Spam blacklist checking of all relays in mail headers
  •  
gryphon

Hi!

From what I understand, when Kerio is receiving an email, it will query the sending server against all enabled dns blacklists that have been configured. This is a great feature and cuts out a large percentage of spam.

The only problem is that when spam mail has gone through another (legitimate) relay before reaching the kerio server, any previous relays the mail has passed through are not checked against the blacklists. Having a second check against all relays in the header would cut down on spam even further for users who only ever receive email through a relay (using Bigfoot for example).

If this is how the mail server works already, then please excuse my ignorance, but from what I can see, it isn't done this way currently and doing these added checks can only be beneficial?

Many thanks,
Tom
  •  
gryphon

Let me add a little flow diagram if I'm making little sense..

Mail normally goes:

SENDER -> ISP SMTP SERVER -> RECIPIENT SMTP SERVER(kerio) -> RECIPIENT

But for users of bigfoot (or other mail forwarding services), it is more like:

SENDER -> ISP SMTP SERVER -> RELAY SERVER(bigfoot) -> RECIPIENT SMTP SERVER(kerio) -> RECIPIENT

Because kerio looks up the server that is initiating the connection, all mail for the bigfoot users will cause kerio to look up the bigfoot servers in the blacklists, but not the "ISP" SMTP server. As bigfoot is a legitimate service, the dns blacklist will never block spam for these users. But if kerio was to parse the header and check all previous relays against the blacklist, this would help tremendously for users of legitimate relay services.

I hope this makes things a bit clearer.

Thanks,
Tom
  •  
jandoemen

No wonder my spam count was way too high. I read your post and indeed, I'm in a similar situation. In my case incoming mail for some domains is received by a sendmail server and in the aliases list it is then sent to 2 other servers. One of them is my test kerio server. I checked the debug list and ... Kerio was checking my "receiving server" all the time, not the hop before.

You could say that the receiving server has to check and then send on but ... what if the receiving server has to forward mail for domains where the customer doesn't want his mail checked and others do?

So I agree in so far that not all hop servers should be checked but maybe Kerio can add some kind of "ignore hop server" list.

In my case I could then enter the ip/name of my "receiving server" in there. Kerio would then take the last server -> ignores it and checks the one next in line.

Great idea.

Greetz
Jan
  •  
gryphon

It's a shame this thread has had little interest.

Perhaps if Kerio had some kind of API, this function could be implemented externally. I am thinking of making a "syslog server" that would take the log from kerio and run commands based on log data sent to it.

I know this is a cumbersome way to implement new functions, but I don't see any other option right now.

If anyone has any thoughts, please let me know :)

Cheers,
Tom
  •  
sedell

I think the problem with lack of interest is it can't really be done - not to block an incoming connection, anyhow. If it could, many mailservers would have it already.

The only IP address the built-in RBL lookup has access to is the one the current connection is coming from. The other headers will come over with the DATA command as text. You'd have to wait for the message to be received, then parse it to get other IP addresses. At that point, you might as well let Spam Assassin take care of it while it's parsing for spam.

Scott
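
Added example, not part of any post in this thread and not Kerio or SpamAssassin code: a sketch of the post-DATA check described above, combined with the "ignore hop server" list suggested earlier. It checks only the hop recorded by a trusted relay, since older Received lines are written by hosts outside your control; the function names, the `dnsbl.example` zone and the `resolve` callback are hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample: sender's ISP -> forwarding relay -> local server.
# All hosts and addresses are documentation values, not real mail servers.
SAMPLE = """\
Received: from relay.forwarder.example (relay.forwarder.example [198.51.100.7])
\tby mail.local.example with ESMTP; Thu, 15 Dec 2005 10:00:02 +0100
Received: from smtp.isp.example (smtp.isp.example [203.0.113.45])
\tby relay.forwarder.example with ESMTP; Thu, 15 Dec 2005 10:00:01 +0100
Received: from [10.1.2.3] (helo=desktop)
\tby smtp.isp.example with SMTP; Thu, 15 Dec 2005 10:00:00 +0100
From: sender@isp.example

body
"""
FROM_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw):
    """IPv4 address in the 'from' clause of each Received header, newest first."""
    ips = []
    for hdr in email.message_from_string(raw).get_all("Received", []):
        m = FROM_IP.search(re.split(r"\s+by\s+", hdr, maxsplit=1)[0])
        if m:
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                pass  # malformed literal such as [999.1.1.1]
    return ips

def first_untrusted_relay(ips, trusted_nets):
    """Skip hops inside trusted_nets (the 'ignore hop server' list) and return
    the first address outside it; that header was written by a trusted host."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    return next((ip for ip in ips if not any(ip in n for n in nets)), None)

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reversed octets prepended to the list's zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def check_message(raw, trusted_nets, zone, resolve):
    """resolve(name) -> True when the name has an A record (address is listed)."""
    ip = first_untrusted_relay(relay_ips(raw), trusted_nets)
    if ip is None:
        return None, False
    name = dnsbl_query_name(ip, zone)
    return name, resolve(name)
```

With an empty trusted list the check falls back to the connecting relay, which is what the connection-time lookup already covers.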
  •  
Kerio_jthomas

Scott is correct. RBLing works like this:

1) Remote mailserver connects
2) Query the RBL
3) Is the IP of the remote mailserver in the RBL? If so, drop the connection
4) If not, accept connection and allow mail to be received.

So you're receiving the entire mail if you get past the RBL. Spam Assassin can work on it at that point.

Joshua Thomas
Technical Support Manager
2350 Mission College Blvd, Suite 400
Santa Clara, CA 95054
Phone: (408) 496-4500
Fax: (408) 496-6902
http://www.kerio.com/support.html

  •  
gryphon

I realised this was the reason why it wasn't done already, but I assumed the anti-spam engine was something you (kerio) could change.

I suppose I would need to put this idea forward to the spam assassin developers? Where could I do this?

Many thanks,
Tom
  •  
sedell

This feature is already built into Spamassassin.

Scott
  •  
gryphon

Interesting, but now I'm confused.

Does kerio incorporate spam assassin, or its own spam engine?

I know kerio can't "redirect" mail to another application, so there would be no way to have spam assassin working independently from kerio, so I would guess Kerio_jthomas is suggesting spam assassin is built in, and therefore it could implement this feature?

Again, I apologise if I have got this all wrong.

Many thanks,
Tom
  •  
sedell

Spamassassin is a separate entity, but it is built into KMS. It's built into a lot of mailserver and anti-spam programs. In KMS, it resides in the <Kerio Install Dir>/MailServer/spamassassin directory. You can tweak the spamassassin configuration within that directory. You can find the documentation at http://spamassassin.apache.org. I believe KMS will override the files during an upgrade, so save your configuration changes. I know it's been requested before to have more control of the spamassassin configuration through the admin console, but so far it hasn't been added.

Scott
  •  
Pavel Dobry (Kerio)

The SpamAssassin engine integrated in KMS performs only local tests; it does not do any DNS lookups to blacklists. DNS blacklist tests are implemented in the KMS engine, so it is much faster.

[Updated on: Thu, 15 December 2005 15:12]

  •  
sedell

I'm not arguing that KMS lookups are not faster. I agree it's faster, but spamassassin is capable of doing blacklist lookups if it's set to, and it can look up multiple Received lines. The only question is how to configure it, and if the underlying dependencies are available.

Scott
  •  
tpalmer

I've added some adjustments to the default scoring into my /usr/local/kerio/mailserver/spamassasin/rules/local.cf, including
score RCVD_IN_NJABL 2.200
score RCVD_IN_NJABL_SPAM 2.800
score RCVD_IN_NJABL_PROXY 3.000
score RCVD_IN_NJABL_DIALUP 1.250

I'll hup it tonight and see what happens. Should answer the question.
  •  
gryphon

Ah great, please let us know how it goes. I'm sure others will be as interested as I am in the results :)

Thanks,
Tom
  •  
tpalmer

Well, the overrides did take, but haven't seen any points for RCVD_IN_* yet. Watch and wait...