Spam Checks, RBL and URIBL Lists
SmarterMail comes equipped with a number of antispam features and functions that allow you to be as aggressive as you want when combating spam. Default antispam settings were configured during installation, but these settings can be modified at any time.
Due to the flexible nature of SmarterMail's antispam setup, spam checks can influence the spam decision as much or little as you want. Each spam check has one or more associated weights. When spam protection runs on an email, all enabled spam checks are performed. The total weight of all spam checks is what comprises the final spam weight for the email. A spam probability level (Low, Medium or High) is then assigned to the email using the weights configured by the System Administrator on the Filtering card of the Options tab. Based on the email's total spam weight / probability of being spam, the corresponding spam filtering action is taken.
An added benefit to SmarterMail's antispam administration is the ability to combat both inbound and outbound spam messages. Most mail servers only allow administrators to keep spam from entering the mail server. SmarterMail helps protect mail users from inbound spam and also includes the added benefit of keeping mail servers from actually sending spam, thereby helping to protect the mail server from being blacklisted.
To view and modify the spam checks for your server, log in to SmarterMail as an Administrator and click on the Settings icon. Then click on Antispam in the navigation pane. The Spam Checks, RBLs and URIBLs tabs can be used to create or modify existing spam checks and RBLs for the system.
Note: Only enabled spam checks, RBLs and URIBLs are used when calculating spam weight. To enable or disable a check, use the appropriate options in that check's configuration.
Spam Checks
The Spam Checks tab shows all non-RBL/non-URIBL checks that are performed on a message. These checks can include licensed add-ons such as Cyren and Message Sniffer, as well as standard checks such as DKIM, SPF and more. Any of these checks can be enabled or disabled for Inbound and/or Outbound SMTP, and each can be edited or removed. To edit a check, simply click it to open its settings. To add a new Spam Check, such as adding in an antispam appliance, click the New button.
SmarterMail includes several spam checks by default. Each check is described in detail, below.
In general, one or more of the following options may be available when creating a custom spam check or modifying an existing one:
- Enable Spool Filtering - When enabled, the weight assigned for the spam check is added to the message and used as part of its overall spam score. SmarterMail then handles the message based on the spam settings configured for a domain.
- Enable Inbound SMTP blocking - This option is used in conjunction with the SMTP Blocking settings configured in Antispam Options. When enabled, this spam check is counted toward the weight threshold for the blocking of inbound emails. As SMTP blocks are done at the IP level and not based on message content, some spam checks do not offer SMTP blocking. If this option is not available, then that particular spam check does not offer SMTP blocking and must rely on content filtering instead.
- Enable Outbound SMTP blocking - This option is used in conjunction with the SMTP Blocking settings configured in Antispam Options. When enabled, this spam check is counted toward the weight threshold for the blocking of outbound emails. As SMTP blocks are done at the IP level and not based on message content, some spam checks do not offer SMTP blocking. If this option is not available, then that particular spam check does not offer SMTP blocking and must rely on content filtering instead.
- Weight - The weight range available for the spam check. Each spam check may utilize unique spam weight options.
Creating Custom Rules
Email can be assigned spam weights based on the header, body text or raw content of a message. For example, the administrator can create a rule that assigns a specific spam weight to all messages containing the word "viagra" in the body text. To configure weights for custom rules, click New, then complete the following fields:
- Rule Name - The name of the rule.
- Rule Source - What you want the rule to be based on: a message's header, body text or raw content. When selecting "body text" or "raw content", you'll need to supply additional information that is applied to the Rule Text: whether the Source "contains" the information, whether a wildcard is used for a range of information or whether you want to supply a regular expression. If you select Header you will need to supply header details separately from the Rule Text.
- Rule Text - The text that will be used in conjunction with the Rule Source. For example, if you create a Rule Source based on Body, then an additional Rule Source for "Contains", the Rule Text can include words such as "Cialis", "Viagra", "male enhancement", etc.
- Weight - The amount to add to the email message's spam weight.
- Match Multiple - Enabling this allows the spam weight calculated for the rule to increase based on multiple instances of the Rule Text that's added. In general, a custom spam check based on any Rule Source will check for the FIRST instance of a word or phrase that's been added to the Rule Text and apply that weight. It doesn't matter if all of the words or phrases are found -- only the FIRST instance is counted and the weight applied. When Match Multiple is enabled, the first instance of ALL words or phrases in the Rule Source is counted and the total score is used. (NOTE: when using Body as the Rule Source, the spam check looks at both the HTML and plain text versions of a message, primarily because these versions may differ in content. As a result, the total weight may vary.)
- Enable Spool Filtering - When enabled, the weight assigned for the spam check is added to the message and used as part of its overall spam score. SmarterMail then handles the message based on the spam settings configured for a domain.
- Enable Outbound SMTP Blocking - See above for details.
Match Multiple Examples
The concept of the Match Multiple settings can get a bit confusing. Below are a couple of examples of how Match Multiple works.
Rule Source: Header
- An incoming email that contains two separate headers of "Test: Pickles" will get a weight of 20 for this spam check. ("Pickles" in the first header will trigger a weight of 10, and "Pickles" in the second header will trigger a weight of 10.)
- An incoming email that contains a single header of "Test: Pickles Pickles" will get a weight of 10 for this spam check. (The first instance of "Pickles" in the header will trigger a weight of 10.)
- An incoming email that contains a header of "Test: Pickles Pickles" and a header of "Test: Tomato" will get a weight of 20 for this spam check. (The first instance of "Pickles" in the first header will trigger a weight of 10, and the instance of "Tomato" in the second header will trigger a weight of 10.)
Rule Source: Body
- An incoming HTML + plain text email that contains "Pickles Tomato" in the message body will get a weight of 40 for this spam check. ("Pickles" in the HTML content will trigger a weight of 10, "Pickles" in the plain text content will trigger a weight of 10, "Tomato" in the HTML content will trigger a weight of 10, and "Tomato" in the plain text content will trigger a weight of 10.)
- An incoming HTML + plain text email that contains "Pickles Pickles Tomato Tomato" in the body will get a weight of 40 for this spam check. (Only the first instance of the Rule Text words in the HTML content and plain text content will trigger the weight.)
- An incoming plain text only email that contains "Pickles Tomato" in the body will get a weight of 20 for this spam check. ("Pickles" in the plain text will trigger a weight of 10, and "Tomato" in the plain text will trigger a weight of 10.)
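The counting behaviour in these examples, as an added Python sketch (not SmarterMail code). It assumes a rule on a header named "Test" with Rule Text entries "Pickles" and "Tomato" and a Weight of 10, which the examples imply but the page does not list, and it assumes case-insensitive "contains" matching.

```python
from email.message import EmailMessage

# Assumed rule, implied by the examples above but not listed on the page.
RULE_HEADER = "Test"                # header the Header rule inspects
RULE_TERMS = ("Pickles", "Tomato")  # Rule Text entries
RULE_WEIGHT = 10                    # Weight


def build(headers=(), plain=None, html=None):
    """Construct a sample message (constructed test input, not real mail)."""
    msg = EmailMessage()
    for value in headers:
        msg[RULE_HEADER] = value    # repeated assignment adds another header
    if plain is not None:
        msg.set_content(plain)
    if html is not None:
        msg.add_alternative(f"<p>{html}</p>", subtype="html")
    return msg


def sections(msg, source):
    """Each header instance, or each text part of the body, is one section."""
    if source == "header":
        return [str(value) for value in msg.get_all(RULE_HEADER, [])]
    return [part.get_content() for part in msg.walk()
            if part.get_content_maintype() == "text"
            and part.get_payload() is not None]


def rule_weight(msg, source, match_multiple):
    """Weight the custom rule adds to this message."""
    hits = 0
    for text in sections(msg, source):
        lowered = text.lower()      # assumption: matching ignores case
        # A term repeated inside one section still counts once.
        hits += sum(1 for term in RULE_TERMS if term.lower() in lowered)
    if not match_multiple:
        return RULE_WEIGHT if hits else 0   # only the first match is scored
    return hits * RULE_WEIGHT


if __name__ == "__main__":
    both = build(plain="Pickles Tomato", html="Pickles Tomato")
    print("Match Multiple on: ", rule_weight(both, "body", True))
    print("Match Multiple off:", rule_weight(both, "body", False))
```

Because the HTML and plain text parts are scored separately, the same rule can add twice the weight to a multipart message as to a plain text one, which matters when choosing the Weight for a body rule.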
Cyren Premium Antispam
The Cyren Premium Antispam add-on uses Recurrent Pattern Detection technology to protect against spam outbreaks in real time as messages are mass-distributed over the Internet. Rather than evaluating the content of messages, the Cyren Detection Center analyzes large volumes of Internet traffic in real time, recognizing and protecting against new spam outbreaks the moment they emerge. For more information, or to purchase this add-on, visit the SmarterTools website.
- Enable Spool Filtering - See above for details.
- Enable Outbound SMTP Blocking - See Creating Custom Rules for details.
- Confirmed Weight - The weight that will be assigned if the Cyren Detection Center determines the message as coming from known spam sources.
- Bulk Weight - The weight that will be assigned if the Cyren Detection Center determines the message as sent in bulk. Note: Newsletters or mailing list messages may be included in this classification.
- Suspect Weight - The weight that will be assigned if the Cyren Detection Center suspects the message may be spam because it was sent to a slightly larger than average distribution.
- Unknown Weight - The weight that will be assigned if the Cyren Detection Center is unable to determine the spam probability of a message. This should be treated similarly to a None Weight.
- None Weight - The weight that will be assigned if the Cyren Detection Center deems the message as not spam.
Declude
Declude integration allows you to use Declude products in conjunction with the SmarterMail weighting system. Declude addresses the major threats facing networks through a multi-layered defense. Configuration of Declude is done through the Declude product, so all you need to do in SmarterMail is enable the spam check and the Declude score will be included when calculating the total spam weight of a message. For more information, visit the Mail's Best Friend website, as they currently manage and support the Declude product.
- Low Spam Weight - The weight that will be assigned if Declude determines a low probability of spam.
- Medium Spam Weight - The weight that will be assigned if Declude determines a medium probability of spam.
- High Spam Weight - The weight that will be assigned if Declude determines a high probability of spam.
DKIM and DomainKeys
DomainKeys and DKIM are email authentication systems designed to verify the DNS domain of an email sender and the authenticity of a message. While they are a possible source for determining whether an email is spam or not, neither is universally adopted, so any weights assigned for failing these checks should be minimal. In addition, because the DomainKeys method has become obsolete, we recommend utilizing DKIM instead.
- Enable Spool Filtering - See above for details.
- Pass Weight - Indicates that the email sender and message integrity were successfully verified (less likely spam). The weight you set may be 0 (for no effect) or a negative number, thereby reducing the spam rating.
- Fail Weight - Indicates that the email sender and message integrity verifications failed (most likely spam). Set this to a relatively high weight, as the probability that the email was spoofed is very high.
- None Weight - Indicates that there was not a valid DomainKey/DKIM signature found to validate the sender and message integrity. Except in very special circumstances, leave this set to 0.
- Max message size to verify (MB) (0 = Unlimited) - The maximum inbound message size you want the mail server to verify.
Honey Pot
A "honey pot" spam check derives its name because implementing it can attract spammers -- or, more likely, spam bots -- like "bees to honey." Basically, a system administrator populates the honey pot spam check with email addresses that are designed to be seen by, or otherwise used by, spammers. These addresses can be commonly used addresses that spammers will automatically target such as admin@your-domain.com, info@your-domain.com, hr@your-domain.com, etc. These types of addresses are commonly targeted, but SHOULD NOT be addresses that are actually used by any user of a given domain. You don't want to add admin@your-domain.com IF that is an actual address used BY a user on that domain. In fact, any addresses added as honey pot addresses DO NOT need to be an actual account. So if you DO use admin@your-domain.com as a honey pot address, you do NOT need to add that as an actual account TO the domain. In addition, there's no limit to the number of addresses you can add. It's totally up to the system admin.
Another common way to instantiate a honey pot spam check is to add a hidden email address to a form used on a website. Spam bots can scrape email addresses from these forms, then populate spam lists that are used by, or potentially sold to, spammers. By adding in a hidden (using CSS) honey pot email address to a form, you can essentially trick these bots into scraping that email address, then block any sender who uses the address.
Regardless of HOW you set your trap, honey pots can be a simple, yet effective, way of finding, scoring and then disposing of email spam for your users as well as blocking sending IP addresses.
- Enable Spool Filtering - See above for details.
- Reject found entries at SMTP level - Enabling this will automatically reject the message prior to it being delivered if the IP of the sending mail server has already been listed. NOTE: This will occur as long as the IP is not whitelisted, is not a gateway and is not IP Bypassed.
- Pass Weight - The weight you set may be 0 (for no effect) or a negative number, thereby reducing the spam rating. (Setting negative numbers is not recommended.)
- Listed Weight - This is the weight that is assigned to a message sent from an IP address that was already part of the honey pot.
- Triggered Weight - This is the weight that is assigned to a message that is sent to one of your Honey Pot Addresses. The email address must match one in the list of Honey Pot Addresses for this weight to be added to the message.
- Honey Pot Addresses - These are the actual, full email addresses you're targeting for use by spammers. For example, generic email addresses can be used such as info@example.com or contact@example.com. These should NOT be actual email addresses that are used by anyone on any domain. Ideally, they're addresses that are general enough that spammers would target them with blanket spam attacks, but not addresses that are posted anywhere or used to actually send email. They are explicitly to be used ONLY for trapping potential spammers.
Message Sniffer
The Message Sniffer add-on is an intelligent antispam scanner that uses advanced pattern recognition and collaborative learning technologies to accurately identify spam, scams, viruses, and other email-borne malware before it gets to a user’s mailbox. For more information, or to purchase this add-on, visit the SmarterTools website.
- Enable Spool Filtering - See above for details.
- Enable Outbound SMTP Blocking - See above for details.
- Confirmed Weight - The weight that will be assigned if Message Sniffer determines the message as coming from known spam sources.
- None Weight - The weight that will be assigned if Message Sniffer deems the message is not spam.
Null Sender
A common spam technique is to send messages with missing, or "Null", sender values. That means that the message appears to come from no one, as the sender details are blank. This check allows you to assign a spam weight to messages that meet this criterion.
- Enable Spool Filtering - See above for details.
- Enable Outbound SMTP Blocking - See above for details.
- Weight - The weight assigned to messages that fail this check.
Remote SpamAssassin
SpamAssassin is a powerful, third-party open source mail filter used to identify spam, and it can easily be used alongside SmarterMail. It utilizes a wide array of tools to identify and report spam. By default, SpamAssassin will run on 127.0.0.1:783. For more information, or to download SpamAssassin, visit spamassassin.apache.org.
SmarterMail can use SpamAssassin with its weighting system:
- Enable Spool Filtering - See above for details.
- Enable Outbound SMTP Blocking - See above for details.
- Low Spam Weight - The weight that will be assigned if SpamAssassin determines a low probability of spam.
- Medium Spam Weight - The weight that will be assigned if SpamAssassin determines a medium probability of spam.
- High Spam Weight - The weight that will be assigned if SpamAssassin determines a high probability of spam.
- Client Timeout (seconds) - The timeout that SmarterMail will impose on a server if it cannot connect.
- Max Attempts per Message - The number of times SmarterMail will attempt to acquire a SpamAssassin score for an email.
- Failures Before Disable - The number of times a remote SpamAssassin server can fail before it is disabled.
- Disable Time (minutes) - The length of time before the SpamAssassin server is re-enabled.
- Header Log Level - The amount of information SpamAssassin inserts into the header of the message.
Reverse DNS
Reverse DNS checks to make sure that the IP address used to send the email has a friendly name associated with it.
- Enable Spool Filtering - See above for details.
- Enable Inbound SMTP Blocking - See above for details.
- Weight - The default weight for this spam check. If an email sender does not have a reverse DNS entry, this is the value that will be added to the message's total spam weight.
- Forward Confirm Fail Weight - Forward Confirm Reverse DNS means that a hostname has both forward and reverse DNS entries that utilize the same IP address. Using this check, SmarterMail checks the rDNS and fDNS and if there is no A record, the check fails.
- Forward Confirm Mismatch Weight - Using this check, SmarterMail checks the rDNS and fDNS and if the IPs exist, but don't match, the check fails.
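The three Reverse DNS outcomes described above, as an added Python sketch (not SmarterMail code). The outcome names, the sample DNS tables and the sample weights are constructed for illustration; the resolver functions are injectable so the logic can be exercised offline.

```python
import ipaddress
import socket


def system_ptr(ip):
    """PTR lookup through the OS resolver; None when there is no rDNS entry."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(hostname):
    """Forward lookup through the OS resolver; empty set when nothing resolves."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except OSError:
        return set()


def classify_rdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return 'no_rdns', 'forward_confirm_fail', 'forward_confirm_mismatch' or 'pass'."""
    hostname = ptr_lookup(ip)
    if not hostname:
        return "no_rdns"                      # Weight applies
    addresses = forward_lookup(hostname)
    if not addresses:
        return "forward_confirm_fail"         # PTR exists, name has no address record
    target = ipaddress.ip_address(ip)
    # Compare parsed addresses so differently written IPv6 forms still match.
    if any(ipaddress.ip_address(a.split("%")[0]) == target for a in addresses):
        return "pass"
    return "forward_confirm_mismatch"         # name resolves, but to another IP


def rdns_weight(ip, weights, **lookups):
    """Map the outcome to the weight configured for it (0 if not configured)."""
    return weights.get(classify_rdns(ip, **lookups), 0)


# Constructed sample data (documentation address ranges, not real hosts).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",
    "192.0.2.20": "ghost.example.net",
    "192.0.2.30": "relay.example.net",
}
SAMPLE_A = {
    "mail.example.net": {"192.0.2.10"},
    "relay.example.net": {"198.51.100.7"},
}
SAMPLE_WEIGHTS = {"no_rdns": 10, "forward_confirm_fail": 5,
                  "forward_confirm_mismatch": 5}


def sample_forward(hostname):
    return SAMPLE_A.get(hostname, set())


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, classify_rdns(ip, SAMPLE_PTR.get, sample_forward))
```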
SpamAssassin-Based Pattern Matching
SmarterMail includes a proprietary pattern matching engine built upon the SpamAssassin technology as part of the default installation of the product. It includes a number of spam detection techniques, including DNS-based and fuzzy-checksum-based spam detection, Bayesian filtering and more.
- Enable Spool Filtering - See above for details.
- Enable Outbound SMTP Blocking - See above for details.
- Low Spam Weight - The weight that will be assigned if the pattern matching engine determines a low probability of spam.
- Medium Spam Weight - The weight that will be assigned if the pattern matching engine determines a medium probability of spam.
- High Spam Weight - The weight that will be assigned if the pattern matching engine determines a high probability of spam.
- Header Log Level - The amount of information the pattern matching engine inserts into the header of the message.
SPF (Sender Policy Framework)
SPF is a method of verifying that the sender of an email message went through the appropriate email server when sending. Therefore, as it's verifying the sending server, SPF is set up by the sending server's System Administrator or the domain owner as a DNS record. (More information can be found at DMARC Analyzer.) As more and more companies add SPF information to their domain DNS records, this check will prevent spoofing at an increasing rate.
- Enable Spool Filtering - See above for details.
- Enable Inbound SMTP Blocking - See above for details.
- Scan From header instead of Return Path - Enabling this means the check will use the From address for the SPF check as opposed to the message's RETURN-PATH, which is where NDRs (bounce messages) are sent. Many times spammers will spoof messages by changing the From address to make it appear like a message is coming from a legitimate person/organization even though the RETURN-PATH may be for the actual source of the message. While it is possible to spoof a message's RETURN-PATH, spoofing the From address is a much more common method used by spammers.
- Pass Weight - Indicates that the email was sent from the server specified by the SPF record (more likely good mail). The weight you set may be 0 (for no effect) or a negative number, thereby reducing the spam rating.
- Fail Weight - Indicates that the email was sent from a server prohibited by the SPF record (highly likely spam). Set this to a relatively high weight, as the probability that the email was spoofed is very high.
- SoftFail Weight - Indicates that the email was sent by a server that is questionable in the SPF record. This should either be set to 0 or a low spam weight.
- Neutral Weight - Indicates that the SPF record makes no statement for or against the server that sent the email. Except in very special circumstances, leave this set to 0.
- PermError Weight - Indicates that there is a syntax error in the SPF record. Since SPF is relatively new, some domains have published improperly formatted SPF records. It is recommended that you leave this at 0 until SPF becomes more widely adopted.
- None Weight - Indicates that the domain has no published SPF record. Since SPF is relatively new, many legitimate domains do not have SPF records. It is recommended that you leave this at 0 until SPF becomes more widely adopted.
RBLs and URIBLs
RBL lists (also known as IP4R Lists) and URIBL lists are publicly accessible lists of known spammer IP addresses. These lists can be a very important part of spam protection. To attach a list, navigate to the appropriate tab and then click New. Depending on the list you’re adding, the following settings are available:
- Name - A friendly name for the list that will help you and your customers identify it.
- Description - This field allows you to store additional information about the list.
- Weight - The default weight for this spam check. If an email sender is listed with the spam list, this is the value that will be added to the message's total spam weight.
- Max Weight - The maximum weight that a single URIBL check can add to the message.
- Hostname - The hostname of the blacklist being added. For example, uribl.spameatingmonkey.net.
- Lookup Prefix - Many subscription-based RBLs and URIBLs require some type of authorization or login token to be added to the front of the RBL/URIBL. When using such a service, that token is entered here.
- Required Lookup Values - The expected value(s) returned from an RBL if the sender's IP is listed with the RBL provider. Note: Multiple lookup values may be entered, separated by a comma. These values are generally available from the RBL/URIBL provider in their setup documentation.
- Enable Spool Filtering - See above for details.
- Enable Inbound SMTP blocking - This option is used in conjunction with the SMTP Blocking settings configured in Antispam Options. When enabled, this RBL/URIBL is counted toward the weight threshold for the blocking of inbound emails.
- Enable for Outbound SMTP blocking - This option is used in conjunction with the SMTP Blocking settings configured in Antispam Options. When enabled, this RBL/URIBL is counted toward the weight threshold for the blocking of outbound emails.
- Enable bitmap checking - Enable this option if the RBL supports bitmapping. Bitmap checking can be used for RBLs and URIBLs that support this kind of spam check. For example, SURBL utilizes a multi-blacklist check. For more information and documentation on the appropriate usage, please visit www.surbl.org/lists.
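How the Hostname, Lookup Prefix, Required Lookup Values, bitmap and Max Weight settings fit together in a DNS blacklist lookup, as an added Python sketch (not SmarterMail code). The list hostnames, token, answers and weights are constructed; placing the prefix as a label directly in front of the list hostname, reading the last octet as the bitmask, and adding Weight once per listed domain are assumptions.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
BITMAP_RANGE = ipaddress.ip_network("127.0.0.0/24")


def system_resolve(name):
    """A-record lookup through the OS resolver; [] means no listing."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def rbl_query_name(ip, hostname, lookup_prefix=""):
    """IPv4 RBL query: reversed octets, optional prefix label, list hostname."""
    labels = str(ipaddress.IPv4Address(ip)).split(".")[::-1]
    return ".".join(labels + ([lookup_prefix] if lookup_prefix else []) + [hostname])


def uribl_query_name(domain, hostname, lookup_prefix=""):
    """URIBL query: the domain found in the message, then prefix and hostname."""
    labels = [domain.rstrip(".").lower()]
    return ".".join(labels + ([lookup_prefix] if lookup_prefix else []) + [hostname])


def is_listed(answers, required_values, bitmap=False):
    """Compare DNS answers with the comma-separated Required Lookup Values."""
    required = [ipaddress.IPv4Address(v.strip()) for v in required_values.split(",")]
    for raw in answers:
        answer = ipaddress.IPv4Address(raw)
        # Answers outside 127.0.0.0/8 are not listings (for example a resolver
        # that rewrites NXDOMAIN), so they must never count as a hit.
        if answer not in LOOPBACK:
            continue
        if not bitmap:
            if answer in required:
                return True
        elif answer in BITMAP_RANGE:
            bits = int(answer) & 0xFF
            if any(bits & (int(mask) & 0xFF) for mask in required):
                return True
    return False


def uribl_weight(domains, hostname, required_values, weight, max_weight,
                 bitmap=False, lookup_prefix="", resolve=system_resolve):
    """Add Weight per listed domain, capped at Max Weight."""
    total = 0
    for domain in domains:
        name = uribl_query_name(domain, hostname, lookup_prefix)
        if is_listed(resolve(name), required_values, bitmap):
            total += weight
    return min(total, max_weight)


# Constructed zone data for offline use (not answers from a real list).
SAMPLE_ZONE = {
    "a.example.uribl.example.org": ["127.0.0.2"],
    "b.example.uribl.example.org": ["127.0.0.2"],
}


def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])
```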
Copyright © SmarterTools Inc. All rights reserved.