marciohumpris
Posts: 362
Score: 2
Joined: 5/1/2008
Status: offline
Hi, Sherwood. OK, you asked for it :) Here's a huge email with a reply. Hope it helps. It's an interesting topic, since IceWarp's antispam has several scenarios of usage and possible configurations. I was thinking of posting a message to discuss scenarios of usage, etc., so I will reply to your mail hoping others can participate also. IceWarp has some documents for download on their site with suggestions regarding security and antispam. I think we can ask them to possibly document the several scenarios that can be set up. My comments are marked with ***.

These are our current settings:

GENERAL/OTHER

*** Here I prefer to mark to not process outgoing messages. Also important is the setting regarding autowhitelisting (antispam mode - maybe this could be renamed to autowhitelisting to be clearer); for an ISP scenario, for example, user level is recommended (when a user sends a msg out, the recipient goes just to his whitelist). Also very important here is to activate debug + summary logging so you can understand spam marking, etc. For local users mode I like to use the 1st or last option in the drop-down menu. Finally, I like to put the minimum size to scan for spam a bit higher than 128 KB, like 512 KB. And process unknown accounts can be useful if you have backup domains where you want to scan for spam and pass messages on to another mail server.

ACTION:
Action:
(greyed) Score required to quarantine message
(Checked) Score required to classify message as spam = 3.00
(Checked) Score required to refuse message = 9
Refusal: REJECT

*** I personally would not reject messages; it seems to be against RFC. Also you can do a test: make a content filter where the score is 9.9 or higher (Merak's max. score is 10) and copy messages to some account. At least I found there are several false positives, msgs that have spam characteristics. So not sure if it's a good idea to reject messages.

1) Scenario 1 - Quarantine 0, Mark as spam 4, both set to per account access mode

This part regarding scoring is really important to be understood, and thus we have several scenarios. The one I personally use is: I set quarantine and antispam both to "Use account options" (so they can be enabled/disabled per user). What I do then is set quarantine to score 0 and mark as spam to 4 points. By default all my users have mark as spam [Possible spam]. But I tell them, if they want, they have an alternative which is quarantine. Since I set quarantine to score 0 (and I also enable challenge response inside Quarantine), if they mark just quarantine in their account, they have a challenge response system for all emails they receive. It's a system which many people dislike, but it's an intelligent solution, where the sender will be challenged just once, and since spammers rarely confirm an email, this system works. And together with autowhitelisting it's really nice, so people you send mail to do not need to do the confirmation process. The only strange thing about this scenario is IF the user marks both options, quarantine and spam marking. In my case, what would happen is from 0 to 4 it would quarantine and 4 and up it would mark as spam. But as I said, I tell users to choose one or the other.

2) Scenario 2 - The medium template setting.

This one I believe was recommended by IceWarp. You can keep both quarantine and mark as spam to "All accounts" (so you can't disable it in any account). And you set Quarantine to 3 and mark as spam to 5. In this way, Quarantine is a type of first barrier to spam marking. So from 3 to 5 points it will quarantine, and it can send a challenge email if you set quarantine to do so. 5 and up will mark as spam. The big problem IMHO when involving quarantine is that things start getting too complex. Do your users know that they have something called quarantine? That if you don't enable the challenge response, they might need to manually accept a message which is in their quarantine? If they have a spam folder, it can get confusing: they will have a quarantine folder, a spam folder... It just makes things a bit too complicated.

3) Your scenario, using just Mark as spam.

Maybe it's the most simple and easier for customers to understand... The spam folder is something important to consider. It works ONLY for IMAP and Webmail. So I've seen people set up the Spam folder on by default (in Action, if you mark the checkbox to place spam msgs in spam folders, it means it is on in all users by default), then their users are NOT AWARE of the spam folder and they use an email client. So the users believe they are "losing emails", because it goes to a spam folder which they are unaware of or they don't have access to because they use POP! The spam reports are a great solution to this, but the fact that it can only have 1 global schedule for all users can be hard. For example, if I set spam reports to be sent every hour, some users will dislike that. I've suggested for the new spam reports IceWarp is working on to be able to define a schedule on a Domain level. Anyway, the spam report is yet one more feature you have to tell your users about: how to activate it, how it works, etc.

4) There are many other scenarios.

I've seen some companies, for example, use JUST quarantine with 4 points or so. Quarantine is interesting because it lets you define a spam administrator that can manage other users' quarantine folders (I have a feature request to be able to do the same with the spam folder). So some companies that want to have someone like a secretary or IT department manage users' spam can benefit from using just Quarantine... I've seen many other scenarios. Some people do scenario #2 differently: they put mark as spam with, let's say, 4 points and quarantine with 7 points or so, so only the very probable spams are challenged.

Maybe we can think of some comparison table of all these and other scenarios and the advantages of each one. Also notice maybe the console could avoid conflicts. For example, the console lets you set the same score for both mark as spam and quarantine. But what would happen then? :) And one other suggestion I've sent is to make it clearer that one score is related to the other. If you set mark as spam 3 and quarantine 6, it will mark as spam from 3 to 6 and quarantine 6 and up. So maybe the sliders could somehow indicate this in a clearer way.

QUARANTINE: NOT Active

SPAMASSASSIN:
SpamAssassin:
(Checked) Active
(Checked) Use SURBL
(Not checked) Use SPF
(Not checked) Use Razor2
(Not checked) Use DKIM
(Not checked) Reporting

*** I also check SPF as LOW, so it scores 0.1 in case of a Soft fail. I mark Razor2; it seems to work nicely. DKIM I do not mark. Reporting is important for you to mark; it can help you better understand message scoring, along with the antispam logs. I use the first option to add SpamAssassin scores to the header. I also use the daily statistics; it can help you fine-tune your SpamAssassin (a bit more advanced), see what rules have more hits, change scores of SA tests or remove some tests, etc.

RBL:
(Checked) Active
(All checked) (possible to add more here?)

*** RBLs are present in 2 places. In Mail Service/Security you are really rejecting msgs from systems on the defined blacklists. In Security I have set zen.spamhaus.org, which AFAIK is the best DNSBL out there, and I also set up bl.spamcop.net, although I never personally liked it too much, as I myself have been wrongly blacklisted there (they work in part according to customer complaints...). But it seems to be working fine nowadays; I haven't had complaints. So I add these 2 and the first 2 checkboxes (Use DNSBL and close connections). In Security, there are more options to consider. The one that rejects msgs from domains that don't exist I would mark. The one to reject msgs without an RDNS is up to you. If you mark it you will block A LOT OF SPAM, but then again, many systems do NOT have an RDNS set up, although according to RFC they should. If you want to be on the safe side, you can make a content filter to audit all messages:

! Where rDNS (PTR) matches .+ (so this means: if there's no text, no RDNS, if it's blank)
and Where Sender is remote (here we are making sure it will go into action just for remote non-authenticated users)
and ! Where SMTP AUTH
and ! Where remote IP not 10.0.0.3;10.0.0.4 (your local IPs)
copy to some email account (Make sure the account doesn't have a size limit, to avoid bounce backs)

And later you can add Reject... This way you can see the results of RDNS before deciding to use it. Also a nice advantage, and 1 more feature request I added, is that via content filter you can customize the SMTP error. The default is "Sender must resolve". But if you make the filter, the title of the filter is shown as the error, so you can add a title like "You don't have an RDNS, check here www.yourdomain.com/rdns for info" and create some page with info about it, possibly linking to some online RDNS test, etc. I think it's worth using this option; it eliminates A LOT of spam. And you always have the bypass to create exceptions.

Now back to DNSBLs inside SpamAssassin: here I use fulldom.rfc-ignorant.org. Remember to not use much more than 3 or 4 DNSBLs, or else you can have performance issues. Also it's possible to audit blacklists: you can use IceWarp Log Analyser (new in 9.3.2) or make content filters that reject due to DNSBL and also audit the filtered/rejected messages to specific accounts.

LIVE

*** I won't go into this one as I'm still testing it, etc., and it's a service you pay extra for.

BAYESIAN:
Bayesian: (Not checked) Active

*** Bayes is not so effective nowadays. I would leave it off, or even on, but never use auto learning (creates spam/spam.db.usr), which can mess up things badly.

GREYLISTING:
(Checked) Active
Allow new session authorization after 120
Expire pending sessions after 24
Delete authorized sessions after 30
Greylisting mode: Sender
Owner mode: Email
SMTP Response (blank)

*** Sure, greylisting is really effective and I use it also with the default settings.

LEARNING RULES: None

*** This is if you want to teach Bayes, which is surely not worth the time. There are other nice features here, like the possibility of mapping a specific IMAP folder and making a white and blacklist in your IMAP, so you just drag msgs to such folders and at midnight Merak adds them to your antispam black or whitelist. But you have to map 1 by 1 (there could maybe be some feature to do this in a more automated way).

MISCELLANEOUS:
Content: (All checked)
Score HTML messages with different html and text parts 1.50
Score HTML messages with external images 1.50
Score HTML message with no text content 1.50
Score HTML messages containing embedded images 1.50
Score messages containing blank subject and blank body 1.00
Score messages delivered with no intermediary server 1.00

*** I keep them all checked. The first 3 are 1.50. The last 3 1 point. That's the default AFAIK. I believe you changed the score for embedded images to 1.5, right?

Charset:
Forbidden charsets: gb2312;big5
(Checked) Score messages with forbidden charsets: 2.00
(Checked) Score messages with missing charsets and non us-ascii characters 2.00

*** Have the same here; it's also the default. Helps to score Chinese spam, etc.

Sender: None checked

*** I mark only the middle option, Score messages where HELO does not resolve to remote IP. With the other 2 I had quite a few false positives, and they are processor intensive as noted in the F1 help.

Also, you didn't mention the Black and whitelist sections. In blacklist, I would mark both checkboxes. If you don't mark "delete messages", blacklisting won't work (unless you use Reject in Action); it will just add x points... Also you can add keywords, such as viagra, that add x points. Gotta be really careful when specifying keywords. In whitelist, I enabled it and mark the 1st (which is more strict than the second one, which just checks the domain name - the goal here is to avoid local to local msgs being marked as spam), third and last checkboxes.

One thing I'd still like to test, besides Live:
- Many systems are rejecting mail in case of SPF Hard fail. I thought of making a content filter to do the same with IceWarp and measure results.

That's it, and we also have a bunch of filters we've created to use over time, such as to reject messages with text viagra or enlarge your penis, ADSL IPs, etc. Antispam is working very nicely for us, and I've tried to find ways to audit it somehow, but it's not easy. Maybe the best method is to check your own account and see how many false positives, false negatives, etc. you get. The statistics in IceWarp (Status/statistics) are also useful, although they show data just for the time in which SMTP is up... And now IceWarp Log Analyser also has some interesting features that can help understand antispam's effectiveness.

Hope it helps. I'm really interested in discussing the usage scenarios; if anyone has any tips or uses IceWarp's antispam in a different way, please reply with details :)

regards,
Marcio
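The threshold interplay the post describes (the lower of the quarantine/spam thresholds applies up to the higher one, refusal wins above its own score, each action can be disabled per account) and the intent of the rDNS audit content filter, as an added Python example that is not from the post or from IceWarp. It implements the rule exactly as Marcio states it and assumes the real product behaves that way; the Thresholds and Envelope names and the 203.0.113.x sample addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption (taken from the post, not verified against IceWarp itself): with
# both actions enabled, the lower threshold applies up to the higher one and
# the higher one from there on; "score required to refuse" wins overall.

@dataclass
class Thresholds:
    quarantine: Optional[float]      # None = quarantine disabled for this account
    spam: Optional[float]            # None = spam marking disabled for this account
    refuse: Optional[float] = None   # None = refusal turned off


def classify(score: float, t: Thresholds) -> str:
    """Return refuse / quarantine / spam / deliver for one message score."""
    if t.refuse is not None and score >= t.refuse:
        return "refuse"
    enabled = [(thr, name) for name, thr in
               (("quarantine", t.quarantine), ("spam", t.spam)) if thr is not None]
    if len(enabled) == 2 and enabled[0][0] == enabled[1][0]:
        # The console accepts equal scores, but the post leaves the outcome open.
        raise ValueError("quarantine and spam thresholds are equal: outcome undefined")
    action = "deliver"
    for thr, name in sorted(enabled):          # ascending threshold
        if score >= thr:
            action = name                      # highest reached threshold wins
    return action


@dataclass
class Envelope:
    remote_ip: str
    ptr: str          # reverse DNS name of the connecting IP, "" if none
    is_remote: bool   # sender is not a local account
    smtp_auth: bool   # session authenticated with SMTP AUTH


def rdns_audit_match(env: Envelope, local_ips: set) -> bool:
    """Intent of the audit content filter: unauthenticated remote senders
    outside the local IP list whose connecting IP has no PTR record."""
    return (env.ptr == "" and env.is_remote and not env.smtp_auth
            and env.remote_ip not in local_ips)


if __name__ == "__main__":
    # Constructed sample: scenario 2 thresholds, RFC 5737 documentation IPs.
    t = Thresholds(quarantine=3.0, spam=5.0, refuse=9.0)
    print([(s, classify(s, t)) for s in (2.0, 4.0, 6.0, 9.5)])
    print(rdns_audit_match(Envelope("203.0.113.7", "", True, False), {"10.0.0.3", "10.0.0.4"}))
```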