How to configure AntiSpam and mail server security
Posted by , Last modified by on 01 August 2012 01:40 PM
Preventing open relay is the most important AntiSpam setting. Once your server is an open relay, spammers will find it within moments and add it to lists of OPEN (free to spam from) SMTP servers. From then on your server will relay thousands of spam emails per second and will shortly be blacklisted worldwide by many ISPs and RBL services.
Relaying can be set in Mail service --> Security.
As you can see in the picture above, you can also define Trusted IPs here. Relaying from these IPs is not limited in any way, even if the mail is spam: the Anti-Spam engine is bypassed completely for them.
As mentioned in the Introduction, the power of AntiSpam lies in an up-to-date spam reference database. Because of that, set the update schedule carefully, to a time when the server is not busy but is online.
In some cases you may want to download the current AntiSpam database manually by clicking the "Update now" button.
As shown in the picture below, enable logging of the AntiSpam engine. It can later help you find out what happened when you need to investigate why a message was or wasn't marked as spam. In large organizations with many email accounts within a single domain, it is advisable to turn on processing for outgoing messages as well. This provides more security in case one of your accounts is stolen by a spammer.
Especially in this part of the AntiSpam configuration it is very hard to recommend exact values. They really depend on the type of incoming messages, and this process will take some time of trying different values until the best results are achieved. You can try the predefined templates for these settings, but some adjustments will still be required. There are many ways to configure Spam Reports, Quarantine etc.; more information on these topics can be found in other FAQs or in the Anti-Spam Guide.
The picture shows some common settings of the engine.
Don't forget to set Quarantine to Active mode in the Quarantine node of AntiSpam.
SpamAssassin is a set of powerful tools which really helps to avoid spam. The picture below shows the recommended settings of the SpamAssassin module. If some problems still appear, you can activate any of the other technologies as necessary.
A useful feature is SpamAssassin reporting. Its exact usage depends on your requirements; for example, adding an X-Header with the report can help you quickly track which filters have added score to a particular email.
Real-time blackhole lists also contribute to avoiding spam. An RBL is a real-time database of servers which are being used to send spam, so if the hostname of such a server appears in the message header, SpamAssassin will add the specified score to the message.
Because of resource usage, it is recommended to use at most 3 RBL lists.
This function is similar to the RBL used in SpamAssassin. An online database in the form of a special DNS server is queried by the server in the course of the message receipt process. If the sender's IP is listed in the DNSBL, the message can be rejected by closing the session before the message is sent. You can also manually define any other DNSBL servers which can be found on the internet.
The picture below also shows other options enabled, which will reject the message if it is sent from a suspect mail server.
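The DNSBL check described above is just a DNS lookup with a specially built name. The following Python is an added example written for this article, not the mail server's own code: it builds the lookup name (reversed octets plus zone), treats only answers in 127.0.0.0/8 as a listing, and rejects the client at session start, before any message is transferred. The zone names ending in .example.invalid, the return-code meanings and the fake resolver are constructed so the example runs offline; the dns_resolve helper shows how the same check would use the system resolver.

```python
import ipaddress
import socket
from typing import Callable, Optional, Sequence, Tuple

# Constructed placeholder zone names for the example; a real deployment would
# substitute the DNSBL zones it subscribes to.
DNSBL_ZONES = ("dnsbl.example.invalid", "bl.example.invalid")

# DNSBLs answer a listed address with an A record inside 127.0.0.0/8; the
# meaning of each return code is zone-specific, so this table is constructed.
LISTING_REASONS = {
    "127.0.0.2": "known spam source",
    "127.0.0.3": "dynamic / dial-up address",
}


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the lookup name: the client's IPv4 octets reversed, then the zone.

    1.2.3.4 checked against dnsbl.example.invalid becomes 4.3.2.1.dnsbl.example.invalid.
    """
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{zone}"


def dns_resolve(name: str) -> Optional[str]:
    """Resolve a name to an A record with the system resolver; None when it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(client_ip: str,
                resolve: Callable[[str], Optional[str]] = dns_resolve,
                zones: Sequence[str] = DNSBL_ZONES) -> Tuple[bool, Optional[str], Optional[str]]:
    """Return (listed, zone, reason) for the first zone that lists client_ip."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(client_ip, zone))
        if answer is None:
            continue
        try:
            code = ipaddress.IPv4Address(answer)
        except ValueError:
            continue
        # Only 127.0.0.0/8 answers are valid listings; anything else (for example a
        # wildcard answer from a decommissioned zone) must not count as a hit.
        if code not in ipaddress.IPv4Network("127.0.0.0/8"):
            continue
        return True, zone, LISTING_REASONS.get(answer, f"listed with code {answer}")
    return False, None, None


def session_decision(client_ip: str,
                     resolve: Callable[[str], Optional[str]] = dns_resolve) -> str:
    """Decide at connection time: reject listed clients before any message is sent."""
    listed, zone, reason = check_dnsbl(client_ip, resolve)
    if listed:
        return f"554 5.7.1 {client_ip} rejected: listed in {zone} ({reason})"
    return "220 mail.example.com ESMTP ready"


# Constructed offline stand-in for the DNS zones so the example runs without network.
FAKE_ZONE_ANSWERS = {
    "4.3.2.1.dnsbl.example.invalid": "127.0.0.2",
    "1.0.0.10.bl.example.invalid": "127.0.0.3",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("1.2.3.4", "10.0.0.1", "192.0.2.50"):
        print(ip, "->", session_decision(ip, resolve=fake_resolve))
```

The check against the 127.0.0.0/8 range is the caveat worth keeping: a DNSBL zone that has been shut down and turned into a wildcard would otherwise list every client and cause the server to reject all mail.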
The Bayesian statistical function adds score to emails, making AntiSpam more effective if configured properly. The Bayesian filter is based on a statistical comparison of genuine messages with spam messages. You can improve its precision by using the learning functions of the Bayesian filter, which can be found in AntiSpam --> Learning rules. Enable both options by checking Active, and don't forget to feed the engine with both spam and genuine messages to improve its relevancy.
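To show why the filter needs examples of both classes, here is an added Python example of a Bernoulli naive Bayes classifier, written for this article and not the mail server's own implementation. It learns from a constructed six-message corpus (three spam, three genuine), computes P(spam | tokens) in log space with add-one smoothing, and turns that probability into a score contribution in the same spirit as the engine described above. The training sentences, the 3.0 maximum score and the 50 % cut-off are assumptions for the demonstration.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> set:
    """Lower-case word tokens; each token counted once per message (presence model)."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesianFilter:
    """Bernoulli naive Bayes over message tokens with Laplace (add-one) smoothing."""

    def __init__(self):
        self.spam_docs = Counter()  # token -> number of spam messages containing it
        self.ham_docs = Counter()   # token -> number of genuine messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def learn(self, text: str, is_spam: bool) -> None:
        """The 'learning rules' step: feed a message of known class into the model."""
        docs = self.spam_docs if is_spam else self.ham_docs
        for tok in tokenize(text):
            docs[tok] += 1
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | tokens); 0.5 until the filter has seen both classes."""
        if self.n_spam == 0 or self.n_ham == 0:
            return 0.5
        total = self.n_spam + self.n_ham
        log_spam = math.log(self.n_spam / total)
        log_ham = math.log(self.n_ham / total)
        for tok in tokenize(text):
            if tok not in self.spam_docs and tok not in self.ham_docs:
                continue  # never seen in training: carries no evidence either way
            # Smoothing keeps a token seen in only one class from forcing 0 or 1.
            log_spam += math.log((self.spam_docs[tok] + 1) / (self.n_spam + 2))
            log_ham += math.log((self.ham_docs[tok] + 1) / (self.n_ham + 2))
        # Work in log space and convert once, so long messages cannot underflow.
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def score_contribution(self, text: str, max_score: float = 3.0) -> float:
        """Score to add to the message total: 0 below 50 %, scaling up to max_score."""
        p = self.spam_probability(text)
        return round(max_score * (2.0 * p - 1.0), 2) if p > 0.5 else 0.0


# Constructed training corpus standing in for the spam and genuine folders fed to the engine.
TRAINING = [
    ("Cheap viagra, buy now and win a free prize", True),
    ("You have won a lottery prize, claim your free money now", True),
    ("Buy cheap pills online, limited offer", True),
    ("Please review the attached quarterly report before the meeting", False),
    ("Can we move our meeting to Thursday afternoon?", False),
    ("The report draft is attached, thanks for your feedback", False),
]


def trained_filter() -> BayesianFilter:
    f = BayesianFilter()
    for text, is_spam in TRAINING:
        f.learn(text, is_spam)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("Win a free prize now, buy cheap pills", "Can we meet to review the report?"):
        print(f"{f.spam_probability(msg):.4f} +{f.score_contribution(msg)}  {msg}")
```

With only spam in the training set the probability would be undefined (the code returns a neutral 0.5), which is the practical reason the article tells you to feed genuine messages as well.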
One of the most useful and powerful functions, which can also be managed by users, is black & white listing. Turn on message blacklisting for messages which are 100% spam. You can also define your own words to blacklist, so if any of them appears in a message, that message won't be delivered at all.
Greylisting (formerly called tarpitting) deliberately delays receiving messages from all senders which are not authorized. The sender is authorized after it successfully goes through the greylisting process, meaning that for a specified time it doesn't need to go through it again (until the authorization expires). This stops spambots sending thousands of messages to different addresses per second, because of the delay between the first and second session: unlike RFC-compliant mail servers, they have no time to wait for another session. The time required between the two sessions can be set in the Greylisting tab as shown below.
If needed, you can manually authorize pending sessions in the dialog which opens after clicking the "Greylisting" button.
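The greylisting process above can be followed step by step in code. This Python is an added example for this article, not the product's implementation: it keys on the (client IP, sender, recipient) triplet, answers the first contact with a temporary 451 reply, accepts a retry only after the configured delay, remembers the authorization until it expires, bypasses trusted IPs, and offers the manual authorization of a pending session. The delay and expiry values, the reply texts and the FakeClock used to step through time are assumptions made for the demonstration.

```python
import time
from typing import Callable, Dict, Iterable, Tuple

Triplet = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)

GREYLIST_REPLY = "451 4.7.1 Greylisted, please retry later"
ACCEPT_REPLY = "250 OK"


class Greylist:
    """Unknown triplets are deferred; a retry after the delay authorizes the
    triplet until the authorization expires."""

    def __init__(self, delay_s: int = 300, authorization_ttl_s: int = 30 * 24 * 3600,
                 trusted_ips: Iterable[str] = (), clock: Callable[[], float] = time.time):
        self.delay_s = delay_s
        self.ttl_s = authorization_ttl_s
        self.trusted_ips = set(trusted_ips)
        self.clock = clock
        self.pending: Dict[Triplet, float] = {}     # triplet -> time of first attempt
        self.authorized: Dict[Triplet, float] = {}  # triplet -> time authorization was granted

    @staticmethod
    def _key(client_ip: str, mail_from: str, rcpt_to: str) -> Triplet:
        return (client_ip, mail_from.lower(), rcpt_to.lower())

    def check(self, client_ip: str, mail_from: str, rcpt_to: str) -> str:
        """SMTP reply for a RCPT TO from this triplet."""
        if client_ip in self.trusted_ips:
            return ACCEPT_REPLY  # trusted IPs bypass greylisting entirely
        key = self._key(client_ip, mail_from, rcpt_to)
        now = self.clock()

        granted = self.authorized.get(key)
        if granted is not None:
            if now - granted < self.ttl_s:
                return ACCEPT_REPLY
            del self.authorized[key]  # authorization expired: start over

        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now  # first contact: defer and remember
            return GREYLIST_REPLY
        if now - first_seen < self.delay_s:
            return GREYLIST_REPLY    # retried too soon: keep deferring
        # A retry after the delay is what a real MTA does and a spambot usually does not.
        del self.pending[key]
        self.authorized[key] = now
        return ACCEPT_REPLY

    def authorize_pending(self, client_ip: str, mail_from: str, rcpt_to: str) -> bool:
        """Manual authorization of a pending session (the 'Greylisting' dialog)."""
        key = self._key(client_ip, mail_from, rcpt_to)
        if key not in self.pending:
            return False
        del self.pending[key]
        self.authorized[key] = self.clock()
        return True


class FakeClock:
    """Constructed clock so the example can step through time without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    g = Greylist(delay_s=300, authorization_ttl_s=3600, clock=clock)
    args = ("198.51.100.7", "sender@example.net", "user@example.com")
    print("first attempt:     ", g.check(*args))
    clock.advance(60);   print("retry after 60 s:  ", g.check(*args))
    clock.advance(300);  print("retry after 360 s: ", g.check(*args))
    clock.advance(3700); print("after expiry:      ", g.check(*args))
```

A too-short delay lets a bot that retries immediately through; a too-long one delays legitimate mail and provokes complaints, which is why the article leaves the value to the Greylisting tab rather than prescribing one.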
To avoid your domain being involved in sending spam, it is better to use domain limits for outgoing messages. Standard users don't send more than 200 messages a day, so set the limit to 200. Don't forget to enable usage of domain limits in Domains & Accounts --> Global settings --> Domains --> Limits tab. If any user needs to send more than 200 emails a day, you can define it separately in this user's settings. Global settings are done through Domains & Accounts --> Management --> selected domain --> Limits, as shown in the picture below.
Another useful and important feature of the mail server is the Intrusion prevention system, which can eliminate many spam attacks. For example, a dictionary attack against user mailbox names can be denied by controlling the number of delivery attempts to unknown users. You can then define for how long this IP address will remain blocked, and whether all other sessions coming from this IP should be refused automatically.
The screenshot will help you with the setting.
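The intrusion prevention rule described above (count delivery attempts to unknown users per client IP, then block that IP for a while and optionally refuse its sessions) is easy to express as a sliding-window counter. This Python is an added example for this article, not the mail server's own code: the thresholds, block duration, reply texts and the constructed list of local users are assumptions, and the clock is injected so the block expiry can be demonstrated without waiting.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Set

BLOCKED_REPLY = "554 5.7.1 Access denied: client blocked by intrusion prevention"
UNKNOWN_USER_REPLY = "550 5.1.1 User unknown"
ACCEPT_REPLY = "250 OK"
BANNER = "220 mail.example.com ESMTP ready"


class UnknownRecipientGuard:
    """Block a client IP after too many delivery attempts to non-existent local
    users inside a sliding window, the pattern a dictionary attack on mailbox
    names produces."""

    def __init__(self, max_unknown: int = 5, window_s: int = 60, block_s: int = 900,
                 refuse_sessions: bool = True, clock: Callable[[], float] = time.time):
        self.max_unknown = max_unknown          # attempts to unknown users tolerated
        self.window_s = window_s                # ... within this many seconds
        self.block_s = block_s                  # how long the IP stays blocked
        self.refuse_sessions = refuse_sessions  # refuse new sessions from a blocked IP
        self.clock = clock
        self.attempts: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> unknown-RCPT times
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, client_ip: str) -> bool:
        until = self.blocked_until.get(client_ip)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.blocked_until[client_ip]  # block has expired
        return False

    def on_connect(self, client_ip: str) -> str:
        """Reply at session start; a blocked IP gets no further sessions if so configured."""
        if self.refuse_sessions and self.is_blocked(client_ip):
            return BLOCKED_REPLY
        return BANNER

    def on_rcpt(self, client_ip: str, recipient: str, local_users: Set[str]) -> str:
        """Reply to RCPT TO, counting attempts to unknown users per client IP."""
        if self.is_blocked(client_ip):
            return BLOCKED_REPLY
        if recipient.lower() in local_users:
            return ACCEPT_REPLY
        now = self.clock()
        window = self.attempts[client_ip]
        window.append(now)
        while window and now - window[0] > self.window_s:
            window.popleft()  # drop attempts older than the window
        if len(window) >= self.max_unknown:
            self.blocked_until[client_ip] = now + self.block_s
            window.clear()
            return BLOCKED_REPLY
        return UNKNOWN_USER_REPLY


# Constructed local user list for the demonstration.
LOCAL_USERS = {"alice@example.com", "bob@example.com"}

if __name__ == "__main__":
    t = {"now": 1000.0}  # constructed clock: a dict so the lambda can see updates
    guard = UnknownRecipientGuard(max_unknown=3, window_s=60, block_s=900, clock=lambda: t["now"])
    ip = "203.0.113.5"
    print(guard.on_connect(ip))
    for rcpt in ("alice@example.com", "aaron@example.com", "abby@example.com", "adam@example.com"):
        print(f"RCPT TO:<{rcpt}> -> {guard.on_rcpt(ip, rcpt, LOCAL_USERS)}")
    print("new session while blocked:", guard.on_connect(ip))
    t["now"] += 901
    print("new session after block expiry:", guard.on_connect(ip))
```

Note the trade-off the settings expose: a low threshold with a long block also catches a legitimate sender that mistypes a few addresses, so the window and block length deserve the same tuning the article recommends for scoring thresholds.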
For now that's all you can do against spam that fits into this 5-minute tutorial. Don't forget that all these settings are individual and not all tips need to be applicable to your specific environment. Look for more information in the Anti-Spam documentation.