List of black and grey, and the sticky tarpit

What spamd does to SMTP connections from addresses in the blacklist is to present its banner and immediately switch to a mode where it answers SMTP traffic 1 byte at a time. This technique, which is intended to waste as much time as possible on the sending end while costing the receiver pretty much nothing, is called tarpitting. The specific implementation with 1 byte SMTP replies is often referred to as stuttering.

spamd also supports greylisting, which works by temporarily rejecting messages from unknown hosts with 45n codes and letting through messages from hosts which try again within a reasonable time. Traffic from well behaved hosts, that is, senders which are set up to behave within the limits set up in the relevant RFCs[1], will be let through.
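As an added illustration of the decision just described (example code, not spamd's own implementation), the model below keys each attempt on the (source address, sender, recipient) tuple, answers the first attempt with a 45n temporary failure, and only lets the source host through once it retries after a minimum wait and before the grey entry is forgotten. The time limits are assumptions, chosen to match spamd's defaults of 25 minutes passtime, 4 hours grey expiry and 36 days white expiry; the reply strings and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed limits, in seconds (spamd's defaults: passtime 25 min, greyexp 4 h, whiteexp 36 days).
PASSTIME = 25 * 60          # a retry counts only if it comes at least this long after the first try
GREYEXP = 4 * 3600          # grey entries not retried within this window are forgotten
WHITEEXP = 36 * 24 * 3600   # whitelisted hosts stay whitelisted this long after last contact
TEMPFAIL = "451 Temporary failure, please try again later."   # constructed 45n reply
ACCEPT = "250 OK"


@dataclass
class Greylist:
    grey: dict = field(default_factory=dict)   # (ip, mail_from, rcpt_to) -> first-seen time
    white: dict = field(default_factory=dict)  # ip -> whitelist expiry time

    def decide(self, ip, mail_from, rcpt_to, now):
        """Return the SMTP reply a delivery attempt gets at time `now`."""
        # Already whitelisted: let it through and refresh the expiry.
        if ip in self.white and now < self.white[ip]:
            self.white[ip] = now + WHITEEXP
            return ACCEPT
        self.white.pop(ip, None)        # stale whitelist entry, if any
        key = (ip, mail_from, rcpt_to)
        first = self.grey.get(key)
        if first is None or now - first > GREYEXP:
            # Unknown (or forgotten) tuple: record it and reject temporarily.
            self.grey[key] = now
            return TEMPFAIL
        if now - first < PASSTIME:
            # Retried too quickly: not a well-behaved retry yet, keep rejecting.
            return TEMPFAIL
        # Retried within the window: promote the source host to the whitelist.
        del self.grey[key]
        self.white[ip] = now + WHITEEXP
        return ACCEPT


def simulate(attempts):
    """attempts: list of (time, ip, mail_from, rcpt_to); returns the reply to each."""
    gl = Greylist()
    return [gl.decide(ip, mf, rt, when) for when, ip, mf, rt in attempts]
```

A sender that never comes back, as spam engines often behave, only ever sees the temporary failure and its grey entry quietly expires; a real MTA that queues and retries after a sane interval gets through on the second delivery attempt.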

Greylisting as a technique was presented in a 2003 paper by Evan Harris[2], and a number of implementations followed over the next few months. OpenBSD's spamd acquired its ability to greylist in version OpenBSD 3.5, which was released in May 2004. Starting with OpenBSD 4.1, spamd by default runs in greylisting mode.

The most amazing thing about greylisting, apart from its simplicity, is that it still works. Spammers and malware writers have been very slow to adapt. We will see a few examples later.

Notes

[1]

The relevant RFCs are mainly RFC1123 and RFC2821. If you choose to join us greylisting pedants, you will need to read these, if only for proper RFC-style background information. Remember, temporary rejection is in fact an SMTP fault tolerance feature.

[2]

The original Harris paper and a number of other useful articles and resources can be found at the greylisting.org web site.