SMTP Processing & Spam Rejection Method in KMS
  •  
Slaine

I've been having a look at the way KMS processes spam rejections after a positive response from SpamAssassin and the other filters (message scoring only, not the direct block as is available for the DNS blacklists - these work properly).

It appears that 'rejected messages' are not rejected at all, but rather silently accepted and just not being delivered. The sending server still gets its 250 'Message Accepted for Delivery'-message.

It seems like the only way a sender would know that his message was rejected is if you enable bounce messages. This is not practical, as you'd just generate a whole lot of bounce messages that will clog up your outgoing mail queue. When they do deliver you will at best anger the administrator of a server that is running a valid domain, but was implicated in the spam-attack (spoofed mail-from domain).

Could anybody see if my analysis is correct in the way spam is 'rejected'?

- Pierre Roux
http://www.ozone.co.za/ (My Job)
http://seven.dfx.co.za/ (My Hobby)
  •  
freakinvibe

This is correct.

The ideal solution would be to give an error to the sending server while it is sending (as it is done with the black lists).

But that is technically not possible as SpamAssassin analyses the whole mail only after the message is accepted. There is no way for the mail server to know if a mail is spam or not while the SMTP session is running.

Regards, Pascal

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
Slaine

I also use another mail server that works fine in that regard. I spent a bit of time looking at its behaviour versus that of KMS.

After they have received the e-mail ".", they don't blindly accept the message; they finish the spam processing first and then respond with a 250 message, or a 554 message with some sort of reason why the message was rejected. In my opinion the reason is extra important to find out why the false positive occurred, to trace and fix a problem.

If the spam and anti-virus processing takes a bit long, a lot of spammers will also give up, similar to the 'Spam Repellent'-Feature in KMS.

Doing it this way, a valid sender receives an error message, and a spammer is deterred. With KMS accepting and then silently discarding the message, 'rejected' in the log, false positives go unnoticed until something important went missing and spammers pump up their performance thinking that their spam is reaching its target, thus wasting more bandwidth.

- Pierre Roux
http://www.ozone.co.za/ (My Job)
http://seven.dfx.co.za/ (My Hobby)
  •  
freakinvibe

Yes, you are right, that would be possible. But KMS does not work that way. It is similar to the virus checking feature: It checks the attachments only after it has acknowledged the successful receipt to the sending server.

Could be an enhancement request to Kerio.

Regards, Pascal

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
Slaine

Sent it through to Kerio as an Enhancement Request. I hope it will carry some weight as I think it will make KMS a whole lot better as a secure mail server and in being 'self sufficient'.

It will definitely mean a lot less time looking at the spam log files.

- Pierre Roux
http://www.ozone.co.za/ (My Job)
http://seven.dfx.co.za/ (My Hobby)
  •  
Slaine

I got the response from the Support chaps today on the previously mentioned suggestion and it doesn't sound too promising too soon. Seems the offline thing is keeping them very busy at the moment, which is understandable.

In the meantime I need to make a plan for a workaround or alternative because I've already had my head shouted off for a couple of false negatives that went into the ether unnoticed, as well as the normal spam complaints. Any suggestions?

- Pierre Roux
http://www.ozone.co.za/ (My Job)
http://seven.dfx.co.za/ (My Hobby)
  •  
freakinvibe

You could use a multi-layered approach:

- Spam repellent (Sender will get a timeout message for a false positive)

- Use safe BLs like Spamhaus and Spamcop to reject messages (Sender will get an error for a false positive)

- Build a custom black-/white-list

- Use SpamAssassin and tag messages as Spam for scores from 5 to 10. Silently discard for 10 and over.

- Send tagged messages (score 5 to 10) to the user's Junk E-Mail folder

- Enable the Archive function, so all the messages are kept in monthly folders. If someone complains about missing mail, you can search for it in the Archives

Hope this helps.

Regards, Pascal

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
sedell

You could forward all of the tagged/rejected messages to a spam e-mail account, and scroll through it once a day to make sure legit messages aren't getting dropped. I keep an eye on ours that way, and haven't found a single message that scored high enough to get dropped that would count as a false positive.

Scott
  •  
Slaine

Good Day,

Thank you for your suggestions.

Unfortunately they defeat the object of lowering the maintenance and management time needed to run the mail solution, which was the whole point for embarking on my current exercise.

I appreciate your time and input though.

- Pierre Roux
http://www.ozone.co.za/ (My Job)
http://seven.dfx.co.za/ (My Hobby)
  •  
Pavel Dobry (Kerio)

Slaine wrote on Mon, 25 September 2006 12:45

I also use another mail server that works fine in that regard. I spent a bit of time looking at its behaviour versus that of KMS.

After they have received the e-mail ".", they don't blindly accept the message; they finish the spam processing first and then respond with a 250 message, or a 554 message with some sort of reason why the message was rejected. In my opinion the reason is extra important to find out why the false positive occurred, to trace and fix a problem.

If the spam and anti-virus processing takes a bit long, a lot of spammers will also give up, similar to the 'Spam Repellent'-Feature in KMS.

Doing it this way, a valid sender receives an error message, and a spammer is deterred. With KMS accepting and then silently discarding the message, 'rejected' in the log, false positives go unnoticed until something important went missing and spammers pump up their performance thinking that their spam is reaching its target, thus wasting more bandwidth.



I think your analysis is not correct at some points.
First, spam checking takes a long time. It may be a few seconds up to one minute for each message, depending on enabled tests and speed of your computer. Scanning email in the message queue is much better for overall performance, it reduces the risk that all your SMTP resources will be exhausted.

Second, it usually does not matter if you reject the email right before 'final dot'. Your server has already confirmed that the recipient exists (positive response to RCPT TO command) so the spammer knows that he can send more spams there.

Third, it may produce a lot of "incomprehensible errors" in bounces to regular senders if your server is busy and does not accept emails.

Spam message in KMS is not 'silently discarded'. There is an entry in the spam log, spam email is also in archive folders. It can be also optionally forwarded to 'quarantine' account to make sure that no message is lost, even if it is a spam.
  •  
Slaine

Kerio_pdobry wrote on Wed, 27 September 2006 09:42


I think your analysis is not correct at some points.


With all due respect, I think it's more a matter of opinion, interpretation, experience, design and choice than one of being correct or not.

Kerio_pdobry wrote on Wed, 27 September 2006 09:42


First, spam checking takes a long time. It may be a few seconds up to one minute for each message, depending on enabled tests and speed of your computer. Scanning email in the message queue is much better for overall performance, it reduces the risk that all your SMTP resources will be exhausted.


I've been running various mail servers over the last eight years that do the rejection message after the "." and it has never been an issue and none of them has ever taken up to a minute to analyse spam.

Maybe the volume has never been high enough (max 25 000 messages per day), or I may just plainly have missed it because I currently don't have to inspect my mail logs that often, but it has never been an issue, nor ever given rise to missing e-mail, concerns or, most importantly, complaints.

Looking at the SMTP messages there is room for optimisation in the spam checking process in any case. Stop checking for additional spam criteria the first time you hit anything that 'rejects' the message. Skip to the whitelisting checks. Don't check the rest of the blacklists first and then continue to the whitelisting section.

I have an IP address blacklisted in the local list and that should be sufficient to not accept the message, but the rest of the checks are still performed according to what I see in the log files. This is inefficient.

Kerio_pdobry wrote on Wed, 27 September 2006 09:42

Second, it usually does not matter if you reject the email right before 'final dot'. Your server has already confirmed that the recipient exists (positive response to RCPT TO command) so the spammer knows that he can send more spams there.

(After the ".", not before)

I've always had a secondary mail server, and at times a tertiary, that would have caught any spill-over if the primary became too busy.

Secondary mail servers will always accept mail on a domain, regardless of whether the user account exists or not, because they just purely don't know if the user account is valid. If the mail can be rejected in the SMTP session it would lessen the amount of processing on the primary as well as conserve bandwidth between the primary and secondary servers, as well as save traffic on the subsequent "user doesn't exist" messages from the secondary.

The majority of incoming spam currently targets the secondary server in our implementation, making efficient rejection even more important.

Kerio_pdobry wrote on Wed, 27 September 2006 09:42


Third, it may produce a lot of "incomprehensible errors" in bounces to regular senders if your server is busy and does not accept emails.


If the mail system is correctly planned, this would be a self rectifying situation.

An error will only be incomprehensible if the resultant messages don't have proper descriptions, like "451 qq temporary problem (#4.3.0)" (This was the response by KWF to what seems to correspond in the mail log as a 'too many recipients' error - still trying to figure it out)

Kerio_pdobry wrote on Wed, 27 September 2006 09:42


Spam message in KMS is not 'silently discarded'. There is an entry in the spam log, spam email is also in archive folders. It can be also optionally forwarded to 'quarantine' account to make sure that no message is lost, even if it is a spam.


What I meant was that it is silent in terms of the other (sending) server. Some of the other mail systems I work with have the options 'mark as spam', 'reject the message (554)' or 'delete the message'.

I have a bit of experience with the lower performance mail servers and the 'lower performance' is measured in seconds, where the suggested maintenance is measured in hours.

My prime requirements for e-mail systems have and will always be low maintenance and management cost, self sustaining reliability and stability. The things that I believe make up the bigger picture, especially from a business management position.

But, at the end of the day it's just an opinion, and it's very open for discussion and disagreement, but don't say something is too time consuming to process if you don't have an optimised design in the first place.

- Pierre Roux
http://www.ozone.co.za/ (My Job)
http://seven.dfx.co.za/ (My Hobby)
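
Added example, not written by any poster in this thread and not Kerio's code: a sketch of the end-of-DATA decision the thread argues about, replying 554 with a reason inside the SMTP session for scores of 10 and over, tagging scores from 5 to 10, and falling back to accept-then-scan-from-queue when the scanner exceeds a time budget. The toy rules, the 0.2 s budget, the reply wording and the function names are assumptions made for illustration.

```python
import concurrent.futures as cf

# Thresholds from the thread: tag from score 5, drop from score 10.
TAG_SCORE, REJECT_SCORE = 5.0, 10.0
SCAN_BUDGET_S = 0.2  # assumed in-session scan budget, in seconds

# Constructed toy rules standing in for a real content filter.
RULES = {"viagra": 6.0, "lottery": 4.5, "click here": 1.5}

def toy_score(message):
    """Return (score, names of matched rules) for a message body."""
    text = message.lower()
    hits = [rule for rule in RULES if rule in text]
    return sum(RULES[rule] for rule in hits), hits

def end_of_data_reply(message, scorer=toy_score, budget=SCAN_BUDGET_S):
    """Pick the SMTP reply to the final '.' of DATA.

    Returns (reply_line, disposition), where disposition is one of
    'inbox', 'junk', 'rejected' or 'queued-for-scan'.
    """
    pool = cf.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(scorer, message)
    try:
        score, hits = future.result(timeout=budget)
    except cf.TimeoutError:
        # Scanner too slow: release the SMTP session, accept the message
        # and leave it to be scanned from the queue instead.
        return "250 2.0.0 Message accepted for delivery", "queued-for-scan"
    finally:
        pool.shutdown(wait=False)
    if score >= REJECT_SCORE:
        # Reject inside the session so the sending server gets the reason.
        reason = ", ".join(hits)
        return (f"554 5.7.1 Rejected as spam (score {score:.1f}; {reason})",
                "rejected")
    if score >= TAG_SCORE:
        return "250 2.0.0 Message accepted for delivery", "junk"
    return "250 2.0.0 Message accepted for delivery", "inbox"

if __name__ == "__main__":
    samples = [  # constructed sample bodies
        "Agenda for Monday's meeting attached.",
        "Cheap viagra, limited offer",
        "You won the LOTTERY! Buy viagra, click here",
    ]
    for body in samples:
        print(end_of_data_reply(body))
```

Because the 554 is issued before the session ends, the bounce is generated by the sending server for its own user, so the receiving server never has to send a bounce to a possibly spoofed MAIL FROM address.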