With greylisting, our mail cluster servers maintain a record of three pieces of information when an e-mail is received:
1. The IP address of the machine sending the e-mail.
2. The e-mail address of the person sending the e-mail.
3. The e-mail address to which the e-mail is being delivered.
This set of information is captured and recorded in our database servers and communication with the sender’s server is terminated with an error code before the content of the e-mail message is received. Our servers reply to the sending server to say essentially “Sorry, we’re too busy right now. Please try again to send this e-mail later.” The error message (called a “400-level error”) is specifically “temporary” and properly configured mail servers will queue the message and retry after some period of time. Spammers, however, tend to do hit-and-run or “drive-by” mass mailings, fully aware that only a portion of the tens or hundreds of thousands of mails they might send will reach their target mailboxes before being identified as spam. As a consequence, they tend to change the addresses (or even entire servers) very often in order to try and get around various spam filtering (and sometimes in the case of hacked servers sending spam, simply don’t take the time to configure the mail server properly), the result being that once the message is denied by our server the first time, any spam will be blocked and the chances of it being resent is almost zero.
After 5 minutes, our servers prepare to receive the e-mail again. Assuming the message is legitimate, the originating server (if properly configured) will attempt to resend to the “busy” mail recipient, at which point the the servers compare the information that was collected previously and the e-mail is delivered without delay – from that point on, anytime a message with the matching information is delivered to our servers, it is delivered immediately. Entries are removed from the greylist if the waiting period expires without the sender re-sending the e-mail, because in this case, the sender is most likely a spammer.