Spam & Phishing FAQs

From UntangleWiki



Why doesn't Spam Blocker block all spam?

If you receive some spam in your email inbox, don't be alarmed. Spam Blocker is working, as the volume of spam in the quarantine shows. There are two main reasons why Spam Blocker might not block all of your spam:

  • Spam Blocker is a player in an "arms race" against spammers: spammers keep changing their messages to slip past the current rules, and the rules catch up afterwards, so some new spam always gets through for a while.
  • Field testing indicates that the pre-configured Spam Blocker settings, which are conservative about labeling email as spam, are the best fit for most businesses. If your business needs more, selecting a more aggressive scan strength from the drop-down menu in Spam Blocker's GUI is easy; expect more legitimate mail to be flagged as spam in return.

Does Spam Blocker's underlying public rules make it less effective?

No. The openness actually makes it more effective; security through obscurity is not an effective way to gain security. Spam Blocker's underlying rules are public. It is true that public rules give smart spammers information that helps them work out how to evade the rules, but smart spammers can, and do, use trial-and-error techniques to figure out the rules without any public information. Even when smart spammers know the rules, they can't always evade them. Many spammers don't read the public rules, or don't understand them, as evidenced by old rules that still catch a lot of spam. By making the rules public, the large community of "good guys" improves the existing rules and produces new, clever rules that spammers find hard to evade. Spam Blocker is constantly updating its rules, so don't disable automatic updates.

Note: If you're a savvy user, and want to add rules to Spam Blocker's underlying rules, you can contribute rules.

If an unwanted email (spam, phishing, etc.) is received for an email address that cannot be quarantined, but my rules are set to quarantine, what happens?

The Quarantinable Addresses rules take precedence over the actions in the email rules. In this situation the email is marked rather than quarantined, and it is delivered to the recipient with the mark in the subject.

Why is blocking (or quarantining) of detected spam/phishing emails not always an option?

By the design of the protocols, only SMTP email can be blocked, and therefore quarantined. SMTP is the protocol by which a message is handed from one mail server to the next, so the Untangle Server, sitting in that path, can refuse the message before the receiving server accepts it. POP and IMAP are retrieval protocols: the message already sits in the user's mailbox on the mail server and the protocol only fetches it, so Untangle cannot block or quarantine it. Such mail is delivered to the user's mailbox and can only be marked. See the FAQ items on IMAP below for more information on this subject.

When configuring my Untangle Server to mark spam or phishing emails received over IMAP, the subject of the mails changes to [Spam]... or [PHISH]... only after I click on the message. Why?

Most IMAP clients first fetch summary information about emails (subject, sender) so the end user can see a preview list of messages. Only when the user selects (clicks on) a message is its actual content retrieved from the server, and only then is the Untangle Server able to scan the message and rewrite its subject. Unfortunately, some email clients do not detect that the subject has changed and keep showing the original subject in their preview list.

Why does the Event Log report the sender as my bank, yet it was fraudulent? Why does it not report the real sender?

One of the characteristics of phishing emails is that they use deception to change the apparent sender of an email: the From header is written by whoever sends the message and can carry any name or address, including your bank's. Although Untangle Server can detect the email as a phishing attempt, there is no reliable way to determine the true sender from the message, so the Event Log reports the sender the message claims to have.
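As an added illustration (not part of the original wiki page and not Untangle's code), the following Python snippet parses a constructed phishing message and shows what the From header claims next to the transport-level clues that the Event Log does not show. All addresses and host names in it are made up.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real capture. The From header impersonates a
# bank; Return-Path and the Received line added by the receiving MX show
# the message actually arrived from an unrelated host. Every name and
# address here is made up for illustration.
SAMPLE_PHISH = """\
Return-Path: <bounce-8812@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.45])
        by mx.customer.example (Postfix) with SMTP id 4F2A1
        for <alice@customer.example>; Mon, 01 Jan 2024 10:00:00 +0000
From: "Example Bank Security" <alerts@bank.example>
To: alice@customer.example
Subject: Action required: verify your account

Please log in at the link below to confirm your details.
"""


def _domain(addr):
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_summary(raw):
    """Compare the claimed sender (From header, which is what a log shows)
    with the envelope sender (Return-Path) and the first hop recorded by
    our own MX."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    received = msg.get_all("Received") or []
    # Only the topmost Received header was written by our MX; anything
    # below it came with the message and may itself be forged.
    first_hop = " ".join(received[0].split()) if received else ""
    from_domain, rp_domain = _domain(from_addr), _domain(return_path)
    return {
        "display_name": display_name,
        "from_address": from_addr,
        "return_path": return_path,
        "from_matches_return_path": bool(from_domain) and from_domain == rp_domain,
        "first_hop": first_hop,
    }


if __name__ == "__main__":
    for key, value in sender_summary(SAMPLE_PHISH).items():
        print(f"{key}: {value}")
```

A From/Return-Path mismatch is a strong hint, not proof: forwarded and mailing-list mail legitimately carries a different Return-Path, and any Received header below the one your own MX added is under the sender's control. That is why the log can only show what the message claims.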

Why is Subject (or sender) blank for some emails in the Event Log?

Not all emails (especially spam) have a subject, and some spammers deliberately omit or mangle the sender header so that no sender can be extracted from the message.

Why is mail not passing between my Exchange servers when I enable Spam Blocker, Phish Blocker, or Virus Blocker scanning on SMTP?

The Untangle Server forces Extended SMTP (ESMTP) sessions to fall back to plain SMTP so that the messages in transit can be scanned. It does this by transparently rewriting the client's "EHLO" command to "HELO" and stripping the ESMTP extension keywords from the server's response. When two Exchange servers are set up such that they require ESMTP features from each other, every delivery between them fails, because neither side ever sees the other advertise the extensions it insists on.

This can be avoided by adding a special policy for the traffic between these two servers. To do so, open the Policy Manager, go to Custom Policies and add two policies to be processed by "No Rack": one from server A to server B on port 25, and one from server B to server A on port 25. The net effect is that any communication between these two servers is passed through by the Untangle Server without being scanned, so keep the policy limited to those two addresses.
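An added Python simulation of the EHLO-to-HELO downgrade described above (illustrative code, not Untangle's implementation). The host names, the capability list that server B advertises, and the assumption that the Exchange client side insists on seeing STARTTLS are all made up for the example.

```python
# Simulated SMTP greeting exchange between two mail servers, with and
# without a transparent proxy that downgrades ESMTP to SMTP. Host names
# and the capability list are constructed examples, not a real capture.

SERVER_NAME = "mail-b.example"
# Extensions server B would advertise in reply to EHLO (sample list).
SERVER_CAPABILITIES = ["PIPELINING", "SIZE 52428800", "STARTTLS", "8BITMIME"]


def server_reply(command):
    """Server B's reply to a greeting command, as a list of reply lines."""
    verb, _, _arg = command.rstrip("\r\n").partition(" ")
    verb = verb.upper()
    if verb == "EHLO":
        # Multi-line 250 reply: "250-" on continuation lines, "250 " on the last.
        lines = ["250-" + SERVER_NAME]
        lines += ["250-" + cap for cap in SERVER_CAPABILITIES[:-1]]
        lines.append("250 " + SERVER_CAPABILITIES[-1])
        return lines
    if verb == "HELO":
        return ["250 " + SERVER_NAME]   # plain SMTP: no extension list at all
    return ["500 5.5.1 Command unrecognized"]


def downgrade_command(line):
    """What the proxy does to client commands: EHLO becomes HELO."""
    verb, sep, arg = line.rstrip("\r\n").partition(" ")
    if verb.upper() == "EHLO":
        return "HELO" + sep + arg + "\r\n"
    return line


def strip_extensions(reply_lines):
    """What the proxy does to server replies: collapse a multi-line 250
    capability list to a single 250 line so no ESMTP keyword gets through."""
    first = reply_lines[0]
    if first.startswith("250-"):
        return ["250 " + first[4:]]
    return reply_lines


def advertised_capabilities(reply_lines):
    """Keywords a client sees in the greeting reply (line 1 is the host name)."""
    return {line[4:].split(" ", 1)[0].upper() for line in reply_lines[1:]}


def negotiate(required, through_untangle):
    """Client A greets server B and checks that every extension it
    requires was advertised, as a server configured to require ESMTP
    features does before it will send mail."""
    command = "EHLO mail-a.example\r\n"
    if through_untangle:
        command = downgrade_command(command)
    reply = server_reply(command)
    if through_untangle:
        reply = strip_extensions(reply)
    caps = advertised_capabilities(reply)
    missing = sorted(set(required) - caps)
    return {"sent": command.strip(), "advertised": sorted(caps),
            "missing": missing, "ok": not missing}


if __name__ == "__main__":
    print("direct:      ", negotiate(["STARTTLS"], through_untangle=False))
    print("via Untangle:", negotiate(["STARTTLS"], through_untangle=True))
```

You can check the same thing by hand: open a connection from server A to server B on port 25 with telnet and send EHLO. If the answer is a single 250 line with no keywords, the downgrade is in effect and the session is running as plain SMTP.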

How do I enable end-users to manage their own Quarantined email?

You must configure Spam Blocker to send users a Quarantine Daily Digest. Go to Specifying Who Manages Quarantined Email.

How do I resend Quarantined Daily Digests?

You can resend digests by launching the Untangle Server's Request Quarantine Daily Digest Email window. Go to Resending Quarantined Daily Digests.

Why are users not receiving a Quarantine Daily Digest?

  • Users might not be receiving spam, so nothing is quarantined for them and no digest is generated.

What happens to email recipients' email when those recipients are not on the quarantinable address list?

If you removed the wildcard (*) and created a quarantinable address list as discussed in Configuring Email Scanning and Quarantine, Spam Blocker passes email to recipients that are not on the list but marks it as [Spam] instead of quarantining it.

What is tarpit?

Tarpit is an option in Spam Blocker. If Tarpit is checked, Spam Blocker checks the client IP against the configured DNSBLs as soon as an SMTP session is established. If the IP is listed, the session is rejected; if not, the session is accepted.

This means that SMTP connections from blacklisted servers are refused outright before they can even send an email. This considerably increases the amount of mail a given server can handle and also saves bandwidth, since rejected messages are never transferred or scanned. However, it may increase false positives, because every email from a listed server is rejected, including legitimate mail from a host that happens to be on a blacklist; the sender gets a rejection rather than the message landing in the quarantine.

Tarpit events are recorded in the DNSBL Event Log.

Disabling Tarpit does not disable DNSBL usage; it only disables the preemptive check at session initiation. The DNSBLs are still consulted during scanning, and a positive hit increases the spam score. Tarpitting does not significantly affect your spam-catching effectiveness; it slows down the sender and saves resources such as CPU and bandwidth.
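An added Python sketch (not Untangle's code) of the Tarpit decision described above. The DNSBL zone name, the score added for a hit, and the listed addresses are assumptions; the resolver is injectable so the sample runs offline against a constructed answer table.

```python
import ipaddress
import socket

DNSBL_ZONE = "zen.spamhaus.org"   # assumed zone; Spam Blocker's own DNSBL list is set in its GUI
DNSBL_SCORE = 3.0                 # assumed score contribution for a positive hit at scan time

# Spamhaus-style DNSBLs answer inside 127.0.0.0/8 for a listing, but use
# 127.255.255.x to signal query problems (bad zone name, open resolver,
# too many queries). Those answers must not be treated as listings.
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")
ERROR_NET = ipaddress.IPv4Network("127.255.255.0/24")


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNSBL lookup name: the client's dotted quad reversed, under the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname, zone=DNSBL_ZONE):
    """True only for a real listing; NXDOMAIN and error codes count as not listed."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_query_name(ip, zone)))
    except socket.gaierror:
        return False                      # NXDOMAIN: the address is not listed
    return answer in LISTED_NET and answer not in ERROR_NET


def on_session_start(client_ip, tarpit, resolve=socket.gethostbyname):
    """Tarpit on: refuse a listed client before it can send anything.
    Tarpit off: accept the session; a hit only adds to the spam score later."""
    listed = is_listed(client_ip, resolve)
    if tarpit and listed:
        return {"action": "reject",
                "reply": "554 5.7.1 Client host blocked by DNSBL",
                "score_bonus": 0.0}
    return {"action": "accept",
            "reply": "220 mx.example ESMTP",
            "score_bonus": DNSBL_SCORE if listed else 0.0}


# Constructed offline resolver: one listed client, one error-code answer,
# everything else NXDOMAIN. The addresses are documentation ranges.
FAKE_ANSWERS = {
    dnsbl_query_name("203.0.113.7"): "127.0.0.2",          # listed
    dnsbl_query_name("198.51.100.9"): "127.255.255.254",   # query error, not a listing
}


def fake_resolve(name):
    try:
        return FAKE_ANSWERS[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.1"):
        print(ip, "tarpit on: ", on_session_start(ip, True, fake_resolve))
        print(ip, "tarpit off:", on_session_start(ip, False, fake_resolve))
```

With Tarpit off, a listed sender is still accepted and its mail is scanned, so a legitimate message from a listed host can still reach the inbox or the quarantine; with Tarpit on, it is refused at connect time with a 5xx and never reaches the scanner at all.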
