Spam Filtering


Graymatterhost’s Advanced Anti-Spam Custom Built Solution Saves You Time & Money. Tired of spam with your current hosting company? We can help. No other solution combines a success rate of over 99%. Graymatterhost’s Anti-Spam Solution is a custom-built solution that is implemented on the mail server instead of the desktop, meaning no PC resources are used to filter and manage spam. Graymatterhost uses many filters because no single filtering technique works well enough to prevent spam from being a nuisance. Spammers try everything to get their messages into your mailbox and, depending on the spam, some techniques work better than others. Graymatterhost uses the industry’s best spam and phishing filtering techniques on every message.

Filter 1. First the email is greylisted. Greylisting is a method of defending electronic mail users against e-mail spam. Our mail transfer agent uses greylisting which will “temporarily reject” any email from a sender it does not recognize. If the mail is legitimate, the originating server will try again to send it later, at which time we will accept it. If the mail is from a spammer, it will probably not be retried, and spam sources which re-transmit later are more likely to be listed in DNSBLs and distributed signature systems such as Vipul’s Razor. Greylisting relies on the fact that most spam sources do not behave in the same way as “normal” mail systems. Although it is currently very effective by itself, it performs best when it is used in conjunction with our other forms of spam prevention. The term Greylisting is meant to describe a general method of blocking spam based on the behavior of the sending server, rather than the content of the messages. The great thing about Greylisting is that the only methods of circumventing it will tend to make other spam control techniques just that much more effective (primarily DNS and other methods of blacklisting based on IP address) even after this adaptation by the spammers has occurred. Greylisting got its name because it is kind of a cross between black- and white-listing, with mostly automatic maintenance. A key element of the Greylisting method is this automatic maintenance.

How it works: Typically, a server that uses greylisting will record the following three pieces of information (known as a “triplet”) for each incoming mail message:

1. The IP address of the host attempting the delivery
2. The envelope sender address
3. The envelope recipient address

From this, we now have a unique triplet for identifying a mail “relationship”. With this data, we simply follow a basic rule, which is: “If we have never seen this triplet before, then refuse this delivery and any others that may come within a certain period of time with a temporary failure.”

This is checked against the mail server’s internal database. If this triplet has not been seen before (within some period), the e-mail is greylisted for a short time, and it is refused with a temporary rejection. The assumption is that since temporary failures are built into the RFC specifications for e-mail delivery (see RFC 821), a legitimate server will attempt to connect again later on to deliver the e-mail.

In practice, most greylisting systems do not require an exact match on the IP address and the sender address. Because large senders often have a pool of machines from which they can send (and resend) e-mail, IP addresses whose most-significant 24 bits (/24) are the same are treated as equivalent, or in some cases SPF records are used to determine the sending pool. Similarly, with mailing lists which use unique per-message return-paths (via variable envelope return path, or VERP), if an exact match on the sender address is required, each post from such a mailing list will be delayed. Instead, some greylisting systems try to eliminate the variable parts of the VERP by using only the sender domain and the beginning of the local-part of the sender address.

Greylisting is effective because many mass e-mail tools used by spammers will not bother to retry a failed delivery, so the spam is never delivered. When a spammer does retry a delivery after the waiting period has expired, however, it will likely be after a number of automated honeypots have detected the spam source and listed both the source and the particular message in their DNSBL databases. Thus, these subsequent attempts are more likely to be detected as spam by other mechanisms than they were at first.

The main advantage from the users’ point of view is that greylisting requires no additional configuration on their end; the end user will only notice a delay on the first message from a given sender. From a mail administrator’s point of view the benefit is twofold: greylisting takes minimal configuration, and rejecting email with a temporary reject code is very cheap in system resources. Most spam filtering tools are very intensive users of CPU and memory. By stopping spam before it hits filtering processes, far fewer system resources are used. This allows more layers of spam filtering or higher throughput.

There is a possibility that poorly-configured e-mail systems will translate the temporary reject as a permanent bounce and not deliver the mail, which would lead to legitimate mail being bounced. This can be prevented with whitelisting. Some MTAs (Mail Transfer Agents, aka mail servers), upon encountering the temporary failure message from a greylisting server, will send a warning message back to the original sender of the message. The warning message is not a bounce message, but it is often formatted similarly to one and reads like one. This practice often causes the sender to believe that the message has not been delivered, when in fact the message will be delivered successfully at a later time.

When a mail server is greylisted, the duration of time between the initial delay and the re-transmission is variable. Some mail servers use a default of 4 hours, though most will retry sooner. Most open-source MTAs have retry rules set to attempt delivery after around fifteen minutes (Sendmail default is 0, 15, …, Exim default is 0, 15, …, Postfix default is 0, 16.6, …, Qmail default is 0, 6:40, 26:40, …). Greylisting delays much of the mail from non-whitelisted mail servers – not just spam – until typical patterns of communication are recorded by the greylisting system.

Also, legitimate mail might not get delivered if the retry doesn’t come within the time window the greylisting software uses, or if the retry comes from a different IP address than the original attempt: when the source of an e-mail is a server farm or goes out through an anti-spam mail relay service, it is likely that on the retry a server other than the original server will make the next attempt. Since the IP addresses will be different, the recipient’s server will fail to recognize that the two attempts are related and refuse the latest connection as well. This can continue until the message ages out of the queue if the number of servers is large enough. The problem can be partially bypassed by identifying and whitelisting such server farms in advance.
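The triplet rule, the relaxed /24 and VERP matching, and the server-farm whitelist described above can be put together in a few lines. This is an added example, not Graymatterhost's code; the `Greylist` class, the `DELAY` and `EXPIRY` values, the reply text and the VERP heuristic are assumptions chosen for illustration.

```python
import ipaddress
import re

DELAY = 300        # assumed: seconds a new triplet must wait before a retry is accepted
EXPIRY = 4 * 3600  # assumed: a pending triplet with no retry is forgotten after this
TEMPFAIL = "451 4.7.1 Greylisted, please retry later"


class Greylist:
    def __init__(self, whitelist_nets=()):
        self.pending = {}    # normalized triplet -> time of first attempt
        self.passed = set()  # triplets that retried correctly (automatic maintenance)
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist_nets]

    @staticmethod
    def normalize(ip, sender, recipient):
        # Relaxed matching: one key per /24 (IPv4), so a retry from a
        # neighbouring host in the same sending pool still matches.
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        local, _, domain = sender.lower().rpartition("@")
        # VERP: keep only the start of the local-part (up to the first
        # '+', '-' or '=') plus the domain. A coarse heuristic, assumed here.
        local = re.split(r"[+\-=]", local, maxsplit=1)[0]
        return (str(net), f"{local}@{domain}", recipient.lower())

    def check(self, ip, sender, recipient, now):
        """Return the SMTP reply for a delivery attempt at time `now` (seconds)."""
        if any(ipaddress.ip_address(ip) in net for net in self.whitelist):
            return "250 OK (whitelisted)"
        key = self.normalize(ip, sender, recipient)
        if key in self.passed:
            return "250 OK"
        first = self.pending.get(key)
        if first is None or now - first > EXPIRY:
            self.pending[key] = now        # never seen, or retry came too late
            return TEMPFAIL
        if now - first < DELAY:
            return TEMPFAIL                # retried before the delay elapsed
        del self.pending[key]
        self.passed.add(key)
        return "250 OK"
```

A retry from a different /24 creates a new pending triplet and is deferred again, which is the server-farm failure mode described above; listing the farm's network in `whitelist_nets` avoids it.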

Filter 2. Next the email is checked against the domain’s Whitelist. A “whitelist” is a list of people or addresses from whom you choose to receive email. Messages sent from whitelisted sources go straight to your inbox without hitting a spam filter. Graymatterhost’s spam solution supports two types of whitelists: a list of regular expression patterns, and a list of IP addresses or CIDR blocks of addresses. Then the email is checked against the domain’s Blacklist. A “blacklist” is a list of people or addresses from whom you choose to not receive email. Messages sent from blacklisted sources are usually blocked before you ever see them. Graymatterhost’s spam solution supports two types of blacklists: a list of regular expression patterns, and a list of IP addresses or CIDR blocks of addresses.
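The whitelist-then-blacklist check with both entry types, as an added example (not Graymatterhost's code; `AddressList`, `classify` and all sample addresses are constructed for illustration). Patterns are matched against the whole sender address, so a whitelist entry for one domain cannot be satisfied by a longer lookalike domain that merely contains it.

```python
import ipaddress
import re


class AddressList:
    """Holds both entry types: regex patterns and IP addresses / CIDR blocks."""

    def __init__(self, patterns=(), networks=()):
        self.patterns = [re.compile(p, re.IGNORECASE) for p in patterns]
        # A bare IP address becomes a single-host network (/32 for IPv4).
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]

    def matches(self, client_ip, sender):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.networks):
            return True
        # fullmatch: the pattern must cover the entire address, so an
        # unanchored fragment cannot match inside a longer domain.
        return any(p.fullmatch(sender) for p in self.patterns)


def classify(client_ip, sender, whitelist, blacklist):
    """Whitelist is consulted first, then the blacklist, as in Filter 2."""
    if whitelist.matches(client_ip, sender):
        return "accept"      # straight to the inbox, later filters skipped
    if blacklist.matches(client_ip, sender):
        return "reject"
    return "continue"        # hand over to the remaining filters


# Constructed sample lists (documentation address ranges and domains).
WHITELIST = AddressList(patterns=[r".*@partner\.example"],
                        networks=["198.51.100.0/24"])
BLACKLIST = AddressList(patterns=[r".*@.*\.bulk\.example"],
                        networks=["203.0.113.7"])
```

Because the whitelist wins, every whitelist entry bypasses all later filters; keep CIDR blocks and patterns as narrow as possible.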

Filter 3. Next the email’s Message ID is checked. All email messages must have a Message-ID header. If this header is malformed or missing, there is nearly a 100% chance the message is spam. Then the email’s size is checked. This filter is useful for routing messages over a given size.

Filter 4. Next the email is checked against known DNSBL lists. A “DNSBL” is a DNS blacklist, a list that can be queried via DNS for particular IP addresses. The list owner sets the criteria for determining which IP addresses are on the list. A DNSBL, or RBL as it is commonly called, has a list of IP addresses whose owners refuse to stop the proliferation of spam. The RBL usually lists server IP addresses from ISPs whose customers are responsible for the spam and from ISPs whose servers are hijacked for spam relay.

Filter 5. Next the email is checked against SPF. SPF is an acronym for Sender Policy Framework, an anti-forgery solution making identifying spam easier.

Filter 6. Next the email is checked for its ASN. Autonomous System Numbers (ASNs) are globally unique numbers used to identify autonomous systems (ASes). If you know an ISP’s ASN(s), you can use the ASN filter to classify mail originating from it.

Filter 7. Next the email is checked for RDNS. The Reverse DNS filter checks an IP address for a hostname. If one does not exist, there is a very good chance the message is spam.

Filter 8. Next the email is checked against the RHSBLs. An “RHSBL” is a right-hand-side blacklist, a list that can be queried via DNS for particular domain names. The list owner sets the criteria for determining which domains are on the list.

Filter 9. Next the email is checked for valid nameservers. A “nameserver” is a server responsible for providing a domain’s name services. This filter looks up the sender’s domain, acquires its nameservers’ IP addresses, and checks those addresses against the DNSBLs listed in your DNSBL filter.

Filter 10. Next the email is checked for its content. The Content Scanner checks messages for specific content in the headers and bodies of messages. A “bogon” is a term for an unallocated IP address. Any message claiming to have originated from a bogon is an obvious forgery and can be safely rejected. The “header” filter looks for obvious forged headers and other tell-tale signs of spam. Mail caught by this filter is almost certainly spam. The “phone” filter looks through a list of spammers’ telephone numbers in messages. Mail containing these phone numbers has a high probability of being spam. The “URL” filter is a thorough body scan for URLs containing domains from the RHSBL. This often catches spam when all the other filters fail, but also flags a small percentage of legitimate mail. When used in conjunction with whitelist entries, false positives can be reduced, making this an extremely effective filter.

Filter 11. Next the email is scanned using a Bayesian filter. A Bayesian filter classifies mail as spam or ham (non-spam) by a statistical analysis of a message’s headers and content (body). The filter is able to learn from users’ classifications and corrections. Bayesian scoring is between 0 and 10. Lower scores tend to produce more false positives while higher scores tend to reduce accuracy. Then the e-mail message is virus scanned using the acclaimed open-source software Clam AntiVirus, which prevents e-mail containing viruses from reaching your e-mail box. We also have Clam AntiVirus scan for phishing e-mails and delete them when found. Phishing is the act of attempting to fraudulently acquire, through deception, sensitive personal information such as passwords and credit card details by masquerading in an official-looking email. Popular targets are users of online banking services and auction sites such as eBay. Phishers usually work by sending out e-mail spam to large numbers of potential victims. These direct the recipient to a Web page which appears to belong to their online bank, for instance, but in fact captures their account information for the phisher’s misuse.

Lastly, if the email passes all of the filters above, it gets transferred into your Inbox. If it fails any one of the filters, it gets deleted automatically.
