Could potentially work, greylisting can already be setup to greylist based on a certain SMTP weight threshold. Adding some additional logic to check if the weight is above a certain value OR the session was not secure could add the desired functionality. A setting would need to be added somewhere to control this behavior as well.

It would cover all the domains that the default greylist filters achieve and millions more legitimate senders like me, you and all of your customers. It allows for new IP ranges to be added by the likes of G/Hotmail without the need to adjust the greylist filters as today's default configuration would require. It's then up to the Spammers to work this out and start encrypting mail but I'd expect us all to be ahead of them for a few years at least.

Another thought that would sit in the same piece of code would be to add a delay (30 - 45 seconds for example) if the STARTTLS command was not submitted (with or without greylisting), Spammers would have moved on at that stage but legitimate/unencrypted email would wait for a response.

If not greylisting, could we have an Antispam check for 'STARTTLS not used' so that we can add weight to email accepted without encryption?

Steve, all excellent ideas! If the stats are accurate that 99% of messages coming in through a non-secure connection are spam, then adding a weight to those messages would be a simple solution. Thumbs up.

I wonder how risky it would be to just reject messages that don't use TLS.

Kevin

+1 for Steve's idea

@Kevind @jade-d thanks for the votes guys.

@Kevind the Google transparency reports say that in the past few years 90+% of email is delivered over TLS, this is slightly higher than my report for this month of delivered non-spam so we're still far from a position where we can outright block unsecure email, although I've made good progress here in the UK this past 9 months having worked with BT to use TLS which they haven't been doing for the past 8-10 years :(

They used to use cpcloud.co.uk who had a 'not bothered' approach to STARTTLS, BT appear to be removing evidence of the events. I replied to this which has been removed from the forum.

If there was a 'Spam Check' for not using STARTTLS it could be the same as 'Null Sender' as it can act on incoming SMTP and/or spool filtering adding weight as we see fit.