embargo time in greylist rejection message

Vernon Schryver vjs@calcite.rhyolite.com
Fri Jun 25 14:27:12 UTC 2004

> From: Juergen Georgi 

> recently I saw the following SMTP greylist rejection message:
> 451 4.3.0 We will accept the mail in 1 minutes and 0 seconds.
> I is possible to show the leftover embargo time within the
> dccm rejection message? 

The DCC client does not know how much time must elapse before the
embargo stop.  If the server knew, the duration might be stuffed into
some bits in the DCC client-server protocol, but it would be a nasty
kludge.  There are cases when even the server cannot be be certain
when the embargo will stop.

Besides, the message might be rejected instead of accepted 
if its DCC target count increases during the embargo.

Worse, "we will accept in X minutes" might encourage naive users to
manually retransmit their messages.  Unless they are using broken MTAs
that violate RFC 821 and do not retransmit automatically, there is
little a user can do with knowledge of the duration of the embargo.

The default 4.5 minute embargo is so much shorter than the RFC 2821
recommendation and short in human terms that "will accept if
retransmitted" would be accurate, except that would encourage users
to manually retransmit and it can be wrong if the SMTP client uses
a different IP address.

>                         Currently only the sendmail queue ID
> and the client IP is available with "-r rejection-msg". 
> IMHO the standard dccm rejection message - "452 4.2.1 mail 
> abc12335 from aa.bb.cc.dd temporary greylist embargoed" - 
> is too technical and has a somewhat negative sound. 

I used "temporary embargo" to try to soften the connotations.
Do you have some other suggestions?

>                                                     I received 
> many inquiries from customers who were confused by this
> message. The above style is more "positive", and comprehensible 
> even for someone not familiar with greylisting.

Would a URL for a web page be better?

How do customers see the messages?  Mail senders do not see the
messages unless they run their own MTAs or have broken MTAs.

Some Internet service providers turn off the logging of greylisting
in dccm or dccifd with "option greylist-log-off" in global
or per-user whiteclnt files to reduce customer confusion.  (See 
the main DCC man page as well as the proof of concept CGI scripts
in /var/dcc/cgi-bin)


] From: John Sutton 

] There is probably a downside to telling spammers *precisely* when their 2nd 
] effort will be successful.  It would be rather inviting them to build the 
] hooks in their systems to use this info...

The best tactic for a spammer concerned about greylisting is to run
something that acts like a real MTA.  That does not need knowledge of
the targets' embargo durations.

] But I agree that positive is nice!  Something along the lines of:
] 452 4.2.1 We will accept mail abc12335 from aa.bb.cc.dd if presented again 
] later

There are two problems with that:
  - it would encourage users to manually retransmit messages.
  - it will be false in some cases

Vernon Schryver    vjs@rhyolite.com

More information about the DCC mailing list

Contact vjs@rhyolite.com by mail or use the form.