GRYNX

23rd 2007f January, 2007

Greylist – freeware Grey list for Exchange v1.3

by @ 13:18. Filed under
Greylist

JEP(S), the successor of Greylist has been released at Proxmea.com
The new version includes many new exciting functions (RBL, RWL, Automatic white listing) and gives you a very granular control over how the filter works. And it’s still available in a free version!
Go and have a look!.

Introduction

Since I have had a lot of problems with false positives with the black lists that I’m using on my Exchange 2003 server I started looking into another way of filtering spam.
The obvious choice of additional protection fell on greylisting ( you can read more about what it is here ).
The problem with this is that there doesn’t seem to be any free products out there for Exchange and as I don’t want to set up a Linux box ( yet another box in the rack ) I decided to write one myself.

Usually i receive 3500-4000 spam attempts per day so that means that 70 mails a day are slipping trough. These 70 get matched to a blacklist that is not that aggressive and the result of this is that my spam level has gone down to almost 0% while I haven’t had a single false positive yet.

Latest version: v1.3.1 – 19 feb 2007

About the program. It consists of two parts.

Requirements:

Features:
Greylist

Greylist admin


New in version v1.3.0:
Greylist

Greylist admin

JEP(S), the successor of Greylist has been released at Proxmea.com
Even though Greylist has been succeeded by JEP(S), the download links remain here for reference.

Download:

Install package Greylist_v1.3.1.zip
Documentation Readme.doc
Source Greylist Greylist source v1.3.0

Previous versions:
Greylist v1.2
Greylist v1.1
Greylist v1.0

 

For support, feature requests and general chit-chat check out the Greylist forum
For comments like ‘Hey – great app!’ use the form at the end of the page.


What does it cost?
Nada. Nothing. It’s for free!
See it as a contribution to a better world :) A free contribution! I’ve released this under a Creative Commonce license, which comes down to that you can use it and redistribute it as long as you refer to me and this site while using any part of my program. The full license is available in the readme file.

But – please consider this especially if your a corporate user –
Register it! It will cost you 50 euro (about 65 USD) and will support the continued development and you’ll get access to the customization options for how Greylist behaves on the communication level.
The registration license will be mailed to you as soon as I’ve registered the payment.
And if your boss wants an invoice – no problem! I’ll mail that to you upon request.

The program is distributed ‘as-is’ and I don’t intend to provide any support for it.
But feel free to send me any suggestions to improvements or your own modifications.

Cheers,
Chris

40 Responses to “Greylist – freeware Grey list for Exchange v1.3”

  1. Bootp Says:

    Chris:

    Stumbled onto your applet some time ago and love it. Something I have done may help:

    I do NOT have it cohosted on the Exchange Server box – I am running ISA Server as an
    inside firewall. I am running IIS with SMTP ONLY installed – so I can use it my
    ISA server as an SMTP relay/proxy in front of Exchange. I have installed Greylisting
    on my ISA IIS SMTP installation and am delighted. NO ISSUES – and I am stopping spam
    which frequently contains virus’s at the firewall. ~nice~

    Re SQL Express (SSE) – I have managed to install other 3rd party APPs to use a
    remote SSE install when the 3rd party vendors couldn’t get their own product to work.
    The issue is NOT the 3rd party APP, but the appalling Microsoft documentation concerning
    remote access to SSE. Specifically, the Microsoft documentation was not ready when
    they released SSE to market – so their isn’t any documentation!! Lucky us.

    Realize that SSE is designed to be a developer’s tool, so remote isn’t “required” and
    Microsoft treats it on that basis. Add to that reality the additional security
    posture of Microsoft – and you can see why the default SSE install will ~not~ allow remote
    access.

    I have been running in a test environment and like all I see. Keep going – I think you
    are onto a terrific little applet here.

  2. Gary Lynch Says:

    I have been using Greylist for a couple of weeks now and have found it very useful, it has blocked 180,000 messages since we’ve started using it and has stopped a lot of emails that our GFI MailEssentials was failing to block.

    One thing I think could be changed is in the way the database cleanup is applied. As I don’t have the IP address checking enabled then over time you will get spam from/to the same sender/recipient causing all future spam from such pairs to get through.

    I think it’s save to assume that if the First Seen and Last Seen timestamps are the same and over 24 hours old then it is not going to be resent and is probably spam. The clean up function could look for this and delete those entries, the database would be much smaller then. I have added a query to the Access database to do this for me.

    Following on from this, is there an easy way compact the database? Access is especially wasteful with regards deleted records and I find the database can grow to 100MB in a couple of days. To run a compact on the database I am having to disable Greylist to remove the file locks and then enable again afterwards.

    Keep up the good work.

  3. Ara Says:

    I came across this tool and it looks to be a good tool. There is one issue I faced. After applying this on exchange server, I had socket errors when trying the email test on dnsreport.com so I restarted the server and it went fine. Maybe it is mandatory step and has to be in manual for product.
    Great work

  4. Martin Edwards Says:

    Usually my own email account got about 50-100 spam emails each day. I used to run with the GFI sollution, but it kept crashing our server, and let quite a few span-emails through. This has let 3 spam-mails through during a 3 week period! I am running with the built-in exchange “intelligent filter” along side with greylisting, and have made a short “whitelist” of domains, and it works perfect!

  5. Chris Eidem Says:

    If you are using the SQL DSN and you lose connection to your server, what happens? Does the software fail back to the Jet DB locally? Does it stop greylisting until the connection is restored?

  6. Chris J. Says:

    Hi Chris,
    If that happens then it will fallback to not blocking / greylisting emails until the database connection is restored. It will try to restore the connection every couple of minutes automatically. Then it will log these error sessions with code 999 in the logfile.
    This has been tested quiet extensively to make sure that it works correctly – and it does.

    Cheers,
    Chris

  7. Gary Lynch Says:

    What’s changed from 1.3.0 to 1.3.1?

    cheers
    Gary

  8. Michael G Says:

    Gmail accounts seem to be blocked completly. When it resends the first and last timestamps are always the same. I’ll update later if this changes for me. Also is there a way to track which email are passed?

  9. Chris J. Says:

    Micheal: I’ve posted a reply to your question in the community forum –> here.

  10. Michael G Says:

    Ahh Nevermind. Gmail uses multiple servers, blocking by IP address kills these for a while.

  11. Alex Hekstra Says:

    Just read on the forum your question

    “I just need to figure out code wise how to do something like ‘is 123.33.33.22 part of 123.33.32.0/23’.”

    This is simple.
    1) from the /23 part, you generate the subnet mask. This is an unsigned 32 bit integer with the 23 upmost bits set.
    for a /23 subnet, it is i.e. 11111111 11111111 11111110 00000000
    2) compare if the host matches the network range definition

  12. Chris J. Says:

    Hi Alex,
    Thanks! I’ve choosen another path though.
    I’m not converting the IP’s to serials and then do a more then less then comparison between the source ip.
    This will be implemented in the next major version which ‘might’ come in a month or so.

    Cheers,
    Chris

  13. Volker Schierenberg Says:

    Hy Cris,
    we are overjoyed since we use greylist,
    The Spam sank under 5%
    The registration was easy
    It works properly…

    I would have still a small desire..:
    A funktion to import and export source IP and Sender Adress for Whitelist

    Thanks a lot for this Great Programm
    Greetings
    Volker
    PS.
    Sorry my rubbish english :-)

  14. Andrew Way Says:

    1,000,000 spams stopped and counting!

    Hi Chris, just thought I’d pop you a quick note. We’ve got the registered version running on a dozen or so servers now – just on our 8 top servers we have prevented over 1,000,000 spam emails reaching the servers.

    As for the latest (couple of days ago) Trojan that is trying to spread by email – well, all we’ve noticed is the greylist logs are a little bigger.

    Brilliant! Just brilliant!

  15. Angelo Longa Says:

    Thank-you very much for your wonderfull tool: it really works as expecded stopping tons of spam mails per day.
    Thank-you!!!

    A. Longa

  16. Hayden Kirk Says:

    Can this be configured so that it only works on one domain? As I host mail, I do not want to annoy customers while I test this.

  17. Chris J. Says:

    Heyden Kirk: Unfortunately not. The next version (2.0) which is still under development will have a function for ‘learning’. This means that it does all the processing while no mails are blocked so that the filter gets to know you senders email patterns.

  18. Jason Says:

    I had a slight issue with the greylist program recently, it was running amazing for about a week and then all of a sudden it stopped allowing email to get through. I disabled and then re-enabled to see if that made a difference, disabled, deleted the directory downloaded a new copy and started it up and same thing, full blocking of all email to the server. Is there anything I can check because while it worked, it ran like a champ.

  19. Mo U. Says:

    Hey,
    I setup a test exchange box in a new domain. I set forwarding from my gmail account to my newdomain email account on exchange. What i found out was when i check the access database any email that is being forwarded from my gmail will be listed as
    gmailusername+caf_=testdomainusername=testdomain.com@gmail.com

    Problem is, in this way i am not able to identify the original user who is sending email to my gmail account. For example if Sue at sue@hotmail.com sends an email to my gmail account and it gets forwarded to my test domain account it will have the same format in the database as i mentioned earlier. Since from the database i would never know that email came from Sue, what would be the way to identify the original user of the email?
    My guess was that since my gmail account is already been whitelisted, when Sue sends me an email it really dosent matter if i whitelist her email separately because my gmail account is already in the whitelist.

    I apologize if my language here is a bit confusing. Any help on this would be appreciated. I would love to implement this in my real environment.

  20. Jonas Says:

    I have problem to get e-mail through while having greylist enabled. I am running version 1.3.1.

    I have tried disable and then enable it again. I don’t know what to do. I have also tried download a new copy.

    Do you have any idea what to do?

    Greylist have worked great for about 6 months, but now something have happened.

  21. Hayden Kirk Says:

    I have had some problems with this on certain customers servers. Here are some tips to help those of you in trouble.

    After creating a database and enabling the Greylist sink, sometimes all mail will be blocked. Greylist admin will also report nothing.

    To fix this:

    1) Run the disable command
    2) Restart IIS service (type services.msc in the run box)
    3) Delete database files (.mdb, .cfg)
    4) Run Greylist admin.exe recreating the databases
    5) run the enable command

    There is another problem where you have run the enable command too many times. This creates more than one sink. I have found this to be a huge problem and not even realising it.

    To fix:

    1) Run the disable command a few times until it can no longer find the sink
    2) Repeat the steps in the first solution

    I hope this helps some people.

  22. Kristian Says:

    Hi. Just added this great tool to a site. It look fine, but i realized after 1-2 hours that it was not so happy to talk to some mail servers. In the log it said “SMTP – 250”, but on the sending server it said “host dropped connection”. I tried everything of the above things. At last i had to drop using it. Any ideas ??
    P.S. Really sorry about that because greylisting i a smashing good techique.

  23. Lars Winkelmann Says:

    System sbs2003,
    Programm: JEPs not Greylist

    I also noticed that messages with status 250 in log file are dropped.
    has someone any ideas to fix this bug ?

  24. Lars Winkelmann Says:

    i´ve found a interessting problem:

    If i looking at the Jeps Listinger, i see sometimes logs that differs from all other:

    with command: addd
    SourceIP: none (blank)
    recipient: quit
    result: 0

    This mails are “return receipt, delivered or read messages” and JEPs are blocking this messages.
    I think that is a huge bug.

  25. Chris J. Says:

    Lars: Regarding the ‘interesting problem’; it’s not a lot message you see, but the autowhitelist in action.
    When you have it active then when a outbound mail is sent, then the recipient email address gets added to the inbound sender whitelist. This gets logged in the listener like that.
    After x hours then the sender email address gets automatically removed.

    Thus, not a bug – it’s a feature.

  26. Lars Winkelmann Says:

    Chris J.: it seems that some emails are blocked and that are important delivery, receipt or read messages

  27. Jake Says:

    I would just like to say thanks for taking the time to write one of the most amazing programs I’ve ever seen.
    I’m planning on registering our copy as soon as I can get it approved.

    The first hour of operation, 100,000 spam emails were blocked! (with not a single false positive!)

  28. Gigaflopper Says:

    I have just installed this on a server running 2003 and Exchange 2003. Emails are coming straight in from everywhere with no delay at all. he system is also running Symantec’s Mail Security for Exchange, do I need to uninstall this first?? Also, when I telnet to port 25 on the server it still appears that Exchange service is listening, should the SMTP banner look different?

  29. Chris J. Says:

    Gigaflopper:
    Seems like it’s not activated. Have you enabled it?
    Normally Greylist works fine with other spam products, but ofcourse there’s no guarantee. I know that other people use Symantec’s products together with Greylist.

    The banner should not change as it’s not replacing the IIS SMTP service.

    More questions? –> Look in the Greylist forum.

    Cheers,
    Chris

  30. RobertSeattle Says:

    You rock! Thanks for the great tool. A solid Directory Harvesting Attack killer is what I was looking for.

  31. Karl Foley Says:

    This looks great. Thanks, and I’m looking forward to trying this out.

  32. Umar Says:

    i have been using version 2.0 for almost over 3+ weeks and it works great. Blocks tons of spam and very very easy to configure. I did not see anything that i would say is wrong at the moment. Cant wait for the final version.

    I know you said you are 95% done but how much time span are we looking at?

    thanks for all your efforts.

  33. Robert Pacsonyi Says:

    Dear Sir,

    We are one of the Hungarian software-dealers (e.g.: we are Symantec
    Enterprise Sales Partner, Corel and Novell Business Partner.).
    Our customers are interesting in your products:

    Greylist

    We hope that you’ll be able to help us. We plan to order the program
    directly from you. Please write us the terms of reselling and prices too.
    We could pay with credit card. Please write me your fax number too.
    If we order, could you make out the invoice to us, NOT for the enduser?
    This is important for us. Can we download this product or you ship only
    retail box version?

    Waiting for your answer,

  34. Kat Katapaltes Says:

    Forum is not accepting new registrations as process fails when it tries to send you your confirmation email. It looks like the author’s greylist package is stopping the mail?

    Ran into problems sending Mail. Response: 451 4.7.1 Please try again later. Session Greylisted with JEP(S) Greylist http://www.Proxmea.com/. If you’ve received this in error then check http://www.greylisting.org/

    DEBUG MODE

    Line : 153
    File : smtp.php

  35. Robert Pacsonyi Says:

    Dear Sales Team,

    We are one of the Hungarian software-dealers (e.g.: we are Symantec
    Enterprise Sales Partner, Corel and Novell Business Partner and we are
    the Hungarian direct partner of ACDSystems, Ulead, WinZip, StarNet etc.).
    Our customers are interesting in your products:

    Greylist 1.3.1

    We hope that you’ll be able to help us. We plan to order the program
    directly from you. Please write us the terms of reselling and prices too.
    We could pay with credit card. Please write me your fax number too.
    If we order, could you make out the invoice to us, NOT for the enduser?
    This is important for us.

    Waiting for your answer,

    Best regards,

    Robert Pacsonyi
    product manager

  36. Garment Says:

    I used greylist in linux, http://www.logistic-china.combut now Exchanger can use it. Thanks for your job.

  37. Christian Says:

    hi,

    will there be an ‘upgrade license’? we’ve paied for 1.3 just some weeks ago and were pretty satisfied with the solution. now we’re wondering if everybody has to pay these € 150 ..

    regards,
    christian

  38. Chris J. Says:

    Christian: No worries – if you already have a Greylist license then you will recieve a cupon code that can be used for getting a €50 reduction on JEP(S). These codes will be sent out in the next coming weeks.

    Cheers,
    Chris

  39. Rog Says:

    I’ve installed this on several Exchange servers over the past several days. Here are some of my findings / opinions:

    (1) If you get a 250 in your logs *and* mail is not coming in, try stopping any other antispam solution and/or running “iisreset” again. On two servers, I found the following to be the case.
    (1a) Greylisting + Exchange = OK
    (1b) Greylisting + Trend Micro AV = OK
    (1c) Greylisting + Trend Micro AV + Trend Micro antispam = not OK
    (1d) Greylisting + Trend Micro AV + Trend Micro antispam + iisreset = OK

    This last step suggests to me that something is awry with either Trend Micro’s antispam solution and/or this greylisting dll.

    (2) 200 replies in log might be result of blank entries in the whitelist portion of your MS Access DB. When you get a 200 error, you still seem to get mail, even spam. To fix this, try deleting the blank entries and run “iisreset” from the command line. (200 reply = “nonstandard success response”, see RFC 876).

    (3) I created a “greylist-bounce.bat” file in my greylisting folder to “fix” things when mail seemed to mysteriously stop working. For whatever reason, that seemed to work.

    regasm /unregister greylist.dll
    cscript smtpreg.vbs /remove 1 oninboundcommand “Greylist sink”
    iisreset
    regasm /codebase greylist.dll
    cscript smtpreg.vbs /add 1 oninboundcommand “Greylist sink” greylist.eventsink RCPT
    cscript smtpreg.vbs /setprop 1 oninboundcommand “Greylist sink” source priority 77
    iisreset

    (4) Incoming mail from Gmail and Hotmail (dunno about Y!) might a huge problems in some environments. On one server, new mail from Hotmail got bounced a couple of times, and new mail from Gmail would range from like 5 minutes to several hours (like 12). I have my suspicions why this is the case (different IPs, different policies on different servers, etc), but the bottom line is that this could be very frustrating for users and possibly lethal to your job if, say, the CEO sent a super important email from his gmail account to someone to the Exchange server. This criticism is more directed to greylisting as a whole, rather than GRYNX in particular.

    (5) I have found this program to be 90% to 99 to 100% effective. On the server where it was 99 to 100% effective, most of the spam seemed to be dictionary attacks and/or email sent to an old domain that the Exchange server had in its recipient policy (e.g. asdfasdf@olddomain.com, 12345@olddomain.com, info@olddomain.com, hr@olddomain.com, administrator@olddomain.com, etc). On the server where it was 90% effective, a lot of the crap spam seemed like stuff that users had subscribed to (coupons, job board sites, etc). This type of spam is much harder to deal with, as it seems to adhere to proper RFC standards.

    (6) This solution is good quick fix if you’re in a pinch and need something fast and free. Ultimately, if you’re running Exchange and need a “free” greylisting spam solution that is enterprise-worthy, you’ll probably want to put some sort of postfix/tumsgreyspf-like box in front of your Exchange server. GRYNX is a very cool project, and while I thoroughly appreciate the hard work that has gone into it, I think that something like tumsgreyspf is much better suited for mission critical environments (the admins at RealityKings.com use it, in fact). GRYNX “works”, but only if you’re willing to fiddle and goof around a bit before you roll it out on your production servers. If you’ve got that much time to burn, then perhaps consider implementing postfix/tumsgreyspf to begin with.

    As the saying goes, fast, free, and good — pick any two!

    FAST – 9 (Install .NET 2.0, dump to folder, enable, quick config, ready to go…unless you have some funky spam solution that conflicts)
    FREE – 8 (Gratis, but not libre)
    GOOD – 4 (Unlike other greylisting solutions, this is not the sort of program that I could simply install and then just walk away and not worry about. If Exchange Server is your company’s family jewels [as it is for most organizations] then take a few days and put some sort of smarthost or smtp gateway in front of it. Maybe I’ll reconsider my stance once I better understand why things are mysteriously going awry when I start running it on my servers)

    Best,
    Rog

  40. Chris J. Says:

    Hi Rog,
    Thanks for your feedback – this is very valuable to us in developing the new versions.
    We’ve released a new version under a new name, JEP(S), and under another website, http://www.Proxmea.com, which addresses all of the issues in your feedback. Be sure to check it out!
    (1) This is no longer an issue as JEP(S) handles all installation of the sinks. Further is there a smart tool included (View sinks) which helps in positioning JEP(S) correctly together with other mail add-on’s.
    (2) Also no longer an issue, fixed in JEP(S).
    (3) No longer an issue, see 1.
    (4) No longer an issue. JEP(S) can use Realtime White Lists (RWL’s) which identifies especially large companies. When in use then the SourceIP is exluded in the processing.
    (5) We also include tarpitting in JEP(S) which protects against harvesting attacks.
    (6) I hope that you, after reviewing, see that JEP(S) is a lot more mature and that it’s more aimed at the enterprise market – without letting go of all installations in smaller systems.

    I’d love to hear from you if you have a look at JEP(S) and hope that we now can get more then 2 out of 3 😉

    Cheers,
    Chris

Leave a Reply

You must be logged in to post a comment.

Host your project

Write for Grynx:

Do you have what it takes? If you're the right person then email us.

Archives:

Support Grynx:

Help us continue our work with a donation

Website promotion SEO Managed Advertising

5 Most popular articles:

Google

Categories:

Do it yourself - DIY
Our projects collection

18 queries. 1.084 seconds

Home