+5 votes
119 views
in Email security by (242k points)
reopened
What is a gray list?

1 Answer

+3 votes
by (1.6m points)
edited
 
Best answer


What is a gray list?

So-called e-mail greylisting (or, in Spanish, the use of a gray list) is a very effective technique for fighting the sending of junk emails, that is, spam. The gray list works on the email server of the recipient in question and does not require any configuration on the part of the sender or receiver.

In theory, a gray list does not allow any legitimately sent mail to be lost. It is, therefore, one of the most widely used techniques worldwide for controlling the sending of spam.

Advice

Use a personal or professional email address with your own domain.

If you have your own email server, it is highly recommended that you use a gray list as basic protection against spam.

Index
  1. Scope of Greylisting
  2. How greylisting works
  3. Advantages and disadvantages of greylisting
  4. What complications can a gray list cause?

Scope of Greylisting

Spam filters are a complex type of software that uses heuristic methods to recognize spam emails. Gray lists, on the other hand, use a less expensive method that attempts to prevent reception when it is obvious that a message is spam. Since it is based on a simple process, this technique requires far fewer resources to run.

Gray lists are mainly used to combat the illegitimate, mass sending of spam emails. More specifically, they try to stop what in English is called UBE, Unsolicited Bulk E-Mail: emails sent in bulk, without any kind of personalization. To send this type of spam, spammers often use purchased or stolen lists of email addresses.

In general, the sending takes place from hijacked computers whose users are not aware of what is happening: their computers are connected to a so-called botnet, that is, a network of computers controlled remotely and used to send mass spam emails. These waves of spam are often sent from spoofed addresses, that is, sender addresses that don't actually exist.

However, greylisting is not a suitable method for combating so-called UCE (Unsolicited Commercial E-Mail). These emails are sent one by one by real companies or salespeople and are usually personalized. Content filters and the blacklisting technique are often used to combat this type of spam.

How greylisting works

The idea of gray lists is based on discarding possible spam emails before they have reached their destination. Here is how exactly this process works.

To send an email from a sender to a receiver, the Simple Mail Transfer Protocol (SMTP) is used. In principle, all email sent over the Internet follows the following path:

  1. The sender composes an email using their MUA (Mail User Agent). This agent can be a locally installed mail program or a webmail interface.
     
  2. To send the mail, the Mail User Agent establishes an SMTP connection with the sender's Mail Transfer Agent (MTA). The MTA is the software on the SMTP server that collects and forwards emails.
     
  3. The sender's Mail Transfer Agent transmits the email in question to the recipient's Mail Transfer Agent. If the latter accepts the email, it will arrive in the receiving user's inbox.
     
  4. If that user has synchronized their local inbox using the IMAP or POP3 protocol, the email will be displayed as a new message.

The gray list acts in the third step: when the recipient's Mail Transfer Agent decides whether to accept the mail. This receiving agent can see three pieces of information before accepting the entire mail:

  • The IP address of the sending mail server
  • The sender's email address, thanks to the SMTP MAIL FROM command
  • The email address or addresses to which it has been sent, thanks to the SMTP RCPT TO command

Since this data is already visible to the Mail Transfer Agent before the mail itself has been received or opened, it is called envelope data. The Mail Transfer Agent records the envelope data of each incoming mail in the so-called gray list. Here is an example of an entry in this list:

IP address | Sender | Recipient
192.0.2.3 | [email protected] | [email protected]

Every time an email is received with a new combination of this envelope data, the Mail Transfer Agent initially rejects it and sends an error code saying that a temporary technical problem has occurred. In this way, the sender's Mail Transfer Agent is asked to retry sending after a certain time.

If the sending Mail Transfer Agent is legitimate and conforms to email standards, it will comply and resend the email later. When it does so the second time, the envelope data will already be on the gray list and the mail can be delivered to the user.

On the other hand, if the mail has been sent illegitimately, the corresponding Mail Transfer Agent will generally not try again. This is the characteristic that the gray list takes advantage of to fulfill its function: since there is no second attempt, the spam mail does not get delivered. The user who has just been protected, for their part, does not notice anything. It is therefore a very elegant way of avoiding annoying spam emails.

However, the gray list has a clear drawback : the time it takes for the second attempt to occur causes some emails to arrive with a noticeable delay to the recipient. In some cases, it can even be hours.

Perhaps it has happened to you when requesting a password recovery email on a web page: the recovery email does not arrive. You try again and again, to no avail. Then, hours later, you finally receive all the emails at once, but the recovery links they contain have already expired. The cause of this frustrating problem is greylisting on your email server.

Graphic: this is how a gray list works

The operation of e-mail greylisting is based on several communication steps between the sender and the receiver.

(a) The Mail User Agent (MUA) transmits an email to the sender's mail server (P).

(b) That server (P) relays the mail to the receiver's server (Q), which is in charge of checking the envelope data of the message: the sending server's IP address and the e-mail addresses of both the sender and the receiver. If the combination of these three pieces of data has not yet been registered in the list of the receiving server (Q), the delivery attempt will be rejected, indicating a technical failure as the reason. The receiver's server (Q), however, will record the envelope data; that is, the mail will be included in the gray list.

(c) If it is a legitimate email, the sender's server (P) will try to send it again after a certain waiting time. Since, in this second attempt, the envelope data will already be recognized by the receiver's server (Q), the mail will be delivered. Optionally, the envelope data can then be incorporated into the whitelist of the recipient's mail server. If this happens, future emails with the same envelope data will be delivered without delay.

(d) On the contrary, if it is an illegitimately sent mail, a second delivery attempt will generally not occur. In this case, therefore, the gray list will have fulfilled its spam protection function and the mail will not reach the inbox.

Greylisting is often used in combination with other anti-spam technologies. Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and the DMARC (Domain-based Message Authentication, Reporting and Conformance) protocol are other effective systems for protecting email traffic against the most common forms of abuse.

In particular, gray lists work especially well when combined with two related techniques, black lists and white lists, that is, with the blacklisting and whitelisting methods. Below, we also present an example of the path of delivery attempts to a receiving server when these mechanisms are present.

Example with greylist, whitelist and blacklist

The image shows a list of email delivery attempts, numbered from e1 to e5 in temporal order.

e1) An email arrives from a sender that is not yet registered on the gray list. The receiving Mail Transfer Agent rejects delivery of the mail, indicating a technical error as the cause. The envelope data is recorded in the gray list.

e2) Later, another mail arrives from the same sender to the same receiver. Since the envelope data this time is registered in the gray list, the mail is delivered. In addition, the envelope data is incorporated into the white list.

e3) The IP address of Anna's SMTP server has changed since the last email exchange between her and Marco: last time it was 192.0.2.3, now it is 192.0.2.34. Therefore, Anna is identified as an unknown sender and registered, initially, on the gray list.

e4) Later, Anna writes to Marco again. This time, however, she does so from the SMTP server with the first IP address, 192.0.2.3. Since this data was previously whitelisted, Anna's email is delivered immediately.

e5) The server 192.0.2.66 is trying to deliver an email. Since it is a server already identified as malicious on the blacklist, delivery of the mail is rejected. Everything indicates that the sender address [email protected] has been forged by spoofing.

Advantages and disadvantages of greylisting

Advantages:
  • It does not require configuration by the user.
  • It does not usually cause the loss of legitimate emails.
  • Delay in delivery can help to blacklist malicious servers.
  • Delayed delivery can protect against as-yet unidentified malware intrusion attempts.
  • Compared to most spam filters, it consumes few resources.
  • It is a very effective technique, which is why it relieves the load on many servers worldwide.

Drawbacks:
  • The user is usually not aware of how the gray list works.
  • In exceptional cases, legitimate emails can be lost.
  • Delayed delivery can lead users to doubt that the server is working properly if they see that emails are not arriving when they should.
  • It can be too slow when the time of reception matters (as in the case of password recovery links).

What complications can a gray list cause?

While the advantages of a gray list are very attractive, this technique also brings with it certain problems:

  • The IP address of the sending SMTP server must be kept constant. If this address changes, incoming mail will again be identified as unknown by the recipient's SMTP server and the mail will have to go through the greylisting process first.
     
  • In certain cases delivery fails due to errors in the implementation or configuration of the sending server. If the sender's Mail Transfer Agent does not try to send the mail a second time, for whatever reason, delivery will not occur.
     
  • Spammers could overcome the protective mechanism if they have sufficient resources. In theory, spammers can also send multiple times to get past the gray list. However, doing so is such a logistical effort that it is usually not worth it.
     
  • Delay in delivery may cause certain items in the mails to expire. This problem is common when trying to recover a password: the recovery email is sent by a still unknown sender and therefore has to get past the gray list mechanism first. After the sender has succeeded in sending the mail a second time, so much time may have elapsed that the recovery link or the login code has already expired.

...
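The three-state decision logic the answer describes (gray list keyed on the envelope triplet, automatic promotion to a whitelist after a successful retry, and a blacklist of known-bad sending hosts), replayed over the attempts e1 to e5 from the answer's figure and over two spam-bot patterns. This is an added example; it is not code from the original answer nor from any real MTA or greylisting daemon. The reply strings follow the shape of a Postfix policy-service reply (DEFER_IF_PERMIT / DUNNO / REJECT) only for readability; the code is a stand-alone simulation. The addresses anna@example.com and marco@example.net, the 5-minute minimum retry delay, and the 4-hour expiry for triplets that are never retried are assumptions; the IP addresses are the ones on the page.

```python
"""Greylisting with auto-whitelist and blacklist (added example, not real MTA code)."""
from dataclasses import dataclass, field

# Assumed tuning values for this simulation.
MIN_RETRY_DELAY = 300          # seconds: a retry earlier than this is still deferred
UNCONFIRMED_EXPIRE = 4 * 3600  # seconds: a triplet that was never retried is forgotten

# Reply strings shaped like a Postfix policy-service answer (assumption, for readability).
DEFER = "DEFER_IF_PERMIT 450 4.7.1 Greylisted, please try again later"
ACCEPT = "DUNNO"
REJECT = "REJECT 554 5.7.1 Client host blacklisted"


@dataclass
class Greylist:
    """Holds the three lists from the answer: black, white and gray (pending)."""
    blacklist: set = field(default_factory=set)   # sending IPs already known as malicious
    whitelist: set = field(default_factory=set)   # triplets that completed a proper retry
    pending: dict = field(default_factory=dict)   # triplet -> time of first attempt (gray)

    @staticmethod
    def triplet(client_ip, mail_from, rcpt_to):
        # The envelope data visible before DATA: client IP, MAIL FROM, RCPT TO.
        return (client_ip, mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Decide one delivery attempt made at time `now` (seconds)."""
        if client_ip in self.blacklist:
            return REJECT                          # e5: known-bad host, no greylisting needed
        key = self.triplet(client_ip, mail_from, rcpt_to)
        if key in self.whitelist:
            return ACCEPT                          # e4: known-good triplet, delivered at once
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > UNCONFIRMED_EXPIRE:
            self.pending[key] = now                # e1/e3: new (or stale) triplet, defer it
            return DEFER
        if now - first_seen < MIN_RETRY_DELAY:
            return DEFER                           # retried too soon: a bot hammering, keep deferring
        # A standards-conforming MTA waited and retried: deliver and promote to the whitelist.
        del self.pending[key]
        self.whitelist.add(key)
        return ACCEPT


def run_page_scenario():
    """Replay attempts e1..e5 from the answer's figure; returns [(label, action), ...]."""
    gl = Greylist(blacklist={"192.0.2.66"})
    anna, marco = "anna@example.com", "marco@example.net"   # assumed addresses
    attempts = [
        ("e1", "192.0.2.3", anna, marco, 0),      # first contact: deferred, triplet greylisted
        ("e2", "192.0.2.3", anna, marco, 900),    # retry after 15 min: delivered, whitelisted
        ("e3", "192.0.2.34", anna, marco, 1800),  # new sending IP: unknown again, deferred
        ("e4", "192.0.2.3", anna, marco, 2000),   # old IP: whitelisted, delivered immediately
        ("e5", "192.0.2.66", anna, marco, 2100),  # blacklisted host spoofing Anna: rejected
    ]
    return [(label, gl.check(ip, s, r, t)) for label, ip, s, r, t in attempts]


def run_spam_bot_scenario():
    """Two bot patterns: fire-and-forget (never retries) and instant re-send."""
    gl = Greylist()
    victim = "marco@example.net"
    fire_and_forget = gl.check("203.0.113.9", "junk@example.org", victim, 0)
    hammer_first = gl.check("203.0.113.10", "junk@example.org", victim, 0)
    hammer_retry = gl.check("203.0.113.10", "junk@example.org", victim, 5)  # 5 s later: too soon
    return fire_and_forget, hammer_first, hammer_retry, len(gl.whitelist)


if __name__ == "__main__":
    for label, action in run_page_scenario():
        print(label, action)
    print(run_spam_bot_scenario())
```

Note the two checks a real deployment needs beyond "seen before": a minimum delay, so that a bot which simply re-sends immediately does not pass, and an expiry, so that the pending table does not grow without bound from one-shot spam. The e3 case shows the complication listed in the answer: a legitimate sender whose outbound IP changes is greylisted again, which is why whitelisting the sending network rather than the exact IP is a common refinement.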