whether a prior relationship exists between the sender and the receiver of a message. Most of the time it does, and the delivery proceeds normally.
On the other hand, if no prior relationship exists, the delivery is temporarily rejected, using a 451 SMTP response. Legitimate MTAs will treat this response accordingly, and retry the delivery in a while. In contrast, ratware will usually fail to retry the delivery in a normal fashion.
As a result, greylisting is currently more than 90% effective in blocking incoming junk mail, while nearly all legitimate mail goes through.
Three pieces of information (herafter called a triplet) from the delivery attempt are cached for future reference:
- The address of the host attempting the delivery
- The envelope sender address (MAIL FROM:)
- The envelope recipient address (RCPT TO:)
If a delivery attempt was temporarily rejected, then after an initial timeout (60 minutes by default), but before a retry expiration time (8 hours by default), new delivery attempts with the same triplet are accepted, and the triplet is added to a whitelist. This allows for delivery retries, presumably from legitimate MTAs, and ensures that future mail from the same contact is not subject to greylisting.
If a whitelisted triplet has not been seen for an extended duration (by default 60 days), it is expired. This prevents unlimited growth of the list.
The downside to greylisting is that legitimate mail from people who have never sent you mail in the past (or, at least, within the last 60 days) are subject to a one-hour delay.
The upside is that the current generation of ratware tools will not be able to deliver spam or virii to you. Even if, as a result of lots of sites incorporating the greylisting concept, ratware tools are modified such that temporarily rejected deliveries are retried, you stand an increased chance of blocking such mail. That is because within the mandatory 1-hour initial delay, chances are that the sending host's IP address has been listed in one or more DNS block lists (such as bl.spamcop.net, cbl.abuseat.org, etc..), and can be rejected by your MTA by consulting these lists directly, or via anti-spam software like SpamAssassin.
A prerequisite to greylisting in general is the ability to perform custom filtering throughout the various stages in the SMTP transaction, most notably after the RCPT TO: SMTP command. In particular, greylistd(8) can be invoked either over a UNIX domain socket or via the supplied greylist(1) utility.
Although greylistd(8) is written mainly with Exim in mind, it should be possible to use it with any MTA that:
Some MTAs either have limited or no support for such external filters in the SMTP transaction (e.g. Sendmail), or define a very custom interface for such filters (e.g. Postifx "Policy Servers").
That said, solutions exist for these other MTAs as well. For Postfix, check into "postgrey", and for Sendmail there is "relaydelay". For other MTAs, check the links on Evan Harris' greylisting project page:
Runtime data. Theare are four sections: [white], [grey], [black] and [statistics]. The first three sections consist of lines of the form:
hash = lastseen firstseen count
The [statistics] section contains a counter for each of the three lists, indicating how many items that has ever made its way into these lists by way of the update protocol.
Unhashed data - i.e. the original triplets passed to greylistd. Internally, greylistd(8) hashes the provided data into a single 32-bit value for efficiency. Prior to version 0.6, the original data was not retained; as of version 0.6, data is optionally saved into this file.
Data items are saved in the form:
hash = data ...
The UNIX domain socket providing the main interface to "greylistd". The MTA can either connect to this socket directly, or use the supplied "greylist" utility to do so.
Commands are actually executed in the daemon, not the "greylist" client. If the user who invokes "greylist" interactively has a different time zone than the daemon process, time and date representations in the output will reflect those of the daemon.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
On a Debian GNU/Linux system, the full text of the GPL is available in /usr/share/common-licenses/GPL. It is also available at: