This is an event daemon for Mercury, a new daemon type that was presented in version 2.0 of the Daemon Developer Kit in June 2008. An event daemon has the ability to interact closely with various Mercury modules, in this case the SMTP server module, and change the way a message is processed.

The SmtpEvt daemon is based on the previous RcptEvt and RcptCheck daemons but has some added functionality.

In most cases it's probably a good strategy to leave the option "Accept mail for invalid local addresses" unchecked in MercuryS configuration and have the SMTP server refuse deliveries for non-existent local mailboxes. Still there may be circumstances where you prefer to receive mail even if for instance the recipient's address has been slightly misspelled (which is why the option exists, obviously). To avoid bouncing a lot of spam to (usually faked) sender addresses GrayWall is a great tool. Blacklists like Spamhaus, however, that normally are good spam fighting tools, won't help much in this case if set for tagging rather than rejecting, which is the most secure way to use them.

The SmtpEvt daemon will attempt to combine the information known in MercuryS before the message body is received to reject messages for non-existent local mailboxes that most likely are junk. It will check for X-Blocked headers added by blacklists, it will check for sending characteristics often used by spam bots, and will see if the message is a notification (delivery failure notifications to non-existent mailboxes are presumably never worth receiving). If no such indication is found and the RCPT is accepted the daemon will still increment the failed RCPT count for the transaction so the compliance check of failed RCPTs can be performed. Any action taken by the daemon can be seen in the MercuryS console window and log file.

Some testing has shown that this actually works surprisingly well. The daemon itself is very lightweight and should not increase system load noticeably. Still, I would not recommend using it in production unless you have first verified that it behaves satisfactorily in your environment.

To install it, copy SmtpEvt.dll to the Mercury directory and add the following line to the [Daemons] section of DAEMON.INI: 
SmtpEvent=smtpevt.dll

Version 0.9.1 added a check for missing Date header and bulk mail. Date is a required header according to the SMTP RFCs. If there is no Date header and the recipient is an invalid local address the connection will be terminated. If the message has a Precedence: Bulk header and bad recipient the message is received but immediately discarded. Authenticated connections will always be allowed, though. 
In version 0.9.2 the ability to block messages with a bad local sender address was added. If a MAIL FROM command with an address that belongs to a local domain is issued the daemon will check if there actually is such a mailbox in Mercury. If not, the connection will be terminated and log entries created. Note that this check will not be performed for domain mailboxes. 

To activate this function the line in DAEMON.INI will need an extra parameter, and should look like this:
SmtpEvent = smtpevt.dll; 1

If rcptevt.dll or rcptcheck.dll was previously running on the system those lines should be removed from DAEMON.INI.

The first publicly released version after the name change is 1.0.1. The daemon will now let any message from an IP address that has been exempt from transaction filtering in Mercury or has completed authentication pass through without evaluating the address information. Otherwise a message with identical MAIL FROM and RCPT TO will receive an informational header saying "X-Identical: From and Rcpt identical". If furthermore there is just one recipient an X-Blocked header will be added. This header will by default trigger SpamHalter, and can be used for filtering if SpamHalter isn't running. If multiple such messages are received from the same IP address within a short period of time the connection will be terminated and the host added to the short-term blacklist in Mercury.

Another added feature is not for protecting against spam but will watch out for mass mailings with big attachments from local users that will be likely to put the server under heavy load. If the number of recipients is too high and the message is too large the message will be refused. This will however only work if the client uses an ESMTP size declaration, so size restrictions should be switched on in MercuryS configuration. The levels are presently fixed but will later be configurable. The block levels are now:
Rcpts > 10 and message size > 5000000 bytes
Rcpts > 25 and message size > 2500000 bytes
Rcpts > 50 and message size > 1500000 bytes
Rcpts > 100 and message size > 1000000 bytes
Rcpts > 500 and message size > 500000 bytes
Rcpts > 1000 and message size > 250000 bytes


October 23, 2009

Rolf Lindby



Version 1.0.2, December 31, 2009
- Added short-term blacklisting for hosts that repeatedly use a bad local sender address. This will trigger if there are 5 such messages received within 5 minutes, and provided the IP address isn't exempt from transaction filtering in Mercury.

Version 1.0.3, March 14, 2010
- Added experimental support to check the Subject header for spam indicators. In this version only one such indicator will be checked (for some new spam that often bypasses SpamHalter). If there is a match and the message is either for a bad local recipient or the host IP is a DNSBL hit the SMTP session is terminated and the host is added to short-term blacklist.
- Added configuration dialog for the daemon. To enable it add the following line to the [Daemon_Config] section of DAEMON.INI: 
SmtpEvent=smtpevt.dll

Version 1.0.4, April 30, 2010
- Added checks for suspicious HELO greetings. If one is found an X-HELO header will be added to the message.

Version 1.0.4.32, October 31, 2010
- Checks for suspicious HELO greetings extended. Any unqualified hostname will now trigger a scan of the subject header, unless the session has authenticated or IP is exempt from transaction filtering.

Version 1.0.4.34, April 22, 2011
- HELO greeting without any hostname added to tests that trigger a scan of the subject header.

Version 1.0.4.35, June 27, 2011
- Changed behavior for messages with identical MAIL FROM and RCPT TO. If the sender IP address is on a blacklist the connection will be terminated. However, if the RCPT TO is a valid local address there will be no X-Blocked header added, only X-Identical. To intercept messages with X-Identical headers a filtering rule will need to be created in Mercury.

Version 1.1.1.7, July 10, 2013
- Added more options in configuration dialog
- Daemon now has a special section in Mercury statistics, and displays some performance info in the configuration dialog. Prepared for different levels of statistics, but those controls have no effect at the moment.
- Code heavily optimized to bring down the DLL size.

Version 1.1.2.8, February 15, 2014
- Minor fixes.

Version 1.1.2.11 February 20, 2014
- Added filter to block AUTH attacks, where a hostile party attempts to find a valid AUTH password by trying many commonly used passwords from a list. If more than 5 attempts are made from the same IP address within a short amount of time without success the IP address is added to the short-term blacklist. IP addresses that are exempt from transaction filtering in MercuryS will not be subject to test.

Version 1.1.2.74 June 22, 2015
- Added filter to attempt to block DDoS attack where the hostile party connects repeatedly in quick sequence from one or several IP addresses and immediately disconnects.
- Modified AUTH filter code to use the new block list logic used in the DDoS code.
- Added an option to automatically add suspicious Subject headers to the spam filter.

Version 1.2.0.203 January 2016
This version adds major new functionality by introducing 2 optional addons, as well as a number of small efficiency improvements and bug fixes. The new addons are:
- DNSBL CACHE. Performs direct DNSBL queries to Spamhaus ZEN (www.spamhaus.org/zen) with detailed response evaluation integrated with other anti-spam functionality in the daemon. Responses are cached for 30 minutes to minimize network traffic on busy servers. SBL hits are immediately blocked, XBL hits are blocked if there are other spam indicators and otherwise tagged with the X-BLOCKED header used by default by Mercury's built-in DNSBL handling. PBL hits will cause extra diligent spam checking, although taking into consideration if mail submission port 587 or 2525 were used, and a special header (X-PBL) is added that can be used in filtering. Actions based on DNSBL responses will be logged in the SMTP console as well as in the MercuryS log file, with some extra information displayed in the system console depending on selected information level. If detailed statistics are selected and debug level reports are requested in Mercury core configuration there will as well be a special log file created in the main Mercury directory, dnsbl.log. Note that it may not be advisable to use the debug setting permanently on a busy system as it will cause some extra load. If the daemon is set to save information to Mercury statistics there will be counters for blacklist hits, cache hits, current cache size, and max cache size. Cache size counters are initially zero and are updated only on cache hits and after cache refresh runs. Such runs happen periodically once the cache contains 100 items or more. The cache will work best for sizes up to around 1000 items, and should in this version probably not be used on a system that regularly exceeds 10000 in cache size.
- MAILCHECK FOR SECONDARIES. This addon will do a mailbox lookup to the primary server using a private extension to the SMTP protocol and provide information about incorrect RCPTs. This information will be used when determining the spam status of the message, and if the primary server is set to refuse non-existing RCPTs the same rule will apply on the secondary server. If there is no reply from the primary server or some networking error occurs the RCPT will be allowed. Responses will be cached for 5 minutes to limit network traffic.
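
The DNSBL CACHE behaviour described above, sketched as an added Python example (not the daemon's own code): it builds the ZEN query name, maps answers to SBL/XBL/PBL, applies the stated policy and caches results for 30 minutes. The return-code mapping follows Spamhaus' published ZEN codes; the function names, the injected resolver, the sample data and the way ports 587/2525 relax the PBL checks are assumptions.

```python
import ipaddress
CACHE_TTL = 30 * 60   # seconds; the text states responses are cached 30 minutes
# Last octet of a 127.0.0.x answer -> list, per Spamhaus' published ZEN codes.
ZEN_CODES = {2: "SBL", 3: "SBL", 9: "SBL", 4: "XBL", 5: "XBL", 6: "XBL",
             7: "XBL", 10: "PBL", 11: "PBL"}
SAMPLE_ANSWERS = {    # constructed resolver data, not real lookups
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2"],
    "7.100.51.198.zen.spamhaus.org": ["127.0.0.4"],
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.11"],
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],   # error reply
}

def zen_query_name(ip):
    # Reverse the IPv4 octets and append the zone name.
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".zen.spamhaus.org"

def classify(answers):
    # Answers outside 127.0.0.x (such as 127.255.255.x errors) are not listings.
    lists = set()
    for addr in answers:
        prefix, _, last = addr.rpartition(".")
        if prefix == "127.0.0" and int(last) in ZEN_CODES:
            lists.add(ZEN_CODES[int(last)])
    return lists

def decide(lists, other_indicators, port):
    # Returns (action, header, extra_checks) following the policy in the text.
    if "SBL" in lists:
        return ("block", None, False)
    if "XBL" in lists:
        return ("block", None, False) if other_indicators else ("accept", "X-BLOCKED", False)
    if "PBL" in lists:   # assumed: submission ports 587/2525 skip the extra checks
        return ("accept", "X-PBL", port not in (587, 2525))
    return ("accept", None, False)

class ZenCache:
    def __init__(self, resolver):
        self.resolver = resolver   # callable: query name -> list of A records
        self.entries = {}          # ip -> (expiry, lists)
        self.cache_hits = 0

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry and now < entry[0]:
            self.cache_hits += 1
            return entry[1]
        lists = classify(self.resolver(zen_query_name(ip)))
        self.entries[ip] = (now + CACHE_TTL, lists)
        return lists
```

Treating 127.255.255.x replies as "not listed" matters in practice: Spamhaus returns them for refused or over-limit queries, and counting them as hits would block legitimate mail.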

Version 1.2.0.210 March 2016
Another optional module, trntrack.dll, is introduced to keep track of current SMTP transactions in a more efficient way by maintaining a small internal database, and also implement an internal blacklist with configurable block time. It will be of most use on a high throughput system. Copy trntrack.dll to the main Mercury directory to use this addon.
To set the number of hours an IP address should be blocked, use the new smtpevt.ini file. It contains just one section ([Blacklist]) and the setting is TTL. Default is 3 hours.
 
Version 1.2.0.213 January 2017
A minor update with improved tracking of spam sending IP addresses and some added statistics counters. The daemon will when possible prefer to use its own blacklist rather than Mercury's short-term blacklist. The DNSBL addon has been extended to query Spamhaus DBL (www.spamhaus.org/dbl) to catch known spam sending domain names in MAIL FROM.

DNSBL version 1.0.0.19 December 2018
DNSBL addon updated to work with changed name server addresses at Spamhaus.

Version 1.2.0.224 February 2019
New settings available in the [Blacklist] section of smtpevt.ini:
Watchlist_Count - The number of hits (within the specified time frame) that will trigger blacklisting of AUTH failures or suspected DDoS connections. Default is 5.
Watchlist_Minutes - The number of minutes that a suspicious IP address remains in the watchlist. Default is 2.

Version 1.2.0.239 March 2019
New button in the configuration dialog to reset the internal blacklist and re-read the ini file. The reset function clears all entries from the blacklist and prints a line to the system messages console to confirm. Note that it only affects the smtpevt blacklist, not the short-term blacklist handled by Mercury. Make sure trntrack.dll is copied to the main Mercury directory to use the internal blacklist.
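
How the [Blacklist] settings from versions 1.2.0.210 to 1.2.0.239 interact, as an added Python sketch (not the daemon's code): hits from one IP are kept on a watchlist for Watchlist_Minutes, and Watchlist_Count hits inside that window move the IP to the blacklist for TTL hours. The class and method names, the sample ini content and the exact trigger comparison (block when the count is reached) are assumptions.

```python
import configparser
from collections import defaultdict, deque

# Constructed smtpevt.ini using the keys and defaults named in the text.
SAMPLE_INI = """
[Blacklist]
TTL = 3
Watchlist_Count = 5
Watchlist_Minutes = 2
"""

class Watchlist:
    def __init__(self, ini_text, exempt=()):
        cfg = configparser.ConfigParser()
        cfg.read_string(ini_text)
        get = lambda key, default: cfg.getint("Blacklist", key, fallback=default)
        self.ttl = get("TTL", 3) * 3600                   # block time, hours
        self.count = get("Watchlist_Count", 5)            # hits that trigger a block
        self.window = get("Watchlist_Minutes", 2) * 60    # watchlist lifetime
        self.exempt = set(exempt)    # stand-in for Mercury's filtering exemptions
        self.hits = defaultdict(deque)                    # ip -> recent hit times
        self.blocked = {}                                 # ip -> expiry time

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry is not None and now >= expiry:
            del self.blocked[ip]                          # block has expired
            return False
        return expiry is not None

    def record_hit(self, ip, now):
        """Record one AUTH failure or connect-and-drop; True means ip is blocked."""
        if ip in self.exempt:
            return False
        if self.is_blocked(ip, now):
            return True
        recent = self.hits[ip]
        recent.append(now)
        while now - recent[0] > self.window:              # drop hits outside window
            recent.popleft()
        if len(recent) >= self.count:                     # assumed: block at count
            self.blocked[ip] = now + self.ttl
            del self.hits[ip]
            return True
        return False

    def reset(self):   # clears all entries, like the reset button described above
        self.hits.clear()
        self.blocked.clear()
```

Times are plain seconds passed in by the caller, so the behaviour can be checked against recorded log timestamps when tuning Watchlist_Count and Watchlist_Minutes.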



