The 20 Minute E-mail Solution!

Host Configuration


This section explains how to configure the host level anti-spam options. Host configuration tasks include setting up the following: connection filtering, statistical filtering, phrase filtering, a white list and "trusted" IP addresses.

Connection Filtering

DNS black list options for each host are configured on the Connection Filtering tab shown below. No black lists are enabled by default, so each host administrator must enable them immediately after installation. A black list must be enabled for the server before it is available for use by a host. Black list configuration information for hosts is stored in the spamblks.txt file located in the host's directory.


Host level DNS black lists can be separated into two categories:

Select Delete Message after X matches, to delete the message after it matches the number entered here. The value entered here must not be greater than the number of black lists plus the number of validation options that are enabled.
Select Prefix Subject with to add a word or phrase to the beginning of the Subject of messages that are identified as spam. This option does not apply if you select to delete a message. The default text is X-IMail-SPAM-Connection, but you can customize it to anything you want as long as it does not exceed 255 characters.

Getting to the Connection Filtering tab

  1. In the left panel, expand the localhost folder and select a host with an IP address.
  2. Expand the host, and select the Antispam folder.
  3. In the right panel, click the Connection Filtering tab.

Enabling/Disabling DNS Black lists

To enable a DNS black list for a host, do the following:

  1. Decide whether you want the black list to be a standard DNS black list, or a trusted DNS black list.
  2. Click Add in the appropriate grouping to open the Add DNS Blacklist dialog box.
  3. Select a black list and click OK.
    Note: Only black lists that are configured and enabled for the server are displayed in the Add DNS Blacklist dialog box.
  4. To save the black list, click Apply at the top of the right panel.

Removing a DNS Black List

To remove a DNS black list, do the following:

  1. Select the black list name from either the DNS Black lists box, or the Trusted DNS Black lists box.
  2. Click Remove, and the DNS black list is no longer displayed.
  3. Click Apply, at the top of the right panel, to save your changes. If you do not click Apply, the black list will reappear when the screen is refreshed.

Changing a Black List Type

A black list cannot appear in both the DNS blacklists and Trusted DNS blacklists boxes. To change a DNS black list from one type to another, you must first remove it from its current type. The example below explains how to change a black list from a standard DNS blacklist to a trusted DNS blacklist.

  1. Select the black list name from the DNS Blacklist box on the Connection Filtering tab, and click Remove.
  2. Click Add in the Trusted DNS Blacklists grouping. The Add DNS Black List dialog box opens.
  3. Select the black list name that you previously deleted, and click OK. The black list now appears in the Trusted DNS Blacklist grouping.
  4. Click Apply at the top of the right panel to save your changes.

Validation Tests

Select which of the following validation tests to perform on incoming e-mail messages. If a message fails any of these tests, an X-Header is inserted into the message indicating which test it failed.

Display Labels

Name. The display name that is used to identify the black list in log files and X-Headers. This name does not have to correspond to the actual name of the black list.

Server. The domain name or IP address of the DNS server to contact for black list queries.

Query Domain. The domain to contact for black list queries. This name usually matches the server domain name. However, sometimes a black list will contain multiple domains on its server to differentiate why an IP is black listed. When this is the case, the server name and the query domain will be different. Contact the black list to determine the Query Domain.

Type. Identifies the type of lookup that the black list performs. Select from the following:

Content Filtering

Content filtering uses phrase filtering, statistical filtering and HTML filtering to examine messages and determine if they are spam. Phrase filtering searches for configurable phrases that indicate spam. Statistical filtering compares each word in a message against collected word counts to determine if the message is statistically likely to be spam. HTML filtering examines messages for HTML tags and domain names contained in URLs.

The Content Filtering tab is shown below.


Getting to the Content Filtering Tab

  1. In the left panel, expand the localhost folder and select a host with an IP address.
  2. Expand the host, and select the Antispam folder.
  3. In the right panel, click the Content Filtering tab.

Statistical Filtering

Statistical filtering examines each word in the body of an e-mail message to determine if the e-mail is spam. Words are compared against spam and non-spam word counts in the antispam-table.txt file, and assigned a spam probability value. These word counts represent the number of times that the word has occurred in previous spam and non-spam e-mail. The entire message is then assigned a probability based on the assessment of all word values for a message. Non-alphabetic characters, such as numbers and special characters, are not included in spam assessment. For information on how these words are compared to the antispam-table.txt file, see "Configuring the Anti-Spam Engine to Identify Wildcards".

You can also create and maintain a host specific exclude list, specify what action to take when spam is identified, and enable the use of the primary domain's antispam-table.txt file. The list box, under statistical filtering, displays the contents of the exclude list.

Options

None. Disables statistical filtering.

Current Host (default for primary host). Select this option to define statistical filtering settings specific to the current host.

Primary Host (default for non-primary hosts, not available for primary host). Uses the primary host's statistical filtering settings, including the primary host's antispam-table.txt file. Selecting this option saves memory by reading the file directly from the primary host's directory.

Spam Action. Specify one of the following actions to take for a message that is identified as spam:

Prefix Subject With. If selected, the subject of a message identified as spam by the statistical filter is modified to begin with the text entered in the text box. By default this text is X-IMail-Spam-Statistical; however, you can customize this message to anything you wish as long as it does not exceed 255 characters.
Note: To configure Advanced Statistical Filtering options, see "Advanced Configuration".

Setting Up the Exclude List

To speed up processing and save storage space, you can create a host specific exclude list. The exclude list is a list of words that are not included in the statistical analysis, because they are just as likely to appear in non-spam as spam. These words are ignored and are not entered into the antispam-table.txt file. To add a word to the exclude list, do the following:

  1. Click Add under Statistical Filtering to display the Add a word dialog box.
  2. Enter the word you want to exclude and click OK. The word must be between 1 and 15 characters.
  3. To save the exclude list, click Apply at the top of the right panel.
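The word-count scoring and the exclude list described above, as an added example that is not IMail's own code. The per-word formula, the Graham-style combination, the table layout and all names are assumptions, since this page does not give them; the counts are constructed.

```python
import re
from math import prod

# Constructed word counts: word -> (times seen in spam, times seen in non-spam).
# The real antispam-table.txt layout is not described on this page.
TABLE = {"winner": (40, 1), "prize": (30, 2), "meeting": (1, 50), "invoice": (5, 20)}
EXCLUDE = {"the", "your", "for", "is"}   # host exclude list (constructed)


def words(body, exclude):
    """Alphabetic runs only: numbers and special characters are not assessed."""
    return [w for w in re.findall(r"[a-z]+", body.lower()) if w not in exclude]


def word_probability(word, table):
    """Spam probability of one word from its counts, or None if never seen."""
    spam, ham = table.get(word, (0, 0))
    if spam + ham == 0:
        return None
    p = spam / (spam + ham)              # assumption: simple count ratio
    return min(0.99, max(0.01, p))       # clamp so one word cannot force 0 or 1


def message_probability(body, table, exclude):
    """Combine the per-word values into one score for the whole message."""
    probs = [p for w in words(body, exclude)
             if (p := word_probability(w, table)) is not None]
    if not probs:
        return 0.5                       # no known words: neutral score
    spam_side = prod(probs)
    ham_side = prod(1 - p for p in probs)
    return spam_side / (spam_side + ham_side)


if __name__ == "__main__":
    for body in ("WINNER!!! Claim your prize", "Invoice for the meeting"):
        print(f"{message_probability(body, TABLE, EXCLUDE):.4f}  {body}")
```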

Phrase Filtering

Phrase Filtering searches for spam phrases within the body of e-mail messages and identifies those messages as spam. The phrases are stored in the phrase-list.txt file, located in the host's directory.

If a message contains one of the phrases in the phrase list, it is identified as spam and you can choose to delete it, forward it to an e-mail address, or insert an X-Header.

Use the Phrase Filtering section of the Content Filtering tab to configure the phrase filtering options. You can enable/disable phrase searching for the current host, create and maintain the host specific phrase list, and specify an action to take when an e-mail contains one of the phrases. The list box displays the contents of the phrase list as shown below.


Setting Up the Phrase List

To add a phrase to the phrase list, do the following:

  1. Under Phrase Filtering, click Add.
  2. Enter the word or phrase in the Add a phrase dialog box, and click OK. The phrase must be between 3 and 32 characters.
  3. The phrase now appears in the list box under Phrase Filtering on the Content Filtering tab.
  4. Click Apply, at the top of the right panel, to save the new phrase-list.txt file.
    Note: To set up an effective phrase list, look at your delivery rules to see what spam words you filter. These words should be entered in the phrase list.

Editing the Phrase List

To edit a phrase in the phrase list, do the following:

  1. Select the word or phrase from the list box under Phrase Filtering and click Edit.
  2. In the Edit the Phrase dialog box, make any desired changes to the phrase and click OK.
  3. Click Apply, at the top of the right panel.

Options

None. Disables phrase filtering.

Current Host (default for primary host). Select this option to define phrase filtering settings specific to the current host.

Primary Host (default for non-primary hosts). Uses the primary host's phrase filtering settings.

Normalize Words. If this option is selected, IMail strips out all non-alphabetic characters (anything other than A-Z, a-z) from words before comparing them to the phrase list.

Scan. Select which part of a message phrase filtering will examine for phrase matches.

Spam Action. Specify one of the following actions to take if a message contains a phrase from the phrase list.

Notes:
  • It is recommended that you select Forward To until you know that the anti-spam features are set correctly. Then, if messages are incorrectly identified as spam, you can forward them to their intended address.
  • For information on setting up other spam actions (Bounce, Copy, Move to mailbox) see "Using Delivery Rules to Filter Spam".

Prefix Subject With. If selected, the subject of a message identified as spam by the phrase filter is modified to begin with the text entered in the text box. By default this text is X-IMail-Spam-Phrase; however, you can customize this message to anything you wish, as long as it does not exceed 255 characters.

Content Filtering for Authenticated Users. Select this option to enable content filtering for all messages that are received from authenticated users.
Note: When Content Filtering for Authenticated Users is selected, content filtering is not performed on messages sent from system and host administrators. This prevents mail from being filtered twice in case a message is misidentified as spam and the administrator forwards it to the intended recipient.
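The effect of the Normalize Words option and the 3 to 32 character phrase limit described above, as an added example that is not IMail's own code. Case-insensitive, whole-word matching and all function names are assumptions; the phrases and message bodies are constructed.

```python
import re


def validate_phrase(phrase):
    """Phrase list entries must be between 3 and 32 characters."""
    return 3 <= len(phrase) <= 32


def tokens(text, normalize):
    """Split text into words, optionally stripping everything but A-Z, a-z."""
    found = text.split()
    if normalize:
        found = [re.sub(r"[^A-Za-z]", "", w) for w in found]
    # Assumption: comparison ignores case; words that end up empty are dropped.
    return [w.lower() for w in found if w]


def matching_phrases(body, phrase_list, normalize):
    """Return the phrase list entries that occur as whole words in the body."""
    haystack = " " + " ".join(tokens(body, normalize)) + " "
    hits = []
    for phrase in phrase_list:
        if not validate_phrase(phrase):
            continue                      # would be rejected by the dialog box
        needle = " " + " ".join(tokens(phrase, False)) + " "
        if needle in haystack:
            hits.append(phrase)
    return hits


# Constructed inputs.
PHRASES = ["free money", "money back", "ok"]
OBFUSCATED = "Get F.R.E.E m-o-n-e-y today!!!"

if __name__ == "__main__":
    print("normalize off:", matching_phrases(OBFUSCATED, PHRASES, False))
    print("normalize on: ", matching_phrases(OBFUSCATED, PHRASES, True))
```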

Merging Multiple Phrase Lists

To combine the contents of multiple phrase list files, you must use the cleanlist.exe command line utility. For more information see "Merging\Cleaning Phrase Lists and URL Domain Black Lists (cleanlist.exe)".

What to Enter in the Phrase List

The phrase list should contain phrases that occur frequently in spam. The best way to obtain this information is to look at your current rules to see which phrases you filter out. You can also download a sample phrase-list.txt file from the Ipswitch web site.

When you enter a domain name into the phrase list, IMail Server filters the domain name if it appears in normal text in the body of a message. To filter domain names found in URLs or links, you must enter the domain name into the URL Domain Black List. The URL Domain Black List filters the domain name if it appears as a link in HTML code within a message, specifically within HREF and IMG SRC tags. For more information see "URL Domain Black List".

HTML Content Filtering

The HTML filtering feature of IMail Server is part of content filtering, but is used only on the HTML portions of a mail message. HTML filtering is important, because spammers use a variety of techniques to get around anti-spam programs that filter on words (such as IMail's statistical filter). The primary way they do this is by disguising the message text in HTML so that it doesn't look like text. Unfortunately, if a word doesn't look like a word, the phrase and statistical filter will not be able to determine if it is spam. HTML filtering in IMail Server consists of the following three components:

  • The HTML parser is always enabled as part of the anti-spam engine, and can work independently or in collaboration with feature filtering and the URL Domain Black List. The parser decodes HTML code and tags until the text appears as it will when the message is opened. The parser then passes the text on to be processed by statistical and phrase filtering to determine if it is spam.
  • HTML feature filtering allows you to define certain HTML tags that will be spam indicators. The HTML features include Nested Table, Hyperlink, Script Tag, Invalid Tag, Image Tag, Mailto Hyperlink, Deceptive URL and Embedded Comment. If a message contains a configurable number of these HTML features, it is identified as spam, and the appropriate spam action is taken.
  • The URL Domain Black List is a configurable list of domain names that are known to send spam. IMail Server extracts the primary domain from an http link to determine if the domain name is in the URL Domain Black List. It does this by looking for domains that are used in HREF and IMG SRC tags in the HTML code. If the primary domain matches any of the domain names in the URL Domain Black List, the e-mail is considered spam and the appropriate spam action is taken.

Getting to the Content Filtering (HTML) tab:

  1. In the left panel, expand the localhost, and select a host with an IP address.
  2. Under the host, select the Antispam folder.
  3. In the right panel, click on the Content Filtering (HTML) tab, which is shown below.

HTML Feature Filtering

Use Feature Filtering to select which HTML features to search for in messages, how many must appear in order for a message to be identified as spam, and the spam action to take. IMail Server processes the text within the angle brackets of an HTML tag by checking to see if the tag is one of the features it has been configured to search for. If it is, the HTML filter counter counts the features found. The e-mail is considered spam if the number of HTML features it contains equals the number configured for the features found count.

Options

None. Disables feature filtering.

Current Host (default for primary host). Select this option to define feature filtering settings specific to the current host.

Primary Host (default for non-primary hosts, not available for primary host). Uses the primary host's feature filtering settings.

Select the following HTML features to search for:

Nested Table

Script Tag

Deceptive URL

Hyperlink

Invalid Tag

Embedded Comment

Image Tag

Mailto Hyperlink

Deceptive Text

The e-mail is spam if ___ of the selected features are detected. Select the number of types of HTML features that must appear in an e-mail before it is identified as spam. The values available depend on how many features are selected. For example, if two features are selected, your choices for this option are 1 and 2.

Spam Action. Specify one of the following actions to take on a message that contains HTML features:

Prefix Subject With. If selected, the subject of a message identified as spam by the feature filter is modified to begin with the text entered in the text box. By default this text is X-IMail-Spam-Feature; however, you can customize this message to anything you wish, as long as it does not exceed 255 characters.

Example Configuration

Some of the HTML features are common to all HTML messages, not just spam (e.g. hyperlinks). Selecting one of these features may cause false positives. As you gain experience with the feature filtering options, you will be able to modify the settings based on your preferences. However, below is a suggested initial configuration that enables you to use the feature filter with success.

  1. Select Embedded Comment and Deceptive URL. Both of these elements, especially when they occur together, are strong indicators of spam. Make sure that all other HTML features are cleared.
  2. Select 2 from The e-mail is spam if __ of the selected features are detected. This requires that both an embedded comment and a deceptive URL be present in a message for it to be considered spam.
  3. For Action to be taken on e-mail determined to be spam, select Insert X-Header.
  4. Since messages are still delivered, you may want to create a delivery rule that moves messages to a mailbox. See also "Using Delivery Rules to Filter Spam".

URL Domain Black List

You can configure IMail Server to search for domain names that appear as URL links in messages, and set the action to take on such messages. These domain names are contained in the URL Domain Black List, which is stored in the url-domain-bl.txt file, located in the IMail top directory. IMail Server extracts the primary domain from an http link, in an HREF or IMG SRC tag, to determine if the domain is in the URL Domain Black List. If it is, the e-mail is identified as spam and the specified spam action is taken. The list box under URL Domain Black List displays domain names that have been entered manually, as well as those entered using antispamseeder.exe. Secondary domains can choose to use the primary domain's URL Domain Black List instead of maintaining their own.
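The feature count from the Example Configuration (Embedded Comment plus Deceptive URL, threshold 2) and the HREF / IMG SRC domain check described above, as an added example that is not IMail's own code. The definitions used for the two features, the two-label "primary domain" rule and all names are assumptions; the HTML bodies are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class MailHTMLScanner(HTMLParser):
    """Collects HREF / IMG SRC hosts, link text and comments from an HTML body."""
    def __init__(self):
        super().__init__()
        self.comments = 0
        self.url_hosts = []   # hosts found in <a href> and <img src>
        self.anchors = []     # (href host, visible link text)
        self._open = None     # [host, text parts] for the <a> being read

    def handle_starttag(self, tag, attrs):
        attr = {"a": "href", "img": "src"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        parts = urlparse(url or "")
        host = (parts.hostname or "").lower() if parts.scheme in ("http", "https") else ""
        if host:
            self.url_hosts.append(host)
        if tag == "a":
            self._open = [host, []]

    def handle_data(self, data):
        if self._open:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self.anchors.append((self._open[0], "".join(self._open[1]).strip()))
            self._open = None

    def handle_comment(self, data):
        self.comments += 1


def primary_domain(host):
    # Assumption: primary domain = last two labels; IP literals are kept whole.
    return host if host.replace(".", "").isdigit() else ".".join(host.split(".")[-2:])


# Assumption: a link is "deceptive" when its visible text names another domain.
_TEXT_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def features_found(scan):
    found = {"Embedded Comment"} if scan.comments else set()  # any comment counts
    for host, text in scan.anchors:
        m = _TEXT_HOST.match(text)
        if host and m and primary_domain(m.group(1).lower()) != primary_domain(host):
            found.add("Deceptive URL")
    return found


def scan_message(html, selected, threshold, url_blacklist):
    scan = MailHTMLScanner()
    scan.feed(html)
    scan.close()
    hits = features_found(scan) & set(selected)
    listed = {primary_domain(h) for h in scan.url_hosts} & set(url_blacklist)
    # Distinct feature types are counted; reaching the configured number flags spam.
    return {"features": sorted(hits), "feature_spam": len(hits) >= threshold,
            "url_dbl_hits": sorted(listed)}


# Constructed sample bodies (not real mail).
SAMPLE = ('<p>Your acc<!-- x9 -->ount needs veri<!-- k2 -->fication.</p>'
          '<a href="http://login.badhost.example/verify">www.mybank.example</a>'
          '<img src="http://img.tracker.example/p.gif">')
BENIGN = '<p>See <a href="http://www.vendor.example/docs">our docs</a>.</p>'
```

With only one of the two selected features present, the same call returns `feature_spam` as false, which is the behaviour the suggested threshold of 2 is meant to give.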

Options

Action to be taken on e-mail that contains one of the above URL Domains. Specify the action to take on a message containing one of the domains in the URL Domain Black List.

Prefix Subject With. If selected, the subject of a message that is identified as spam by the URL Domain Black List, will be modified to begin with the text entered in the text box. By default this text is X-IMail-Spam-URL-DBL, but you can customize it to anything you wish, as long as it does not exceed 255 characters.

Adding a Domain to the URL Domain Black List

  1. On the Content Filtering (HTML) tab, click Add under URL Domain Black List.
  2. In the Add URL Domain Name text box, enter the domain name or IP address that you want to add to the black list. See below for acceptable entries.
  3. Click OK.

The domain name now appears in the URL Domain Black List box on the Content Filtering (HTML) tab.

Acceptable Entries

The following are acceptable entries for the URL Domain Black List:

Editing a Domain in the URL Domain Black List

  1. On the Content Filtering (HTML) tab, find the URL Domain Black List box.
  2. Select the domain name or IP address that you want to modify and click Edit.
  3. In the Edit URL Domain dialog, make any desired modifications, and click OK.

The modified domain name now appears in the URL Domain Black List box on the Content Filtering (HTML) tab.

Note: You can also use the antispamseeder.exe utility to create a URL Domain Black List. For more information, see "Creating a URL Domain Black List From a Mailbox".

Merging Multiple URL Domain Black Lists

To combine the contents of multiple URL domain black list files, you must use the cleanlist.exe command line utility. For more information see "Merging\Cleaning Phrase Lists and URL Domain Black Lists (cleanlist.exe)".

Configuring Trusted Addresses

The Trusted Addresses tab allows you to enter IP addresses, subnet masks, e-mail addresses, and domains for which no content filtering is done. The addresses and domains displayed on this tab are stored in the spamskip.txt file, which is located in the host's top directory.


Getting to the Trusted Addresses tab

  1. In the left panel, expand the localhost folder and select a host with an IP address.
  2. Expand the host, and select the Antispam folder.
  3. In the right panel, click the Trusted Addresses tab.

Adding Trusted Addresses

To add an IP address to the trusted address list, do the following:

  1. Click Add on the Trusted Addresses tab, and enter the IP address and subnet into the Add Trusted Address dialog box.
  2. Click OK on the Add Trusted Address dialog box.
  3. Click Apply at the top of the right panel to save your changes.

Display Options

Address. The IP address for which no spam test is performed.

NetMask. The subnet mask for which no spam tests are done.
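How an Address / NetMask pair decides which senders skip spam testing, with a review pass over the list, as an added example that is not IMail's own code. The entry layout, the /24 review threshold and all names are assumptions (the spamskip.txt format is not described on this page); the entries use documentation and private address ranges and are constructed.

```python
import ipaddress

# Constructed trusted entries: (Address, NetMask).
ENTRIES = [
    ("192.0.2.10", "255.255.255.255"),   # single host
    ("198.51.100.0", "255.255.255.0"),   # one /24
    ("10.0.0.0", "255.0.0.0"),           # very broad
    ("203.0.113.7", "255.0.255.0"),      # non-contiguous mask
]


def network_from(address, netmask):
    """Network covered by an Address/NetMask pair (host bits are masked off)."""
    return ipaddress.ip_network(f"{address}/{netmask}", strict=False)


def valid_networks(entries):
    """Yield the networks of all entries whose mask can be parsed."""
    for address, netmask in entries:
        try:
            yield network_from(address, netmask)
        except ValueError:
            continue


def is_trusted(client_ip, entries):
    """True if no spam tests would be run for this connecting address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in valid_networks(entries))


def audit(entries, min_prefix=24):
    """Flag entries that cannot be parsed or that exempt a large range."""
    findings = []
    for address, netmask in entries:
        try:
            net = network_from(address, netmask)
        except ValueError as exc:
            findings.append((address, netmask, f"invalid: {exc}"))
            continue
        if net.prefixlen < min_prefix:
            findings.append((address, netmask,
                             f"exempts {net.num_addresses} addresses ({net})"))
    return findings


if __name__ == "__main__":
    for finding in audit(ENTRIES):
        print(finding)
```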



Ipswitch, Inc.
http://www.ipswitch.com
©Ipswitch 2004