‘Greylisting’, as described here, has received a lot of attention recently. However, I don’t think it’s a goer; here’s why:
Firstly, as Alan Leghart pointed out on the SpamAssassin-talk list:
This method proposes to delay EVERY SINGLE MESSAGE until a database match is found for sending IP, FROM, and TO. So…we punish everyone in the world, and hope that a delay of one or more hours is considered ‘acceptable’?
Read his message for a sample typical daily scenario which shows how bad this can be. Maybe some people already expect a mail to take several hours to reach a recipient. In that case, you need to fix your mail server. Even the 300Mhz SpamAssassin spamtrap server gets through mail faster than that, and it’s seeing an absurd mail load ;)
Secondly, many VERPing mailing lists and newsletters will need manual whitelisting. Requiring manual intervention == work == what spam filtering is trying to reduce == bad.
Thirdly, it assumes spammers would never introduce retries into their spam-tools if it took off. Tempfailing, what this is based on, is effective right now because spamtools don’t retry. But every proposed solution has to consider what would happen if every server admin in the world implements it, and spammers then want to subvert it.
IMO, ‘greylisting‘ would work fine until the spamtools start retrying, then we’re back to square one — except some legit mail takes a long time to get delivered, and the bandwidth wasted by spam has doubled due to all those retrying spams.