Fighting spam via greylisting

Bryan Kadzban bryan at
Sun Apr 8 06:06:08 PDT 2007

Jeremy Huntwork wrote:
> The basic idea is that whenever a new MTA (one that is not in the 
> greylisting database) attempts to deliver mail, the mail is 
> automatically rejected. If the MTA is a valid MTA, it will retry to 
> deliver the mail after a few minutes.

Assuming the user doesn't get a "your message has been delayed" message
from their MTA in the meantime.

It's been a while since I looked at the SMTP RFC(s), so I don't know if
there's any minimum time (or minimum number of attempts) that have to
pass before the user gets notified, but I'm guessing there isn't.  If
that's true, it would be valid for an MTA to notify the user if the
first attempt failed.  (Of course I don't know if there *are* any MTAs
that work like this, either.)  If there are any users on a setup like
this, I can see some confusion happening.

Also, the "after a few minutes" may be how most MTAs today work, but I
doubt it's required behavior.  I would bet that either the retry
intervals are completely up to the MTA, or that the RFCs specify a
minimum but not a maximum.  I would bet that a half-hour retry interval
would be "legal".

Finally, I would hope that when the greylisting engine "rejects" a mail,
it does so with a temporary-failure code (4xx), not a permanent-failure
code (5xx).  Otherwise MTAs don't have to retry the messages, and some
likely won't.  I would assume that something like this has been thought
through by the people that implemented the greylisting already, but it
might be worthwhile to make sure.  If I remember, I'll try sending a
mail "directly" from my IP to my address through telnet, which
should get rejected by the greylist, and see what response I get.  (Of
course I'm on a dynamic IP, too.  Hope that doesn't complicate things.)

It sounds like this will reduce spam, yes, but I'm just slightly
concerned it will also introduce some user confusion (either due to
"your message hasn't been delivered yet" messages or "I sent this an
hour ago, and it hasn't been delivered yet!" because their MTA is slow
doing retries).  But maybe I'm just used to the way people think at work
("if it doesn't work RIGHT NOW, it's not working: call support!").

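Added example (not part of the original message, and not the code of any greylisting package discussed on the list): a sketch of the decision described above, showing the temporary 4xx deferral, a retry that arrives too early, and a half-hour retry that is still accepted. The key (client IP, sender, recipient), the two time constants, the reply text and the sample addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 5 * 60          # assumed: earliest accepted retry, in seconds
RETRY_WINDOW = 24 * 3600    # assumed: how long a first attempt stays pending
DEFER = (451, "Greylisted, try again later")   # constructed reply text
ACCEPT = (250, "OK")


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)   # key -> time first seen
    passed: set = field(default_factory=set)      # keys that retried properly

    def check(self, client_ip, sender, recipient, now):
        """Return the (code, text) SMTP reply for one RCPT TO at time `now`."""
        key = (client_ip, sender.lower(), recipient.lower())
        if key in self.passed:
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > RETRY_WINDOW:
            # Unknown (or expired) sender: defer with a temporary failure.
            # A 5xx here would tell the sending MTA to give up and bounce.
            self.pending[key] = now
            return DEFER
        if now - first_seen < MIN_DELAY:
            # Retried too quickly: still deferred, first_seen is not reset.
            return DEFER
        del self.pending[key]
        self.passed.add(key)
        return ACCEPT


def replay(attempts):
    """Run constructed (ip, sender, rcpt, time) attempts; return reply codes."""
    gl = Greylist()
    return [gl.check(*a)[0] for a in attempts]


# Constructed sample: retries at 1 min and 30 min, a later mail, a new MTA.
SAMPLE = [
    ("192.0.2.10", "alice@example.org", "list@example.net", 0),
    ("192.0.2.10", "alice@example.org", "list@example.net", 60),
    ("192.0.2.10", "alice@example.org", "list@example.net", 1800),
    ("192.0.2.10", "alice@example.org", "list@example.net", 90000),
    ("198.51.100.7", "alice@example.org", "list@example.net", 90000),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The upper bound matters as much as the lower one: a sending MTA whose first retry comes later than RETRY_WINDOW is treated as new again, so the window has to be generous toward slow retry schedules.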

More information about the lfs-dev mailing list