[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: We need an IETF BCP for GREY LISTING
On Oct 11, 2011, at 10:32 AM, Murray S. Kucherawy wrote:
>>> I think someone should take up the effort to begin/draft an GreyList
>>> BCP for systems to follow.
>> I'm not sure that it's worth the trouble. The whole point of
>> greylisting is to marginalize naive client implementations on the
>> assumption (largely valid to this point) that they're likely to be
>> spambots. But I expect that spambots will start to deal with
>> greylisting very soon. If IETF were to document greylisting it would
>> only accelerate that process.
> I agree. I don't see what additional interoperability needs to be specified here that isn't already handled by RFC5321. 4xx means retry, and that's it. If, as a server, I give a hint as to when a retry will succeed, I'm giving the bad guys information that I don't want them to have, while a compliant RFC5321 implementation will do just fine as it is.
For classic greylisting that's all quite true (he whole point of greylisting is the assumption that bad actors will not retry, while good actors will). Greylisting does damage some forms of email, though - discussion lists, where emails are delayed by seemingly arbitrary amounts, breaking up the flow of conversation are one - but I can't think of any good way to mitigate that damage other than telling servers not to use greylisting or telling clients to retry quickly, neither of which seems like a good idea.
There's a vaguely related situation, though, where the current protocol isn't ideal, and that's when an SMTP server wants to put some control on the volume of mail it's being sent (by a specific SMTP client). The scarce resource is number of concurrent sessions, not total bandwidth, so the appropriate level at which to throttle is the SMTP session level. Yahoo, as one example, uses 4xx deferrals in order to shed load or to reserve capacity for high value mail at the expense of low value mail. That's not an ideal approach, as the SMTP clients have no consistent retry policy, so it's a fairly crude tool for capacity management. In that case, some minor extension to allow the SMTP server to communicate something a bit more nuanced than "Go away, come back later." might have some value.