Greylisting, Greytrapping and Initial Stuttering: A Novel Approach to Spam Filtering

By now, most email administrators are aware of several spam filtering techniques such as blacklisting, whitelisting, relay blocking and the like.  The list is long.  These measures act immediately on each email as it is received, to decide whether the email is legitimate.

No one method of filtering email is effective in itself.  A server may find itself blacklisted by a list maintainer bearing a grudge, or because of poor configuration of the sending server.  Then again, you may accidentally whitelist a sender who later starts sending spam your way.  Trying to find the hole and plug it can be a frustrating and time-consuming endeavor.  Enter greylisting.

Greylisting is a technique whereby incoming email from a sender not seen before is temporarily refused, so the message is held in the sending server's queue until that server attempts to resend the same message a second time.  The delay is generally 15 minutes.  This forces sending servers to comply with the RFC standards for proper mail transmission, which require a mail server to retry after a temporary failure; most spam software never does.  If a retry occurs, the sender is added to the whitelist for a period of time, removing the greylisting delay from its future mail.  After a long period of inactivity from the sending server, the stale record is automatically pruned from the whitelist, and further emails from that sender go through the same process.

Greytrapping is another effective technique for keeping your filters up to date automatically.  By configuring specific trap email addresses that no legitimate correspondent would write to, you can have the system keep watch for incoming mail to those boxes.  Sending servers that hit a trap are immediately moved from the greylist to the blacklist for a period of time.  If the sender issues another email during that timeframe, the clock is reset.  This can keep a persistent spammer on the blacklist indefinitely, or automatically remove a sender once its behavior has been corrected.
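The two mechanisms above share one piece of state: a table of who has been seen, who has proved they retry, and who has hit a trap.  The following is an added example, not code from postgrey, spamd or any other tool named on this page: a minimal Postfix-style policy server decision function that implements greylisting with the 15-minute retry delay the text describes, plus greytrapping with a blacklist clock that restarts on every new attempt.  The whitelist and blacklist lifetimes, the trap address and the sample client addresses are assumptions constructed for the illustration; the request/response format is Postfix's policy delegation protocol (attribute=value lines, answered with an action line).

```python
"""Greylisting plus greytrapping as a Postfix-style policy decision.
Added example; not postgrey/spamd code.  Timings other than the 15-minute
retry delay, the trap address and the client addresses are assumptions."""
import time
from dataclasses import dataclass, field

GREY_DELAY = 15 * 60            # a retry counts only if it arrives this long after the first attempt
GREY_WINDOW = 2 * 24 * 3600     # assumption: forget a first attempt that is never retried within two days
WHITELIST_TTL = 35 * 24 * 3600  # assumption: prune a whitelisted server after this much inactivity
TRAP_TTL = 24 * 3600            # assumption: how long a trapped client stays blacklisted; attempts restart it
TRAP_ADDRESSES = {"trap@example.test"}   # constructed trap address, never given to real correspondents


@dataclass
class GreyState:
    """In-memory state; a real policy server would persist this across restarts."""
    pending: dict = field(default_factory=dict)    # (client_ip, sender, recipient) -> time of first attempt
    whitelist: dict = field(default_factory=dict)  # client_ip -> time of last activity
    blacklist: dict = field(default_factory=dict)  # client_ip -> time of last attempt since being trapped


def prune(state, now):
    """Drop stale records so the tables do not grow without bound."""
    for ip, last in list(state.whitelist.items()):
        if now - last > WHITELIST_TTL:
            del state.whitelist[ip]
    for ip, last in list(state.blacklist.items()):
        if now - last > TRAP_TTL:
            del state.blacklist[ip]
    for key, first in list(state.pending.items()):
        if now - first > GREY_WINDOW:
            del state.pending[key]


def decide(state, client_ip, sender, recipient, now=None):
    """Return a Postfix policy action: DUNNO (no opinion, let later checks run),
    DEFER_IF_PERMIT (temporary failure, i.e. greylisted) or REJECT."""
    now = time.time() if now is None else now
    prune(state, now)
    sender, recipient = sender.lower(), recipient.lower()

    # Greytrapping: any delivery attempt to a trap address blacklists the client.
    if recipient in TRAP_ADDRESSES:
        state.blacklist[client_ip] = now
        state.whitelist.pop(client_ip, None)
        return "REJECT Mail to this address is never accepted"

    # A blacklisted client that keeps trying keeps resetting its own clock.
    if client_ip in state.blacklist:
        state.blacklist[client_ip] = now
        return "REJECT Client is blacklisted"

    # A server that has already proved it retries properly is not delayed again.
    if client_ip in state.whitelist:
        state.whitelist[client_ip] = now
        return "DUNNO"

    key = (client_ip, sender, recipient)
    first = state.pending.get(key)
    if first is None:
        state.pending[key] = now
        return "DEFER_IF_PERMIT Greylisted, please try again later"
    if now - first < GREY_DELAY:
        return "DEFER_IF_PERMIT Greylisted, please try again later"

    # The retry arrived after the delay, which is how a real MTA behaves: whitelist the server.
    del state.pending[key]
    state.whitelist[client_ip] = now
    return "DUNNO"


def handle_request(state, request, now=None):
    """Answer one request in Postfix's policy delegation protocol: attribute=value
    lines terminated by a blank line, answered with an 'action=' line and a blank line."""
    attrs = {}
    for line in request.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    action = decide(state, attrs.get("client_address", ""), attrs.get("sender", ""),
                    attrs.get("recipient", ""), now)
    return "action=%s\n\n" % action


if __name__ == "__main__":
    state = GreyState()
    t0 = time.time()
    for offset in (0, 60, 16 * 60):   # first attempt, too-early retry, proper retry
        print(offset, decide(state, "192.0.2.10", "alice@example.org", "bob@example.test", now=t0 + offset))
```

Note that the greylist key is the (client, sender, recipient) triplet, so the whitelist entry it produces is per client address: once a server has retried one message correctly, all its later mail passes, which is what keeps the delay from recurring for established correspondents.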

Since you generally have a fifteen-minute window between the initial message and the retry, you can make efficient use of this time with a technique called initial stuttering.  To accomplish this, you deliberately slow down the initial exchange of the incoming SMTP session.  Since most spam software attempts to transfer its message within the first 10 seconds of the session, the delay causes it to give up and go away.  It also ties up the spammer's resources, further limiting their ability to send spam.  Legitimate email senders are not inconvenienced by it.

Initial stuttering has another benefit for your mail server.  Since most spammers drop the slow connections, the volume of mail your server has to process can easily be cut in half.  By running these services on a front-end server, your primary mail server is left with the resources to process legitimate mail, and the workload on the other filtering technologies is reduced.
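To make the stuttering effect concrete, here is an added example (not spamd's or any other listed tool's code) of the mechanism the two paragraphs above describe: a tiny server that emits its SMTP 220 greeting one byte at a time with a fixed pause, and two clients, one that gives up within a fraction of a second, as spam software that wants to transfer in the first few seconds does, and one that waits for the whole banner, as a normal MTA does.  The hostname in the banner, the per-byte delay and the two patience values are constructed for the demonstration; the delay is far shorter than what a production stutter would use, only so the demo finishes quickly.

```python
"""Initial stuttering of the SMTP greeting.  Added example, not spamd code.
Banner hostname, per-byte delay and client timeouts are constructed values."""
import asyncio

BANNER = b"220 mx.example.test ESMTP\r\n"   # constructed greeting; the hostname is made up
STUTTER_DELAY = 0.05                        # seconds between bytes; kept small so the demo is quick


async def stuttering_greeting(reader, writer):
    """Server side: send the 220 banner one byte at a time.  A client that hangs up
    mid-banner has cost us only a few tiny writes; a real MTA just sees a slow greeting."""
    try:
        for i in range(len(BANNER)):
            writer.write(BANNER[i:i + 1])
            await writer.drain()
            await asyncio.sleep(STUTTER_DELAY)
        # Whoever waited this long gets a (minimal) session: read one command, say goodbye.
        await reader.readline()
        writer.write(b"221 Bye\r\n")
        await writer.drain()
    except (ConnectionResetError, BrokenPipeError):
        pass   # the peer dropped the connection mid-banner, which is what a bot does
    finally:
        writer.close()


async def client_attempt(port, patience):
    """Client side: wait up to `patience` seconds for the complete greeting line.
    Returns the banner text, or None when the client gave up."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    try:
        line = await asyncio.wait_for(reader.readline(), timeout=patience)
    except asyncio.TimeoutError:
        return None
    else:
        writer.write(b"QUIT\r\n")
        await writer.drain()
        return line.decode().rstrip()
    finally:
        writer.close()


async def _demo(patient, impatient):
    server = await asyncio.start_server(stuttering_greeting, "127.0.0.1", 0)   # port 0: pick a free port
    port = server.sockets[0].getsockname()[1]
    async with server:
        bot = await client_attempt(port, impatient)   # gives up before the banner completes
        mta = await client_attempt(port, patient)     # waits, and gets the full greeting
    return bot, mta


def run_demo(patient=5.0, impatient=0.3):
    """Run both clients against the stuttering server; returns (bot_result, mta_result)."""
    return asyncio.run(_demo(patient, impatient))


if __name__ == "__main__":
    bot, mta = run_demo()
    print("impatient client received:", bot)
    print("patient client received:  ", mta)
```

The banner takes len(BANNER) * STUTTER_DELAY seconds to arrive in full, so any client whose patience is shorter than that never sees a complete greeting and leaves without ever reaching the point of transferring a message, while the patient client's session proceeds normally.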

A combination of these best practices will let you filter out the vast majority of unwanted white noise without adversely affecting the emails that you do wish to receive.

Resources:

Postgrey - Postfix Greylisting Policy Server http://isg.ee.ethz.ch/tools/postgrey/

Free (Or nearly free) Spam Reduction with Spamd and PF http://bofh.cns.ualberta.ca/beck/spamd

Building Firewalls with OpenBSD and PF http://www.devguide.net/books/openbsdfw-02-ed/spamd-02.pdf