Grey listing is a new method of blocking significant amounts of spam at the mail server level, but without resorting to heavyweight statistical analysis or other heuristical (and error-prone) approaches. Consequently, implementations are fairly lightweight, and may even decrease network traffic and processor load on your mail server.
The term grey listing is meant to describe a general method of blocking spam based on the behavior of the sending server, rather than the content of the messages. Grey listing does not refer to any particular implementation of these methods. Consequently, there is no single grey listing product. Instead, there are many products that incorporate some or all of the methods described here.
The SecPoint® Protector (http://www.secpoint.com/secpoint-protector.html) comes fully loaded with the grey listing functionality that provides the customers with the best anti-spam solution.
Grey listing has been designed from the start to satisfy certain criteria:
Have minimal impact on users
Limit spammers' ability to circumvent the blocking
Require minimal maintenance at both the user and administrator level
While somewhat effective, user-level spam blocking has a few key drawbacks that make its use in the continuing spam war undesirable. A few of these are:
It provides no notice to the senders of legitimate email that is falsely identified as spam.
It places most of the costs of processing the spam on the receivers' side rather than the spammers' side.
It provides no real disincentive to spammers to stop wasting our time and resources.
As a result, grey listing is designed to be implemented at the MTA level, where we can cause the spammers the most amount of grief.
High Level Overview
Grey listing got its name because it is kind of a cross between black- and white-listing, with mostly automatic maintenance. A key element of the grey listing method is its automatic maintenance.
The grey listing method is very simple. It only looks at three pieces of information (which we will refer to as a "triplet" from now on) about any particular mail delivery attempt:
The IP address of the host attempting the delivery
The envelope sender address
The envelope recipient address
From this, we now have a unique triplet for identifying a mail "relationship". With this data, we simply follow a basic rule, which is, "If we have never seen this triplet before, then refuse this delivery and any others that may come within a certain period of time with a temporary failure."
Since SMTP is considered an unreliable transport, the possibility of temporary failures is built into the core spec. As such, any well behaved message transfer agent (MTA) should attempt retries if given an appropriate temporary failure code for a delivery attempt (see below for discussion of issues concerning non-conforming MTA's).
During the initial testing of grey listing in mid-2003, it was observed that the vast majority of spam appears to be sent from applications designed specifically for spamming. These applications appear to adopt the "fire-and-forget" methodology. That is, they attempt to send the spam to one or several MX hosts for a domain, but then never attempt a true retry as a real MTA would.
The aforementioned tests confirmed that in the test environment, based on a fairly conservative interpretation of testing data, an effectiveness of over 95% was attained, and that is with no legitimate mail ever being permanently blocked.
In addition, with the recent rampant proliferation of email-based viruses, grey listing has been shown to be extremely effective in blocking such malware, as they also do not tend to retry deliveries. And since they tend to be fairly large, bandwidth and processing savings are significant compared to the standard method of accepting delivery and local virus scanning.
This blocking comes with a minimal price from the terms of local resources. Assuming the use of a local datastore for the triplet and other metadata, there is no required network traffic caused by grey listing other than that associated with the connection itself. Since users tend to not check the contents of the message at all when using grey listing services, there is very little processing overhead, unlike many other spam-blocking methods.
The best part is that since grey listing never permanently fails a message delivery, as long as the delivering MTA's are well behaved, the spam-blocking method should never cause a legitimate mail to bounce. There should never be a false positive!