Greylisting: Difference between revisions

From ASRG
Jump to navigationJump to search
mNo edit summary
No edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{ast
{{ast
|date=early 2000s
|date=early 2000s
|difficult=medium
|difficult=Medium
|popular=Low, increasing
|popular=Low, increasing
|effective=High
|effective=Medium
|where=MTA
|where=MTA
|harm=Low
|harm=Low
Line 14: Line 14:
Greylisting attempts to detect SMTP client systems that are not true SMTP servers and do not maintain a message queue, instead using a "blast and dump" approach.
Greylisting attempts to detect SMTP client systems that are not true SMTP servers and do not maintain a message queue, instead using a "blast and dump" approach.


Greylisting operates by initially deferring incoming messages by giving a 4xx (temporary failure) response during the smtp protocol dialogue.  The receiving MTA stores information about the attempted delivery, at minimum the client SMTP system's IP address, but in some implementations also the [[envelope sender address]] and [[envelope recipient address]])When all three items are stored, it is called the triplet.
Greylisting operates by initially deferring incoming messages by giving a 4xx (temporary failure) response during the smtp protocol dialogue.  The receiving MTA stores information about the attempted delivery, at minimum the client SMTP system's IP address, but in some implementations also the envelope sender address and envelope recipient address, and in a few cases a hash of the message bodySome systems remember (IP, to, from), sometimes known as a ''triplet''.


If a new delivery attempt matching the stored client information (that is, the same IP address or the same triplet) arrives within the minimum delay time enforced by the receiving MTA, the retry is also rejected and the minimum delay time reset.  If the retry arrives after the minimum delay time, the message is accepted and the saved data is marked so that subsequent attempts which match the saved data are immediately accepted with no delay.  Depending on the implementation, subsequent attempts need only match the IP address of the client SMTP system, or the entire triplet.
If a new delivery attempt matching the stored client information (that is, the same IP address or the same triplet) arrives within the minimum delay time enforced by the receiving MTA, the retry is also rejected and the minimum delay time reset.  If the retry arrives after the minimum delay time, the message is accepted and the saved data is marked so that subsequent attempts which match the saved data are immediately accepted with no delay.  Depending on the implementation, subsequent attempts need only match the IP address of the client SMTP system, or the entire triplet.
Line 23: Line 23:
* problems with inbound server pools that accept connections on multiple IPs
* problems with inbound server pools that accept connections on multiple IPs
* problems when the retry time of the sending system is smaller than the minimum retry time enforced by the receiving system (note that RFC 2821 says that the 30 minute delay is a SHOULD, not a MUST)
* problems when the retry time of the sending system is smaller than the minimum retry time enforced by the receiving system (note that RFC 2821 says that the 30 minute delay is a SHOULD, not a MUST)
* long delays when the retry time of the sending system is too long - some big ISPs set this value to values bigger than 4 hours and even a day.
* unwanted interactions with servers doing callbacks
* unwanted interactions with servers doing callbacks
* extra burden on the sending MTAs
* extra burden on the sending MTAs


A few legitimate mail clients don't work with greylisting, either because they don't retry, or they retry in a way that the greylisting server doesn't recognize.  Often, whitelist tables of such hosts need to be maintained.
A few legitimate mail clients don't work with greylisting, either because they don't retry, or they retry in a way that the greylisting server doesn't recognize.  Often, whitelist tables of such hosts need to be maintained.
=== References ===
* M. Kucherawy and D. Crocker, Email Greylisting: An Applicability Statement for SMTP", RFC 6647

Latest revision as of 17:48, 4 March 2015

Anti-spam technique: Greylisting
Date of first use: early 2000s
Effectiveness: Medium
Popularity: Low, increasing
Difficulty of implementation: Medium
Where implemented: MTA
Harm: Low


Greylisting (AKA graylisting) is an extremely effective method against illegitimate spammers who use cracked PCs (botnets, for example) to send the spam. It is utterly ineffective against spamers sending from conforming conventional MTAs.

SMTP requires clients to maintain a queue of outgoing messages. During a delivery attempt, a 4xx response code indicates a temporary failure. The client system must then retry the message. See RFC 2821 Section 4.5.4. Clients can immediately try another host listed in an MX record for the target domain, or re-queue the message and try again later. When the message is re-queued, the RFC says the client SHOULD wait at least 30 minutes before the next delivery attempt, and generally should use progressively larger delays for each subsequent retry attempt.

Greylisting attempts to detect SMTP client systems that are not true SMTP servers and do not maintain a message queue, instead using a "blast and dump" approach.

Greylisting operates by initially deferring incoming messages by giving a 4xx (temporary failure) response during the smtp protocol dialogue. The receiving MTA stores information about the attempted delivery, at minimum the client SMTP system's IP address, but in some implementations also the envelope sender address and envelope recipient address, and in a few cases a hash of the message body. Some systems remember (IP, to, from), sometimes known as a triplet.

If a new delivery attempt matching the stored client information (that is, the same IP address or the same triplet) arrives within the minimum delay time enforced by the receiving MTA, the retry is also rejected and the minimum delay time reset. If the retry arrives after the minimum delay time, the message is accepted and the saved data is marked so that subsequent attempts which match the saved data are immediately accepted with no delay. Depending on the implementation, subsequent attempts need only match the IP address of the client SMTP system, or the entire triplet.

While effective against certain kinds of spam, the technique has its drawbacks:

  • greylisted messages are initially delayed, possibly for hours or days
  • problems with outbound server pools that retry with different IPs
  • problems with inbound server pools that accept connections on multiple IPs
  • problems when the retry time of the sending system is smaller than the minimum retry time enforced by the receiving system (note that RFC 2821 says that the 30 minute delay is a SHOULD, not a MUST)
  • long delays when the retry time of the sending system is too long - some big ISPs set this value to values bigger than 4 hours and even a day.
  • unwanted interactions with servers doing callbacks
  • extra burden on the sending MTAs

A few legitimate mail clients don't work with greylisting, either because they don't retry, or they retry in a way that the greylisting server doesn't recognize. Often, whitelist tables of such hosts need to be maintained.

References

  • M. Kucherawy and D. Crocker, Email Greylisting: An Applicability Statement for SMTP", RFC 6647