Spam Blocker FAQs

From Edge Threat Management Wiki - Arista

What's the difference between Spam Blocker and Spam Blocker Lite?

Both Spam Blocker and Spam Blocker Lite are based on the SpamAssassin project. Spam Blocker additionally integrates a commercial spam engine to boost and improve detection rates.

Why doesn't Spam Blocker block all spam?

There are two main reasons why Spam Blocker might not block all your spam:

  • Spam Blocker is a player in an "arms race" against spammers - new techniques are found to get around filters, which are then updated to catch these new methods. No product can reliably block 100% of spam.
  • Field testing indicates that our pre-configured Spam Blocker settings, which are conservative about marking email as spam, are a good fit for most organizations. Selecting a more aggressive scan strength from the drop-down menu in Spam Blocker is easy if you'd like; just remember that you may get more false positives.

What should I set for strength?

Spam Blocker identifies spam based on hundreds of characteristics. Example characteristics are emails that begin with "Dear" or emails sent with High Priority. Spam Blocker does not mark an email as spam simply because it is sent with high priority; each characteristic is weighted, and the weights add up to an overall score. Spam Blocker treats this overall score as the probability that the email is spam, and compares it to your Strength setting to decide whether the email is considered spam.

Spam Blocker's default Strength (Medium) blocks most spam without interfering with legitimate email. If you increase the setting above Medium, Spam Blocker becomes more strict thus catching more spam but also increasing the chance of incorrectly flagging legitimate email as spam (a "false positive"). If you want to catch more spam than is caught with Medium strength and users don't mind sifting through quarantined email to release legitimate email, you can increase your strength to a higher or custom setting. If your organization just wants to cut out most spam, but not have to deal with false positives, then Low may be a better setting.

How can I tell why an email was scored the way it was?

You'll need to look at the scoring: turn on Add email headers, which writes the spam tests and the score into the message headers, or look at the logs under /var/log/ on the command line. Once you have the list of tests, you can look up what each one checks in the SpamAssassin test documentation.
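The following is an added example, not code from the wiki or the product. It reads the headers that "Add email headers" produces, in the X-Spam-Status layout SpamAssassin uses (verdict, score, required threshold and the comma-separated tests list, which SpamAssassin folds across lines), and then shows how the same score lands on either side of different Strength thresholds, which is the point of the "What should I set for strength?" question above. The sample message, the test names and the three threshold values are constructed for illustration; the score each Strength level actually maps to is an assumption here, not a documented value.

```python
import re
from email import message_from_string, policy

# Constructed sample: a message as it would look after "Add email headers" has run.
# The header layout follows SpamAssassin's X-Spam-Status convention (the tests list
# is folded across lines, as SpamAssassin does); the test names and the score are
# illustrative, not output from a real scan.
SAMPLE_MESSAGE = """\
From: promo@example.net
To: alice@example.com
Subject: Dear customer, your account
X-Priority: 1 (Highest)
X-Spam-Flag: YES
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.8 required=4.3 tests=DEAR_SOMETHING,HTML_MESSAGE,
\tMISSING_MID,PRIORITY_NO_NAME,RCVD_IN_PBL autolearn=no version=3.4.2

Dear customer, please verify your account.
"""

STATUS_RE = re.compile(
    r"^(?P<flag>Yes|No),\s*score=(?P<score>-?\d+(?:\.\d+)?)\s+"
    r"required=(?P<required>-?\d+(?:\.\d+)?)\s+tests=(?P<tests>[\w,]*)"
)


def parse_spam_status(raw_message: str) -> dict:
    """Return the verdict, score, threshold and the list of tests that fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    value = msg.get("X-Spam-Status")
    if value is None:
        raise ValueError("no X-Spam-Status header: is 'Add email headers' enabled?")
    # Unfold the header, then close the gaps SpamAssassin leaves after commas
    # when it folds a long tests= list across lines.
    value = re.sub(r",\s+", ",", " ".join(str(value).split()))
    m = STATUS_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised X-Spam-Status value: {value!r}")
    tests = [t for t in m["tests"].split(",") if t and t != "none"]
    level = str(msg.get("X-Spam-Level", "")).strip()
    return {
        "flagged": m["flag"] == "Yes",
        "score": float(m["score"]),
        "required": float(m["required"]),
        "tests": tests,
        "level": len(level),  # X-Spam-Level carries one '*' per whole point of score
    }


def verdict_by_strength(score: float, thresholds: dict) -> dict:
    """For each Strength level (name -> required score), would this score count as spam?"""
    return {name: score >= required for name, required in thresholds.items()}


if __name__ == "__main__":
    result = parse_spam_status(SAMPLE_MESSAGE)
    print(f"spam={result['flagged']} score={result['score']} required={result['required']}")
    for test in result["tests"]:
        print("  fired:", test)
    # Illustrative thresholds only: the score the product maps each Strength
    # level to is an assumption for this example, not a documented value.
    verdicts = verdict_by_strength(result["score"], {"Low": 5.0, "Medium": 4.3, "High": 3.5})
    for name, is_spam in verdicts.items():
        print(f"  at {name} strength: {'spam' if is_spam else 'not spam'}")
```

A score of 5.8 is spam at all three illustrative thresholds; a message scoring 4.5 would be spam at Medium and High but not at Low, which is exactly the trade-off the Strength drop-down moves.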

My CPU load is always above 7. I still need to test for spam. What do I do?

Raising that load limit will allow scanning to continue, but it will likely also increase the CPU load. A load that high is an indication that your hardware may not be robust enough for your site. If your user count has increased since you installed the server, or the volume of internet traffic has grown substantially, that could be the cause; so could having spent as little on hardware as you could get away with. Regardless, you are probably also being impacted in other areas without realizing it. Determine exactly what the hardware specs of your server are, and decide whether to supplement the existing hardware or replace it with something more robust.

Why do emails with larger attachments sometimes not get delivered?

While NG Firewall is scanning attachments your email server is still waiting for the message, which can trigger an idle-connection timeout. If you're using Exchange, you can try increasing the ConnectionInactivityTimeout parameter on the Receive connector (Set-ReceiveConnector).

What do the Event Log Actions for Spam Blocker mean?

  • pass message - The message was determined to not be spam and was passed.
  • mark message - The message was determined to be spam and marked.
  • block message - The message was determined to be spam and blocked (silently dropped).
  • quarantine message - The message was determined to be spam and quarantined.
  • pass Safelist message - The message was passed because the sender was on the user's or global safe pass-list.
  • pass Oversize message - The message was passed without being scanned because it was over the spam size limit.
  • pass Outbound message - The message was passed without being scanned because it was outbound (WAN-bound).
  • block message (scan failure) - The message was blocked because the scan failed and Close connection on scan failure is enabled.
  • pass message (scan failure) - The message was passed because the scan failed and Close connection on scan failure is disabled.

How do I stop sending daily Quarantine Digests?

Uncheck Send Daily Quarantine Digest Emails at Config > Email > Quarantine.

Why are users not receiving a Quarantine Daily Digest?

Verify your email configuration at Config > Email: send the test email and make sure the users receive it. If they do not, check the mailer log on the NG Firewall for an error; the file is /var/log/exim4/mainlog.
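As an added example (not part of the wiki or the product), the script below reads the Exim mainlog layout that /var/log/exim4/mainlog uses, where "<=" marks a message arriving, "=>" a successful delivery, "**" a permanent failure and "==" a deferral, and reports the last outcome seen for each recipient. The log lines, hosts, addresses and message IDs are constructed; copy real lines from the firewall in place of SAMPLE_MAINLOG.

```python
import re

# Constructed sample of /var/log/exim4/mainlog lines in Exim's mainlog layout
# (<= arrival, => delivery, ** permanent failure, == deferral); hosts, addresses
# and message IDs are made up.
SAMPLE_MAINLOG = """\
2024-03-04 06:00:01 1rgx1N-0003Xk-Ab <= root@firewall.example.com U=root P=local S=2847
2024-03-04 06:00:02 1rgx1N-0003Xk-Ab => alice@example.com R=dnslookup T=remote_smtp H=mail.example.com [203.0.113.10] C="250 2.0.0 Ok: queued as 4TpqZ"
2024-03-04 06:00:02 1rgx1N-0003Xk-Ab Completed
2024-03-04 06:00:03 1rgx1P-0003Xp-Cd <= root@firewall.example.com U=root P=local S=3102
2024-03-04 06:00:04 1rgx1P-0003Xp-Cd ** bob@example.com R=dnslookup T=remote_smtp: SMTP error from remote mail server after RCPT TO:<bob@example.com>: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown
2024-03-04 06:00:04 1rgx1P-0003Xp-Cd Completed
2024-03-04 06:00:05 1rgx1R-0003Xt-Ef <= root@firewall.example.com U=root P=local S=2990
2024-03-04 06:00:06 1rgx1R-0003Xt-Ef == carol@example.com R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host for 'example.com'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<id>\S+) "
    r"(?P<flag><=|=>|->|\*\*|==) (?P<rest>.*)$"
)
OUTCOME = {"=>": "delivered", "->": "delivered", "**": "failed", "==": "deferred"}


def delivery_status(log_text: str) -> dict:
    """Map each recipient address to the most recent delivery outcome logged for it."""
    status = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flag"] == "<=":
            continue  # arrival lines, "Completed" lines and queue-run chatter
        rest = m["rest"]
        recipient = rest.split(" ", 1)[0].lower()
        outcome = OUTCOME[m["flag"]]
        if outcome == "delivered":
            reply = re.search(r'C="([^"]*)"', rest)   # the remote server's final reply
            detail = reply.group(1) if reply else ""
        else:
            detail = rest.split(": ", 1)[1] if ": " in rest else rest
        status[recipient] = {"outcome": outcome, "time": m["ts"],
                             "message_id": m["id"], "detail": detail}
    return status


def why_no_digest(log_text: str, recipient: str) -> str:
    """One-line diagnosis for a user who reports that the digest never arrived."""
    entry = delivery_status(log_text).get(recipient.lower())
    if entry is None:
        return ("no delivery attempt logged for this address: check the Config > Email "
                "settings and send the test email")
    if entry["outcome"] == "delivered":
        return (f"delivered {entry['time']} ({entry['detail']}): look at the recipient's "
                "mail server or spam folder")
    return f"{entry['outcome']} {entry['time']}: {entry['detail']}"


if __name__ == "__main__":
    for address in ("alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"):
        print(f"{address:<20} {why_no_digest(SAMPLE_MAINLOG, address)}")
```

A "failed" line with a 5xx reply usually means the recipient's server rejected the digest (here an unknown user), while a "deferred" line means Exim is still retrying and the digest may arrive later.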

Why can't my off-site users get their Quarantine Digests?

The most common reason is that the Quarantine Digest has a URL with a private IP while they need a URL with a public IP. You'll need to verify a few settings:

  1. Under Config > Administration, make sure that Enable Outside HTTPS Administration is checked.
  2. Under Config > Administration > Public Address, choose Use Hostname or Use Manually Specified IP as appropriate.
  3. If using Use Hostname, make sure your hostname is properly configured and publicly resolvable at Config > Networking > Hostname. If you're using a Dynamic IP, it's recommended to set up Dynamic DNS on the same page.

What happens to email when the recipient is not on the quarantinable address list?

If you removed the wildcard and manually created a quarantinable address list, Spam Blocker passes the email but marks it as [Spam] for recipients that are not on the list.

What will happen if my rules are set to quarantine but the receiver's address cannot be quarantined?

The Quarantinable Addresses rules take precedence over the actions for email rules. In this situation, the email would be marked rather than quarantined.
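To tie the Event Log actions listed above to the quarantinable-address behaviour described in the last two answers, here is an added model of the decision (example code, not the product's own logic). The settings and message fields are assumptions made for the example, and so is the order in which the outbound, oversize, safelist and scan-failure checks are applied; what the page does state is modelled directly: a score at or above the Strength threshold is spam, the configured action applies, and a quarantine action for a recipient that does not match the Quarantinable Addresses list turns into a mark.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass
class SpamSettings:
    threshold: float                   # score at or above which a message is spam (the Strength setting)
    spam_action: str                   # "mark", "block" or "quarantine"
    size_limit_kb: int                 # larger messages are passed unscanned ("pass Oversize")
    scan_outbound: bool = False        # assumption: outbound mail is only scanned when this is on
    close_on_scan_failure: bool = False
    quarantinable_addresses: tuple = ("*",)   # glob patterns; "*" is the default wildcard
    global_safelist: frozenset = frozenset()  # lower-cased sender addresses


@dataclass
class ScannedMessage:
    sender: str
    recipient: str
    size_kb: int
    outbound: bool
    score: Optional[float]             # None means the scan itself failed
    user_safelist: frozenset = frozenset()


def is_quarantinable(recipient: str, patterns) -> bool:
    """Does the recipient match any Quarantinable Addresses pattern?"""
    return any(fnmatch(recipient.lower(), p.lower()) for p in patterns)


def event_log_action(msg: ScannedMessage, s: SpamSettings) -> str:
    """Return the Event Log action string for one message."""
    # The order of the next four checks is an assumption made for this model.
    if msg.outbound and not s.scan_outbound:
        return "pass Outbound message"
    if msg.size_kb > s.size_limit_kb:
        return "pass Oversize message"
    sender = msg.sender.lower()
    if sender in s.global_safelist or sender in msg.user_safelist:
        return "pass Safelist message"
    if msg.score is None:
        return ("block message (scan failure)" if s.close_on_scan_failure
                else "pass message (scan failure)")
    if msg.score < s.threshold:
        return "pass message"
    action = s.spam_action
    # Quarantinable Addresses take precedence over the configured action: a
    # recipient that cannot be quarantined gets the message marked instead.
    if action == "quarantine" and not is_quarantinable(msg.recipient, s.quarantinable_addresses):
        action = "mark"
    return f"{action} message"


if __name__ == "__main__":
    # Constructed settings: the wildcard was replaced by a single domain pattern.
    settings = SpamSettings(threshold=4.3, spam_action="quarantine", size_limit_kb=256,
                            quarantinable_addresses=("*@example.com",))
    samples = [
        ScannedMessage("deals@spam.example", "alice@example.com", 12, False, 7.1),
        ScannedMessage("deals@spam.example", "bob@partner.example", 12, False, 7.1),
        ScannedMessage("deals@spam.example", "alice@example.com", 900, False, 7.1),
        ScannedMessage("deals@spam.example", "alice@example.com", 12, False, None),
    ]
    for m in samples:
        print(f"{m.recipient:<22} size={m.size_kb:>4}KB score={m.score} -> {event_log_action(m, settings)}")
```

Note that the second sample is spam by score and the action is quarantine, yet the log will show "mark message" because bob@partner.example matches no quarantinable pattern; that is the case the two answers above describe.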

Can I have NG Firewall drop mail that is not to valid users?

No, as NG Firewall does not have a list of valid email addresses for your site. It is suggested that you configure your email server to not accept mail for invalid users. This is the default for almost all mail servers except Microsoft Exchange; the links below are instructions on how to configure your email server.

Why is mail not passing between my Exchange servers?

NG Firewall forces Extended SMTP (ESMTP) to fall back to plain SMTP so that email in transit can be scanned. When two Exchange servers are set up such that they require ESMTP communication, all communication between them will fail. The fallback is enforced by transparently rewriting the "EHLO" command to "HELO"; the corresponding ESMTP keywords are also stripped from the reply.

This can be fixed by adding a Bypass Rule for communication between the servers.
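The exchange described above, modelled as an added example (not NG Firewall's code and not how Exchange is implemented): the client sends EHLO, the in-path rewrite turns it into HELO and drops any extension keywords from the 250 reply, so a peer that insists on an ESMTP extension (STARTTLS is used here as the example) never sees it and aborts. With the bypass in place the greeting passes through untouched. The hostnames, the advertised extensions and the "require TLS" policy are assumptions for the example.

```python
# Extension keywords an ESMTP server advertises in its EHLO reply. The downgrade
# removes them so that the client sees a plain SMTP peer.
ESMTP_KEYWORDS = {"STARTTLS", "SIZE", "AUTH", "8BITMIME", "PIPELINING", "CHUNKING",
                  "ENHANCEDSTATUSCODES", "SMTPUTF8", "DSN", "BINARYMIME"}


def rewrite_client_command(line: str) -> str:
    """Client side of the downgrade: EHLO becomes HELO, every other command passes."""
    verb, _, rest = line.partition(" ")
    return f"HELO {rest}".rstrip() if verb.upper() == "EHLO" else line


def _keyword(line: str) -> str:
    # "250-SIZE 52428800" -> "SIZE"; "250 OK" -> "OK"; a bare "250" -> ""
    return (line[4:].split() or [""])[0].upper()


def strip_extensions(reply: list) -> list:
    """Server side of the downgrade: drop extension keywords from a 250 reply and
    re-fold what is left as a well-formed (multi-line) reply."""
    if not reply or not reply[0].startswith("250"):
        return reply
    kept = [reply[0]] + [l for l in reply[1:] if _keyword(l) not in ESMTP_KEYWORDS]
    return ["250-" + l[4:] for l in kept[:-1]] + ["250 " + kept[-1][4:]]


def server_greeting(command: str, hostname: str = "mail2.example.com") -> list:
    """Model of the receiving server: a capability list for EHLO, one line for HELO."""
    verb = command.split()[0].upper()
    if verb == "EHLO":
        return [f"250-{hostname} Hello", "250-SIZE 52428800", "250-STARTTLS", "250-AUTH NTLM", "250 OK"]
    if verb == "HELO":
        return [f"250 {hostname} Hello"]
    return ["500 5.5.1 Command unrecognized"]


def handshake(through_firewall: bool, require_tls: bool) -> dict:
    """Run the greeting exchange with or without the transparent downgrade in the path.
    require_tls models a sending server that refuses to continue without STARTTLS."""
    client_hello = "EHLO mail1.example.com"
    on_wire = rewrite_client_command(client_hello) if through_firewall else client_hello
    reply = server_greeting(on_wire)
    if through_firewall:
        reply = strip_extensions(reply)
    capabilities = {_keyword(l) for l in reply[1:]} - {"OK", ""}
    result = {"sent": on_wire, "reply": reply, "capabilities": sorted(capabilities)}
    if require_tls and "STARTTLS" not in capabilities:
        result.update(ok=False, reason="peer did not offer STARTTLS; TLS-required sender aborts")
    else:
        result.update(ok=True, reason="")
    return result


if __name__ == "__main__":
    for through_firewall in (True, False):
        r = handshake(through_firewall=through_firewall, require_tls=True)
        print("scanned" if through_firewall else "bypassed", "->", r["sent"], "|",
              " / ".join(r["reply"]), "|", "OK" if r["ok"] else r["reason"])
```

The bypassed run is what the Bypass Rule restores: the EHLO reaches the peer unchanged and the full capability list comes back, so the two Exchange servers can negotiate the extensions they require.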