Greylisting Explained: Why Asking Servers to Wait Kills 90% of Attack Traffic

Every legitimate mail server knows what to do when delivery temporarily fails: wait and try again. Most attack bots don't. That gap is what greylisting exploits. It quietly eliminates the vast majority of registration bomb traffic before anything else needs to run.

What greylisting actually does

When an unknown sender tries to deliver mail to a greylisted server, the server responds with a temporary rejection: a 451 "try again later" code. This is a standard part of the SMTP protocol. Legitimate mail servers respect it and retry within a few minutes. The mail arrives normally, just slightly later than usual.

Why bots don't retry

Registration bomb attacks are executed by scripts optimised for volume: submit to as many services as fast as possible. They are not designed to queue failed deliveries and retry minutes later. When a greylisted server rejects a delivery, the bot moves on. The confirmation email never arrives.

The numbers behind it

In real-world deployment, greylisting alone stops 80-90% of registration bomb traffic. Not because it's clever, but because it's simple. Most bulk attack infrastructure has no retry logic at all. The temporary rejection is all it takes.

The trade-off

The one downside is a short delay for first-time legitimate senders. The first email from a new contact arrives a few minutes later than usual. This happens only once. Once a sender's server has successfully retried, it's whitelisted and all future mail arrives immediately. For most organisations, a one-time five-minute delay is an entirely acceptable trade-off.
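The defer-then-whitelist behaviour described above can be sketched as follows. This is an added example, not MX Moat's code: keying on the (client IP, envelope sender, recipient) triplet, the 300-second minimum delay, the 4-hour retry window, the reply strings and the sample traffic are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MIN_DELAY = 300           # assumed: seconds before a retry is honoured
RETRY_WINDOW = 4 * 3600   # assumed: a retry later than this starts over
DEFER = "451 Try again later"   # constructed reply text
ACCEPT = "250 OK"


@dataclass
class Greylist:
    pending: dict = field(default_factory=dict)  # triplet -> first-seen time
    passed: set = field(default_factory=set)     # triplets that retried correctly

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return ACCEPT                  # known sender: no delay
        first_seen = self.pending.get(key)
        if first_seen is None or now - first_seen > RETRY_WINDOW:
            self.pending[key] = now        # first contact, or stale entry
            return DEFER
        if now - first_seen < MIN_DELAY:
            return DEFER                   # retried too soon; keep first-seen time
        del self.pending[key]
        self.passed.add(key)               # proper retry: whitelist from now on
        return ACCEPT


def replay(events):
    """Run (time, ip, sender, recipient) events through a fresh greylist."""
    gl = Greylist()
    return [gl.decide(ip, s, r, t) for (t, ip, s, r) in events]


# Constructed sample traffic (documentation IP ranges and example domains).
ALICE = ("198.51.100.7", "alice@mail.example", "user@example.org")
SAMPLE = [
    (0, "192.0.2.10", "signup@bulk.example", "user@example.org"),  # never retries
    (1, *ALICE),     # first contact: deferred
    (30, *ALICE),    # retry after 29 s: still deferred
    (400, *ALICE),   # retry after the minimum delay: accepted
    (500, *ALICE),   # later mail: accepted immediately
]

if __name__ == "__main__":
    for event, reply in zip(SAMPLE, replay(SAMPLE)):
        print(event[0], event[2], "->", reply)
```

The sender that never retries stays in `pending` and its message is never accepted, while the retrying server pays the delay exactly once.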

Greylisting as part of a layered defence

MX Moat uses greylisting as one of six protection layers. It runs first because it's the cheapest defence: it costs almost nothing computationally and eliminates most attack traffic before the more intensive checks need to run. ASN scoring, burst detection, and content analysis then handle whatever gets through.

Frequently Asked Questions

Will greylisting delay my important emails?

Only the very first email from a sender you've never received mail from before. Once their server has successfully retried, it's permanently whitelisted and all future mail from that address arrives without any delay.

Does greylisting affect email from major providers like Gmail or Outlook?

No. Google, Microsoft, and all major providers have proper retry logic and are typically already whitelisted in the reputation database. Their mail is never delayed.

Can attackers get around greylisting by adding retry logic to their scripts?

Some do, which is why greylisting is one layer among six, not the only defence. ASN reputation scoring and burst pattern detection handle the more sophisticated attacks that do retry. Greylisting just ensures cheap, high-volume attacks never make it to the heavier checks.
