SmarterMail Help

Antispam | Spam Checks, RBL and URIBL Lists

SmarterMail comes equipped with a number of antispam features and functions that allow you to be as aggressive as you want when combating spam. Default antispam settings were configured during installation, but these settings can be modified at any time.

Due to the flexible nature of SmarterMail's antispam setup, spam checks can influence the spam decision as much or little as you want. Each spam check has one or more associated weights. When spam protection runs on an email, all enabled spam checks are performed. The total weight of all spam check tests is what comprises the spam weight for the email. A spam probability level (Low, Medium or High) is then assigned to the email using the weight chosen by the administrator on the Filtering card of the Options tab. Based on the email's total spam weight / probability of being spam, the corresponding spam filtering action is taken.

An added benefit to SmarterMail's antispam administration is the ability to combat both incoming and outgoing spam messages. Most mail servers only allow administrators to keep spam from entering the mail server. SmarterMail helps protect mail users from incoming spam and also includes the added benefit of keeping mail servers from actually sending spam, thereby helping to protect the mail server from being blacklisted.

To view and modify the spam checks for your server, log in to SmarterMail as an Administrator and click on the Settings icon. Then click on Antispam in the navigation pane. The Spam Checks, RBLs and URIBLs tabs can be used to create or modify existing spam checks and RBLs for the system.

Note: Only enabled spam checks, RBLs and URIBLs are used when calculating spam weight. To enable or disable a check, enable the appropriate spam check in its configuration options.

Spam Checks

In general, the following options may be available when creating a custom spam check or modifying an existing one:

  • Enable Spool Filtering - When enabled, the weight assigned for the spam check is added to the message and used as part of its overall spam score. SmarterMail then handles the message based on the spam settings configured for a domain.
  • Enable Incoming SMTP blocking - This option is used in conjunction with the SMTP Blocking settings configured in Antispam Options. When enabled, this spam check is counted toward to weight threshold for the blocking of incoming emails. As SMTP blocks are done at the IP level and not based on message content, some spam checks do not offer SMTP blocking. If this option is not available, then that particular spam check does not offer SMTP blocking and must rely on content filtering instead.
  • Enable for Outgoing SMTP blocking - This option is used in conjunction with the SMTP Blocking settings configured in Antispam Options. When enabled, this spam check is counted toward to weight threshold for the blocking of outgoing emails. As SMTP blocks are done at the IP level and not based on message content, some spam checks do not offer SMTP blocking. If this option is not available, then that particular spam check does not offer SMTP blocking and must rely on content filtering instead.
  • Weight - The weight range available for the spam check. Each spam check may utilize unique spam weight options.

Creating Custom Rules

Email can be assigned spam weights based on the header, body text or raw content of a message. For example, the administrator can create a rule that assigns a specific spam weight to all messages containing the word "viagra" in the body text. To configure weights for custom rules, click New, then complete the following fields:

  • Rule Name - The name of the rule.
  • Rule Source - What you want the rule to be based on: a message's header, body text or raw content. When selecting "body text" or "raw content", you'll need to supply additional information that is applied to the Rule Text: whether the Source "contains" the information, whether the a wildcard is used for a range of information or whether you want to supply a regular expression. If you select Header you will need to supply header details separately from the Rule Text.
  • Rule Text - The text that will be used in conjunction with the Rule Source. For example, if you use create a Rule Source based on Body, then an additional Rule Source for "Contains", Rule Text can include words such as "Cialis", "Viagra", etc.
  • Weight - The amount to add to the email message's spam weight.
  • Enable Spool Filtering - See above for details.
  • Enable Outgoing SMTP Blocking - See above for details.

Cyren Premium Antispam

The Cyren Premium Antispam add-on uses Recurrent Pattern Detection technology to protect against spam outbreaks in real time as messages are mass-distributed over the Internet. Rather than evaluating the content of messages, the Cyren Detection Center analyzes large volumes of Internet traffic in real time, recognizing and protecting against new spam outbreaks the moment they emerge. For more information, or to purchase this add-on, visit the SmarterTools website.

  • Enable Spool Filtering - See above for details.
  • Enable Outgoing SMTP Blocking - See above for details.
  • Confirmed Weight - The weight that will be assigned if the Cyren Detection Center determines the message as coming from known spam sources.
  • Bulk Weight - The weight that will be assigned if the Cyren Detection Center determines the message as sent in bulk. Note: Newsletters or mailing list messages may be included in this classification.
  • Suspect Weight - The weight that will be assigned if the Cyren Detection Center suspects the message may be spam because it was sent to a slightly larger than average distribution.
  • Unknown Weight - The weight that will be assigned if the Cyren Detection Center is unable to determine the spam probability of a message. This should be treated similarly to a None Weight.
  • None Weight - The weight that will be assigned if the Cyren Detection Center deems the message as not spam.

Declude

Declude integration allows you to use Declude products in conjunction with the SmarterMail weighting system. Declude addresses the major threats facing networks, and are handled by a multi-layered defense. Configuration of Declude is done through the Declude product, so all you need to do in SmarterMail is enable the spam check and the Declude score will be included when calculating the total spam weight of a message. For more information, visit www.declude.com.

  • Low Spam Weight - The weight that will be assigned if Declude determines a low probability of spam.
  • Medium Spam Weight - The weight that will be assigned if Declude determines a medium probability of spam.
  • High Spam Weight - The weight that will be assigned if Declude determines a high probability of spam.

DKIM and DomainKeys

DomainKeys and DKIM are an email authentication system designed to verify the DNS domain of an email sender and the authenticity of a message. While a possible source for determining whether an email is spam or not, neither is universally adopted so any weights assigned for failing these checks should be minimal. In addition, because the DomainKey method has become obsolete; we recommend utilizing DKIM instead.

  • Enable Spool Filtering - See above for details.
  • Pass Weight - Indicates that the email sender and message integrity were successfully verified (less likely spam). The weight you set may be 0 (for no effect) or a negative number, thereby reducing the spam rating.
  • Fail Weight - Indicates that the email sender and message integrity verifications failed (most likely spam). Set this to a relatively high weight, as the probability that the email was spoofed is very high.
  • None Weight - Indicates that there was not a valid DomainKey/DKIM signature found to validate the sender and message integrity. Except in very special circumstances, leave this set to 0.
  • Max message size to verify - The maximum incoming message size you want the mail server to verify.

Honey Pot

A "honey pot" spam check derives its name because implementing it can attract spammers -- or, more likely, spam bots -- like "bees to honey." Basically, a system administrator populates the honey pot spam check with email addresses that are designed to be seen by, or otherwise used by, spammers. These addresses can be commonly used addresses that spammers will automatically target such as admin@your-domain.com, info@your-domain.com, hr@your-domain.com, etc. These types of addresses are commonly targeted, but SHOULD NOT be addresses that are actually used by any user of a given domain. You don't want to add admin@your-domain.com IF that is an actual address used BY a user on that domain. In fact, any addresses added as honey pot addresses DO NOT need to be an actual account. So if you DO use admin@yourdomain.com as a honey pot address, you do NOT need to add that as an actual account TO the domain. In addition, there's no limit to the number of addresses you can add. It's totally up to the system admin.

Another common way to instantiate a honey pot spam check is to add a hidden email address to a form used on a website. Spam bots can scrape email address from these forms, then populate spam lists that are used by, or potentially sold to, spammers. By adding in a hidden (using CSS) honey pot email address to a form, you can essentially trick these bots into scraping that email address, then block any sender who uses the address.

Regardless of HOW you set your trap, honey pots can be a simple, yet effective, way of finding, scoring and then disposing of email spam for your users as well as blocking sending IP addresses.

  • Enable Spool Filtering - See above for details.
  • Reject found entries at SMTP level - Enabling this will automatically reject the message prior to it being delivered if the IP of the sending mail server has already been listed. NOTE: This will occur as long as the IP is not whitelisted, is not a gateway and is not IP Bypassed.
  • Pass Weight - The weight you set may be 0 (for no effect) or a negative number, thereby reducing the spam rating. (Setting negative numbers is not recommended.)
  • Listed Weight - This is the weight that is assigned to a message sent from an IP address that was already part of the honey pot.
  • Triggered Weight - This is the weight that is assigned to a message that is sent to one of your Honey Pot Addresses. The email address must match one in the list of Honey Pot Addresses for this weight to be added to the message.
  • Honey Pot Addresses - These are the actual, full email addresses you're targeting for use by spammers. These should NOT be actual email addresses that are used by anyone on any domain. They are explictly to be used ONLY for trapping potential spammers.

Message Sniffer

The Message Sniffer add-on is an intelligent antispam scanner that uses advanced pattern recognition and collaborative learning technologies to accurately identify spam, scams, viruses, and other email borne malware before it gets to a user’s mailbox. For more information, or to purchase this add-on, visit the SmarterTools website.

  • Enable Spool Filtering - See above for details.
  • Enable Outgoing SMTP Blocking - See above for details.
  • Confirmed Weight - The weight that will be assigned if Message Sniffer determines the message as coming from known spam sources.
  • None Weight - The weight that will be assigned if Message Sniffer deems the message is not spam.

Null Sender

A common spam technique is to send messages with missing, or "Null" sender values. That means that the message appears to come from no one as the sender details are blank. This check allows you to assign a spam weight to messages that meet this criteria.

  • Enable Spool Filtering - See above for details.
  • Enable Outgoing SMTP Blocking - See above for details.
  • Weight - The weight assigned to messages that fail this check.

Remote SpamAssassin

SpamAssassin itself is a powerful, third party open source mail filter used to identify spam that can be easily used alongside SmarterMail. It utilizes a wide array of tools to identify and report spam. By default, SpamAssassin will run on 127.0.0.1:783. For more information, or to download SpamAssassin, visit spamassassin.apache.org.

SmarterMail can use SpamAssassin with its weighting system:

  • Enable Spool Filtering - See above for details.
  • Enable Outgoing SMTP Blocking - See above for details.
  • Low Spam Weight - The weight that will be assigned if SpamAssassin determines a low probability of spam.
  • Medium Spam Weight - The weight that will be assigned if SpamAssassin determines a medium probability of spam.
  • High Spam Weight - The weight that will be assigned if SpamAssassin determines a high probability of spam.
  • Client Timeout - The timeout that SmarterMail will impose on a server if it cannot connect.
  • Max Attempts per Message - The number of times SmarterMail will attempt to acquire a SpamAssasassin score for an email.
  • Failures Before Disable - The number of times a remote SpamAssassin server can fail before it is disabled.
  • Disable Time - The length of time before the SpamAssassin server is re-enabled.
  • Header Log Level - The amount of information SpamAssassin inserts into the header of the message

Reverse DNS

Reverse DNS checks to make sure that the IP address used to send the email has a friendly name associated with it.

  • Enable Spool Filtering - See above for details.
  • Enable Incoming SMTP Blocking - See above for details.
  • Weight - The default weight for this spam check. If an email sender does not have a reverse DNS entry, this is the value that will be added to the message's total spam weight.
  • Forward Confirm Fail Weight - Forward Confirm Reverse DNS means that an hostname has both forward and reverse DNS entries that utilize the same IP address. Using this check, SmarterMail checks the rDNS and fDNS and if there is no A record, the check fails.
  • Forward Confirm Mismatch Weight - Using this check, SmarterMail checks the rDNS and fDNS and if the IPs exist, but don't match, the check fails.

SpamAssassin-Based Pattern Matching

SmarterMail includes a proprietary pattern matching engine built upon the SpamAssassin technology as part of the default installation of the product. It includes a number of spam detection techniques, including DNS-based and fuzzy-checksum-based spam detection, Bayesian filtering and more.

  • Enable Spool Filtering - See above for details.
  • Enable Outgoing SMTP Blocking - See above for details.
  • Low Spam Weight - The weight that will be assigned if the pattern matching engine determines a low probability of spam.
  • Medium Spam Weight - The weight that will be assigned if the pattern matching engine determines a medium probability of spam.
  • High Spam Weight - The weight that will be assigned if the pattern matching engine determines a high probability of spam.
  • Header Log Level - The amount of information the pattern matching engine inserts into the header of the message.

SPF (Sender Policy Framework)

SPF is a method of verifying that the sender of an email message went through the appropriate email server when sending. As more and more companies add SPF information to their domain DNS records, this check will prevent spoofing at an increasing rate.

  • Enable Spool Filtering - See above for details.
  • Enable Incoming SMTP Blocking - See above for details.
  • Scan From header instead of Return Path - Enabling this means the check will use the From address for the SPF check as opposed to the message's RETURN-PATH, which is where NDRs (bounce messages) are sent. Many times spammers will spoof messages by changing the From address to make it appear like a message is coming from a legitimate person/organization even though the RETURN-PATH may be for the actual source of the message. While it is possible to spoof a message's RETURN-PATH, spoofing the From address is a much more common method used by spammers.
  • Pass Weight - Indicates that the email was sent from the server specified by the SPF record (more likely good mail). The weight you set may be 0 (for no effect) or a negative number, thereby reducing the spam rating.
  • Fail Weight - Indicates that the email was sent from a server prohibited by the SPF record (highly likely spam). Set this to a relatively high weight, as the probability that the email was spoofed is very high.
  • SoftFail Weight - Indicates that the email was sent by a server that is questionable in the SPF record. This should either be set to 0 or a low spam weight.
  • Neutral Weight - Indicates that the SPF record makes no statement for or against the server that sent the email. Except in very special circumstances, leave this set to 0.
  • PermError Weight - Indicates that there is a syntax error in the SPF record. Since SPF is relatively new, some domains have published improperly formatted SPF records. It is recommended that you leave this at 0 until SPF becomes more widely adopted.
  • None Weight - Indicates that the domain has no published SPF record. Since SPF is relatively new, many legitimate domains do not have SPF records. It is recommended that you leave this at 0 until SPF becomes more widely adopted.

RBL Lists and URIBL Lists (Real-Time Blacklists)

RBL lists (also known as IP4R Lists) and URIBL lists are publicly accessible lists of known spammer IP addresses. These lists can be a very important part of spam protection. To attach a list, navigate to the appropriate tab and then click New. Dependent on the list you’re adding, the following settings are available:

  • Name - A friendly name for the list that will help you and your customers identify it.
  • Description - This field allows you to store additional information about the list.
  • Weight - The default weight for this spam check. If an email sender is listed with the spam list, this is the value that will be added to the message's total spam weight.
  • Max Weight - The maximum weight that a single URIBL check can add to the message.
  • Hostname - The hostname of the RBL.
  • Lookup Prefix -
  • Required Lookup Values - The expected value(s) returned from an RBL if the sender's IP is listed with the RBL provider. Note: Multiple lookup values may be entered, separated by a comma.
  • Enable Spool Filtering - When enabled, the weight assigned for the spam check is added to the message and used as part of its overall spam score. SmarterMail then handles the message based on the spam settings configured for a domain.
  • Enable Incoming SMTP blocking - This option is used in conjunction with the SMTP Blocking settings configured in Antispam Options. When enabled, this RBL/URIBL is counted toward the weight threshold for the blocking of incoming emails.
  • Enable for Outgoing SMTP blocking - This option is used in conjunction with the SMTP Blocking settings configured in Antispam Options. When enabled, this RBL/URIBL is counted toward the weight threshold for the blocking of outgoing emails.
  • Enable bitmap checking - Enable this option if the RBL supports bitmapping. Bitmap checking can be used for RBL’s and URIBL’s that support this kind of spam check. For example, SURBL utilizes a multi-blacklist check. For more information and documentation on the appropriate usage, please visit www.surbl.org/lists.