I received this comment in response to an earlier blog entry:
Is there any chance of webmail.us implementing greylisting? Here is a link about it: http://projects.puremagic.com/greylisting/whitepaper.html I have yet to see a downside…. Thanks, Zachary
Zachary, thank you for the question. The answer is: probably not anytime soon. I’m putting this in a separate blog post because I think it is a really good general question and the explanation for my answer might be useful to others.
What Is Greylisting?
First, let’s talk about whitelisting and blacklisting. A whitelist is a list of email addresses and/or Internet Addresses that someone knows as “good” senders. A blacklist is a corresponding list of known “bad” senders. Clicking “trust sender” in the webmail interface puts a user on a whitelist. Clicking “report spam” doesn’t blacklist the sender, but does submit the message to our filtering software so that it can learn to recognize the new type of spam.
The link Zachary sent along is a great explanation of the concept of greylisting. It is an approach that says, “I don’t know who you are so I’m going to make your email message jump through some extra hoops before I accept it.” An email from an unrecognized sender is on neither the whitelist nor the blacklist, and is therefore treated differently.
Greylisting works by telling the sending email server to resend the message sometime soon. Most spammers right now set their software to blindly transmit their spam email and the software doesn’t understand the “resend soon” message. Thus, the spam would never actually be delivered.
There is one weakness to this approach in a business or high-performance personal setting: the delay and resend may take up to an hour. Many businesses regularly receive email from new customers, whose email would be delayed by the greylisting rules, and the delay could have a significant business impact. And if you frequently get email from “friends of friends”, then greylisting might cause you problems, too.
A second potential weakness: Bill Boebel, our CTO, believes that updating spammer software to follow greylisting rules would be just too easy. So as more people use greylisting, it seems likely to stop working altogether as spammers adjust.
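The accept-or-defer decision described above, as an added sketch that is not webmail.us code or code from the linked whitepaper. The lookup key (sending IP, envelope sender, recipient), the 451 reply text, the timing values and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

ACCEPT = "250 OK"
TEMPFAIL = "451 4.7.1 Greylisted, try again later"  # temporary failure = "resend soon"

@dataclass
class Greylist:
    min_delay: int = 300    # assumed: seconds before a retry is accepted
    expiry: int = 4 * 3600  # assumed: forget triplets not retried within this window
    whitelist: set = field(default_factory=set)     # "trust sender" addresses
    first_seen: dict = field(default_factory=dict)  # triplet -> time of first attempt

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        if mail_from.lower() in self.whitelist:
            return ACCEPT
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        seen = self.first_seen.get(triplet)
        if seen is None or now - seen > self.expiry:
            self.first_seen[triplet] = now   # unknown (or stale) sender: start the clock
            return TEMPFAIL
        if now - seen < self.min_delay:
            return TEMPFAIL                  # retried too quickly, keep deferring
        return ACCEPT                        # sender queued and retried: deliver

def delivery_delay(greylist, triplet, attempt_times):
    """Replay a sender's attempts; return seconds until accepted, or None if never."""
    for t in attempt_times:
        if greylist.check(*triplet, now=t) == ACCEPT:
            return t
    return None

def demo():
    # Constructed senders using documentation addresses (RFC 5737 / example domains).
    gl = Greylist(whitelist={"friend@example.org"})
    rcpt = "sales@example.com"
    return {
        "fire_and_forget": delivery_delay(gl, ("192.0.2.10", "bulk@example.net", rcpt), [0]),
        "new_customer": delivery_delay(gl, ("198.51.100.7", "buyer@example.net", rcpt), [0, 900, 1800]),
        "trusted": delivery_delay(gl, ("203.0.113.5", "friend@example.org", rcpt), [0]),
        "retries_too_fast": delivery_delay(gl, ("192.0.2.20", "x@example.net", rcpt), [0, 60, 120]),
    }

if __name__ == "__main__":
    print(demo())
```

The `new_customer` case shows the business cost discussed above: a legitimate first-time sender is delivered only when its own mail server gets around to retrying, which the receiving side does not control.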
Choosing Your Approach To Spam
There is no wrong approach, just a few choices that will make your mailbox work in a way that’s most useful to you.
I’ve included some info in earlier posts about how we filter spam. The summary is blacklists, keyword recognition, and some very intelligent programming in SpamDNA®. But our customers can also use desktop anti-spam software and third-party services to add more layers if that better meets their needs.