Greylisting as an Anti-Spam Measure
Written by Rod Bacon
Thursday, 17 July 2008 13:37
SPAM (unsolicited bulk email) has become a huge issue for all connected businesses. Not only does it represent a massive inconvenience, but there are real costs associated with it in the form of increased Internet data costs, unproductive time for staff as they deal with the barrage of junk, and the potential for important emails to simply get lost in the fray. While JASCO has always used and recommended the best in anti-spam technology from vendors such as Trend Micro, we still find the need to revisit the problem time and again for both ourselves and our clients, each time more closely. The commonly implemented policy of "delete only the mail that you are 100% certain is SPAM, and tag-and-deliver the rest for closer human inspection" is deemed necessary to avoid too much good mail getting lost, but it also creates an administrative nightmare, with at least some members of staff having to wade through 300-400 messages each morning looking for the proverbial needle (the good message) in the haystack (the junk mail folder). There simply had to be something else we could do...

What is Greylisting?

The technique we employed to cut the volume of SPAM reaching our mail server is called greylisting. Greylisting takes advantage of the fact that SMTP (email) is not a guaranteed-delivery protocol, and that functionality is built into the SMTP protocol specification to deal with delivery problems: a receiving server may answer a delivery attempt with a temporary failure, and a compliant sending server is expected to queue the message and try again later (see RFC 821). Here is a simplified version of how it works:

1. The remote host (mail server) connects to your greylisting-enabled mail service and attempts to send a message.

So how does simply delaying mail help to fight SPAM? This is the key. The vast majority of SPAM is generated by specific SPAM-creating applications that fire-and-forget their email payload. Why? Because of the sheer volume of messages being sent and the expected high failure rate, a traditional mail server would spend a significant amount of time and CPU load processing failures, time that (from the spammer's point of view) could be better spent blindly sending more SPAM. The SPAM software therefore never comes back for a second attempt, and the greylisted message is never delivered.

The Results

The graph below shows the volume of mail being received and processed at our own mail server over a month, both before and after the deployment of a greylisting service in front of it. Keep in mind that these figures include good messages too (i.e. all mail).

The net effect is that our Exchange 2007 mail server (and our Trend anti-spam engine) now only needs to process an average of 4,600 messages daily, as opposed to the original 12,500, a 63% reduction in total mail volume (obviously saving data costs and processing overhead). While this is interesting in itself, it doesn't portray the actual end-user experience. A survey of JASCO staff revealed a 94-98% decrease in SPAM volume for users who were previously heavy sufferers. Also, because this technique only holds back mail from SMTP sources that do not retry after a temporary failure (non-compliant senders), the likelihood of false positives (accidentally denying good mail) is extremely low.

What's the Catch?

I'm glad you asked! The only real negative imposed by greylisting is the forced delay of the initial message from a given source (remember the triplets? Each new combination of sending host, sender address and recipient address is delayed once). Because the retry period is configured at the sender's end, the period of delay is out of your control. Our experience shows it can be as low as 5 minutes or as high as 4 hours (more typically, 5 minutes). Most greylisting solutions have a manual whitelist facility, where you can enter the domain names of companies that you frequently deal with (so they are ignored by the system) or internal addresses for which you want greylisting disabled (an email address that needs the timeliest delivery possible and doesn't care about SPAM). Some websites also send things such as registration emails using scripts rather than a proper SMTP server with a queue, so a temporary failure is never retried and the message never arrives. In these cases, an exception may need to be manually added to your local whitelist.

The Deployment Model

There are greylisting solutions compatible with all popular mail platforms. Some are installed on the mail server itself; others can be deployed in front of one or more corporate mail servers (in a gateway topology). Both commercial and open-source products currently exist.
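To make the mechanism concrete, here is a small greylisting policy engine written as an added example for this article; it is not JASCO's code nor any vendor's product. It implements the standard triplet logic described above (first attempt for an unseen sending host / sender address / recipient address combination gets a temporary SMTP failure, a retry after the minimum delay is accepted and remembered) together with the manual whitelist from the "What's the Catch?" section. The timeouts, the 4xx/2xx reply strings, the lookup-by-/24 option and the sample triplets (RFC 5737 documentation addresses and `.example`/`.invalid` names) are all assumptions chosen for illustration.

```python
"""Triplet-based greylisting policy (added example; assumed parameters throughout)."""
from dataclasses import dataclass, field

MIN_RETRY_DELAY = 300        # seconds a sender must wait before a retry is accepted (assumed 5 min)
UNCONFIRMED_TTL = 4 * 3600   # forget a triplet that never retries within this window (assumed 4 h)
CONFIRMED_TTL = 36 * 86400   # keep a confirmed triplet this long so later mail is not delayed again

TEMP_FAIL = "450 4.7.1 Greylisted, please try again later"   # compliant MTAs queue and retry
ACCEPT = "250 2.0.0 OK"


@dataclass
class Entry:
    first_seen: float
    last_seen: float
    confirmed: bool = False


@dataclass
class Greylist:
    whitelist_domains: set = field(default_factory=set)    # sender domains you deal with often
    exempt_recipients: set = field(default_factory=set)    # local mailboxes that must never wait
    lookup_by_subnet: bool = True   # common practice: key on /24 so MTA pools retrying from a sibling host still match
    entries: dict = field(default_factory=dict)

    def _key(self, client_ip, mail_from, rcpt_to):
        ip = client_ip
        if self.lookup_by_subnet and client_ip.count(".") == 3:   # IPv4 only in this example
            ip = client_ip.rsplit(".", 1)[0] + ".0/24"
        return (ip, mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply the server should give for this envelope at time `now`."""
        sender_domain = mail_from.rsplit("@", 1)[-1].lower()
        if sender_domain in self.whitelist_domains or rcpt_to.lower() in self.exempt_recipients:
            return ACCEPT                       # manual whitelist bypasses greylisting entirely
        key = self._key(client_ip, mail_from, rcpt_to)
        entry = self.entries.get(key)
        if entry is None:                       # never seen this triplet: defer and remember it
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return TEMP_FAIL
        if entry.confirmed:
            if now - entry.last_seen > CONFIRMED_TTL:   # auto-whitelist expired, start over
                self.entries[key] = Entry(first_seen=now, last_seen=now)
                return TEMP_FAIL
            entry.last_seen = now
            return ACCEPT
        age = now - entry.first_seen
        if age > UNCONFIRMED_TTL:               # retry came too late; treat as a fresh first attempt
            self.entries[key] = Entry(first_seen=now, last_seen=now)
            return TEMP_FAIL
        entry.last_seen = now
        if age < MIN_RETRY_DELAY:               # retrying too eagerly: keep deferring
            return TEMP_FAIL
        entry.confirmed = True                  # a real MTA waited and came back: let it through
        return ACCEPT

    def purge(self, now):
        """Drop expired entries; returns how many were removed."""
        stale = [k for k, e in self.entries.items()
                 if (not e.confirmed and now - e.first_seen > UNCONFIRMED_TTL)
                 or (e.confirmed and now - e.last_seen > CONFIRMED_TTL)]
        for k in stale:
            del self.entries[k]
        return len(stale)


def simulate():
    """Constructed traffic: a fire-and-forget bot, a compliant MTA, whitelisted senders, a slow retrier."""
    gl = Greylist(whitelist_domains={"partner.example"}, exempt_recipients={"urgent@jasco.example"})
    rcpt = "user@jasco.example"
    log = {}
    log["bot_first"] = gl.check("198.51.100.7", "promo@bulk.invalid", rcpt, 0)           # deferred, never retries
    log["mta_first"] = gl.check("203.0.113.5", "alice@customer.example", rcpt, 0)        # deferred
    log["mta_retry_too_soon"] = gl.check("203.0.113.5", "alice@customer.example", rcpt, 60)
    log["mta_retry"] = gl.check("203.0.113.5", "alice@customer.example", rcpt, 600)      # accepted after 10 min
    log["mta_from_pool_host"] = gl.check("203.0.113.9", "alice@customer.example", rcpt, 4000)  # sibling host, same /24
    log["whitelisted_domain"] = gl.check("192.0.2.10", "bob@partner.example", rcpt, 0)
    log["exempt_recipient"] = gl.check("198.51.100.7", "promo@bulk.invalid", "urgent@jasco.example", 0)
    log["late_retry"] = gl.check("192.0.2.77", "carol@slowmail.example", rcpt, 0)
    log["late_retry_after_ttl"] = gl.check("192.0.2.77", "carol@slowmail.example", rcpt, 5 * 3600)  # too late, starts over
    log["purged"] = gl.purge(5 * 3600)          # only the bot's stale triplet is removed
    log["entries_after_purge"] = len(gl.entries)
    return log


if __name__ == "__main__":
    for event, reply in simulate().items():
        print(f"{event:24} {reply}")
```

The bot's single attempt is deferred and never completed, which is the whole effect the article reports, while the customer's MTA pays the delay once and is then accepted immediately for the lifetime of the confirmed entry. Keying on the /24 rather than the exact address is an assumption here, but it covers the common case of a sending farm whose retry arrives from a different host in the same pool, which would otherwise look like a brand-new triplet and be deferred again.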
It is important to emphasise, therefore, that greylisting is most attractive to businesses that deal mainly with established customers, and that systems may need to be tailored to ensure that the impact on legitimate ad hoc email communications is minimised. JASCO can advise the most appropriate greylisting solution for your business.

Last Updated on Thursday, 24 July 2008 03:45