[Greylist-users] Waiting until after the DATA phase.

[Corey Huinker]

I suspect that most people understand this, but I think it should be stated:

One of the purposes of greylisting is to conserve your own bandwidth.

A large ISP has a measurable percentage of their bandwidth taken up by
inbound spam.  Spam isn't just an intangible cost to them, it's completely
measurable on a monthly basis.

It's noble of you to wait til the end of the DATA phase in an effort to
slow down spammers across the planet, much like a tarpit (better than a
tarpit, actually).  However, that means that you're not bandwidth
constrained, and can afford that luxury.  Others cannot.  Every byte spent
on spam is a byte they can't use streaming audio back to their paying
customers.  Waiting until after the DATA phase causes you to pay the full
bandwidth cost for the spam, and possibly pay it again if they retry.

Greylisting was built to trade CPU time and disk space (fixed costs which
get cheaper with each passing day) to conserve a metered utility
(bandwidth, an inherently recurring cost).

I personally don't care if I waste a spammer's time.  I just don't want
them wasting my time and resources.

Consider the following:

Most spam is some for of multilevel marketing.  A big AmWay of Viagra, if
you will.  Like all MLM schemes, the real money isn't made off the sale of
the product, it's made off of selling the tools to the lowest level
participants, so that they can attempt to sell the product.  In this case,
the money is being made off the sale of Spam Software.

The makers of spam software currently don't check to see if the message
was sent correctly.  It's NOT IN THE AUTHOR'S INTEREST to report accurate
delivery statistics, because this would only discourage the purchaser of
the software.  They want the purchaser to have a happy-go-lucky attitude
about the 'ware.  Thus, the spam program will cheerfully report how many
connections it has made, sidestepping the fact that many of those
connections were to nonexistant users.  In fact, getting a tempfail would
actually make the software appear to be sending mail FASTER.  Adding
retries would require work on the author's part, and it would only serve
to hurt the performance of the software (performance, as defined by the
author).

So, greylist essentially conspires with the sellers of spam software. 
Greylisters are not burdened with the spam, and the sellers get some
awesome statistics to show off their evil warez.

In summary, while it's A-OK by me if your greylisting implementation waits
until after the DATA phase to tempfail, I think it's missing one of the
chief advantages of greylisting: conserving bandwidth.