20 August 2014

A number of times now, we have been asked how good Graylisting of emails is as a technique to reduce the amount of Spam a company receives. Even though this is an old technique, we find it continues to be a good one. Graylisting takes advantage of the fact that the majority of spam Trojans/bots do not implement a full Message Transfer Agent (MTA). What the Spammers fail to implement in particular is a queuing system, and this gives us an effective way of blocking their email as spam. The majority of Trojans/bots simply open a direct SMTP connection to the target and send their spam. They then move on to the next recipient, and no retrying is done. So, if we can force SMTP connections to queue, these Trojans/bots will not get through. This simply requires that the defending MTA rejects the first connection with a temporary error code, so that a compliant sending end will try again later. This is surprisingly effective, but some Trojans/bots are more sophisticated, or they may be on systems that sit behind an intercepting MTA, in which case this technique will not work and you need other techniques to filter out those that do get through.

However, there is no such thing as a free lunch, and Graylisting can result in a short delay for inbound email. This is because with Graylisting, legitimate email is also rejected the first time, to see whether the sending email server is fully implemented as described above. The delay in resending the email is totally dependent on the remote email server; by default, the enforced delay is approximately one minute, so the delay is usually not very long. Having said that, there are a number of techniques that can be used to reduce or totally remove this delay. One solution is to maintain a database of proven legitimate connections.

For example, if a legitimate server on a static IP address has responded to a previous block by the Graylisting system, it can be identified as trusted, and email from this server and email address will not go through the Graylisting process again. This ensures that relationships between users are respected and their emails flow without any delay. One of the ways we build these relationships is by putting our Graylisting solution into ‘learning’ mode for a number of days before you enforce it. This allows the system to learn the relationships before Graylisting is actually imposed, which means only new relationships from that point onwards get the one minute delay.

Another option is to exclude email addresses that always require quick responses. For instance, sales or support might receive only one request from a prospect or customer, so there may not be a ‘relationship’ as such. There are also addresses that you might deliberately exclude; for example, if the sender has a legitimate SPF record there is little point in doing Graylisting.

So Graylisting is good, but there is no question that a multi-layered defence is always best, to catch situations where it is not valid. As a result, it is important that your solution implements a number of additional technologies to capture spam, like signatures, Bayesian filters, lexical analysis, reputation of sender and so on. Needless to say, there are corner cases that need to be caught in Graylisting and a good number of housekeeping tasks to keep the relationship database clean and relevant, but your provider should be worrying about those, enabling your company to benefit from a cleaner feed to the internet and much less spam.
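To make the mechanism concrete, here is an added example (not code from this post or its author's product) of a minimal greylisting decision engine of the kind an inbound MTA would call on each RCPT TO. It keys on the (client IP, envelope sender, envelope recipient) triplet, answers a first contact with a temporary 450 reply, promotes a sender that comes back after the minimum delay into a trusted-relationship database, supports the learning mode and the exempt-address list described above, and includes the housekeeping that expires stale entries. The reply strings, the four-hour retry window, the 30-day relationship lifetime and the traffic in `simulate()` are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)

# SMTP replies: 450 is a temporary failure that a compliant MTA queues and retries,
# while a bot that never retries simply loses the message.  Wording is assumed.
TEMP_FAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 2.0.0 OK"


@dataclass
class Greylister:
    min_delay: float = 60.0            # seconds a sender must wait before a retry is accepted
    retry_window: float = 4 * 3600.0   # assumed: a first contact not retried within this is forgotten
    trusted_ttl: float = 30 * 86400.0  # assumed: drop relationships unused for 30 days
    learning: bool = False             # learning mode: never reject, only record relationships
    exempt_recipients: Set[str] = field(default_factory=set)  # addresses that must never be delayed
    pending: Dict[Triplet, float] = field(default_factory=dict)  # triplet -> first-seen time
    trusted: Dict[Triplet, float] = field(default_factory=dict)  # triplet -> last-used time

    def decide(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Return the SMTP reply for one RCPT TO, updating the databases as a side effect."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key[2] in self.exempt_recipients:
            return ACCEPT
        if key in self.trusted:
            self.trusted[key] = now          # keep the relationship alive
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            # First contact (or a stale one): remember it and ask the sender to queue and retry.
            self.pending[key] = now
            return ACCEPT if self.learning else TEMP_FAIL
        if now - first_seen < self.min_delay:
            # Retried too quickly: still greylisted.
            return ACCEPT if self.learning else TEMP_FAIL
        # The sender queued and came back later, so it runs a real MTA: promote to trusted.
        del self.pending[key]
        self.trusted[key] = now
        return ACCEPT

    def prune(self, now: float) -> None:
        """Housekeeping: forget stale first contacts and relationships nobody has used."""
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.retry_window}
        self.trusted = {k: t for k, t in self.trusted.items() if now - t <= self.trusted_ttl}


def simulate() -> Dict[str, List[str]]:
    """Constructed traffic: a bot that never retries, a real MTA that queues and retries,
    and a one-off enquiry to an exempt sales@ address.  All addresses are made up."""
    g = Greylister(exempt_recipients={"sales@example.com"})
    t0 = 1_000_000.0
    out: Dict[str, List[str]] = {}
    # Bot: one direct delivery attempt per recipient, then it moves on.
    out["bot"] = [g.decide("198.51.100.7", "x@spam.invalid", "alice@example.com", t0)]
    # Real MTA: rejected, retries after its own queue delay (5 minutes), and from then on
    # the relationship is trusted so later messages are accepted without delay.
    out["mta"] = [
        g.decide("203.0.113.25", "bob@partner.example", "alice@example.com", t0),
        g.decide("203.0.113.25", "bob@partner.example", "alice@example.com", t0 + 300),
        g.decide("203.0.113.25", "bob@partner.example", "alice@example.com", t0 + 86400),
    ]
    # Exempt address: a first-time prospect is never delayed.
    out["sales"] = [g.decide("192.0.2.9", "prospect@customer.example", "sales@example.com", t0)]
    # Housekeeping a day later: the bot's first contact has expired, the relationship remains.
    g.prune(t0 + 86400 + 5 * 3600)
    out["pending_left"] = [str(len(g.pending))]
    out["trusted_left"] = [str(len(g.trusted))]
    return out


if __name__ == "__main__":
    for name, replies in simulate().items():
        print(name, replies)
```

The "retried too quickly" branch matters in practice: a sender that reconnects within seconds has not queued anything, so it is still treated as a first contact rather than rewarded for hammering the server. In learning mode the engine never returns 450 but still records first contacts, so any triplet that shows up a second time after the minimum delay is promoted, and when enforcement is switched on those established relationships skip the delay exactly as the post describes.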
