What Does Greylisting Mean in Spam Control?

Greylisting in Spam Control is a method that temporarily delays incoming emails from unknown mail servers. This helps reduce spam without permanently blocking legitimate emails.

Table of Contents

• What is Greylisting?
• How Does Greylisting Work in Spam Control?
• What Does a 4xx Message Mean in Greylisting?
• Why Is an Email Delayed?
• What is a Triplet?
• What Technical Values Apply to Greylisting?
• What Does Greylisting Mean in the Logs?

What is Greylisting?

Greylisting is a procedure where an email from a previously unknown sending mail server is initially temporarily rejected. The sending mail server is expected to automatically try to deliver the email again afterward.

Legitimate mail servers will attempt delivery again later. Many spam systems do not do this or do not do it reliably. This allows some unwanted emails to be filtered out before actual delivery.

How Does Greylisting Work in Spam Control?

Spam Control uses an advanced form of greylisting. The filter nodes are synchronized. Therefore, it does not matter through which filter node the email connection is received.

If an email arrives from a previously unknown combination of sending server, sender, and recipient, the connection is initially temporarily rejected for about 10 minutes.

After this time has elapsed, the sending mail server can attempt delivery again. If delivery is successful, this combination will be treated as known in the future so that further emails are not delayed again.

What Does a 4xx Message Mean in Greylisting?

In greylisting, an email is temporarily rejected with a 4xx error code. A 4xx error is not a permanent delivery failure.

The sending mail server is instructed to place the email in its own queue and attempt delivery again later.

Why Is an Email Delayed?

The delay serves to check the behavior of the sending mail server. A properly configured mail server will attempt delivery again after a temporary rejection.

If the sending server responds correctly, the email will be accepted after the retry attempt. This allows Spam Control to recognize the server as known in the future and avoid further delays.

What is a Triplet?

Spam Control evaluates a combination of several pieces of information during greylisting. This combination is called a triplet.

A triplet consists of:

• the IP subnet of the sending mail server,
• the sender’s email address,
• the recipient’s email address.

Example: If a sending server uses the IP address 222.153.243.117, the IP subnet considered is simplified to the range 222.153.243.

This also allows multiple sending servers of the same organization to be recognized if they send from the same technical network range.

What Technical Values Apply to Greylisting?

The following technical values apply to greylisting in Spam Control, among others:

• Unknown greylist triplets are accepted after about 10 minutes.
• IP subnets are added to the greylisting whitelist after 5 successful triplets.
• IP subnet and sender combinations are added to the greylisting whitelist after 2 successful combinations.
• Temporary greylist entries expire after 8 hours.
• Known greylist entries expire after 60 days if not seen again.
• Greylist triplets apply to individual recipient domains.
• The greylisting whitelist can be shared within the filter cluster.

What Does Greylisting Mean in the Logs?

Greylisting can appear as a temporary rejection in the logs of Spam Control. This does not mean that the message was identified as spam or permanently blocked.

The message was only delayed so that the sending mail server would attempt delivery again. If the sending mail server operates correctly, the email will be accepted on the later delivery attempt.

If an expected email was not delivered, check the logs in Spam Control. There you can see whether the message was temporarily rejected, delivered later, or permanently rejected.