Greylisting is a method used in email management to combat spam. It operates by temporarily rejecting emails from unknown senders. An article titled ‘Measuring the Role of Greylisting and Nolisting in Fighting Spam’ states, “The main idea of nolisting and greylisting is that the lack of compliance to standards can be used to prevent malware from delivering the spam messages in the first place.”
When a mail server receives an email from a sender for the first time, it doesn't immediately deliver the message. Instead, the server returns a temporary error, prompting the sending server to try again later. This delay is a strategic move, as legitimate email servers will typically retry sending the email after a short period.
What is greylisting?
When an email first arrives at a mail server implementing greylisting, it is temporarily refused with an SMTP 4xx error code, signaling a delayed acceptance. Legitimate mail servers, which comply with SMTP protocols, will retry sending the email after a set delay, usually within minutes to an hour.
After this retry, the message is accepted and future emails from the same sender are usually whitelisted to avoid repeated delays. Greylisting stems from the behavior-based filtering concept, exploiting the fact that most spam servers do not attempt to resend emails after a temporary rejection, unlike legitimate mail servers.
According to a PLoS One study on the tracking of spam filtering, “Most of the filtering methods mentioned above were designed to intercept spams by scanning fully the content of email. However, the manner of examining fully email’s content would consume a lot of time.”
Greylisting is primarily used as a proactive method to filter spam while imposing minimal requirements on system resources. Its use is particularly advantageous in environments with high volumes of email, like healthcare, and where preventing spam is needed without relying solely on content or blacklist-based filtering.
How does greylisting compare to other security measures?
A Journal of Medical Internet Research study on security and privacy on the internet notes, “The best protection against viruses is not opening e-mails from unknown sources or those containing unusual message headers.”
The fundamental concept behind greylisting is behavior-based filtering—it exploits the fact that spammers, due to the cost and architecture of their systems, rarely bother to resend messages after an initial rejection, unlike genuine mail servers. Consequently, greylisting effectively filters out many unsolicited emails with minimal resource expenditure.
In contrast, blacklisting relies on maintaining a database of known malicious IP addresses, domains, or senders. Incoming emails from these sources are outright blocked. While blacklisting is efficient in blocking known threats, it is limited by its dependence on updating and managing lists, often leading to delays in identifying new spam sources, thus allowing some threats through.
Whitelisting takes the opposite approach; it allows only pre-approved senders to pass through while rejecting everything else. This method provides stringent security but at the cost of flexibility and increased administrative overhead, particularly in environments requiring broad communication with new or unknown contacts.
Greylisting presents a middle ground with a dynamic, adaptable mechanism that does not rely solely on static lists but on sender behavior, making it particularly efficient in environments where spam volume and diversity are high. It imposes minimal computational overhead since it does not require deep content inspection or signature-based scanning as other filtering technologies do.
Yet, this advantage comes with possible drawbacks, chiefly the initial delay in receiving emails from legitimate new senders due to the enforced retry mechanism. In critical environments such as healthcare, where timely communication is essential, these delays can be problematic if not managed carefully.
Role of SMTP in greylisting
A Procedia Computer Science study on ‘Efficiency comparison of greylisting at several SMTP servers’ notes, “The idea of greylisting is very simple – temporary blocking of messages from new sources that is expected to be no problem for legal SMTP servers but could be difficult to overcome for SPAM producers.”
When a greylisting system temporarily rejects an email from an unknown sender, it communicates this rejection to the sender's server using an SMTP error code. This error code, typically in the 4xx range, indicates a temporary issue. According to SMTP standards, a legitimate email server receiving this code understands it as a temporary failure and is programmed to retry sending the email after a delay.
SMTP does not explicitly define this delay, but most email servers commonly set it to around 15 minutes. The retry mechanism is thus an integral part of SMTP's handling of email delivery issues. When the sending server retries after the designated waiting period, the greylisting system, recognizing the attempt as compliant with the SMTP protocol, is more likely to allow the email through, distinguishing legitimate senders from spammers who typically do not follow up on temporary rejections.
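The defer-then-accept decision described above, as an added example (not code from the original article or from any particular mail server): a minimal in-memory greylist keyed on the sending IP, envelope sender and recipient. The triplet key, the timing constants, the reply texts and the sample addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 5 * 60          # assumed: a retry sooner than this is still deferred
RETRY_WINDOW = 4 * 3600     # assumed: a first attempt older than this is forgotten
PASS_LIFETIME = 30 * 86400  # assumed: how long a proven sender skips the delay
TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 2.0.0 OK"

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt
    passed: dict = field(default_factory=dict)      # triplet -> time the pass expires

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one RCPT TO; `now` is a time in seconds."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        # Known-good triplet: accept at once and extend its pass.
        if self.passed.get(key, 0) > now:
            self.passed[key] = now + PASS_LIFETIME
            return ACCEPT
        self.passed.pop(key, None)
        first = self.first_seen.get(key)
        # Never seen, or the earlier attempt is too old to count: start the clock.
        if first is None or now - first > RETRY_WINDOW:
            self.first_seen[key] = now
            return TEMPFAIL
        # Retried too quickly (an immediate second try): keep deferring.
        if now - first < MIN_DELAY:
            return TEMPFAIL
        # A real retry after the delay: accept and remember the sender.
        del self.first_seen[key]
        self.passed[key] = now + PASS_LIFETIME
        return ACCEPT

def replay(events):
    """Feed constructed (time, ip, from, to) events to a fresh greylist."""
    gl = Greylist()
    return [gl.check(ip, frm, to, t)[:3] for t, ip, frm, to in events]

# Constructed sample traffic using documentation addresses, not real senders.
SAMPLE = [
    (0, "192.0.2.10", "alice@example.org", "dr@clinic.example"),     # first contact
    (30, "192.0.2.10", "alice@example.org", "dr@clinic.example"),    # too soon
    (900, "192.0.2.10", "alice@example.org", "dr@clinic.example"),   # 15-minute retry
    (1000, "192.0.2.10", "alice@example.org", "dr@clinic.example"),  # now whitelisted
    (1000, "198.51.100.7", "promo@example.net", "dr@clinic.example"),  # never retries
]
if __name__ == "__main__":
    print(replay(SAMPLE))
```

A production deployment would persist the two tables and expire old entries; the sender that never retries simply stays at the temporary failure.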
Impact on email delivery time
According to a study titled ‘Measuring the Role of Greylisting and Nolisting in Fighting Spam’, “Greylisting is more sophisticated and more popular than nolisting, and is fully implemented in the SMTP server without requiring any modification to the DNS records.”
Greylisting typically results in a delay, as legitimate email servers usually wait around 15 minutes before attempting to resend the email. However, this duration can vary depending on the sender's server configuration and retry policies. Therefore, while greylisting effectively filters out spam by exploiting the lack of retry attempts from spam servers, it also temporarily slows down the delivery of legitimate emails, especially the first time communication is attempted between the sender and the recipient.
FAQs
How does HIPAA compliant email help avoid greylisting?
HIPAA compliant email typically uses trusted and verified email servers that are less likely to be greylisted by other email providers due to their adherence to security standards.
What is the difference between greylisting and blacklisting?
Greylisting temporarily blocks incoming emails from unknown senders to deter spam, whereas blacklisting permanently blocks emails from senders identified as sources of spam or malicious content.
What is an IP address?
An IP address is a unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.
