the spam arms race

beating the joneses

It would be fairly easy to bypass a greylisting server. All a spammer would need to do, is reconnect. However, they find it easier to abuse a non-greylisting victim.

This illustrates the well-known security arms race: you don't need to make your house completely burglar-resistant. You just need to do better than your neighbours. Criminals will prefer easier targets that can be conquered faster, with less time for, and less risk of, detection.

buying time

The time aspect is important in another way as well. It's safe to say, ISP's are a fairly well connected bunch. They share information about spam-sending computers really, really fast. As a spammer you have only a very short time window between spamming somebody somewhere, and being black-listed by everybody everywhere.

Because greylisting imposes a delay on new/unknown/untrusted mail senders, it significantly reduces that precious time window for spammers.

To the ISP, this time is cheap. Who cares if some mails get delivered 10 minutes slower, especially if most mails get delivered faster and with less spam noise? Yes, greylisting actually speeds up mail delivery: smaller mailqueues, lower system loads, higher throughput. Also, ongoing sender-receiver dialoges are not delayed. Those are whitelisted.

shifting the burden

The next step is, to actually increase costs for spammers. That is exactly what OpenBSD's spamd does. If you're on the greylist, you get redirected ... to ... a ... clerk ... that ... speaks ... really ... really ... slowly. Spammers get bogged down in what appropriately is called a "tarpit". Mainstream Linux can do this, too!

Tarpitting really goes beyond "beating the joneses". It's more like arresting and detaining burglars immediately, giving them no chance to trouble the neighbourhood.

externalities

Spamming is cheap. Spammers rent stolen computing capacity ("marketing services") on the dollar and send millions of emails. Even if only one in a ten thousand addresses ever responds, they can still earn a profit on selling genital stimulants.

Spam is a negative-value industry. It can only continue to exist in a market economy, because those that reap it's benefits (the spammers) are able to externalize it's costs. The costs of spamming are mosty born by others:

1. The addressee. She spends time reading the message before she realizes it is spam and hits the 'delete' button.
2. The ISP managing the mail server of the addressee. Most of their email bandwith is consumed by spam. Filtering it requires dedicated resources.
3. Some luckless dude whose computer got hacked just to send spam.
4. Society as a whole, facing information security threats with a growing involvement of organized crime.

To decrease spam, we have to shift those costs back to the criminals sending spam. Raising the risk of spending jail time is great. Inventing technical measures that reduce the volume of spam a hacked server can send per hour, is great as well. All of these measures force spammers to internalize the costs of spamming, making spam less and less attractive.