If you’re not familiar with greylisting, it’s a spam-blocking strategy that relies on the simple fact that the vast majority of spam runs are produced by software that doesn’t actually implement a full SMTP sender. Early spammers tried to bounce spam through existing mail servers, but these are relatively easy to find and shut down (or block at the router, if need be). Instead, the typical spammer now uses a large number of clients (often botnets of zombies, that is, machines that have been infected with malware and can be remotely controlled by the miscreants) to perform a distributed run of messages. The spam literally comes from hundreds or thousands of discrete IP addresses, making it difficult to control by traditional listing methods.
Enter greylisting. What greylisting does is keep track of the properties of incoming connections, typically some combination of the source IP address, the envelope sender address, and the envelope recipient address. This combination is known as a triplet and is treated as a single data item, even though it’s really a composite of three fields. The first time a greylist engine sees a connection from a given triplet, it records that fact in its database and instructs the SMTP server to issue a temporary error. By design, when SMTP-compliant machines get a temporary error, they queue the message up and try to send it again in a short time.
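The mechanism described above, as an added Python example that is not code from the original article: a minimal in-memory greylist keyed on the triplet. It goes one step past the text by accepting the sender's retry; the timing values, the 451 reply code and the sample traffic are assumptions constructed for illustration.

```python
import time

TEMPFAIL = (451, "Greylisted, please retry later")  # any 4xx reply makes a compliant sender queue and retry
ACCEPT = (250, "OK")

class Greylist:
    """Greylist keyed on (source IP, envelope sender, envelope recipient). Timings are assumed values."""
    def __init__(self, min_delay=300, retry_window=4 * 3600, pass_ttl=30 * 86400):
        self.min_delay = min_delay        # retries sooner than this are still deferred
        self.retry_window = retry_window  # unconfirmed triplets are forgotten after this
        self.pass_ttl = pass_ttl          # confirmed triplets stay accepted this long
        self.db = {}                      # triplet -> [first_seen, passed_at or None]

    @staticmethod
    def triplet(ip, mail_from, rcpt_to):
        # One composite key; lowercasing the addresses is a simplification.
        return (ip, mail_from.lower(), rcpt_to.lower())

    def check(self, ip, mail_from, rcpt_to, now=None):
        now = time.time() if now is None else now
        key = self.triplet(ip, mail_from, rcpt_to)
        entry = self.db.get(key)
        if entry is not None:
            first_seen, passed_at = entry
            stale = (now - passed_at > self.pass_ttl if passed_at is not None
                     else now - first_seen > self.retry_window)
            if stale:
                entry = None              # expired: treat as never seen
        if entry is None:
            self.db[key] = [now, None]    # first sighting: record it and defer
            return TEMPFAIL
        if entry[1] is None and now - entry[0] < self.min_delay:
            return TEMPFAIL               # retried too quickly
        entry[1] = now                    # sender proved it queues and retries
        return ACCEPT

def replay(events, greylist=None):
    """Run (time, ip, mail_from, rcpt_to) tuples through a greylist; return the reply codes."""
    gl = greylist or Greylist()
    return [gl.check(ip, s, r, now=t)[0] for t, ip, s, r in events]

# Constructed sample traffic (documentation IP ranges and example domains).
EVENTS = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.net"),  # real MTA, first try
    (5,    "198.51.100.7", "x1@example.com",    "bob@example.net"),  # bot, never retries
    (6,    "203.0.113.99", "x1@example.com",    "bob@example.net"),  # same run, other bot IP
    (60,   "192.0.2.10",   "alice@example.org", "bob@example.net"),  # retry, too soon
    (900,  "192.0.2.10",   "alice@example.org", "bob@example.net"),  # queued retry
    (5000, "192.0.2.10",   "alice@example.org", "bob@example.net"),  # later mail, same triplet
]
```

Calling `replay(EVENTS)` returns one reply code per connection: the two bot connections are each deferred as new triplets, while the retrying server is accepted once its queued retry arrives after the minimum delay.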
Read the full article at Devin Ganger’s blog.