Spam Blocker
From UntangleWiki
About Spam Blocker
Spam Blocker is an intelligent email filter that identifies spam (unsolicited bulk email) even when the spam is carried in an image. Spam Blocker is built on an open source solution, SpamAssassin. It can scan any email transported by the following protocols: SMTP, POP, or IMAP. Each protocol has its own set of controls to customize how Spam Blocker scans, manages, and notifies users of spam.
Settings
This section reviews the different settings and configuration options available for Spam Blocker.
You can quarantine all SMTP email, or you can specify that Spam Blocker quarantine spam only for specific users. For POP and IMAP email, quarantining is not available and messages cannot be blocked, because the message must be downloaded before it can be accessed. You can, however, mark POP and IMAP messages as spam.
Before You Begin: If you have web mail (POP mail), configure your email program to download that mail automatically so that Spam Blocker can scan that email:
- Download Gmail To Outlook
- Download Gmail To Eudora
- Download Yahoo Mail To Outlook
- Download Hotmail To Outlook
To configure email scanning and quarantine:
- From Spam Blocker, do one of the following:
  - If you have a local Microsoft Exchange Server, use the SMTP area. The Drop Super Spam option for SMTP drops spam that matches without processing it further.
  - If you use Outlook to download web mail, use the POP3 area.
  - If you use an IMAP email client, use the IMAP area.
- Specify how you want Untangle Server to behave:
  - Scan SMTP/POP3/IMAP. When the check box is selected, the Untangle Server scans email for spam in both directions unless a custom policy overrides these instructions.
  - Strength. Controls the sensitivity of the spam scanner. There are five possible values ranging from extreme to very low, as well as a custom score. You may wish to use a custom score if some legitimate emails are being classified as spam. Note: The value extreme means most sensitive to spam; setting the scan strength to extreme will cause the greatest percentage of your mail to be considered spam. For more information, see What should I set for strength?
  - Action. Controls what action Untangle Server takes on the message itself when the message is determined to be spam:
    - Mark. Changes the subject of the email message to start with the phrase [Spam]... Users can then set up email client filter rules to place such messages in special folders.
    - Pass. Passes the message on to the recipient, even though it was detected as spam.
    - Drop. Applies only to SMTP mail. Drops the message: the sender believes it was delivered, yet it is never forwarded to the recipient. Although neither sender nor recipient knows the message was dropped, it is still noted in the Event Log.
    - Quarantine. Applies only to SMTP mail. Quarantines the message. For more information on the operation of this feature, refer to About Quarantine. As outlined in Creating Custom Policies, outgoing mail is not quarantined by default. Note: You may also set a threshold for Super Spam handling, which discards spam messages whose test score is above that threshold instead of quarantining them.
- Add any advanced configuration options you may wish to use:
  - Add Email Headers. When the check box is selected, the Untangle Server adds information to the header of each email stating whether the email was classified as spam, its score, and the tests used for this determination.
  - Message Size Limit. Changes the maximum size of a message that will be tested. The default maximum size is 262,144 bytes. Spam is typically much smaller, as spammers rely on the sheer number of messages sent.
  - Enable tarpitting. Applies only to SMTP mail. If selected, enables the DNSBL feature, which refuses connections from email hosts that are blacklisted.
  - Close connection on scan failure. Applies only to SMTP mail. If Spam Blocker fails for any reason, this setting determines whether incoming email is allowed in without being tested or is blocked until messages can be tested.
  - Scan outbound (WAN) SMTP. Applies only to SMTP mail. Determines whether Spam Blocker tests outgoing mail as well as incoming mail.
  - CPU Load Limit. Applies only to SMTP mail. If CPU Load (as viewed at the top of your Untangle rack) exceeds this number, incoming connections are stopped until CPU load decreases. The default value is 7.
  - Concurrent Scan Limit. Applies only to SMTP mail. The maximum number of messages that can be scanned at the same time. The default value is 15.
- Click the Save button.
Next Step: To specify who should or should not manage their quarantined email or to specify who should manage distribution lists' quarantined email, go to Specifying Who Manages Quarantined Email.
Event Log
Use the following terms and definitions to understand the Spam Blocker Event Log:
- timestamp: The time the event took place.
- action: The action taken on the mail. The value depends on the mail protocol, but will contain descriptive text such as block or mark.
- client: The client IP address of the protocol client. Recall that for SMTP this is the sender of the mail, and for IMAP/POP the receiver of the mail.
- subject: The subject of the email. This may be blank if the email had no subject.
- receiver: The recipient email address of the email.
- sender: The sender of the email. Note that for spam, this is frequently blank.
- SPAM score: The score applied to the email by the spam scanner. Higher values indicate the email is more likely to be spam.
- server: The server IP address. Recall that for SMTP this is the machine receiving the email, and for IMAP/POP the machine holding the inbox.
Tarpit Event Log
Use the following terms and definitions to understand Spam Blocker's Tarpit Event Log:
- timestamp: The time the event took place.
- action: The action taken on the mail. The value depends on the mail protocol, but will contain descriptive text such as block or mark.
- sender: The sender of the email. Note that for spam, this is frequently blank.
- DNSBL server: The DNSBL server whose list matched the mail.
For more information, see What is tarpit?
Spam Blocker FAQs
Why doesn't Spam Blocker block all spam?
If you receive some spam in your email inbox, don't be alarmed. Spam Blocker is working as evidenced by the large amount of spam in the quarantine. There are two main reasons why Spam Blocker might not block all your spam:
- Spam Blocker is a player in an "arms race" against spammers.
- Field testing indicates that our pre-configured Spam Blocker settings, which are conservative in labeling email as spam, are the best fit for most businesses. However, selecting a more aggressive scan strength setting from the drop-down menu in Spam Blocker's GUI is very easy, should you find that your business requires it.
When configuring my Untangle Server to mark spam received over IMAP, the subject of the mails changes to [Spam]... only after I click on the message. Why?
Most IMAP clients first fetch summary information about emails (subject, sender) so the end user can see a preview list of messages. Only when the user selects (clicks on) the message is the actual content of the message retrieved from the server. It is then that the Untangle Server is able to scan the message. Unfortunately, some email clients do not detect the change in subject and update their preview list.
What should I set for strength?
Spam Blocker identifies spam based on hundreds of characteristics. An example characteristic is an email greeting that begins with Dear. Another example is an email that is sent with high priority. Spam Blocker does not mark an email as spam simply because an email is sent with high priority. Each characteristic is weighted, producing an overall score. Spam Blocker uses this overall score to determine the probability that the email is spam. This overall score plus a threshold (scan strength), which you can set, determines if Spam Blocker marks email as spam.
By default, Spam Blocker has a medium threshold. This threshold blocks most spam without interfering with legitimate email. If you increase the threshold above medium, Spam Blocker becomes more strict and may mark some legitimate email as spam. Untangle recommends the medium threshold because Untangle aims to achieve zero false positives; in other words, Untangle does not want to mark any email as spam if it isn't spam. Most businesses prefer this approach. However, your business might be different.
Spam Blocker gives you the ability to increase the threshold. If you want to catch clever spam that Spam Blocker does not catch at the medium threshold, and don't mind sifting through quarantined email to locate and release legitimate email, you can increase your threshold to high. Keep in mind, however, that Spam Blocker is constantly identifying new characteristics of clever spam and changes its enforcement rules constantly to keep up with spammers: spam that appears in your email inbox today might not tomorrow.
To change the threshold, go to Settings.
What is "custom" strength?
This allows you to set exactly the scan strength that is required. The lower the value, the more likely email is to be caught by the spam filter. This setting is recommended only for people in special circumstances.
What is tarpit?
Tarpit is an option in Spam Blocker. If Tarpit is checked, when an SMTP session is first caught Spam Blocker checks whether the client IP is on a DNSBL. If it is, the session is rejected; if not, the session is accepted.
This means that SMTP connections from blacklisted servers are refused outright, before they can even send email. This increases the total spam-handling capacity of a given server by quite a bit and also saves bandwidth. However, it may increase false positives, because all emails from blacklisted servers are rejected. It will NOT increase spam detection accuracy.
Tarpit events are in the Tarpit Event Log.
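The check described above, as an added example (not Untangle code): reverse the client's IPv4 octets, append the list's zone, and treat any A record as "listed". The zone name, the listed address and the dictionary resolver are constructed so the example runs offline; live_resolve shows the real-DNS variant.

```python
"""DNSBL check of the kind the Tarpit option performs when an SMTP session starts."""
import ipaddress
import socket

DNSBL_ZONE = "dnsbl.example.invalid"   # constructed; a real deployment names its list here


def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """203.0.113.7 -> 7.113.0.203.<zone>; rejects anything that is not an IPv4 address."""
    addr = ipaddress.IPv4Address(client_ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(client_ip: str, resolve, zone: str = DNSBL_ZONE) -> bool:
    """resolve(name) returns the A records for name, or [] when it does not exist (NXDOMAIN)."""
    return bool(resolve(dnsbl_query_name(client_ip, zone)))


def tarpit_decision(client_ip: str, resolve, zone: str = DNSBL_ZONE):
    """Accept or refuse the SMTP session before any mail is transferred.

    Returns (accept, event); event carries the Tarpit Event Log columns.
    A refusal costs no scanning, but every message from the listed host is
    lost, which is the false-positive risk the page warns about.
    """
    listed = is_listed(client_ip, resolve, zone)
    event = {
        "action": "block" if listed else "accept",
        "client": client_ip,
        "DNSBL server": zone if listed else None,
    }
    return (not listed), event


def live_resolve(name: str):
    """Real DNS lookup for use outside this example; NXDOMAIN -> []."""
    try:
        return [socket.gethostbyname(name)]
    except socket.gaierror:
        return []


# Constructed stand-in for DNS: only the reversed name of 203.0.113.7 exists,
# answered with the 127.0.0.x style code many lists use.
FAKE_DNS = {dnsbl_query_name("203.0.113.7"): ["127.0.0.2"]}


def fake_resolve(name: str):
    return FAKE_DNS.get(name, [])
```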
We receive tons of email. Can I adjust the maximum number of messages to be scanned at once?
For SMTP, yes. That is available in advanced configuration. The default maximum number of concurrent messages to be tested is 15. Depending on the hardware you are using, you may be able to adjust that number upwards, but raising it too high could affect your performance overall. If you want to adjust the number, try doing it in small increments, not multiples.
My CPU load is always above 7. I still need to test for spam. What do I do?
Raising the number will allow you to test for spam, but will likely also increase the CPU load. You obviously can't lower the number and still be able to scan emails. If your CPU load is that high, that's an indication that your hardware is not robust enough for your site. If your user count increased since you installed your server, or the volume of the internet traffic has increased substantially, this could be a cause. You may also have been spending as little for hardware as you could get away with. Regardless, you probably also are being impacted in other areas without realizing it. You should determine exactly what the hardware specs are on your server to determine whether you should supplement the existing hardware or replace it with something more robust.
Does Spam Blocker's underlying public rules make it less effective?
No. Actually, the openness makes it more effective; security through obscurity is not an effective way to gain security. Spam Blocker's underlying rules are public. Although it is true that public rules give smart spammers information to help them evade the rules, smart spammers can, and do, use trial-and-error techniques to figure out the rules without any public information. Even when smart spammers know the rules, they can't always evade them. Many spammers don't read the public rules and don't understand them, as evidenced by old rules that still catch a lot of spam. By making the rules public, the large community of "good guys" improves the existing rules and produces new, clever rules that spammers can't evade. Spam Blocker is constantly updating its rules, so don't disable automatic updates.
Note: If you're a savvy user, and want to add rules to Spam Blocker's underlying rules, you can contribute rules.
If an unwanted email (spam, phishing, etc.) is received for an email address that cannot be quarantined, but my rules are set to quarantine, what happens?
The Quarantinable Addresses rules take precedence over the actions for email rules. In this situation, the email would be marked rather than quarantined.
Why is blocking (or quarantining) of emails not an option for POP or IMAP?
POP and IMAP work differently than SMTP. When POP and IMAP are used, the client requests the mail when the user clicks on the email. At that point the message is downloaded from the server and scanned. Even if the application determines the message should not be passed it still must be delivered to the client because the client is waiting and will not be able to read mail unless something is delivered. As a result, only MARK is an option.
Why can't I block superspam for POP and IMAP emails like I can for SMTP?
For the same reason that you can't quarantine POP/IMAP spam. The message is not scanned until it is requested by the mail client. At that point, the message (even if it is spam) must be delivered to the client to complete the transaction.
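The action settings, the strength threshold, the Quarantinable Addresses precedence and the POP/IMAP mark-only restriction from the answers above fit together as one decision flow. The model below is an added example, not Untangle or SpamAssassin code; rule names, weights and the numeric thresholds are constructed (the page names strength levels but gives no numbers), and recipient patterns use the "*@<mycompany>" form shown under Quarantinable Addresses.

```python
"""Model of the Spam Blocker decision flow described on this page."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Tuple

# Constructed characteristics and weights; each hit adds to the overall score.
# Dyadic weights keep the sums exact for the checks below.
RULE_WEIGHTS = {
    "DEAR_GREETING": 1.5,     # greeting begins with "Dear"
    "HIGH_PRIORITY": 0.75,    # sent with high priority (never spam on its own)
    "IMAGE_ONLY_BODY": 2.0,   # the text is carried in an image
    "HTML_OBFUSCATION": 2.25,
}


@dataclass
class Settings:
    protocol: str                     # "SMTP", "POP3" or "IMAP"
    action: str                       # "Mark", "Pass", "Drop" or "Quarantine"
    threshold: float                  # scan strength as a score; lower catches more
    super_spam_threshold: Optional[float] = None   # SMTP only: drop at or above this
    quarantinable: Tuple[str, ...] = ("*",)        # Quarantinable Addresses patterns
    outbound: bool = False            # outgoing mail is not quarantined by default


def score(hits: Sequence[str]) -> float:
    """Weighted characteristics summed into the overall score."""
    return sum(RULE_WEIGHTS[h] for h in hits)


def decide(hits: Sequence[str], recipient: str, cfg: Settings):
    """Return (is_spam, verdict, score) following the page's rules."""
    s = score(hits)
    if s < cfg.threshold:
        return False, "pass", s
    if cfg.protocol != "SMTP":
        # POP/IMAP: the waiting client must receive the message, so mark only.
        return True, "mark", s
    if cfg.super_spam_threshold is not None and s >= cfg.super_spam_threshold:
        return True, "drop", s        # Super Spam is discarded, not quarantined
    if cfg.action == "Quarantine":
        listed = any(fnmatchcase(recipient, p) for p in cfg.quarantinable)
        if cfg.outbound or not listed:
            # Quarantinable Addresses take precedence: mark instead of quarantine.
            return True, "mark", s
        return True, "quarantine", s
    return True, cfg.action.lower(), s


def marked_subject(subject: str) -> str:
    """What the Mark action does to the subject line."""
    return "[Spam]... " + subject
```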
Why does the Event Log report the sender as my bank, yet it was fraudulent? Why does it not report the real sender?
One of the characteristics of phishing emails is that they use deception to change the apparent sender of an email. Although Untangle Server can detect the email as a phishing attempt, there is no way to determine the true sender.
Why is Subject (or sender) blank for some emails in the Event Log?
Not all emails (especially spam emails) have subjects. Some spammers also use tricks to cause there to be no detectable sender.
Why is mail not passing between my Exchange servers?
The Untangle Server forces Extended SMTP (ESMTP) to fall back to SMTP so that the mail in transit can be scanned. When two Exchange servers are set up such that they require ESMTP communication, all communication between them will fail. The fallback is enforced by transparently rewriting the "EHLO" command to "HELO"; the corresponding ESMTP keywords are also stripped.
This can be avoided by adding a special "No Rack" policy or a Bypass rule for communication between these two servers. To add a "Bypass Rule", go to config->networking->advanced->Bypass Rules and create a rule that describes the traffic between your two servers. To add a "No Rack" policy, enter the Policy Manager, Custom Policies, and add two policies to be processed by "No Rack": one from server A to server B on port 25, and one from server B to server A on port 25. The net effect is that any communication between these two servers will be ignored.
Can I forward my email to Untangle and then have Untangle forward the email to my mail server?
No. Untangle is a network gateway and is meant to be installed "in-line" with the traffic. Untangle does not store-and-forward mail. Untangle will transparently scan mail as it passes through it.
Can I have Untangle drop mail that is not addressed to valid users?
No. Untangle does not have a list of valid email addresses for your site. It is suggested that you configure your email server not to accept mail for invalid users. This is the default for almost all mail servers except Microsoft Exchange. The links below are instructions on how to configure your email server.
How do I stop sending Quarantine Daily Digests?
In Config > Email, you can uncheck the option for Send Daily Quarantine Digest Emails. This will prevent Quarantine Digests from being sent.
I don't send Daily Digests. How can I keep from running low on disk space?
This is generally not a problem, but if you have a small disk drive or you receive a huge volume of spam, you may need to shorten the number of days that you retain quarantined email for. This is adjustable in Config > Email.
I need to keep a Quarantine for everyone, but how do I limit who receives a Quarantine Digest?
You can decide whose spam can be quarantined, but they will receive a digest if you do that. You cannot turn the digest on or off for specific users once you have decided that they will or will not have a quarantine available.
How do I resend Quarantine Daily Digests?
You can resend digests by launching the Untangle Server's Request Quarantine Daily Digest Email window. Go to Resending Quarantined Daily Digests.
Why are users not receiving a Quarantine Daily Digest?
- The untangle server may not be configured to send email correctly. Check Config > Email
- Users might not have anything new in the quarantine. A daily digest is sent only if something new is in the quarantine.
- If this is happening for all users, make sure that you have not turned off the option for Quarantine Daily Digest delivery.
What happens to email recipients' email when those recipients are not on the quarantinable address list?
If you removed the wildcard (*) and created a quarantinable address list, Spam Blocker passes the email but marks it as [Spam] for recipients who are not on the list.
Why does my Quarantine have emails for people who don't work here?
Spammers do not discriminate: they send spam in many ways to get their message into your mailbox. Untangle simply scans email for viruses, phishing attempts and spam. It does not check whether the message is going to a valid recipient. In Config > Email > Quarantine > Quarantinable Addresses, change the Quarantinable Address from "*" to "*@<mycompany>", replacing <mycompany> with your company's domain. Only mail coming to your company will then be quarantined. Please note that spam may still come in for illegitimate email addresses that correspond to your domain name.
I have 600 messages in my quarantine. How can I go through them faster?
Look at the bottom of the Quarantine Digest. You can choose how many messages appear per page. You can set the maximum number to 25, 100, 1000 or all messages. That will help you go through them faster, but be warned. Choosing a high number causes a large web page to be loaded. Depending on how much memory your computer has available, that may cause your browser to crash...or worse.
I released an email from my Quarantine Digest. Where did it go?
It is likely that the email was captured again by Spam Blocker. To make sure this doesn't happen, go to Config > Email > Outgoing Server and note the From Address that is being used by Untangle. Add this address to Config > Email > From-Safe List. This will prevent Untangle from scanning any email being released from Quarantine Digest.
I get two copies of the Quarantine Digest. Why?
You are likely a member of an email distribution list and the quarantine is not configured properly. Let's use an example. You are a member of a list called sales@xyz.com. The list members are joebob@xyz.com, fredbob@xyz.com and bobbob@xyz.com. They all complain that they get two Quarantine Digests daily.
In the Quarantinable Forwards panel (Config > Email > Quarantine > Quarantinable Forwards), there is nothing listed. That means that each of these people gets a Quarantine Digest for their own email address as well as one for sales@xyz.com. Joe Bob is supposed to manage quarantines for the mailing list, so we should make an entry under distribution list address as sales@xyz.com and its corresponding send to address as joebob@xyz.com. That should take care of the problem. Don't forget to save your changes.
If there is a mailing list with a large number of members (hugelist@xyz.com) and you wish to have multiple people responsible for checking the quarantines, create a new email distribution list in your mail server (notsohugelist@xyz.com) that contains the email addresses for the people who have this responsibility, then set the Untangle Quarantine Forwards pair to hugelist@xyz.com and notsohugelist@xyz.com. Only those people who have the responsibility will get Quarantine Digests for the mail list.
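The two cases above (the sales@xyz.com list with and without a Quarantinable Forwards entry, and the hugelist/notsohugelist pair) worked through as an added example, not Untangle code. The membership table stands in for the mail server's distribution lists, and a digest is counted only for an address with something new in quarantine, as the page states.

```python
"""Who receives a Quarantine Digest, with and without Quarantinable Forwards."""
from typing import Dict, Iterable, List, Set


def _expand(address: str, list_members: Dict[str, List[str]]) -> List[str]:
    """The mail server expands a distribution list to its members; a mailbox is itself."""
    return list_members.get(address, [address])


def digest_recipients(new_spam_for: Iterable[str],
                      list_members: Dict[str, List[str]],
                      forwards: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return {person: quarantine addresses they receive a digest for}.

    new_spam_for: quarantine addresses that received new spam today.
    list_members: distribution list address -> member addresses (mail server side).
    forwards: Quarantinable Forwards pairs, distribution list -> send-to address.
    """
    delivered: Dict[str, Set[str]] = {}
    for address in new_spam_for:
        # A configured forward redirects the list's digest; otherwise the digest
        # is sent to the list itself and the mail server expands it to everyone.
        send_to = forwards.get(address, address)
        for person in _expand(send_to, list_members):
            delivered.setdefault(person, set()).add(address)
    return delivered


def digests_per_person(delivered: Dict[str, Set[str]]) -> Dict[str, int]:
    return {person: len(addresses) for person, addresses in delivered.items()}


# Constructed data matching the page's example.
MEMBERS = {
    "sales@xyz.com": ["joebob@xyz.com", "fredbob@xyz.com", "bobbob@xyz.com"],
    "hugelist@xyz.com": ["joebob@xyz.com", "fredbob@xyz.com", "bobbob@xyz.com", "ann@xyz.com"],
    "notsohugelist@xyz.com": ["joebob@xyz.com", "ann@xyz.com"],
}
NEW_SPAM_FOR = ["sales@xyz.com", "joebob@xyz.com", "fredbob@xyz.com", "bobbob@xyz.com"]


def sales_before_fix() -> Dict[str, int]:
    """Empty Quarantinable Forwards panel: every member gets two digests."""
    return digests_per_person(digest_recipients(NEW_SPAM_FOR, MEMBERS, {}))


def sales_after_fix() -> Dict[str, int]:
    """sales@xyz.com -> joebob@xyz.com: only Joe Bob manages the list's quarantine."""
    forwards = {"sales@xyz.com": "joebob@xyz.com"}
    return digests_per_person(digest_recipients(NEW_SPAM_FOR, MEMBERS, forwards))


def hugelist_digests() -> Dict[str, int]:
    """Forwarding to a smaller list: only its members get hugelist's digest."""
    forwards = {"hugelist@xyz.com": "notsohugelist@xyz.com"}
    return digests_per_person(digest_recipients(["hugelist@xyz.com"], MEMBERS, forwards))
```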
Why can't my off-site users get their Quarantine Digests?
The most common reason is that the Quarantine Digest has a URL that has an IP address that is private (on the LAN). They need a URL that is accessible to the public. You can set that up as follows:
- In Config > Administration > Public Address, define an IP address that is accessible on the outside. Make sure to click the Enabled button.
- In Config > Administration, make sure that Enable Outside Quarantine Viewing is checked.
- In Config > Networking > Hostname, determine if you can give a name to the Untangle Server. Enter that if appropriate. If a hostname is defined and it is resolvable on public DNS servers, check the Hostname resolves publicly box. If you wish to use a hostname and one is not available for you, you may wish to use Dynamic DNS to associate a hostname with an IP address. Refer to Configuring Untangle Server To Use Dynamic DNS for more information.