This is an old version – click here for latest version
Introduction
Since I have had a lot of problems with false positives with the blacklists that I’m using on my Exchange 2003 server, I started looking into another way of filtering spam.
The obvious choice of additional protection fell on greylisting (you can read more about what it is here).
The problem with this is that there doesn’t seem to be any free products out there for Exchange, and as I don’t want to set up a Linux box (yet another box in the rack), I decided to write one myself.
Usually I receive 3500-4000 spam attempts per day, so that means that 70 mails a day are slipping through. These 70 get matched against a blacklist that is not that aggressive, and the result of this is that my spam level has gone down to almost 0% while I haven’t had a single false positive yet.
About the program. It consists of two parts.
- Greylist installs as a .dll and connects to the SMTP service’s OnInboundCommand RCPT. It reads its configuration from Greylist.cfg and uses Greylist.mdb for logging entries. It also produces a log file in the log directory.
- Greylist admin creates and configures the above files as well as controls the settings and the white list.
Requirements:
- Windows server 2000/2003
- Exchange 2000/2003 or the vanilla IIS service
- .NET framework 2.0
Features:
Greylist
- Continue blocking for X minutes.
- Installs as a cached .dll
- Block by Source IP, Sender email address, Recipient address all together or in any combination.
- White list (always allow) by Source IP, Sender email address, Recipient address or in any combination.
- Clean out entries older than X days on the first session of the day.
- Stores data in a Microsoft Access database (.mdb)
- Logs on error to the event log
- Logs all sessions to a daily log file in /log/
Greylist admin
- Configures: Block for X minutes, Max age in X days, White list.
- Configures which items to use when blocking by Source IP, Sender email address, Recipient address all together or in any combination.
- Displays blocked items and passed items in totals.
- Displays current items in database.
- Displays block rate in % according to all entries in the database.
- Manually start cleanup routine.
New in version v1.1.3 (v1.1.1 for Greylist admin):
Greylist
- Supports wild cards (or rather partials) in the white list.
- Can now handle higher loads. Tested with 35 simultaneous sessions.
- Can now handle email addresses up to 200 characters.
- Logs in a different format supported by AwStats and logs all sessions. Click here for a limited demo.
- Now supports IIS SMTP. Source IP is not used though.
Greylist admin
- The constraint bug in the white list tab is gone.
- White list buttons are now pressed when selected.
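The feature list above describes the greylisting decision in words; the following is an added example (not the Greylist tool’s own code, which the page does not show) that implements the same rules in Python: a triplet of source IP, sender and recipient, a block window of X minutes, a partial-match white list, and a cleanup of entries older than X days. The class and function names, the time values and the constructed addresses are assumptions; the result codes 451, 250 and 200 are the ones the tool writes to its log. It also refuses an empty white-list pattern, since with substring matching an empty entry would pass every session.

```python
from datetime import datetime, timedelta


class GreylistStore:
    """In-memory greylist keyed on the triplet (or any subset of it).

    Hypothetical names, added for illustration. Result codes follow the
    tool's log format: 451 = temporarily blocked, 250 = passed after the
    block window, 200 = passed because whitelisted.
    """

    def __init__(self, block_minutes=5, max_age_days=30,
                 key_fields=("ip", "sender", "recipient")):
        self.block_for = timedelta(minutes=block_minutes)   # "block for X minutes"
        self.max_age = timedelta(days=max_age_days)         # "max age in X days"
        self.key_fields = key_fields                        # which items form the key
        self.entries = {}                                   # key -> (first_seen, last_seen)
        self.whitelist = {"ip": [], "sender": [], "recipient": []}

    def add_whitelist(self, field, pattern):
        """Add a partial-match ("wild card") entry; refuse empty patterns.

        An empty string is a substring of every value, so storing it would
        silently whitelist every session (a 200 without any preceding 451).
        """
        pattern = pattern.strip().lower()
        if not pattern:
            raise ValueError("empty whitelist pattern would match everything")
        self.whitelist[field].append(pattern)

    def is_whitelisted(self, triplet):
        return any(p in triplet[field].lower()
                   for field, patterns in self.whitelist.items()
                   for p in patterns)

    def decide(self, triplet, now):
        if self.is_whitelisted(triplet):
            return 200
        key = tuple(triplet[f].lower() for f in self.key_fields)
        if key not in self.entries:
            self.entries[key] = (now, now)     # first contact: always block once
            return 451
        first_seen, _ = self.entries[key]
        self.entries[key] = (first_seen, now)
        # a retry inside the block window is still refused; a later retry passes
        return 451 if now - first_seen < self.block_for else 250

    def cleanup(self, now):
        """Drop entries not seen for max_age days; returns how many were removed."""
        cutoff = now - self.max_age
        stale = [k for k, (_, last) in self.entries.items() if last < cutoff]
        for k in stale:
            del self.entries[k]
        return len(stale)


def run_demo():
    """Walk one constructed sender through the states; returns what happened."""
    store = GreylistStore(block_minutes=5, max_age_days=1)
    t0 = datetime(2006, 11, 20, 9, 0, 0)
    triplet = {"ip": "192.0.2.10", "sender": "list@example.net",
               "recipient": "user@example.org"}            # constructed values
    codes = [
        store.decide(triplet, t0),                          # 451: first contact
        store.decide(triplet, t0 + timedelta(minutes=2)),   # 451: retried too early
        store.decide(triplet, t0 + timedelta(minutes=6)),   # 250: retry accepted
    ]
    store.add_whitelist("sender", "@example.net")           # partial match
    codes.append(store.decide(triplet, t0 + timedelta(minutes=7)))  # 200
    try:
        store.add_whitelist("recipient", "   ")
        empty_rejected = False
    except ValueError:
        empty_rejected = True
    removed = store.cleanup(t0 + timedelta(days=2))         # entry is now stale
    return {"codes": codes, "empty_rejected": empty_rejected, "removed": removed}


if __name__ == "__main__":
    print(run_demo())
```

A retry after the window passes the message, so a sender that never retries (typical of bulk spam engines) never gets through, while a legitimate MTA is only delayed once per triplet. Keying on fewer fields (for example dropping the source IP, as the tool does on plain IIS SMTP) makes the store more forgiving of senders that retry from a different server, at the cost of less precise blocking.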
What does it cost?
Nada. Nothing. It’s for free!
See it as a contribution to a better world. A free contribution! I’ve released this under a Creative Commons license, which comes down to this: you can use it and redistribute it as long as you refer to me and this site while using any part of my program. The full license is available in the readme file.
The program is distributed ‘as-is’ and I don’t intend to provide any support for it.
But feel free to send me any suggestions for improvements or your own modifications.
Cheers,
Chris
October 27th, 2006 at 9:37
Chris,
Thanks again for a great tool, the last version is working great for me and it looks like this one is even better.
Allen
October 28th, 2006 at 2:21
Wonder if you are able to add junk support? Or the ability to move files to a different folder. Would be very nice!!
October 28th, 2006 at 10:24
Piethein: No, that won’t work as it’s only delaying the sessions. There is no way to determine if a session is legitimate if you don’t block it.
October 28th, 2006 at 16:18
I’ve added a statistics demo based on AwStats.
If numbers get you going then look here for a limited demo.
October 29th, 2006 at 7:37
Thanks for latest version.
I did run into an issue with SMTP – 999 in the text log.
The receiving mail server is set to 100 sessions and I understand
the greylist tool can only handle 35.
I set the incoming mail server to 30 and it is back to reporting SMTP 451’s.
This has logged over 15,000 blocked messages in less than 12 hours and that is not
counting the 999 failures.
Suggestions:
* Add sorting/search for whitelist (much needed)
* Add “Accepted” logging to allow easy adds to whitelist
(select entry and add to whitelist).
I am running this on:
Exchange 2000
Windows 2000 sp4
October 29th, 2006 at 8:08
Exrace: Without making any promises I can say that I’m working on the next version that will have support for ODBC connections instead of the local mdb. The mdb is today the limitation for the concurrent sessions. With an ODBC connection we should be able to make use of MsSQL or MySql and be able to get more sessions going.
The suggestions are accepted and added to the todo list.
Man, you have some serious traffic going!
Cheers,
Chris
October 29th, 2006 at 13:19
Running up on SMTP – 999 in the log again.
What might be the problem?
22,000 and counting.
October 29th, 2006 at 16:37
Hi chris,
Well, your 1.1.3 update is great! Upgraded as per your advice and put some wildcards in straight away. I also amended some existing entries to be wild cards
Had a slight “glitch” a few days ago with 1.1.0 and Exchange stopped accepting email, it just refused everyone. Restarted SMTP and all fixed.
See how this version goes. At same time thx very much for a great product
regards
Ian
October 30th, 2006 at 0:51
The latest version is working like a clock. I am a bit concerned about the access database size, but I am sure there will be working versions where I can use MSSQL instead in the near future.
I have a reject rate of 87%, 77000+ blocked and 63000+ entries in database.
When you look at migrating to a “real” database, you might consider making an option to log to the database instead of logging to a file.
October 30th, 2006 at 1:48
Exrace: Error 999 is logged if something went wrong in the db connection. This usually happens if it’s overloaded. Try reducing maximum concurrent sessions.
October 30th, 2006 at 6:31
I will tweak this connection size. I had it at 30 but was getting
“maximum number of connections has been reached. Connection being closed” so
I bumped it back up.
I have it set at 35 for now but let us know what the max connections
should be.
I have also seen crashes around same time as the 999:
Faulting application inetinfo.exe, version 5.0.2195.6620, stamp 3de2893b,
faulting module msado15.dll, version 2.80.1062.0, stamp 43fff143, debug?
0, fault address 0x000014af.
October 31st, 2006 at 1:39
It seems that 1.1.3 is stopping IIS SMTP. Every morning we have outbound mails queued up on the exchange server.
We are sending all mails through our mail gateway in the DMZ zone where Greylist is installed. When we do an iisreset /restart on the mail gateway all outbound mails on the exchange server are sent. If we remove the Greylist program we have no problems but SPAM.
Btw great program – when it works……
November 2nd, 2006 at 1:19
Chris,
We have reinstalled our mailgateway and the problem with Greylist 1.1.3 is over.
Conclusion – we had a problem with our IIS and not Greylist.
It works fine now. Thanks
November 3rd, 2006 at 11:26
To upgrade to v1.1.3 from v1.0, do you recommend remove & re-install or is there a safe way to keep using the old database?
November 3rd, 2006 at 21:10
Just wanted to let you know I did get your comment back in September, and have finally written up your greylist on my blog:
http://blogs.3sharp.com/Blog/deving/archive/2006/11/03/2350.aspx
November 5th, 2006 at 13:30
Eoin: When you install the new version and start Greylist admin for the first time then it will upgrade your existing database.
So – yes. You can just keep the old installation as is.
November 6th, 2006 at 3:37
I have a lot of entries like this in the log file, but the statistics are 0, what’s wrong?
2006-11-06 09:33:03 infonum-110527710333db@deutsche-bank.de xy@mbn-interlab.de – 84.121.122.129 SMTP – 999 0
November 6th, 2006 at 6:24
Gert: 999 means that there was an unknown error. This usually happens if the load (concurrent sessions) is too high.
November 6th, 2006 at 13:05
I tried it after a reboot of the Exchange Server, but the result is the same: SMTP – 999 0
(I don’t think that concurrent sessions are too high). NT Server 2003, Exchange Server 2003, latest SP
and McAfee Groupshield – is McAfee the problem? Thx!
November 10th, 2006 at 10:54
Chris,
This is a great plugin for exchange and it’s doing a great job for us blocking spam. However, I’ve seen a few spams get through without getting 451 response first when it’s a spam with BCCs in it:
2006-11-10 15:10:51 estukuleledes@ukulele.com foo1@foo.net – 82.160.42.74 SMTP – 200 0
2006-11-10 15:10:51 estukuleledes@ukulele.com foo2@foo.net – 82.160.42.74 SMTP – 200 0
2006-11-10 15:10:51 estukuleledes@ukulele.com foo3@foo.net – 82.160.42.74 SMTP – 200 0
2006-11-10 15:10:51 estukuleledes@ukulele.com foo4@foo.net – 82.160.42.74 SMTP – 200 0
2006-11-10 15:10:51 estukuleledes@ukulele.com foo5@foo.net – 82.160.42.74 SMTP – 200 0
Could you put a ‘catch’ in that try/finally block and log any error to the log file? I’m guessing it’s a problem with the strRecipient parsing or maybe chkWhitelist handling strRecipient.
November 13th, 2006 at 7:36
Matt G: Code 200 means that the mail was passed through as it was whitelisted. Do you have @foo.net in your recipient whitelist or @ukulele.com in your senders whitelist or the ip in the source ip whitelist?
Cheers,
Chris
November 13th, 2006 at 8:47
Hi Chris,
I didn’t have @foo.net or @ukulele.com whitelisted. In fact, I didn’t have anything whitelisted at that point nor have I seen it happen again since then. Looking at your code it appears that the only way the result code could be set to 200 is if bolWhite = true, so I think I had a whitelist entry in the database with an empty string in it. The more that I think of it, I’m pretty sure I had two empty rows visible on the whitelist tab at that time because I created an entry and then erased the contents of that entry.
Matt
November 13th, 2006 at 15:25
Thanks for a great tool – works awesome for us. A request I have is for a black list. About 40% of the mail coming to our server is for people who no longer work for us. Ideally I’d like to just drop anything addressed to them.
November 13th, 2006 at 18:20
I tried Greylist today but had no luck (Exchange 2003 on Win 2003).
The first time I ran Greylist admin there were lots of error messages pointing to some problems with the database. I think there is a problem with the date/time format since this is a German system. Changing the date/time settings to English (USA) fixed that, but still nothing but 999s in the logfile and no entry in the db. Recreating the db turns out to be difficult since something has its fingers on the mdb (disabling does not help) so I could not delete it. A server restart helped but that can’t be the solution.
What a pity – I like the idea of greylisting very much and especially a free program implementing it…
Joz
November 14th, 2006 at 1:50
Hi all,
I also think there is a date/time problem.
Running Greylist admin on a (German) SBS2003 server: creating the database ends with OK, then the following error.
At the next start of Greylist admin, or when clicking [cleanup now] or [refresh],
the following error:
Failed retrieve internal settings cause BOF or EOF is true ……
Sorry for my rubbish English
Volker
November 14th, 2006 at 3:51
Joz and Vosweb: Yes that’s correct. There is a date problem and this has been resolved in the new version that I’m still developing. I’m now storing all dates in international format to overcome this issue.
Eric: I’ve decided not to implement a blacklist as this is a function supported by Exchange itself. I’m not going to reinvent the wheel 😉
November 14th, 2006 at 6:41
Hi Chris
After testing your great tool, I seem to have some problems. I have a server that gets a lot of event id 348. It’s running very slow:
A message could not be virus scanned – this operation will be retried later. Internet Message ID , Error Code 0x0. For more information, click http://www.microsoft.com/contentredirect.asp.
Actually I have disabled your tool by running the disable script. So I don’t get, why I have this event about 350 times a day.
Google gives me this:
http://www.webservertalk.com/archive128-2005-4-604357.html
They talk about some smtpvbs.reg script, and this is where you come in
Is there something in your smtpreg.vbs that isn’t disabled correctly?
Henrik
November 14th, 2006 at 14:13
Henrik: Odd problem you have…
The way Greylist works is that it will only interfere with a mail if it needs to be blocked. If it’s not blocked then it passes through without Greylist even touching it.
What I could imagine is that the virus scanner has a lower priority, or close to, than Greylist and that this might interfere.
Could you do this: Enable Greylist and run cscript smtpreg.vbs /enum > enum.txt from the Greylist directory. Then send me an email with the enum.txt file.
I’ll mail you my address separately.
Cheers,
Chris
November 14th, 2006 at 22:26
I have a smart host between the Exchange server and the internet. Will I still be able to use this program?
November 15th, 2006 at 3:16
Jeff P.: Unfortunately you can’t use Greylist on a server behind the main MX as your smart host would resend any failed emails and the only effect would be that you’d get a delay in receiving emails.
Greylist has to be installed on a MX server that faces the spammers.
Cheers,
Chris
November 17th, 2006 at 16:01
I’ve installed the software on a Windows 2000 / Exchange 2000 server. Aside from installing a later MDAC version, and .NET 2, all appears to have worked well. I am receiving mail, and have had no spam as yet……
November 18th, 2006 at 17:54
I am just trying greylist out and so far looks very promising. But it would be nice if there was a feature that listed in a simple format what has been blocked and what has been passed.
Filtering and sorting what’s in the log file, I guess is what I’m suggesting. In other words, filter out blocked items if they were subsequently allowed to pass on retry, and filter out multiple passed items. Then sort what’s left in some logical manner.
That would make it easier to analyze how well it’s doing at blocking junk and avoiding false positives.
Ideally this would be available via command line so I could automate it with a perl script to email the output on a regular basis.
November 18th, 2006 at 18:28
One other thing… the log file’s name and the times inside the log file appear to be GMT rather than local time. Any chance we can see this changed or at least have an option?
November 20th, 2006 at 2:18
Jeff S: The easiest way to find items is from the command prompt. Open a command prompt and go to the \log directory.
To find all blocked grey sessions type: find " 451 " 20061120.log
To find all passed grey sessions type: find " 250 " 20061120.log
To find all whitelisted sessions type: find " 200 " 20061120.log
To find all bad sessions type: find " 999 " 20061120.log
The reason why dates and times are in UTC (not GMT) is that the logfiles can be consolidated across different servers and timezones.
In the next version, that is almost ready, the dates in the database are also in UTC.
Cheers,
Chris
November 20th, 2006 at 12:17
Thanks Chris. “find” isn’t quite what I was looking for, because “blocked” really means “potentially blocked” and if the sender resends, then it passes. So in that case seeing an item blocked is misleading. I was hoping for something that filters out the blocked items that were subsequently passed.
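The filtering Jeff S asks for (hide a 451 if the same triplet later got a 250, and count the rest) is a short script over the daily log. The following is an added example, not part of this thread or of the Greylist tool; it assumes the field order visible in the log excerpts quoted in the comments above (date, time, sender, recipient, a dash, source IP, SMTP, a dash, result code, 0), and the sample log lines and addresses are constructed. It also tolerates the en-dash that some copies of the log lines show in place of the plain dash.

```python
from collections import defaultdict

# Constructed sample of a daily log; field order follows the excerpts quoted
# in the comments above: date time sender recipient - source_ip SMTP - code 0
SAMPLE_LOG = """\
2006-11-20 08:00:01 news@example.net alice@example.org - 192.0.2.10 SMTP - 451 0
2006-11-20 08:06:12 news@example.net alice@example.org - 192.0.2.10 SMTP - 250 0
2006-11-20 08:07:30 bulk@example.com bob@example.org - 198.51.100.7 SMTP - 451 0
2006-11-20 08:09:00 friend@example.com alice@example.org - 203.0.113.5 SMTP - 200 0
2006-11-20 08:10:45 bulk@example.com carol@example.org - 198.51.100.7 SMTP - 451 0
2006-11-20 08:11:02 x@example.com dave@example.org - 198.51.100.9 SMTP - 999 0
"""

SEPARATORS = {"-", "\u2013", "SMTP"}   # tokens that carry no data (en-dash tolerated)


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the format."""
    fields = [p for p in line.split() if p not in SEPARATORS]
    if len(fields) < 6:
        return None
    try:
        code = int(fields[5])
    except ValueError:
        return None
    return {"ts": fields[0] + " " + fields[1], "sender": fields[2],
            "recipient": fields[3], "ip": fields[4], "code": code}


def summarise(log_text):
    """Split greylisted triplets into never-retried vs retried-and-passed.

    Also counts every result code, so a high 999 count (the db-overload
    symptom discussed in the comments) is visible at a glance.
    """
    first_block = {}            # triplet -> timestamp of its first 451
    passed = set()              # triplets that later received a 250
    counts = defaultdict(int)   # result code -> number of sessions
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["sender"], rec["recipient"])
        counts[rec["code"]] += 1
        if rec["code"] == 451:
            first_block.setdefault(key, rec["ts"])
        elif rec["code"] == 250:
            passed.add(key)
    never_retried = sorted(k for k in first_block if k not in passed)
    retried_ok = sorted(k for k in first_block if k in passed)
    return {"never_retried": never_retried, "retried_ok": retried_ok,
            "counts": dict(counts)}


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("blocked, never retried:", len(report["never_retried"]))
    print("blocked, then passed:  ", len(report["retried_ok"]))
    print("sessions per code:     ", report["counts"])
```

Run it against a real file with `summarise(open("20061120.log").read())`; the never-retried list is the set worth eyeballing for false positives, and any triplet in the retried list that you recognise as a legitimate sender is a candidate for the white list.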
November 20th, 2006 at 18:57
The theory rocks – “looks” like a silver bullet. So far, all is well. Comments on following please:
I am running this on my ISA server which is also a border firewall. It SEEMS to be blocking on all three of the triplets. Did you sneak in a silent upgrade?? Somewhere I remember seeing that it doesn’t filter on source IP if running on IIS SMTP.
Multi-MX source server issue: This seems to be the only “gotcha.” One fix would be to insert the IP addresses of all the “Big” mail servers. Since they don’t change often, a simple text file update would probably work – and someone to keep it up to date. Is there any thought to an auto-update?? As in fill in the MX servers we want to whitelist and then have DNS auto-populate the whitelist??? THAT would be awesome.
SQL – gees, how about SSE??? It is dyne Oh mite and free. Though, if it will work on MS-SQL it will work on SSE.
Definitely on the right track. Keep this thing simple and clean – just run a bit faster.
Thanks for the great work!! JUST the ticket for me.
BootP
PS – almost forgot – Exchange 2007 will have its own internal SMTP engine. Not sure how this sort of animal will fare in that environment. PLUS – major gotcha – it will need to run on x64 hardware and in an x64 OS.
November 21st, 2006 at 1:16
Hi Chris,
Great job, donation on its way,
no issues so far running it on MS Small Business Server 2003.
Cheers,
Ryan
November 21st, 2006 at 4:57
Hello, what a great tool this is. Stopping over 80% of spam.
I am getting this error from time to time:
Could not load file or assembly ‘System.EnterpriseServices.Wrapper.dll’ or one of its dependencies. The process cannot access the file because it is being used by another process. (Exception from HRESULT: 0x80070020)
Thanks for your time in helping me fix this error
November 21st, 2006 at 15:17
*Nice* tool, but we could really, really use a way to easily import whitelist entries.
Several known sources use multiple email servers to send emails, so they will frequently get blocked. The resend isn’t always from the same server. I found lists of servers that should be whitelisted in several places, but this seems to probably be the best one:
http://greylisting.org/whitelisting.shtml
– Matt Borcherding
November 21st, 2006 at 17:55
Hi Chris,
I’ve got the same date problem as vosweb. When are you releasing a new version?
Would be great to make it work in Switzerland.
Cheers
Loris
December 12th, 2006 at 3:10
Hi, I like the tool and it saves me a lot of e-mail, BUT,
I have reports of MISSING mail which is never delivered!
It seems only to happen to mails with the to: and cc: fields used.
I have issues of a cc: not receiving its mail while the to: arrived fine.
But today I had it the other way around.
The log file says 200 but the mail never arrives at our mail server?
Any suggestions?
Mike