Spam Blocker Lite
From UntangleWiki
About Spam Blocker Lite
Spam Blocker Lite is an intelligent email filter that identifies spam (unsolicited bulk email). It leverages technology from the SpamAssassin project. It can scan any email that is transported via SMTP, POP, or IMAP. Each protocol has a set of controls to customize how Spam Blocker Lite scans, manages, and notifies users of spam.
Settings
This section reviews the different settings and configuration options available for Spam Blocker Lite.
SMTP
These settings apply only to the SMTP protocol.
- Scan SMTP: This enables or disables SMTP scanning.
- Strength: If the Spam Score of a message is equal to or greater than this setting, your chosen action will be taken on the message. Higher values make Spam Blocker Lite more sensitive to spam.
  - For more information, see What should I set for strength? in the FAQs below.
- Action: The action taken on the message if the Spam Score is high enough.
  - If set to Mark, "[Spam]..." will be prepended to the email subject line and it will be delivered. If set to Pass, the message will be delivered as originally sent. Drop will inform the sending server the mail was successfully delivered, but Untangle will drop the mail so it is never delivered. Quarantine will send the mail to users' email quarantine for them to release or delete as they see fit. For more information, refer to Quarantine.
- Drop Super Spam: If this option is enabled, any emails with a score greater than the Super Spam Score will be dropped.
- Super Spam Score: The score emails must reach to be dropped as Super Spam.
- Advanced SMTP Configuration:
  - Enable tarpitting: This option enables Tarpit. More information is available below in the FAQs.
  - Add email headers: When enabled, Untangle adds information about the Spam Score and the tests run to get that score to the headers of the message.
  - Close connection on scan failure: This option will close the connection if the scan fails so the message will be retested. If disabled, a scan failure will allow the email to be delivered without being scanned.
  - Scan outbound (WAN) SMTP: This option enables scanning of outbound mail rather than just incoming mail.
  - CPU Load Limit: If your CPU Load exceeds this number, incoming connections are stopped until the load decreases.
  - Concurrent Scan Limit: This is the maximum number of messages that can be scanned at the same time.
  - Message Size Limit: This option allows you to change the maximum size of a message that will be scanned for spam. The default maximum size is 256KB. Spam will typically be much smaller, as spammers rely on the sheer number of messages sent. Please note this does not control the message size limit of messages passed through Untangle. This does not affect the maximum size of message your server will accept, only the limit on the size of message that will be checked for spam.
POP and IMAP
The settings under each heading apply only to that protocol. They are grouped here together because emails transferred using these protocols cannot be quarantined due to how these protocols operate, only marked or dropped.
- Scan POP3/IMAP: This enables or disables scanning of the respective protocols.
- Strength: If the Spam Score of a message is equal to or greater than this setting, your chosen action will be taken on the message. Higher values make Spam Blocker Lite more sensitive to spam.
  - For more information, see What should I set for strength? in the FAQs below.
- Action: The action taken on the message if the Spam Score is high enough.
  - If set to Mark, "[Spam]..." will be prepended to the email subject line and it will be delivered. If set to Pass, the message will be delivered as originally sent.
- Advanced POP3/IMAP Configuration:
  - Add email headers: When enabled, Untangle adds information about the Spam Score and the tests run to get that score to the headers of the message.
  - Message Size Limit: This option allows you to change the maximum size of a message that will be scanned for spam. The default maximum size is 256KB. Spam will typically be much smaller, as spammers rely on the sheer number of messages sent. Please note this does not control the message size limit of messages passed through Untangle.
Event Logs
Use the following terms and definitions to understand the Event Logs:
Event Log
| Name | Description |
|---|---|
| Timestamp | The time the event took place. |
| Receiver | The email address of the recipient. |
| Sender | The email address of the sender - for spam, this is often blank. |
| Subject | The subject of the email. |
| Action | The action taken on the email. An explanation of all actions is available in the FAQs below. |
| Spam Score | The score given to the email after running tests to detect its spam status. |
| Client | The IP address of the client that made the request. |
| Server | The IP address of the server that received the request. |
Tarpit Event Log
| Name | Description |
|---|---|
| Timestamp | The time the event took place. |
| Action | The action taken on the email. |
| Sender | The email address of the sender - for spam, this is often blank. |
| DNSBL server | The DNSBL server which has the sending server listed as a spammer. |
Related Topics
Spam Blocker Lite FAQs
What's the difference between Spam Blocker and Spam Blocker Lite?
Both Spam Blocker and Spam Blocker Lite are based on the SpamAssassin project; however, Spam Blocker also integrates Commtouch Anti-Spam to improve detection rates.
Why doesn't Spam Blocker block all spam?
There are two main reasons why Spam Blocker might not block all your spam:
- Spam Blocker is a player in an "arms race" against spammers - new techniques are found to get around filters, which are then updated to catch these new methods. No product can reliably block 100% of spam.
- Field testing indicates that our pre-configured Spam Blocker settings, which are conservative in marking email as spam, are a good fit for most organizations. Selecting a more aggressive scan strength setting from the drop-down menu in Spam Blocker is very easy if you'd like; just remember you may get more false positives.
What should I set for Strength?
Spam Blocker identifies spam based on hundreds of characteristics. Some example characteristics are emails that begin with Dear, or emails sent with High Priority. Spam Blocker does not mark an email as spam simply because it is sent with high priority; each characteristic is weighted, producing an overall score. Spam Blocker uses this overall score to determine the probability that the email is spam. This overall score is compared to your Strength setting to determine if an email is considered spam.
Spam Blocker's default Strength (Medium) blocks most spam without interfering with legitimate email. If you increase the setting above Medium, Spam Blocker becomes more strict, thereby marking some legitimate email as spam. If you want to catch more spam than is caught with Medium strength and users don't mind sifting through quarantined email to release legitimate email, you can increase your Strength to a higher or custom setting. Keep in mind that Spam Blocker is constantly identifying new characteristics of spam, and so Spam Blocker changes its enforcement rules constantly to keep up with spammers. Spam that appears in your email inbox today may just be caught tomorrow.
What is tarpit?
If tarpit is enabled, when an SMTP session is first caught Spam Blocker will check if the client IP is on a DNSBL. If it is, the session is rejected before the remote server can even send the email. This increases the capacity of a given server by quite a bit and can also save bandwidth, but it can increase false positives if the remote email server has mistakenly been put on a blacklist. This setting will not increase spam scanning accuracy.
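The DNSBL check described above, sketched as an added example (not Untangle's code): the client IP is reversed, appended to the list's zone, and looked up as an A record, with an answer in 127.0.0.0/8 meaning "listed" (the RFC 5782 convention). The zone `dnsbl.example`, the fail-open choice on resolver errors, and all function names are assumptions; the example also covers IPv6 clients, which the text does not mention.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here (RFC 5782)

def dnsbl_query_name(client_ip, zone):
    """Name to look up: reversed IPv4 octets or IPv6 nibbles, then the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def system_resolve(name):
    """Real lookup: A records for name, [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts and server failures stay errors (gaierror is an OSError)

def tarpit_decision(client_ip, zone, resolve=system_resolve):
    """Return (action, detail) for a new SMTP session from client_ip."""
    name = dnsbl_query_name(client_ip, zone)
    try:
        answers = resolve(name)
    except OSError as exc:
        # Assumption: fail open so a DNSBL outage does not reject all mail.
        return ("accept", "lookup failed: %s" % exc)
    listed = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    if listed:
        return ("reject", "%s -> %s" % (name, listed[0]))
    return ("accept", "not listed")

# Constructed zone data for an offline run; dnsbl.example is a placeholder zone.
FAKE_ZONE = {"10.2.0.192.dnsbl.example": ["127.0.0.2"]}

def fake_resolve(name):
    if name.endswith(".down.example"):
        raise OSError("resolver timeout")
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, tarpit_decision(ip, "dnsbl.example", fake_resolve))
```

When a legitimate sender reports rejected mail, running the same lookup by hand against the DNSBL server shown in the Tarpit Event Log confirms whether the listing is the cause.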
How can I tell why an email was scored the way it was?
You'll need to take a look at the scoring - you can turn on Add email headers, which will write the spam tests into the headers, or take a closer look at /var/log/mail.info on the command line - when you have a list of tests, you can look up more information on them here.
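As an added example (not part of the original page), this is one way to pull the score and the list of tests out of a delivered message once Add email headers is on. It assumes the header follows SpamAssassin's stock `X-Spam-Status` layout; the header name Untangle actually writes, the sample message, and the function name are assumptions.

```python
import re
from email import message_from_string

# Constructed sample message; the header is folded across lines as mail
# servers commonly do with long headers.
SAMPLE = (
    "From: sender@example.com\n"
    "To: user@example.org\n"
    "Subject: [Spam] Dear friend\n"
    "X-Spam-Status: Yes, score=6.1 required=4.3\n"
    "\ttests=DEAR_FRIEND,HTML_MESSAGE,\n"
    "\tX_PRIORITY_HIGH autolearn=no\n"
    "\n"
    "body\n"
)

def parse_spam_status(raw_message, header="X-Spam-Status"):
    """Return verdict, score, threshold and tests, or None if not scanned."""
    value = message_from_string(raw_message).get(header)
    if value is None:
        # Headers disabled, or the message was passed without scanning
        # (oversize, outbound or safelisted mail).
        return None
    m = re.match(r"\s*(Yes|No)\s*,\s*(.*)", value, re.S | re.I)
    if not m:
        raise ValueError("unrecognised %s value: %r" % (header, value))
    # Re-join a test list that was folded after a comma, then split key=value.
    rest = re.sub(r",\s+", ",", m.group(2))
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    score, required = float(fields["score"]), float(fields["required"])
    tests = [t for t in fields.get("tests", "").split(",") if t and t != "none"]
    return {
        "flagged": m.group(1).lower() == "yes",
        "score": score,
        "required": required,
        # Spam when the score is equal to or greater than the threshold.
        "threshold_met": score >= required,
        "tests": tests,
    }

if __name__ == "__main__":
    print(parse_spam_status(SAMPLE))
```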
We receive tons of email. Can I adjust the maximum number of messages to be scanned at once?
Yes, but this option is only available for SMTP. The default is 15; depending on the hardware you are using you may be able to adjust that number upwards, but raising it too high could affect overall performance. If you want to adjust the number, try doing it in small increments rather than multiples.
My CPU load is always above 7. I still need to test for spam. What do I do?
Raising the number will allow you to test for spam, but will likely also increase the CPU load. If your CPU load is that high, that's an indication that your hardware may not be robust enough for your site. If your user count increased since you installed your server, or the volume of the internet traffic has increased substantially, this could be a cause. You may also have been spending as little for hardware as you could get away with. Regardless, you probably also are being impacted in other areas without realizing it. You should determine exactly what the hardware specs are on your server to determine whether you should supplement the existing hardware or replace it with something more robust.
Do Spam Blocker's underlying public rules make it less effective?
No. Although it is true that public rules provide smart spammers information to help determine how to evade the rules, smart spammers can, and do, use trial-and-error techniques to figure out the rules - without any public information. Even when smart spammers know the rules, they can't always evade them. Many spammers don't read the public rules, and don't understand them as evidenced by old rules that still catch a lot of spam. By making the rules public, the large community of "good guys" improves the existing rules and produces new, better rules that spammers can't evade. Spam Blocker is constantly updating its rules, so don't disable automatic updates. If you're a savvy user and want to add to Spam Blocker's underlying rules, you can contribute here.
When marking IMAP messages, the subject of the mails changes to [Spam]... only after I click on the message. Why is this?
Most IMAP clients first fetch summary information about emails (subject, sender) so the end user can see a preview list of messages. Only when the user selects the message is the actual content of the message retrieved from the server. It is then that Untangle is able to scan the message. Unfortunately some email clients do not detect the change in subject and update their preview list.
Why do emails with larger attachments sometimes disappear or never get delivered?
While Untangle is scanning attachments your email server is still waiting for the message, which can trigger a timeout setting. If you're using Exchange, you can try increasing the ConnectionInactivityTimeout setting.
What do the Event Log Actions for Spam Blocker mean?
- Pass message - The message was determined to not be spam and was passed.
- Mark message - The message was determined to be spam and marked.
- Block message - The message was determined to be spam and blocked (silently dropped).
- Quarantine message - The message was determined to be spam and quarantined.
- Pass Safelist message - The message was passed because the sender was on the user's or global safe pass-list.
- Pass Oversize message - The message was passed without being scanned because it was over the spam size limit.
- Pass Outbound message - The message was passed without being scanned because it was outbound (WAN-bound).


