Back to Community Threads

Mitigating spam

Question asked by Brian Henson - 4/29/2015 at 3:03 PM

Unanswered

One of our users is getting a fairly large amount of spam. I want to help reduce the amount of spam that comes in.

Currently, any spam messages with a weight of more of 20 or more are sent to user's junk e-mail folders.

Under SMTP Blocking, Incoming Weight Threshold is enabled and set to 30.

Greylist and Outgoing weights are not enabled

Spam Checks include:

Enabled for Filtering:
Bayesian Filtering (weight 3)
DomainKeys (-2 pass weight, 2 fail weight)
DKIM (-2, 2)
URIBL: SURBL (4)
URIBL: URIBL (4)

Enabled for Filtering, Incoming SMTP blocking, and Outgoing SMTP blocking:
SPF (-2, 30)
Reverse DNS (30)

Enabled for Filtering and Incoming SMTP blocking
RBL: Five-Ten (3)
RBL: HostKarma - Blacklist (4)
RBL: HostKarma - Brownlist (3)
RBL: HostKarma - Whitelist (-4)
RBL: RHSBL (3)
RBL: SORBS - Abuse (2)
RBL: SORBS - Dynamic IP (3)
RBL: SORBS - Proxy (1)
RBL: SORBS - Socks (1)
RBL: SpamCop (4)
RBL: Spamhaus - PBL (2)
RBL: Spamhaus - PBL2 (2)
RBL: Spamhaus - SBL (5)
RBL: Spamhaus - XBL (5)
RBL: Spamhaus - XBL2 (5)
RBL: UCEProtect Level 1 (1)
RBL: UCEProtect Level 2 (2)
RBL: UCEProtect Level 3 (3)

17 Replies

Reply to Thread

CCWH Replied

4/30/2015 at 11:08 AM

Do you use Bruce's FANTASTIC guide:

https://www.chicagonettech.com/docs/pdf/Antispam%20Settings%20-%20SmarterMail.pdf

If not...go for it!

Brian Henson Replied

10/22/2015 at 1:34 PM

So the problem I'm still having is that there's a lot of spam coming in that passes all of our filters except RHSBL (which seems to flag EVERYTHING as spam).

I think our weight settings are fine, but we need some better filters.

Bruce Barnes Replied

10/22/2015 at 1:52 PM

New antispam document link -- please use this link for all future downloads: https://portal.chicagonettech.com/kb/a171/smartermail-antispam-settings-document.aspx

Bruce Barnes

ChicagoNetTech Inc

brucecnt@comcast.net

Phonr: (773) 491-9019

Phone: (224) 444-0169

E-Mail and DNS Security Specialist

Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com

Website: https://www.ChicagoNetTech.com

Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

Derek Sims Replied

10/23/2015 at 6:07 PM

@Brian

RHSBL has been shutdown, and to get people to stop using their service, they return a positive result for every query.

See: www.ahbl dot org/content/last-notice-wildcarding-services-jan-1st

Brian Henson Replied

10/29/2015 at 11:20 AM

@Derek

Good to know.

@Bruce

I've updated our filtering to match your document, but we still have a lot of spam getting through. I even increased the weight of the Bayesian filter, JWSPAMSPY and UCEPROTECT LEVEL 2 up to 15 each, so failing any one of them will put a message in the spam filter. But we're getting a lot of spam that is passing every single filter.

Are there other blacklists I should look at?

Bruce Barnes Replied

10/29/2015 at 12:17 PM

Did you ENABLE GREYLISTING, according to the settings?

Did you DISABLE the ability for users and domains to override spam settings?

What do you have WHITELISTED - ideally, it should be NOTHING.

Bruce Barnes

ChicagoNetTech Inc

brucecnt@comcast.net

Phonr: (773) 491-9019

Phone: (224) 444-0169

E-Mail and DNS Security Specialist

Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com

Website: https://www.ChicagoNetTech.com

Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

Brian Henson Replied

4/7/2016 at 3:48 PM

Bruce,

Greylisting is enabled.

Spam settings can be overridden by users, but I've checked each user account and none of them are overriding them.

I have our internal network's subnet whitelisted. Nothing else.

Bruce Barnes Replied

4/7/2016 at 5:25 PM

Disable the user's ability to override spam setti gs and make certain that nothing is white listed. If you allow users to override spam settings, youcare shooting yourself in the foot because you, effectivelly, loose all control.

Bruce Barnes

ChicagoNetTech Inc

brucecnt@comcast.net

Phonr: (773) 491-9019

Phone: (224) 444-0169

E-Mail and DNS Security Specialist

Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com

Website: https://www.ChicagoNetTech.com

Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

Brian Henson Replied

4/8/2016 at 8:20 AM

I'm concerned that removing our IP addresses from the white list could cause problems. We use SmarterMail as a back-end SMTP service for our web apps in addition to our standard office email system.

I can remove the ability to override spam settings, but that does nothing to address the spam we're currently already getting. None of the users have overridden the system spam settings thus far but we're still getting quite a bit of spam.

Bruce Barnes Replied

4/8/2016 at 12:02 PM

Configure you web apps to use,SMTP authentication. Whitelisting will end up getting you blocked by Yahoo!, Outlook hosted domains, Comcast, and many other major providers because they are all tightening down on spam. The rules have changed, and we all must comply or face non-delivery.

Bruce Barnes

ChicagoNetTech Inc

brucecnt@comcast.net

Phonr: (773) 491-9019

Phone: (224) 444-0169

E-Mail and DNS Security Specialist

Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com

Website: https://www.ChicagoNetTech.com

Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

Brian Henson Replied

4/11/2016 at 11:00 AM

OK, good to know. Will work on that.

In the mean time, I'm still trying to figure out what else we can do to reduce incoming spam volume.

Curtis Kropar www.HawaiianHope.org Replied

4/12/2016 at 5:37 AM

Are you a service provider or a single company ?

Users as individuals, or users as a corporate email system ?

Who is having the problem :

Mostly a single user ?

multiple users, same domain ?

multiple users, multiple domains ?

Once you get on the list of spammers, there is no getting off, it will only increase. Even with the best filtering. Its like trying to catch water with a strainer, and a bunch of paper towels lining the strainer. Eventually you reach saturation and its starts flowing.

We have a few clients that complain about spam, but are constantly signing up for "free" things like daily inspirational quotes, publishers clearing house contests, and a bunch of other things. They cant seem to understand the relationship about signing up for stuff and then getting bombarded with junk.

I put together a plan for one of our clients (a school) to migrate everyone to new email addresses on the domain as many of the staff were getting bombarded with junk. Its a strict plan that i can share with you the procedure. Part of the plan includes user training, and a list of new policies and in addition an "acceptable use policy" explaining that the companies email is to be used for company/business purposes only, and not personal things. ( "airline miles", "daily coupons", etc) And if they do need to sign up for something a new temporary email address is created for it till it is determined to be legitimate.

Its a little extra work, but it makes a tremendous difference.

www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !

Hemen Shah Replied

4/12/2016 at 7:27 AM

Agreed with Curtis,

As we say spam but many a times most of mails are marketing related and as part of my job i keep informing customers to hit unsubscribe from mails which are not useful which is helping me a lot.

Thanks

Brian Henson Replied

5/5/2016 at 8:44 AM

Curtis,

We use SmarterMail as our internal corporate email system. Our users are our employees.

We have multiple domains but only one that our employees use and it's the one that gets spam.

My boss (the CEO) gets the most spam, but his email has also been around the longest (since the 90s). I expect him to get more spam than our other users if for no other reason than how long his email address has been around, but we have a few other users that also get quite a bit of spam.

I started off using Bruce's antispam settings PDF, but when this wasn't enough I upped the weighting of both the bayesian filter and UCE Protect Level 2, so that failing either one would send a message straight to the spam folder.

We are getting a lot of messages that are obviously spam, that any human user would immediately identify as spam, but they're still getting through.

Matthew Leyda Replied

5/5/2016 at 9:13 AM

Curtis,
Take a look at Protected Sky (psky.me) This is a newer RBL that seems to have a low false positive and has worked well for us.

Name Protected Sky - Yellow
Description Protected Sky - Yellow
Weight 10
Hostname bad.psky.me
Required Lookup Value(s) 127.0.0.3

Name Protected Sky - Red
Description Protected Sky - Red
Weight 30
Hostname bad.psky.me
Required Lookup Value(s) 127.0.0.2

Matt

Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP

Bruce Barnes Replied

5/5/2016 at 3:31 PM

Great find, Curtiss. I'll test, and potentially, add this to my antispam document.

Bruce Barnes

ChicagoNetTech Inc

brucecnt@comcast.net

Phonr: (773) 491-9019

Phone: (224) 444-0169

E-Mail and DNS Security Specialist

Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com

Website: https://www.ChicagoNetTech.com

Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

Linda Pagillo Replied

5/9/2016 at 8:12 AM

Hi Brian. We offer a free anti-spam program called Declude. I feel it will really help you because we include a filter that will catch pre-tested spam. If you are interested, please check it out at http://mailsbestfriend.com/downloads. If you have any questions about it, I will be happy to help. Thanks.

Linda Pagillo
Mail's Best Friend
Email: linda.pagillo@mailsbestfriend.com
Web: www.mailsbestfriend.com

Authorized SmarterTools Reseller

Authorized Message Sniffer Reseller

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text