Configuring greylisting

Go to AntiSpam > Greylist to configure greylisting and to view greylist-exempt senders.

This section contains the following topics:

• About greylisting
• Manually exempting senders from greylisting
• Configuring the grey list TTL and initial delay

About greylisting

Greylist scanning blocks spam based on the behavior of the sending server, rather than the content of the messages. When receiving an email from an unknown server, the FortiMail unit will temporarily reject the message. If the mail is legitimate, the originating server will try to send it again later (RFC 2821), at which time the FortiMail unit will accept it. Spammers will typically abandon further delivery attempts in order to maximize spam throughput.

Advantages of greylisting include:

• Greylisting is low-maintenance, and does not require you to manually maintain IP address lists, black lists or white lists, or word lists. The FortiMail unit automatically obtains and maintains the required information.
• Spam blocked by greylisting never undergoes other antispam scans. This can save significant amounts of processing and storage resources. For this reason, enabling greylisting can improve FortiMail performance.
• Even if a spammer adapts to greylisting by retrying to send spam, the greylist delay period can allow time for FortiGuard Antispam and DNSBL servers to discover and blacklist the spam source. By the time that the spammer finally succeeds in sending the email, other antispam scans are more likely to recognize it as spam.

Figure 276:Workflow of greylist scanning

When an SMTP client first attempts to deliver an email message through the FortiMail unit, the greylist scanner examines the email message’s combination of:

• sender email address in the message envelope (MAIL FROM:)
• recipient email address in the message envelope (RCPT TO:)
• IP address of the SMTP client

The greylist scanner then compares the combination of those attributes to manual and automatic greylist entries. The greylist scanner evaluates the email for matches in the following order:

1. manual greylist entries, also known as exemptions (see “Manual greylist entries” on page 628)
2. consolidated automatic greylist entries, also known as autoexempt entries (see “Automatic greylist entries” on page 627)
3. individual automatic greylist entries, also known as greylist entries

According to the match results, the greylist scanner performs one of the following:

• If a matching entry exists, the FortiMail unit continues with other configured antispam scans, and will accept the email if no other antispam scan determines that the email is spam. For automatic greylist entry matches, each accepted subsequent email also extends the expiry date of the automatic greylist entry according to the configured time to live (TTL). (Automatic greylist entries are discarded if no additional matching email messages are received by the expiry date.)
• If no matching entry exists, the FortiMail unit creates a pending individual automatic greylist entry (see “Viewing the pending and individual automatic greylist entries” on page 193) to note that combination of sender, recipient, and client addresses, then replies to the SMTP client with a temporary failure code. During the greylist delay period after the initial delivery attempt, the FortiMail unit continues to reply to delivery attempts with a temporarily failure code. To confirm the pending automatic greylist entry and successfully send the email message, the SMTP client must retry delivery during the greylist window: after the delay period, but before the expiry of the pending entry.

Subsequent email messages matching a greylist entry are accepted by the greylist scanner without being subject to the greylisting delay.

For information on how the greylist scanner matches email messages, see “Matching greylist entries” on page 626. For information on configuring the greylisting delay, window, and entry expiry/TTL, see “Configuring the grey list TTL and initial delay” on page 628.