Blog

My blog.

Why I hate greylisting

2021-08-01T14:38:30Z

Greylisting has for the second time delayed a verification e-mail. From the Wikipedia article about greylisting:

Greylisting is a method of defending e-mail users against spam. A mail transfer agent (MTA) using greylisting will "temporarily reject" any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again after a delay, and if sufficient time has elapsed, the email will be accepted. ... Greylisting is effective against mass email tools used by spammers that do not queue and reattempt mail delivery as is normal for a regular mail transport agent.

Essentially, why greylisting "works" is:

I think the DNSBL claim is partially valid, but I do think that it won't be very effective if DNSBLs take a long time to update, which can happen.

For the one-off/no-retry MTAs, spammers can just work around it. It is not too hard to do that, is it? And greylisting does not block the retrying MTAs that spammers use when they set up their own mail servers. And botnets can be blocked by checking whether the IP is a consumer IP, by inspecting the ISP/ASN/etc.

So to sum it up, greylisting mostly delays e-mails. It might work at catching some spammers, but I don't think it is worth the hassle.
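The behaviour described above can be replayed with a toy greylisting policy. This is an added example, not code from this post or from any MTA. The triplet key, the `MIN_DELAY` and `ENTRY_TTL` values, and all addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300       # assumed: seconds before a retry from a new sender is accepted
ENTRY_TTL = 4 * 3600  # assumed: a pending entry expires if no retry arrives in time

@dataclass
class Greylist:
    """Toy greylisting policy keyed on (client IP, envelope sender, recipient)."""
    first_seen: dict = field(default_factory=dict)
    passed: set = field(default_factory=set)

    def check(self, ip, mail_from, rcpt_to, now):
        key = (ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return "250 accepted"            # already recognized: no delay
        seen = self.first_seen.get(key)
        if seen is None or now - seen > ENTRY_TTL:
            self.first_seen[key] = now       # unknown or expired: start the clock
            return "451 try again later"
        if now - seen < MIN_DELAY:
            return "451 try again later"     # retried too soon
        self.passed.add(key)
        return "250 accepted"

def deliver(gl, ip, mail_from, rcpt_to, attempts):
    """Replay attempt times (seconds); return delay until acceptance, or None."""
    for t in attempts:
        if gl.check(ip, mail_from, rcpt_to, t).startswith("250"):
            return t - attempts[0]
    return None

def simulate():
    gl, rcpt = Greylist(), "me@home.example"
    # Constructed senders (documentation IP ranges, example domains).
    return {
        # Legitimate MTA with a retry queue: arrives only on the 15-minute retry.
        "verification_mail": deliver(gl, "192.0.2.10", "noreply@shop.example", rcpt, [0, 900]),
        # Sender that never retries: never delivered.
        "one_shot_sender": deliver(gl, "198.51.100.7", "x@bulk.example", rcpt, [0]),
        # Bulk sender on a normal queueing MTA: passes like the legitimate one.
        "retrying_bulk_sender": deliver(gl, "203.0.113.5", "y@bulk.example", rcpt, [0, 900]),
        # Same legitimate sender again, now recognized: no delay.
        "verification_mail_again": deliver(gl, "192.0.2.10", "noreply@shop.example", rcpt, [1000]),
    }

if __name__ == "__main__":
    for name, delay in simulate().items():
        print(name, "never delivered" if delay is None else f"accepted after {delay}s")
```

The policy cannot tell the verification e-mail from the retrying bulk sender: both are deferred once and accepted on the same retry, so the only mail it actually drops is from senders that never retry.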