Configuring AntiSpam and Mail server security
Posted by Gary, Last modified by Valentin on 04 August 2014 06:08 AM

AntiSpam


Introduction


Spam is one of the fastest-growing and most troublesome areas of illegal IT activity. Spammers react quickly to each new countermeasure, so it is very difficult to write a definitive how-to against spam. Treat this document as a set of recommendations for keeping the amount of spam as low as possible.

 

Tips

 

Create a schedule for automatic updates

  • As mentioned in the Introduction, the power of AntiSpam is in the up-to-date spam reference database. Because of that, carefully set the schedule to a time when the server is not busy but is online!

  • In some cases, you may want to download the most current updates manually by clicking the "Update now" button.

Main Menu > AntiSpam > General > General tab

AntiSpam Update

 

Enable "Debug" logging for the AntiSpam engine

  • As shown in the picture below, enable logging for the AntiSpam engine. This can later help you find out what happened when you need to investigate why a message was or was not flagged as spam.

Main Menu > System > Services > General tab

AntiSpam Services

 

AntiSpam processing of outgoing messages 

  • In large organizations with many email accounts within a single domain, it is recommended to also turn on processing for outgoing messages. This provides more security in case one or more accounts have been compromised.

 Main Menu > AntiSpam > General > Other tab

 AntiSpam Other

 

 

Carefully set the scores required for actions with messages and enable reporting

  • In this part of the AntiSpam configuration especially, it is very hard to recommend exact values. They depend on the type of incoming messages, and it will take some time trying different values until the best results are achieved. You can try the predefined templates for these settings, but some adjustments will still be required. There are many ways to configure Spam Reports, Quarantine Reports, etc. More information on these topics can be found in other FAQs or in the AntiSpam Guide. The picture below shows some common settings of the engine.

 

Main Menu > AntiSpam > Action > Action tab 

AntiSpam Action

 

 

Main Menu > AntiSpam > Action > Reports tab

 

AntiSpam Reports

 

Don't forget to activate the Quarantine module - Main Menu > AntiSpam > Quarantine > Quarantine tab

AntiSpam Quarantine

 

 

Enable SpamAssassin

  • SpamAssassin is a set of powerful tools which helps to avoid spam. The picture below shows the recommended settings of the SpamAssassin module. If you encounter more problems, you can activate any of the other technologies as necessary.

  • A useful feature is SpamAssassin reporting. Its exact usage depends on your requirements; for example, adding an X-header with the report can help you quickly track which filters have added a score to a particular email.

Main Menu > AntiSpam > SpamAssassin > SpamAssassin tab

 

AntiSpam SpamAssassin

 

 

RBL (Realtime Blackhole Lists)

  • Realtime blackhole lists also contribute to avoiding spam. An RBL is a realtime database of servers which are being used to send spam, so if the hostname of such a server appears in the message header, SpamAssassin will add the specified score to the message.

  • Because of resource usage, it is recommended to use at most four RBLs.

 

Main Menu > AntiSpam > SpamAssassin > RBL tab

AntiSpam RBL

 

DNSBL

  • The DNS Blackhole List function is similar to the RBL feature used in SpamAssassin. An online database in the form of a special DNS server is queried by the server in the course of the message receipt process. If the sender's IP is listed in the DNSBL, the message can be rejected by closing the session before the message is sent. You can also manually define other DNSBL servers, which can be found on the Internet.

  • The screenshot below shows other options enabled which will reject the message if it is sent from a suspect mail server.

 

Main Menu > Mail > Security > DNS tab 

 AntiSpam DNSBL
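
The lookup behind both the RBL and DNSBL features described above, as an added Python example (not IceWarp's code): the address is reversed, the list's zone is appended, and an A-record answer inside 127.0.0.0/8 means "listed". The zones `dnsbl.example` and `parked.example` and the `SAMPLE_DNS` answers are constructed placeholders so the example runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL lookup resolves: reversed address labels + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                  # 4 octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")

def system_resolver(name):
    """A records for name via the OS resolver; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_dnsbl(ip, zones, resolve=system_resolver):
    """Return {zone: [return codes]} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        # A listing is an answer inside 127.0.0.0/8. Any other address
        # (for example a wildcard from an expired zone) is not a listing.
        codes = [a for a in answers if a.startswith("127.")]
        if codes:
            hits[zone] = codes
    return hits

# Constructed answers standing in for real DNS; both zones are placeholders.
SAMPLE_DNS = {
    "99.2.0.192.dnsbl.example": ["127.0.0.2"],
    "99.2.0.192.parked.example": ["203.0.113.7"],
}

def sample_resolver(name):
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    zones = ["dnsbl.example", "parked.example"]
    print(dnsbl_query_name("192.0.2.99", zones[0]))
    print(check_dnsbl("192.0.2.99", zones, sample_resolver))
    print(check_dnsbl("192.0.2.1", zones, sample_resolver))
```

Each zone costs one DNS query per checked address, which is why the number of lists in use affects resource usage.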

 

Use Bayesian database

  • The Bayesian statistical function adds a score to emails, making the AntiSpam more effective if configured properly. The Bayesian filter is based on statistical comparisons of genuine messages with spam messages. You can improve its precision by using the learning functions, which can be found in Main Menu > AntiSpam > Learning rules.

  • Enable both options by checking Active, and don't forget to feed the engine with both spam and genuine messages to improve its relevancy.

 
Main Menu > AntiSpam > Bayesian > Bayesian tab

AntiSpam Bayesian

 

 

Enable Black & White lists

  • One of the most useful and powerful functions, which can also be managed by users, is Black & White listing. Turn on message blacklisting for messages which are 100% spam. You can also add your own words to the blacklist, so that if any of them appear in a message, the message will not be delivered at all.

Main Menu > AntiSpam > Black & White List > Blacklist tab

AntiSpam Blacklist

 

  • The whitelist, on the other hand, allows you to define which domains, email addresses, local senders, and keywords you trust, so that their email is always delivered, independent of the rating received from AntiSpam.

Main Menu > AntiSpam > Black & White List > Whitelist tab

AntiSpam Whitelist

 

Greylisting

  • Greylisting (formerly called tarpitting) purposely delays receipt of messages from all senders that are not authorized. A sender is authorized once it successfully goes through the greylisting process and then, for a specified time (until the authorization expires), does not need to go through the process again. Because of the delay between the first and the second session, this stops spambots that send thousands of messages per second to different addresses: unlike RFC-compliant mail servers, they have no time to wait for another session. The time required between the two sessions can be set in the Greylisting tab as shown below:

 

  • If needed, you can manually authorize pending sessions in the dialog which opens after clicking on the "Greylisting" button.

Main Menu > AntiSpam > Greylisting > Greylisting tab

AntiSpam Greylisting

 

Intrusion Prevention

  • Another useful and important feature of the IceWarp mail server is the Intrusion Prevention system, which can eliminate many spam attacks. For example, a dictionary attack on user mailbox names can be denied by controlling the number of delivery attempts to unknown users. After that you can define how long this IP address will remain blocked, or if all other sessions coming from this IP should be refused automatically.


Main Menu > Mail > Security > Intrusion Prevention tab

AntiSpam Int Prev
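
The unknown-user limit described above, replayed over a sample log as an added Python example (not IceWarp's code or log format). The log lines, the format, and the `max_unknown` and `block_seconds` values are constructed assumptions; reply code 550 is the standard SMTP "mailbox unavailable" response.

```python
import re
from collections import defaultdict

# Constructed log in a made-up format (not IceWarp's own):
# <seconds> <client IP> RCPT <address> <SMTP reply code>
SAMPLE_LOG = """\
0 198.51.100.23 RCPT <admin@example.com> 550
1 198.51.100.23 RCPT <info@example.com> 550
2 198.51.100.23 RCPT <sales@example.com> 550
3 198.51.100.23 RCPT <test@example.com> 550
4 198.51.100.23 RCPT <root@example.com> 550
5 192.0.2.50 RCPT <alice@example.com> 250
6 192.0.2.50 RCPT <alcie@example.com> 550
2000 198.51.100.23 RCPT <alice@example.com> 250
"""
LINE = re.compile(r"^(\d+) (\S+) RCPT <[^>]*> (\d{3})$")

def apply_policy(log, max_unknown=3, block_seconds=1800):
    """Replay the log under an unknown-recipient limit.

    Returns (blocks, refused): blocks is a list of (ip, start, end) and
    refused counts the commands each IP sent while it was blocked.
    """
    unknown = defaultdict(int)      # ip -> unknown-recipient attempts so far
    blocked_until = {}              # ip -> time the block ends
    blocks, refused = [], defaultdict(int)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                # ignore lines in any other format
        t, ip, code = int(m.group(1)), m.group(2), m.group(3)
        if blocked_until.get(ip, 0) > t:
            refused[ip] += 1        # session refused, recipient never tested
            continue
        if code == "550":           # 550 = mailbox unavailable (unknown user)
            unknown[ip] += 1
            if unknown[ip] >= max_unknown:
                blocked_until[ip] = t + block_seconds
                blocks.append((ip, t, t + block_seconds))
                unknown[ip] = 0
    return blocks, dict(refused)

if __name__ == "__main__":
    print(apply_policy(SAMPLE_LOG))
```

A single mistyped recipient from a legitimate server stays under the limit, which is the trade-off to keep in mind when choosing the number of allowed attempts.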

 

User's limits

  • To prevent your domain from being used to send spam, it is better to use domain limits for outgoing messages. A typical user does not send more than 200 messages per day, so set the limit to 200.

  • To enable domain limits globally, follow the screenshot below: 

Main Menu > Domains & Accounts > Global Settings > Domains tab

 AntiSpam Global Domains

  

Main Menu > Domains & Accounts > Management > "domain_name" >  Limits tab

AntiSpam Domain Limits

 

  • If any user needs to send more than 200 emails per day, you can define this separately in the user's settings as shown below:

Main Menu > Domains & Accounts > Management > "user_name" > Limits tab

AntiSpam User Limits

 

 

For now, that's all you can do against spam that fits into this 5-minute tutorial. Don't forget that all these settings are individual, and not all tips need to be applied to your specific environment. For more information, please refer to the AntiSpam Administration Guide.

 

Updated 04.08.2014, by Valentin