Scam-grey is a milter which filters mail originating from infected zombie PCs. It provides you the ability to mitigate the flow of spam from these computers using greylisting.
Scam-grey milter is simple to configure. It includes features such as:
Scam-grey milter was designed to be light-weight. It can be used on a mail server with a slow CPU and 128 MB of memory.
How it works
On the first delivery attempt from a PC running Windows, Scam-grey generates a temporary error message. Subsequent delivery attempts made after the delay period will be allowed through. Unlike standard mail servers, virus, trojan infected hosts and zombies are not designed to retry the delivery after a temporary failure.
as a record and returns a temporary failure (SMTP code 450 extended code 4.7.1) if the host is greylisted. The default greylisting delay is eight minutes.
The record is expired if there is no connection for the matching record within the next 24 hours. Click here to see a sample of mail servers which are currently greylisted.
Scam-grey has a configurable whitelist of IP addresses or a range of IP addresses (CIDR). This feature can be used to accept mail from known MS Windows sending servers without any delay.
Hosts with a second level reverse DNS (www.example.com) are not greylisted.
Accept mail from users
Mail from end-users running MS Windows can be accepted without any delay by using any of the following methods:
Users should configure their mail clients (MS Outlook, Eudora, Mozilla Thunderbird) to use the port 587 (MSA) instead of the SMTP port to send mail through the mail server running Scam-grey.
Scam-grey measures the number of hops between the mail server and the computer sending the email. This feature can be used to accept the mail immediately if it falls within five hops.
Scam-grey will accept mail if the connection was authenticated through SMTP AUTH.
Please read the INSTALL and README files for more information.
You should have sendmail version 8.12.x or higher installed. Sendmail should
You should have the milter library and development kit installed
Download and install P0F ( http://lcamtuf.coredump.cx/p0f.shtml )
1. Extract the scam-grey tarball
2. Change the current directory to the one where the scam-grey source code
3. If you are using FreeBSD, OpenBSD or NetBSD, rename the Makefile.bsd file
If you are using a Linux distribution, rename the Makefile.linux file to Makefile
4. Type make and press Enter to compile scam-grey
1. Copy the scam-grey file created above to the appropriate location
2. Generate a new sendmail configuration (sendmail.cf) with the following
3. Add known external Windows servers to the scam.conf file and copy it to
4. Create a user (scamgrey for example) which will be used to run the milter
5. Create the /var/spool/scam directory
6. Verify that the user created in step 4 has read-write access to the
1. Login as root and start P0F with the following parameters
p0f -K -U -c 500 -Q /var/spool/scam/p0f.sock -d -q -o /dev/null -u scamgrey 'dst port 25'
A shell script (p0f.sh) is available. You should edit that file before
2. Change the owner of the p0f.sock socket so that it is read-writable by scamgrey
chown scamgrey /var/spool/scam/p0f.sock
3. Start scam-grey milter as a daemon
scam-grey -p unix:/var/spool/scam/scam-grey.sock -u scamgrey -D
4. Restart sendmail if you have generated a new sendmail configuration when
Type the following command to stop scam-grey
kill -USR1 `cat /var/spool/scam/scam-grey.pid`
Verify whether the default scam.conf file that comes with Scam-grey fits your
The following syntax is valid when adding entries to bypass greylisting.
The regular expression should be in between slashes. Add i at the end
The following syntax can be used to greylist hosts which
You can also greylist hosts based on the helo string.
These are the default settings:
This is the number of hops detected between the remote host and your mail server.
A remote host is greylisted for 500 seconds.
The greylist entries expire after a day.
Greylisting hosts without reverse DNS
Start Scam-grey with the -R switch.
If Scam-grey is started with the -t switch, the connection will not be greylisted. A X-Scam-grey: positive header will be inserted to the message instead.
Interaction with antispam filters
Scam-grey inserts a X-Scam-grey: delay 500 seconds header in messages from hosts that have been greylisted. If you are using an antispam filter such as SpamAssassin, you can use the following rule to increase the score for messages sent from Windows hosts or hosts using dynamic IP addresses:
Greylisting hosts by ASN
Some mail servers block mail from specific countries. Based on the topology of the Internet, it is better to filter by network than by geography. Scam-grey now queries Team Cymru's DNS service to map the IP address of the host to an ASN. You can either greylist
by ASN. You can perform an IP to ASN lookup at http://asn.cymru.com.
The DNS query to find the ASN can be disabled with the following setting:
If you are running scam-grey on a high volume mail server, please notify Team Cymru of the amount of queries that may be performed daily.
Greylisting hosts by DNSBL
It is common to use blacklists (DNSBL) for blocking connections. Some backlists may be too aggressive or may cause false positives. You can minimize the impact of these DNSBLs by using them to greylist hosts.
The syntax to query a DNSBL is:
where bl.example.org is the zone. You can define several DNSBLs by adding a line for each of them.
Copyright © 2004-2010 Eland Systems All Rights Reserved.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The download is provided free of charge subject to our license agreement.
Scam-grey source code version 1.6.4 (24 KB)
Scam-grey source code version 1.6.3 (24 KB)
Scam-grey source code version 1.6.2 (24 KB)
Scam-grey source code version 1.6.1 (23 KB)
Scam-grey source code version 1.6 (22 KB)
Scam-grey source code version 1.5 (22 KB)
Scam-grey source code version 1.4 (19 KB)
Scam-grey source code version 1.3 (18 KB)
Scam-grey source code version 1.2 (18 KB)
Scam-grey source code version 1.1 (18 KB)
Scam-grey source code version 1.0.1 (15 KB)
Scam-grey source code version 1.0 (15 KB)
Please send your comments and bug reports to firstname.lastname@example.org.
P0f - passive OS fingerprinting - Michal Zalewski
We would like to thank Team Cymru for providing an IP to ASN Lookup service.
Scam-grey in action
Mail sent from the following IP addresses are currently greylisted.