Greylisting in Exchange 2003

Posted on January 8, 2009 by Daniel Petri in Exchange Server with 0 Comments

Greylisting seems to be the right method to effectively lower the amount of spam your mail servers receive daily. Read more about it in my Combating Spam with Greylisting article.

There are quite a few Greylisting implementations available for a wide variety of SMTP mail servers. So far I have only been able to find one freeware Exchange 2000/2003 implementation (if you know of any other freely available tool, please let me know).

JEP(S) Greylist

JEP(S) is a spam filter which intercepts mail sessions before the mail is actually received. It does this using several technologies: greylisting, dynamic blacklists and whitelists, and static whitelists. Because the spam mail is never received, the load on the mail server drops drastically. When JEP(S) suspects that a mail session is spam related, it sends back a response to the sending mail server indicating that the session has failed and that the mail has to be resent. The sending mail server then queues the mail and retries at a later time. JEP(S) keeps track of this, and when the mail is resent after a configured delay (normally 2 minutes) it is allowed to pass through to the mail system.

The benefit of refusing the mail before it’s delivered is that you have never received the email that you’re refusing. By doing this the sending mail system is informed while the session is still open that you’re refusing the mail. If, for whatever reason, something goes wrong with the re-transmittal of the email then the sending user will be informed in clear text about what action was taken on the mail.

Note: JEP(S) is the predecessor of a fine tool called Graylist, also by the same author.

Features of JEP(S)

JEP(S) currently combines three technologies to filter spam: greylisting, RBLs (Realtime BlackLists) and RWLs (Realtime WhiteLists). In combination, these three give you good spam protection with an extremely low rate of false positives in comparison with other spam filters. A low rate of false positives means that it’s unlikely that legitimate email will be treated as spam and blocked. The block rate of your JEP(S) installation will of course vary depending on the volume and the type of email you’re receiving, but most of our implementations show an effective block rate of 94-98% on the greylist filter itself, without taking into account the effect of the RBL feature.

The free version features:

  • Spam protection through grey listing
  • Support for Exchange 2000/2003 and IIS SMTP
  • Tarpitting
  • White listing of email addresses and IPs
  • Easy adjustable parameters
  • Stand alone realtime monitoring utility
  • Easy install through admin interface
  • No time limit
  • No spyware – No adware

As an add-on to JEP(S), it is possible to purchase a license to enable the advanced functionality. See the author’s website for more info on that.

To run JEP(S) you need:

Component overview:

  • JEP(S) Sink – Handles the connection on the SMTP service. Sends intercepted session information to the JEP(S) server for analysis.
  • JEP(S) Server – Receives queries from the JEP(S) sink and responds with Pass or Block depending on the outcome of the analysis.
  • JEP(S) Admin – Administrates all settings and installs/uninstalls both the sink and the server.
  • JEP(S) Listener – Listens to the outcome of the JEP(S) server result and displays this in real time.

Installation and usage:

  1. Extract JEP(S) into the directory you’d like it to live in. For example – create the directory C:\Program Files\JEP(S)\ and extract it into here.
  2. Double click on JEP(S) Admin.
  3. Go to the database tab.
  4. In the ‘Create local database connection’ click Browse – Ok – Create database. The connect string is displayed (you can also use the SQL fields to achieve the same if you have access to a SQL server).
  5. Click ‘Use this connection string’.
  6. Go to Greylist server and select Install and then start. The JEP(S) server is now accepting traffic from the JEP(S) Sink.
  7. Go to Greylist sink and select Enable in and Enable out. The JEP(S) sink is now active and will intercept incoming and outgoing SMTP sessions.
  8. Select Apply to save your settings.
  9. Send a test message from a known good mail server (external to yours) to test successful reception of the message.
  10. Go back to the Status page and confirm that you have at least 1 record according to this screen. JEP(S) is now running in learning mode. This means that no connections will be blocked, but it will learn the patterns of sending mail servers, and this will be used later when blocking is enabled. Learning mode allows a smooth transition on high volume mail systems, but in most cases you can enable JEP(S) blocking functionality immediately without a negative impact.
  11. To enable blocking go to Greylist sink and select Mode – Enabled and press Apply. This change is instantly applied. The outbound sink (or Enable out) will log any outgoing traffic and whitelist this for a couple of days (this function is only available in licensed mode). That setting is changeable on the server page. Use the JEP(S) listener to connect to the server and see the traffic in real time.
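
The pass/block decision described in the JEP(S) overview, together with the learning mode from step 10, can be sketched as follows. This is an added example, not JEP(S) code: the `Greylist` class, the `replay` helper, the (IP, sender, recipient) key and the 451 reply text are assumptions, and the sample traffic is constructed.

```python
from dataclasses import dataclass, field

DELAY = 120  # seconds; the "normally 2 minutes" retry delay from the article
TEMPFAIL = "451 4.7.1 Greylisted, please retry later"  # assumed reply text
PASS = "250 OK"

@dataclass
class Greylist:
    learning: bool = True                           # step 10: record, never block
    white_ips: set = field(default_factory=set)     # whitelisted client IPs
    white_senders: set = field(default_factory=set) # whitelisted sender addresses
    first_seen: dict = field(default_factory=dict)  # key -> time of first attempt

    def check(self, ip, sender, rcpt, now):
        """Return the SMTP reply for one delivery attempt at time `now` (seconds)."""
        sender, rcpt = sender.lower(), rcpt.lower()
        if ip in self.white_ips or sender in self.white_senders:
            return PASS
        key = (ip, sender, rcpt)  # assumed key: the classic greylisting triplet
        first = self.first_seen.setdefault(key, now)
        # Pass in learning mode, or once the sender has retried after the delay.
        if self.learning or now - first >= DELAY:
            return PASS
        return TEMPFAIL

def replay(attempts, **settings):
    """Run the attempts through a fresh Greylist; return the reply codes."""
    gl = Greylist(**settings)
    return [gl.check(*a)[:3] for a in attempts]

# Constructed sample traffic: (client IP, MAIL FROM, RCPT TO, seconds since start)
ATTEMPTS = [
    ("192.0.2.10", "alice@example.org", "bob@example.com", 0),      # first contact
    ("192.0.2.10", "alice@example.org", "bob@example.com", 30),     # retried too soon
    ("192.0.2.10", "alice@example.org", "bob@example.com", 300),    # proper retry
    ("198.51.100.7", "promo@example.net", "bob@example.com", 310),  # never retries
    ("203.0.113.5", "partner@example.org", "bob@example.com", 320), # whitelisted IP
]

if __name__ == "__main__":
    for mode in (True, False):
        print("learning" if mode else "enabled ",
              replay(ATTEMPTS, learning=mode, white_ips={"203.0.113.5"}))
```

Senders recorded while `learning` is true pass immediately once blocking is switched on, provided the delay has elapsed since they were first seen, which is why a learning period smooths the transition.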

To read more about JEP(S), please see the author’s website.

To download JEP(S) use THIS link

From my initial testing, using Greylist on Exchange 2003 production servers has dropped the number of spam messages being received by IMF (read Block Spam with Exchange 2003 Intelligent Message Filter) significantly.

As always, read the readme file for more information.
