15
SmarterMail Antispam Settings Document Updated
Problem reported by Bruce Barnes - 9/20/2014 at 12:14 PM
Not A Problem
The SmarterMail Antispam Settings document, originally published in September, 2009 has been significantly updated to include four new RBL tests.
 
These tests include a request from Steve Reid to add the RAZOR2 RBL to SmarterMail's list of usable RBLs.
 
The new tests, which have been included in this revision, are:

In addition to the new RBL tests listed above, the GREYLISTING timing has been adjusted as follows:

 

Greylisting Timing Adjustments made in latest revision of ChicagoNetTech Antispam Document - released 19 September, 2014

 

The newest revisions to the SmarterMail Antispam Settings document, which are also applicable to almost any other MX server setup, can be found at: SmarterMail Antispam Settings Document

PLEASE NOTE: THE EFFICACY OF THE SETTINGS IN THIS DOCUMENT IS PREDICATED ON THE FACT THAT:

  • WHITELISTING IS MINIMIZED
  • HOSTED DOMAINS ARE NOT ABLE TO OVERRIDE SPAM SETTINGS
  • HOSTED DOMAINS ARE NOT ABLE TO OVERRIDE GREYLISTING SETTINGS
  • USERS ARE NOT ABLE TO OVERRIDE GREYLISTING SETTINGS
  • USERS ARE NOT ABLE TO OVERRIDE SPAM SETTINGS

This is a new KB article, and will always contain a link to the most recent revision of the document. 

Legacy links will be retired in one year.

Bruce Barnes
ChicagoNetTech

Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

89 Replies

0
Robbie Wright Replied
Bruce, as always, thanks for the great contributions to the SM community. This is a great resource. Just a typo I would assume, but in the second paragraph of the preface, you're recommending to use ~all in the spf record indicating that email sent from a server outside of the spf record should soft fail. -all signifies that it should hard fail. 
 
Do you recommend to use ~all for soft fail or -all for hard fail?
0
Bruce Barnes Replied
Great catch, Robbie!  Thanks for pointing that out.  I will get that corrected and update the current document to show "-all" for hard fails.
 
With the exception of those domains who use Constant Contact for mass mailings, we are running -all for hard fail on all of our SPF records.    The only reason we've modified the settings for Constant Contact users is that they still have issues with domains who have DMARC records and make people jump through the hoops to make messages which originate from Constant Contact deliverable.
 
This is not to say that Constant Contact doesn't have a solution, but their solution is extremely convoluted and difficult to implement for most small companies and not-for-profits who don't have dedicated IT people to troubleshoot and chase down issues which should, in my opinion, be much easier to implement.
 
As an FYI, the addition of the RAZOR2 and GBUdb RBLs has almost completely eliminated the remaining spam.
0
Robbie Wright Replied
Cool, thanks Bruce. Just wanted to make sure I wasn't crazy. We use -all for nearly all of our domains as well. Only issues we have our with clients that run HubSpot. Their SPF record has some issues.
0
Mark Lee Replied
I have been using your pdf doc for a long time to tweak my smartermail setup... gonna adjust for this new one... which in the file says Rev 4.0550: 22-Sep-2014 --------  The actual file name for the .pdf is....  Antispam Settings - SmarterMail - REV 4 - March 2013.pdf....  little confusing...
 
I will still implement these new settings because I see they are different...
 
Regards,
Mark L. Lee
0
Bruce Barnes Replied
The file name has never been changed because that's the name of the PDF which was used to make the file available and has been linked on the internet in more than 600 postings since 2009.
 
The new, permanent link, which will do away with any file names, is located at: SmarterMail Anti-Spam Settings Document and will always contain the most recent version of the document.
 
The last portion of the inside document title will always contain a REV number and DATE.
0
Robert Pinkerton Replied
Thanks again, Bruce. An invaluable resource. Totally minor nit: the screen shot for the RAZOR2 RBL on Page 24 shows the Enabled checkbox to be unchecked, I'm assuming that should be checked? (Told you it was a nit!)
0
Bruce Barnes Replied
Thanks for the compliment, Robert.
 
EDIT: Modified to reflect the removal of the RAZOR2 RBL

With regard to the RAZOR2 RBL: YES, the checkbox MUST be unchecked for that, and several other RBL tests.
 
I can usually justify the reason for this, but RAZOR2 is a group of Apache people and responses to questions are slow to flow back, so I cannot give you the justification at this time.
 
Additionally, you MUST USE LOCAL DNS SERVERS for these RBLs to work.  If you are using a DNS server, or servers, which make more than 100,000 to 200,000 queries per day to the individual RBLs you WILL experience false positives.
 
The RBL maintainers are beginning to enforce the number of queries allowed for any single DNS server in a 24 hour period because they want high-volume users to install locally cached RBLs, periodically download the databases, and query them locally.

The only way the RBL managers, with one or two exceptions, have come up with successfully enforcing their limits is by FAILING queries - which means you may encounter false positives if you are using GOOGLE DNS, COMCAST DNS, or other high-volume public DNS servers.
 
Again, thanks for bringing this to my attention.
0
Mark Lee Replied
OK Cool makes sense... thank you...
0
Mark Lee Replied
Thanks for all of your work...
 
 
I have implemented the related antispam settings in your document and now a lot of good mail is getting dumped...
 
Basically I see that any mail coming from cfl.rr.com (Roadrunner) is getting deleted because it is getting a 20 weight which is getting deleted because your new default to delete is 15 weight...
 
Here is one example of many... the cfl.rr.com domain itself passes all RBL checks but it still shows FAILED with some of the SmarterMail checks....
 
____________________________
 
[2014.09.23] 10:34:11 [95769] Delivery started for xxxxxxxx@cfl.rr.com at 10:34:11 AM
[2014.09.23] 10:34:15 [95769] Spam check results: [_SPF: Pass], [BARCUDA - BRBL: passed], [CBL - ABUSE SEAT: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - YELLOWLIST: failed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMHAUS - CBL: passed], [SPAMHAUS - CSS: passed], [SPAMHAUS - PBL: passed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [UCEPROTECT LEVEL 1: failed], [UCEPROTECT LEVEL 2: failed], [UCEPROTECT LEVEL 3: passed], [VIRUS RBL - MSRBL: passed], [_REVERSEDNSLOOKUP: passed], [_DK: None], [_DKIM: None], [HOSTKARMA - WHITELIST: passed], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - SPAMASSASSIN: passed], [SURBL - SPAMCOP: passed], [SURBL -PHISHING: passed], [URIBL - BLACK: passed], [URIBL - GREY: passed], [URIBL - MULTI: passed], [URIBL - RED: passed]
[2014.09.23] 10:34:17 [95769] Starting local delivery to xxxxx@xxxxxxxxx.com
[2014.09.23] 10:34:17 [95769] Delivery for xxxxxx@cfl.rr.com to xxxxx@xxxxxxxxx.com has completed (Deleted) Filter: Spam (Weight: 20)
[2014.09.23] 10:34:17 [95769] End delivery to xxxxx@xxxxxxxx.com
 
 
____________________________
 
I have changed my medium weight threshold to 25 to let the mail through...
 
 
Any ideas?
 
Regards,
Mark L. Lee
 
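A small parser for SmarterMail delivery-log lines like the ones Mark Lee quotes above, added here as an example (not code from this thread or from SmarterTools): it groups lines by session id, pulls out each check result and the final action and weight, and lists which checks failed on messages that were deleted even though SPF and reverse DNS passed, which is the first thing to look at when a "Weight: 20" delete looks wrong. The sample log is constructed with placeholder addresses and session ids.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the SmarterMail delivery log quoted above;
# addresses and session ids are placeholders, not real data.
SAMPLE_LOG = """\
[2014.09.23] 10:34:11 [95769] Delivery started for sender@example.net at 10:34:11 AM
[2014.09.23] 10:34:15 [95769] Spam check results: [_SPF: Pass], [BARCUDA - BRBL: passed], [HOSTKARMA - YELLOWLIST: failed], [UCEPROTECT LEVEL 1: failed], [UCEPROTECT LEVEL 2: failed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_DKIM: None]
[2014.09.23] 10:34:17 [95769] Starting local delivery to user@example.org
[2014.09.23] 10:34:17 [95769] Delivery for sender@example.net to user@example.org has completed (Deleted) Filter: Spam (Weight: 20)
[2014.09.23] 10:34:17 [95769] End delivery to user@example.org
[2014.09.23] 10:35:02 [95770] Delivery started for other@example.com at 10:35:02 AM
[2014.09.23] 10:35:03 [95770] Spam check results: [_SPF: Pass], [UCEPROTECT LEVEL 1: passed], [_REVERSEDNSLOOKUP: passed], [_DKIM: Pass]
[2014.09.23] 10:35:04 [95770] Delivery for other@example.com to user@example.org has completed (Delivered)
"""

# "[date] time [session-id] message"
LINE_RE = re.compile(r"^\[(?P<date>[\d.]+)\] (?P<time>[\d:]+) \[(?P<sid>\d+)\] (?P<msg>.*)$")
# one "[CHECK NAME: result]" entry inside a "Spam check results:" line
CHECK_RE = re.compile(r"\[([^\[\]:]+): ([^\[\]]+)\]")
# final outcome; the "Filter: ... (Weight: N)" part is only present when a filter acted
RESULT_RE = re.compile(
    r"has completed \((?P<action>[^)]+)\)"
    r"(?: Filter: (?P<filter>\w+) \(Weight: (?P<weight>\d+)\))?"
)
PASS_VALUES = {"pass", "passed"}


def parse_deliveries(log_text):
    """Group delivery-log lines by session id: sender, per-check results, final action and weight."""
    sessions = defaultdict(lambda: {"sender": None, "checks": {}, "action": None, "weight": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s, msg = sessions[m["sid"]], m["msg"]
        if msg.startswith("Delivery started for "):
            s["sender"] = msg[len("Delivery started for "):].split(" at ")[0]
        elif msg.startswith("Spam check results: "):
            for name, result in CHECK_RE.findall(msg):
                s["checks"][name.strip()] = result.strip()
        else:
            r = RESULT_RE.search(msg)
            if r:
                s["action"] = r["action"]
                # weight stays None when the line carries no "Weight:" (no filter acted)
                s["weight"] = int(r["weight"]) if r["weight"] else None
    return dict(sessions)


def failed_checks(session):
    """Names of the RBL/URIBL checks that returned 'failed' for one session."""
    return sorted(n for n, r in session["checks"].items() if r.lower() == "failed")


def deleted_despite_passing(sessions, must_pass=("_SPF", "_REVERSEDNSLOOKUP")):
    """Messages deleted by weight although the named checks passed: the ones to review
    for false positives, together with the RBLs that supplied the weight."""
    out = []
    for sid, s in sorted(sessions.items()):
        basics_ok = all(s["checks"].get(c, "").lower() in PASS_VALUES for c in must_pass)
        if s["action"] == "Deleted" and basics_ok:
            out.append((sid, s["sender"], s["weight"], failed_checks(s)))
    return out


def failure_counts(sessions):
    """How often each check failed on deleted messages: a check that fails on nearly
    every deleted message (as reported for RAZOR2 later in this thread) stands out here."""
    c = Counter()
    for s in sessions.values():
        if s["action"] == "Deleted":
            c.update(failed_checks(s))
    return dict(c)


if __name__ == "__main__":
    found = parse_deliveries(SAMPLE_LOG)
    for sid, sender, weight, failed in deleted_despite_passing(found):
        print(f"session {sid}: {sender} deleted at weight {weight}; failed checks: {failed}")
    print("failure tally on deleted mail:", failure_counts(found))
```

Run it over a day's delivery log instead of SAMPLE_LOG and the tally shows which RBL is supplying the weight that pushes legitimate senders over the delete threshold.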
0
Scarab Replied
We've always used GBUDB and have been happy with it. Our Declude has always used the MailSpike RBLs. Nice to see all of those make the list.
 
However the Razor2 was a new one we tried today, but sadly we had to disable it as it failed **EVERYTHING**. Not a single piece of email passed the Razor2 RBL. That resulted in about 50K of false-negatives for us. And yes, we run our own NameServers used exclusively by our Mail service. I even triple-checked our settings with the one shown here and in your pdf and still no dice.
 
Nevertheless, thanks for the updated pdf.
0
Robert Pinkerton Replied
I had the same issue as Scarab. Two of my major clients are trusted senders and they got rejected when I implemented Razor2. Had to disable.
0
Bruce Barnes Replied
EDIT: Edited to reflect the removal of RAZOR2
 
RAZOR2 alleges to be extremely accurate. 
 
RAZOR2 does AGGRESSIVELY place anyone with invalid, or missing, rDNS on their RBL lists.  There is no way to request removal; when they see the issue corrected, listed domains/IP addresses will "fall off" a few days later.
 
We had another client, hosted on Google, with their own domain name, which was not properly setup in DNS and did not have rDNS setup on any of their IP addresses.
 
In cases of improperly configured DNS, or lack of rDNS, it is not the RBL's issue, but the domain owner's issue, and their responsibility to resolve the issues.
 
If you supply their domain names they can be checked externally to see if there are issues which caused them to be placed on the RAZOR2 list.
0
Robert Pinkerton Replied
BTW: Has anyone else seen a ridiculous amount of spam being sent from static.hostnoc.net? The IP address of the mail server is 209.124.95.85 and the sending address from a domain called funbent.com? Static.hostnoc.net is privately registered with Tucows. The IP address is assigned to an ISP in the UK called Dragon Networks (www.dragonnetwurx.com)  and funbent.com is registered through enom to a guy called Adam James in San Diego. I am receiving a connection from their mail server every second for five seconds and then a 15-20 minutes pause before repeating 5 new delivery attempts and repeating the cycle throughout the day - all day, every day. Very determined mail server!!!
0
Bruce Barnes Replied
Looks like someone may have hacked the network at HOSTNOC.NET, because the IP address posted by Robert Pinkerton does not match any of their MX servers:
 
0
Bruce Barnes Replied
Above data is from: http://www.dnsinspect.com/hostnoc.net/1411523030
0
Steve Reid Replied
I noticed an email this morning that was marked by the new Razor 2 RBL I added, but curiously it was not marked by the Razor 2 in my SpamAssassin in a box as Razor 2
0
Steve Reid Replied
Yeah I cannot find even one RAZOR 2: passed in my delivery log... I have disabled it for now
0
Steve Reid Replied
I have disabled razor 2 for now since I've confirmed it is failing everything.
0
Webio Replied
Yep. I've also disabled Razor 2. It was marking all of my messages as spam.
0
Bruce Barnes Replied
The latest version of the document will be updated this week and RAZOR2 will be removed from the RBL test list.
0
Hany Sobhy Replied
Hello Bruce and all,
 
I need to know how setting Denial of Service (DoS) - POP 50 in 10 min could affect the POP incoming service with a scenario like the one in my question (single domain / client company network)?

I've changed to Denial of Service (DoS) - POP 150 in 10 min and they are working fine .. does this change affect my Abuse detection efficiency ?
 
Thanks
3
Bruce Barnes Replied
The most recent version of my SmarterMail Antispam document is now available for download as a PDF.
 
This document includes both the changes listed in the previous postings of this thread and a clarification of the DNS entry for DOMAINKEY record format, when using Microsoft DNS, on page 62 of the document.
 
The link to the newly updated document is located at: https://www.chicagonettech.com/docs/pdf/Antispam%20Settings%20-%20SmarterMail.pdf [this will open a new window and the PDF can be saved to your local workstation].
0
Chris Fischesser Replied
Bruce,
 
Thank you so much, this is a huge asset.  Just getting around to making the updates from your '09 document which worked flawlessly for so long.
 
Chris
0
Bruce Barnes Replied
Thanks for the compliment, Chris.  Like spammers' tactics, the document is a constant work in progress.
 
The new permalink will always contain the most recent updates.  Check it frequently, because I won't necessarily be posting a notice of every change here.
 
As a reference for others, here's the permalink - an up-to-date date reference will always be at the top of the document: 
 
 
this will open a new window and the PDF can be saved to your local workstation.
0
Dave Kidd Replied
Hi Bruce,
 
I have walked through your excellent document and applied all of the RBL/URIBL filtering you have outlined (along with greylisting etc) and have seen a dramatic drop in spam which is great news for us. My one question is that we currently also have the Cyren Premium Antispam enabled for filtering with a weight of 0-30, and when we are sending out some test email shots to multiple addresses internally they are getting flagged as :-
 
X-SmarterMail-Spam: SPF_Pass, Commtouch 30 [value: Bulk], ISpamAssassin 0 [raw: 0], DK_Pass, DKIM_Pass
 
Therefore I was wondering if having Cyren active is overkill on the spam filtering front (as I noticed you didn't have Commtouch enabled in your example list in your document) and whether there is much point in using that as it wasn't doing much in regards to blocking spam before I added your latest suggested settings?
 
Dave 
0
Bruce Barnes Replied
First, I took our portal down for a few weeks, and will re-post a new link later today.
 
Second, we use nothing but what's reflected in the document.
 
We enforce GreyListing, for everyone, no exceptions: with a 1 minute retry time, and we do not allow any custom settings by users. There was some foot stomping and screaming at first, but when we implemented a "spam/virus/worm" charge of USD $50.00, for the first 15 minutes, the din got eerily quiet.
 
We also do not service XP operating systems any more.  All of the A/V scanners and software providers pulled support for XP, and we were getting swamped with "repeat cleanup requests" from clients who demanded the work at no cost.  All it takes is opening one infected email, and Trend Micro's HouseCall must be loaded, and run, in safe mode.
 
Sorry, that's not my job. 2003 ends at the end of June, and so does our support for all 2003 products. It's a hard road to hoe, but when a product life cycle ends, so does our support.
2
Bruce Barnes Replied
Here is the new link to the SmarterMail antispam document:
 
 
Remember, there are MAJOR CHANGES between this document and all previous versions.
 
Many RBLs shut down, others completely changed their RBL lookup servers.
 
The implementation of the document is predicated on the fact that:
 
  • The entire document is READ, and UNDERSTOOD before implementing!
     
  • all control stays with the Smarter Admin;
     
  • domain admins and end-users only add additional problems to enforcement;
     
  • Greylisting is enforced for ALL USERS and ALL DOMAINS -- with a one-minute initial retry time, and 360 day listing in the database, to ensure that no additional lookups are required. - no exceptions;
     
  • SmarterMail is running under TLS, and the SSL patches, to disable SSL and enable all available TLS protocols, are applied, based on the operating system.
     
  • TLS is properly tested against the tests at https://www.ssllabs.com/ssltest/index.html to ensure that the server is operating with a grade of at least A-, or better.  Remember, Windows Server 2003 is deprecated, and all support ends, on 30 June, 2015.
     
  • PROPER setup of DomainKey, DKIM, and DMARC are implemented for each domain hosted.  This includes the configuration of both the necessary KEYS, and also the proper setup in DNS - again, required for EACH E-MAIL DOMAIN HOSTED by the SmarterMail server.
     
  • FEEDBACK LOOPS are properly set up with the 14 ISPs who now require them.
     
  • NO WHITELISTING - everyone must AUTHENTICATE!  If an outside server sends mass messages, they must be sent via a dedicated account on the SmarterMail server;
     
  • no customization is allowed by domains or end users;
     
  • no outside antispam tools are used;
     
  • There is NO GUARANTEE that 100% of the spam will be eliminated.  You will notice a drastic reduction, but some new spammers are fully compliant with all of the anti-spam tests and slip through for a day or two.
     
Sorry if this sounds "draconian" to a few of you, but our customers love the security.  It works, and it prevents worms, viruses, keystroke loggers and hackers from gaining access to our servers and data. 
 
We service several moderate sized law-enforcement agencies, a couple of good-sized hospitals, several law firms, and several accounting agencies, and pride ourselves in old-fashioned customer service - locally stored, not in a cloud, full backup, and all data and technical support is kept, 100%, in the United States.
2
CCWH Replied
Hi Bruce,
 
Once again, thanks for your time, effort and expertise with the antispam settings guide.  Always so useful!
 
We have implemented the changes and will keep an eye on the impact.
 
To give a little feedback, when implementing the settings we found the following in the guide:
 
 - Page 23 - Duplication of 'RBL: SORBS 04 - MISC' - First one has incorrect config inc image
 - Page 31 - Duplication of 'RBL: SPAMHAUS - SBL 2'
 - Page 36 - Incorrect Config Image - 'RBL: SPAMHAUS-UCE PROTECT LEVEL 2'
 
Again, really appreciate the ongoing guide and updates....saves a HUGE amount of time!
1
Bruce Barnes Replied
Please remember:
  • this is a VOLUNTEER EFFORT;
     
  • the RBL / BRBL area is changing every day - with providers pulling the plug and others absorbing databases;
     
  • queries are LIMITED, and must be made by your LOCAL, PRIVATE DNS to be valid - too many from the same DNS server IP address in a single day will cause all to fail.
     
  • There is no regular update schedule, so check back at least once a month.
     
  • Individual questions and comments will not be responded to.
     
  • Anyone wanting personalized assistance will have to pay for it - my work is not free.
3
David Maggard Replied
I am sure I speak for a lot of people when I say I REALLY appreciate the work you put in to this and it REALLY helps.
0
Alex Clarke Replied
Your portal link doesn't work for me.
 
So, I'm using the other link you posted on February 3 at 15:08.
 
The version of the document I have is 6.150119 and dated 19th Jan 2015.
 
Is this the latest?
0
CCWH Replied
That's the latest I have
0
Andrew Stein Replied
Figured I'd try again.   We are still struggling with snowshoe spam, going back to June of last year.   My settings match Bruce's most recent document, but the spam that slips through are all formatted correctly with proper PTR and SPF records and can take awhile before they are caught by any of the blacklists.   Here is a portion of the header:
 
Return-Path: <lilalyons@larrykerilee.rexwoodwork.com>
Received: from larrykerilee.rexwoodwork.com (larrykerilee.rexwoodwork.com [207.188.184.40]) by mail.advantagetel.com with SMTP;
   Thu, 19 Feb 2015 13:32:33 -0500
 
I started checking mxtoolbox's blacklist tool and it it took an hour before 207.188.184.40 or rexwoodwork.com was picked up by any of the RBLs.
 
I've taken to blacklisting the /24 blocks as the spam comes in, which gives some relief for the rest of the day, but it is a never ending process.   Has anyone come up with any better tools for fighting this?
0
Steve Reid Replied
I am also using SpamAssassin in a box to pickup the ones Smartermail misses.
0
Andrew Stein Replied
I tried SAIB and it made the problem worse. It was assigning negative scores to the spam because of some of the tests they passed. Thus some of the ones that would have filtered due to blacklists made it through.
0
Steve Reid Replied
Yes I had that problem too... I had to tune SAIB to customize the negative scores to be 0. I also upped some of the other score tests that were obvious indicators of spam.
0
Andrew Stein Replied
I guess I can try it again. Any chance you can post your rules or know any guides I can follow to configure it?
0
Steve Reid Replied
http://portal.smartertools.com/community/a2008/spamassassin-in-a-box-local_cf-customization.aspx
0
Andrew Stein Replied
I actually installed Declude and Message Sniffer and so far it is catching things that made it past the RBLs. I'll just need to keep a close eye on it for false positives for now.
0
Steve Reid Replied
In my testing I found message sniffer to be very similar to SA... Except you are paying more for them to tune it.
0
Andrew Stein Replied
I have to say that the amount of false negatives has dropped to almost zero. I had only one spam sneak into my own mailbox in the past week. I had some false positives, but that was fixed with some tweaks to URIBLs in SM. Sniffer apparently includes anti-virus, so that would take care of replacing ClamAV, although I'm still evaluating its efficacy. I'm pretty happy with it so far and it may be worth the price.
0
Paul White Replied
I have finally been able to stop 99% of spammers using the following setup.
 
First I implemented a 5 minute greylist
Then I setup a new website in IIS, and shared my SmarterMail Logs directory as a Virtual Folder.
I wrote a script that when run will read the SMTP logs and if it finds any lines that match specific search phrases, it will read the IP address from that line and then Add it to my Firewall.
I set up this script to run every 4 minutes, which gives it enough time for the spammer to try to send a message and be denied by the greylist, allowing the script to pick up the attempt by the spammer, before they are able to return the second time and get the message through the door.
 
I have stored a list of bad words in MySQL that my script reads from.  Seems spammers are starting to use uncommon top level domains like ".click", ".biz", ".eu", ".in.net", ".us", ".work" as well as others.  So I am firewalling any requests that match these top-level domains.  I do have a whitelist that will override these for clients that do need communication from specific domains at these top-level domains.  Thus far I have over 1000 IPs firewalled and it's only been 3 days.  Number of spam that have gotten through: 0.  
 
What would be great is if SmarterMail could be setup to return a "user Not found" message to the spammers which might encourage them to remove the email address from their lists.  That of course assumes they care about keeping their lists clean.  
WhiteSites.com Blog.whitesites.com
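Paul White's greylist-plus-log-scan approach, written out as an added example (not his script and not part of the thread): it scans SMTP log lines for MAIL FROM senders under the listed top-level domains, honours a per-domain whitelist, skips RFC 1918 and loopback addresses so the script can never firewall your own LAN, and returns the candidate IPs together with the netsh command that would block each one instead of running it. The log layout, the whitelist entry and the sample addresses are constructed assumptions; adjust SMTP_LINE_RE to your server's actual SMTP log format.

```python
import ipaddress
import re

# Constructed SMTP log excerpt in an assumed "[date] time [client-ip][session] cmd: ..." layout;
# adjust SMTP_LINE_RE to the real layout of your SmarterMail SMTP log before using this.
SAMPLE_SMTP_LOG = """\
[2015.03.01] 08:00:01 [203.0.113.10][10001] cmd: EHLO mx.bulk-sender.click
[2015.03.01] 08:00:01 [203.0.113.10][10001] cmd: MAIL FROM:<offers@promo.click>
[2015.03.01] 08:00:05 [198.51.100.7][10002] cmd: MAIL FROM:<billing@partner.work>
[2015.03.01] 08:00:09 [192.0.2.44][10003] cmd: MAIL FROM:<alice@example.com>
[2015.03.01] 08:00:12 [203.0.113.11][10004] cmd: MAIL FROM:<news@something.biz>
[2015.03.01] 08:00:15 [10.0.0.5][10005] cmd: MAIL FROM:<scanner@printer.us>
[2015.03.01] 08:00:20 [203.0.113.12][10006] cmd: MAIL FROM:<host@relay.in.net>
"""

# Top-level domains named in the post above; the post keeps its list in MySQL, this is an inline stand-in.
BAD_TLDS = {"click", "biz", "eu", "in.net", "us", "work"}
# Constructed whitelist entry: a client genuinely needs mail from this domain.
WHITELIST_DOMAINS = {"partner.work"}
# Never firewall your own LAN or the server itself, whatever the log says.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SMTP_LINE_RE = re.compile(r"^\[[\d.]+\] [\d:]+ \[(?P<ip>[^\]]+)\]\[(?P<sid>\d+)\] (?P<msg>.*)$")
MAIL_FROM_RE = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def matches_bad_tld(domain, bad_tlds=BAD_TLDS):
    """True when any suffix of the domain is in the list (handles multi-label ones like in.net)."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in bad_tlds for i in range(1, len(labels)))


def is_whitelisted(domain, whitelist=WHITELIST_DOMAINS):
    return any(domain == w or domain.endswith("." + w) for w in whitelist)


def candidate_block_ips(log_text, bad_tlds=BAD_TLDS, whitelist=WHITELIST_DOMAINS):
    """Map client IP -> first offending sender domain for every MAIL FROM under a listed TLD."""
    blocked = {}
    for line in log_text.splitlines():
        m = SMTP_LINE_RE.match(line)
        if not m:
            continue
        mf = MAIL_FROM_RE.search(m["msg"])
        if not mf:
            continue
        domain = sender_domain(mf.group(1))
        if not domain or is_whitelisted(domain, whitelist) or not matches_bad_tld(domain, bad_tlds):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field; do not act on it
        if any(ip in net for net in LOCAL_NETS):
            continue
        blocked.setdefault(str(ip), domain)
    return blocked


def netsh_block_command(ip):
    """Windows Firewall rule that would block the address; returned as text, not executed."""
    return f'netsh advfirewall firewall add rule name="smtp-block-{ip}" dir=in action=block remoteip={ip}'


if __name__ == "__main__":
    for ip, domain in candidate_block_ips(SAMPLE_SMTP_LOG).items():
        print(f"{ip}  ({domain})  ->  {netsh_block_command(ip)}")
```

Review the printed list before feeding the commands to the firewall, and expire the rules after a few days, or the rule set grows without bound as the post's 1000-IPs-in-3-days figure suggests.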