Home / Blogs

Greylisting Still Works - Part I

Don't miss a thing – sign up for CircleID Weekly Wrap newsletter delivered to your inbox once a week.
John Levine

Greylisting is a hoary technique for rejecting spam sent by botnets and other poorly written spamware. When a mail server receives an attempt to deliver mail from a hitherto unseen sending host IP address, it rejects the message with a "soft fail" error which tells the sender to try again later. Real mail software does try again, at which point you note that the host knows how to retry and you don't greylist mail from that IP again. The theory is that spamware doesn't retry, so you won't get that spam. I wrote a paper on it for the 2005 CEAS conference, and concluded that conservative greylisters worked well.

We've now been using greylisting for close to a decade, and some people have argued that it's no longer useful, since the bad guys could easily fix their spamware to retry, or since bots are so cheap, they could just send everything twice. So does it still work?

I recently went through my greylister's logs and collected some statistics for both a recent week, and the past year, about hosts that I greylisted:

WeekYear
No retry12121294812
One retry745662402
Many messages495674590

The first row is the number of hosts that got a soft fail and never came back. The second row is the number that retried the message that failed, but never sent anything again, and the third row is the number that retried and sent more messages after that.

As you can see, for the week, about half of the greylisted hosts didn't retry, and over a year, about 2/3 didn't. That's still a lot of mail my mail server didn't have to filter. I attribute the different ratios to the shutdown of several botnets over the past year, evidently botnets that didn't retry.

So it's certainly not a magic bullet (what is?) but greylisting still is an effective way to deter a lot of spam cheaply.

Next, Greylisting Still Works - Part II

By John Levine, Author, Consultant & Speaker. More blog posts from John Levine can also be read here.

Related topics: Cybersecurity, Email, Malware, Spam

 
   

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Afilias

DNS Security

Sponsored by Afilias
Verisign

Cybersecurity

Sponsored by Verisign
Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Boston Ivy Gets Competitive With Its TLDs, Offers Registrars New Wholesale Pricing

With a mission to make its top-level domains available to the broadest market possible, Boston Ivy has permanently reduced its registration, renewal and transfer prices for .Broker, .Forex, .Markets and .Trading. more»

Industry Updates – Sponsored Posts

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Port25 Announces Release of PowerMTA V4.5r5

New Case Study: Jobtome.com Replaces 30 Postfix Servers with a Single PowerMTA

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?