7
When Using Gateway, Spam Checks are Repeated
Problem reported by Scott Forsythe - October 9, 2015 at 12:10 PM
Submitted
Hello,
 
We're trying to reduce the load on our primary SmarterMail server by setting up a SmarterMail gateway per this article: https://portal.smartertools.com/kb/a2669/free-gateway.aspx.
 
I successfully set up an incoming gateway using SmarterMail. I used the "Domain Forward" mode and could verify mailboxes with "SmarterMail Gateway Mode".
 
On the Spam tab of the Incoming Gateway I selected "Pass Score To SmarterMail" for the Medium and High Action. The scores are successfully passed to the primary but the primary server does the same spam checks again (RBLs, URIBLs, etc).
 
We would prefer the primary server just take action on the Medium and High gateway score per the filtering tab or better yet just run any additional spam checks that were not done on the gateway. For example, have the primary just check the gateway messages for Cyren and Bayes. No need to run the RBLs, URIBLs, and SpamAssassin again on the primary.
 
Thanks,
Scott

6 Replies

Reply to Thread
0
Scarab Replied
October 12, 2015 at 12:04 PM
Although it may seem otherwise, this is normal behavior.
 
We have set out Incoming Gateways in SmarterMail Gateway Mode to do Spam Checks and "Pass Score to SmarterMail". The Primary Server has all Incoming Spam Checks disabled and only does Outgoing Spam Checks. Everything works as intended configured as such.
 
The limitation of this is that your Primary cannot be listed as one of the MX Records in DNS, otherwise it will be receiving Incoming email from sources other than your Gateway(s), and won't be able to do Incoming Spam Checks.
 
Of course you can enable Incoming Spam Checks on the Primary that are not used on the Gateways, but ultimately if you have duplicate Spam Checks on both the Gateway and Primary then those checks will be run twice. To my knowledge there is no other way around this behavior.
2
Scott Forsythe Replied
October 13, 2015 at 7:06 AM
Thanks for the reply Scarab. I figured it was normal behavior. It would be nice to have the gateway and the primary server better work together though. For example, have the primary server add Cyren scores to messages from the gateway. A message with a low score could then get enough points to score high. This would be a nice feature since Cyren is not available on the Free Version.
3
Scott Forsythe Replied
October 19, 2015 at 1:29 PM
This doesn't make any sense. Can SmarterTools check to see if it's a bug?
  1. The spam checks run on the gateway and pass the score to the primary.
  2. The primary runs all the spam checks again, but uses the score from the gateway???
This makes no sense. Why would you run all the checks again?  I'm hoping SmarterMail is 'smarter' than this and I'm missing a setting.
5
kevind Replied
December 7, 2015 at 4:03 PM
During the holidays, email traffic is at an all-time high due to the Black Friday, Cyber Monday, etc. It would be really nice if the SmarterMail server and gateway would work together to handle the increased traffic.
 
The incoming gateway runs the RBL tests, SMTP blocking, plus SpamAssassin to offload CPU from the primary server. Then it passes the score to the primary server. As Scott pointed out, this is documented (http://portal.smartertools.com/kb/a2669/gateway.aspx), works fine, and no changes are necessary.
 
However, when the message is passed to the primary server:
  • SM runs all the RBL tests + SpamAssassin + Bayes + Cyren again! This is a waste of effort because it doesn't even use the results (it uses the score passed from the gateway).
To fix, make this small adjustment on the primary server:
  1. Don't run RBL or SA on messages that have a gateway score.
  2. Do run Bayes & Cyren (good, because users can teach the system). Then add the results to the gateway score.
Looking forward to this simple fix which would help everyone who runs SM as an incoming gateway.
 
Thanks,
Kevin
0
David Fisher Replied
December 14, 2015 at 12:17 PM
Hi,
 
  I have been running inbound SmarterMail Gateway's for many years now.  I have been improvement in them, but there are still a lot of issues with them.  I used to run 4 inbound ones, until Greylisting delayed the emails for too long.  Now I am running two, and that is still an issue, as if one gateway gets the email and greylists it, then the other one might get the email later and grelists (soft refuses it) it again because it doesn't know it already as attempted once before.
 
  Another issue is with expired accounts and over quota accounts, it doesn't do a good job checking it again, as in the SMTP level, once it was rejected for a reason, it doesn't know about any new reasons.  Example, the customer was over quota, so the email sits in the inbound server waiting and retrying, later now the account is expired and set to reject mail, it still thinks it is over quota.
 
  I have had several tickets opened regarding issues with inbound gateways, gave feedback in old forums and beta forums, and there has been improvement made.
 
   I was hoping the Message Sniffer feature would allow my inbound gateways to use it, however it seems all anti-spam paid services are per user bases and can only be run on the main mailserver that has the users.
 
  One thing you can do it only allow the main server to communicate with the gateway, it won't work in my situation, as I do not use the inbound gateways for all my domains, some domains MX records point directly to the main server, so th spam checks will have to be ran, if you do not do that, you could set it that the main SmarterMail server doesn't answer on port 25 for the public but only to the inbound gateway.  Thus you could disable all spam checking on the main server.
 
  From my understanding, if you "Pass Score to SmarterMail" and the score is BIG enough to trigger a move filtering rule, it shouldn't scan it again.  I thought that is how it used to work, I will need to look at my tickets and see, if I can find anything.  I do see that it is scanning it again on the main server.  But if it is BIG enough and you have it set to delete on the inbound server the main server shouldn't see it.
 
  I will look everything over again, and try to update this thread with any new information.  I know I am fighting spam a lot more lately with my setup, so I am sure something is not correct.
 
Thanks,
-dave
5
kevind Replied
January 31, 2016 at 1:11 PM
For anyone following this thread, some of these items were addressed in version 14.5 which was released a few days ago. Now the RBL checks don't run twice (just on gateway). Thanks ST!
 
However, it could still be better. For messages coming from gateway:
  • Run Cyren on primary (so we don't have to license another copy)
  • Run Bayes on primary (good, because users can teach the system)
  • Then add the above results (Cyren+Bayes) to the gateway score (RBLs+SA) for a composite spam score.
Thanks.

Reply to Thread