Yahoo’s Greylist Gets Into Grey Area

Sometimes it’s hard to tell what’s worse – spam or the spam filtering methods some companies decide to use to stop it. That’s certainly what one reader was left wondering after wrestling with what appears to be a very poor implementation of http://en.wikipedia.org/wiki/Greylisting greylist spam filtering by Yahoo and Yahoo’s inability to help him fix the problem.

A few weeks ago the reader wrote me:

“We are a public library. Overdue, Item Hold and Item Coming Due notices are sent via an opt-in automated e-mail system to library patrons. To opt in, patrons have to speak to a human, a circulation staff member, and have the necessary information added to their library card record. After running the system since 2003, suddenly Yahoo stopped accepting any and all mail from our mail server in mid May. The server is not an open relay, it is not on any black hole lists, it is not compromised, it is used for staff mail traffic only. Accounts can only be set up by the Administrator –me.”

“To say that contacting Yahoo has been difficult is a gross understatement. We reported the problem to the Yahoo abuse account. An automated reply arrived in 12 hours, but there was no further response. One of the reference librarians then dug up a corporate telephone number for Yahoo. We called and were e-mailed a whitelist application. We filled it out and returned it. Two weeks later an e-mail arrived with a request for more information, specifically the full text with all headers (as generated by the Yahoo mail system) to show what the Yahoo mail system thinks is the sender and so forth.”

“This would be lovely except for the minor detail that Yahoo rejects all our mail so that I cannot send a message to a Yahoo account in order to extract all the headers. So I explain and substitute (with full explanation of why I am substituting) the full text of a rejected e-mail, one that I sent to my personal Yahoo e-mail account. This is where it gets funny. Three days later Yahoo Customer Disservice replies and points out how the e-mail sample that I sent is a forged e-mail. Yikes!”

“I exchanged several more e-mails with Yahoo Customer Disservice. The most recent claimed that they had made a change to allow our mail server to send to Yahoo mail. Too bad, so sad, mail continues to be summarily rejected by Yahoo. I am fed up and will no longer reply to any Yahoo Customer Disservice mail. They must be so overwhelmed with dealing with crackpots, charlatans, criminals and nut jobs (most of which is their own fault) that they cannot understand a straightforward trouble report and deal with it.”

Last week however I heard from the reader again. “I got to thinking that this might be some kind of test, like Yahoo’s greylist procedures for incoming mail. Incoming mail is always denied and the sending server has to retry an unspecified number of times over an unspecified time period before the mail is finally accepted. Maybe if I do what they ask, as many times as they ask, maybe they will grant a boon and allow my mail server to send mail to Yahoo.”

“Since nothing else was working, I decided to experiment with the Queue Manager on my mail server. By a process of elimination I have arrived at a send/retry cycle that seems to be working. I am up to twelve retries in six hours. I suppose I could read my server logs and figure out exactly how many retries were required before the mail was accepted, but Yahoo likely has some random timing built into the greylist to foil log readers. Now all I get back are the occasional rejects because of dead Yahoo addresses.”

Even if this solution holds though, the reader thinks Yahoo’s approach is going to cause more trouble for legitimate senders than spammers. “I really don’t see how the greylist as Yahoo seems to have implemented it will really deter any serious spammers. It may slow them down, but I doubt enough to make them move elsewhere. Sending spam is done by dumb machinery, so what if it has to retry a dozen, two dozen, a hundred times, it runs 24/7 and can retry forever. The greylist is a poor solution for a problem that Yahoo helped create. Now I know how Don Quixote felt, though I hope I don’t get sent to the gallows at the end.”

Which do you think is more out of control – spam or spam protection? Post your comments on my website, phone the Gripe Line voice mail at 1 888 875-7916, or write me at Foster@gripe2ed.com.

Read and post comments about this story here.