Howto improve spam filtering
  •  
Dr.Bob

Hi all,
would like to hear some of your experiences with configuring the spam filtering to the max.

And I have 2 questions on which I would like to hear your advice please.

First:
This week I turned on the default Blacklists in the Admin console, all with the setting: Increase spamscore with 1.5. But it looks to me like it isn't working. Because I see this entry in the security log:

[04/Nov/2005 06:03:44] IP address 218.93.52.180 found in DNS blacklist SORBS DNSBL, mail from <elisabetham<_at_>go2.pl> to <my_address>


And the header of this particular e-mail in my inbox says:

Return-Path: <elisabetham<_at_>go2.pl>
X-Envelope-To: <my_address>
X-Spam-Status: No, hits=2.7 required=4.5
	tests=BAYES_50: 1.567,DATE_IN_PAST_24_48: 0.133
X-Spam-Level: **
Received: from go2.pl ([218.93.52.180])


So, as you see, no 1.5 extra for being on the blacklist! Or am I missing something else?

To show I did activate it correctly, from the config log:
[03/Nov/2005 09:05:57] admin - update DnsBlacklists set Action='1', Score='15' where Domain='dnsbl.sorbs.net'
[03/Nov/2005 09:05:57] admin - update DnsBlacklists set Enabled='1' where Domain='dnsbl.sorbs.net'
[03/Nov/2005 09:05:57] admin - update DnsBlacklists set Enabled='1' where Domain='rhsbl.sorbs.net'
[03/Nov/2005 09:05:57] admin - update DnsBlacklists set Action='1', Score='15' where Domain='rhsbl.sorbs.net'


Anyone a hint?

Second:
My current SMTP/relay control options are set as: Allow only for users authenticated through SMTP for outgoing mail. But I notice that spammers that make a local delivery don't have to authenticate. At least, that's what I conclude since I did the spamhaus 'Testing your SBL Setup' and received an email back saying "Uh-oh, your SBL block is not working!" But of course this one is also activated from the Blacklists page.

And what I read from their handshake information they sent me by email:
helo sbl.crynwr.com
250 mail.myserver.com
mail from:<>
250 2.1.0 Sender <> ok
rcpt to:<my_address>
250 2.1.5 Recipient <my_address> ok (local)
data


Is there an option that I can close relaying for local delivery, or doesn't that make sense at all ..... (would that block *everything* ...)

Thanks for feedback in advance!
dr.b
  •  
ceejaynet

I also have noticed that users who are authenticated are allowed to send email from any address, not just from the address they have on the local system.

Regards.

Craig.
  •  
sedell

Quote:

Return-Path: <elisabetham<_at_>go2.pl>
X-Envelope-To: <my_address>
X-Spam-Status: No, hits=2.7 required=4.5
	tests=BAYES_50: 1.567,DATE_IN_PAST_24_48: 0.133
X-Spam-Level: **
Received: from go2.pl ([218.93.52.180])




When you set up a rule to add to the spam score, it doesn't display in the X-Spam-Status header. The hits total will show the modification to the score, but you won't see it listed in the tests string. The hits listed in the tests in this example total up to 1.7, so there are outside factors also influencing the total hits score.

Quote:

But I notice that spammers that make a local delivery don't have to authenticate.

No one who delivers to a local address has to authenticate. That would prevent your users from getting mail from any outside domain. The only mail you would be able to get would be mail sent by local users.

Quote:

At least, that's what I conclude since I did the spamhaus 'Testing your SBL Setup' and received an email back saying "Uh-oh, your SBL block is not working!" But of course this one is also activated from the Blacklists page.

This is normal. The SBL tests check to see if the mail they send gets rejected. You're not rejecting mail that's listed in the blacklist, you're adding to the score. By doing that, you are allowing delivery of the message, but flagging it as spam if the total adds up.

Quote:

Is there an option that I can close relaying for local delivery, or doesn't that make sense at all ..... (would that block *everything* ...)

Yes, that would block everything.

HTH

Scott
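
The arithmetic in the reply above, as an added example that is not part of the original thread: it parses the folded X-Spam-Status header quoted in the question and computes how much of the hits total is not accounted for by the tests string. The function names are hypothetical, the header layout is assumed to match the quoted message, and the sender address is a placeholder.

```python
import re
from decimal import Decimal
from email import message_from_string

# Header block as quoted in the thread; the sender address is a placeholder.
SAMPLE_HEADERS = (
    "Return-Path: <sender@example.invalid>\n"
    "X-Envelope-To: <my_address>\n"
    "X-Spam-Status: No, hits=2.7 required=4.5\n"
    "\ttests=BAYES_50: 1.567,DATE_IN_PAST_24_48: 0.133\n"
    "X-Spam-Level: **\n"
    "\n"
)

NUM = r"(-?\d+(?:\.\d+)?)"


def parse_spam_status(raw_headers):
    """Return the parsed X-Spam-Status header, or None if absent or malformed."""
    value = message_from_string(raw_headers)["X-Spam-Status"]
    if value is None:
        return None
    value = " ".join(value.split())  # unfold the tab-indented continuation line
    hits = re.search(r"\bhits=" + NUM, value)
    required = re.search(r"\brequired=" + NUM, value)
    if not hits or not required:
        return None
    listed = value.partition("tests=")[2]  # empty when no tests are listed
    tests = {name: Decimal(score)
             for name, score in re.findall(r"([A-Z0-9_]+):\s*" + NUM, listed)}
    return {
        "is_spam": value.lower().startswith("yes"),
        "hits": Decimal(hits.group(1)),
        "required": Decimal(required.group(1)),
        "tests": tests,
    }


def unlisted_score(status):
    """Part of the hits total that no entry in the tests string accounts for."""
    return status["hits"] - sum(status["tests"].values(), Decimal(0))


if __name__ == "__main__":
    status = parse_spam_status(SAMPLE_HEADERS)
    print("listed tests:", sum(status["tests"].values()))
    print("unlisted contribution:", unlisted_score(status))
    print("tagged as spam:", status["hits"] >= status["required"])
```

A non-zero unlisted contribution shows that score-modifying rules outside the tests string were applied; the header alone does not say which rule added it.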
  •  
Dr.Bob

Thanks Scott! That explains everything :-)

dr.b
  •  
jshaw541

[Deleted. This was a weird double post]

[Updated on: Fri, 04 November 2005 17:36]


Kerio MailServer 6.7.1 w/AD
Windows Server 2003 SP 1
Dell PowerEdge 2850 (Dual Xeon 3.2ghz and 2 GB RAM)
~1300 users
~1000+ concurrent IMAPS connections
iPhone users
Outlook 2007 KOFF users
Apple iCal 10.5/10.6 users
  •  
jshaw541

Imho, while Kerio MailServer is an excellent product overall, its spam filtering scheme is junk. The blacklist functionality also seems to really choke KMS down (granted this probably isn't KMS's fault, it's probably the fault of not having a local caching DNS server).

Thus I recommend a "spam firewall". The scheme I like best is located at:

http://www200.pair.com/mecham/spam

This solution has a few benefits over using KMS as your spam-fighting solution:

1.) It reduces the load on the KMS server by blocking the onslaught of spam. Currently about 60% of our incoming email is spam. This is significant. Taking the load off of KMS means a faster KMS which means faster webmail, etc.

2.) With the spamassassin/amavisd solution, one can stop/blackhole/quarantine spam messages with an arbitrarily high score. In our organization, we quarantine messages with a spam score of 9.0 or above.

I requested this feature for KMS years ago and it still hasn't been implemented. Now, I'm not so sure I'd find the feature of value if they DID implement it, due to the huge benefits of #1.

It should be noted that I don't really view this as a shortcoming of KMS, but rather a smart email topology that significantly reduces load on the end-user server (e.g. the KMS box). We're running ~2000 users on our KMS box; in smaller shops, this is a different story.

3.) You get the flexibility of many small tools in UNIX, which allows you to adapt and deal with many different scenarios. Need A/V? Plug it in. Need another A/V? Plug it in. Need to blacklist a domain? At which stage do you wish to blacklist it, right away or later?

  •  
Dr.Bob

That sounds like a great solution, especially for when running that many mailboxes, thanks for the info!