SmarterMail Antispam Settings Document Updated
Problem reported by Bruce Barnes - 9/20/2014 at 12:14 PM
Not A Problem
The SmarterMail Antispam Settings document, originally published in September, 2009 has been significantly updated to include four new RBL tests.
 
These tests include a request from Steve Reid to add the RAZOR2 RBL to SmarterMail's list of usable RBLs.
 
The new tests, which have been included in this revision, are:

In addition to the new RBL tests listed above, the GREYLISTING timing has been adjusted as follows:

 

Greylisting Timing Adjustments made in latest revision of ChicagoNetTech Antispam Document - released 19 September, 2014

 

The newest revisions to the SmarterMail Antispam Settings document, which are also applicable to almost any other MX server setup, can be found at: SmarterMail Antispam Settings Document

PLEASE NOTE: THE EFFICACY OF THE SETTINGS IN THIS DOCUMENT IS PREDICATED ON THE FACT THAT:

  • WHITELISTING IS MINIMIZED
  • HOSTED DOMAINS ARE NOT ABLE TO OVERRIDE SPAM SETTINGS
  • HOSTED DOMAINS ARE NOT ABLE TO OVERRIDE GREYLISTING SETTINGS
  • USERS ARE NOT ABLE TO OVERRIDE GREYLISTING SETTINGS
  • USERS ARE NOT ABLE TO OVERRIDE SPAM SETTINGS

This is a new KB article, and will always contain a link to the most recent revision of the document. 

Legacy links will be retired in one year.

Bruce Barnes
ChicagoNetTech

Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

90 Replies

0
Robbie Wright Replied
Bruce, as always, thanks for the great contributions to the SM community. This is a great resource. Just a typo I would assume, but in the second paragraph of the preface, you're recommending to use ~all in the spf record indicating that email sent from a server outside of the spf record should soft fail. -all signifies that it should hard fail. 
 
Do you recommend to use ~all for soft fail or -all for hard fail?
0
Bruce Barnes Replied
Great catch, Robbie!  Thanks for pointing that out.  I will get that corrected and update the current document to show "-all" for hard fails.
 
With the exception of those domains who use Constant Contact for mass mailings, we are running -all for hard fail on all of our SPF records. The only reason we've modified the settings for Constant Contact users is that they still have issues with domains who have DMARC records and make people jump through the hoops to make messages which originate from Constant Contact deliverable.
 
This is not to say that Constant Contact doesn't have a solution, but their solution is extremely convoluted and difficult to implement for most small companies and not-for-profits who don't have dedicated IT people to troubleshoot and chase down issues which should, in my opinion, be much easier to implement.
 
As an FYI, the addition of the RAZOR2 and GBUdb RBLs has almost completely eliminated the remaining spam.
0
Robbie Wright Replied
Cool, thanks Bruce. Just wanted to make sure I wasn't crazy. We use -all for nearly all of our domains as well. The only issues we have are with clients that run HubSpot. Their SPF record has some issues.
0
Mark Lee Replied
I have been using your pdf doc for a long time to tweak my smartermail setup... gonna adjust for this new one... which in the file says Rev 4.0550: 22-Sep-2014 --------  The actual file name for the .pdf is....  Antispam Settings - SmarterMail - REV 4 - March 2013.pdf....  little confusing...
 
I will still implement these new settings because I see they are different...
 
Regards,
Mark L. Lee
0
Bruce Barnes Replied
The file name has never been changed because that's the name of the PDF which was used to make the file available and has been linked on the internet in more than 600 postings since 2009.
 
The new, permanent link, which will do away with any file names, is located at: SmarterMail Anti-Spam Settings Document and will always contain the most recent version of the document.
 
The last portion of the inside document title will always contain a REV number and DATE.
0
Robert Pinkerton Replied
Thanks again, Bruce. An invaluable resource. Totally minor nit: the screen shot for the RAZOR2 RBL on Page 24 shows the Enabled checkbox to be unchecked, I'm assuming that should be checked? (Told you it was a nit!)
0
Bruce Barnes Replied
Thanks for the compliment, Robert.
 
EDIT: Modified to reflect the removal of the RAZOR2 RBL

With regard to the RAZOR2 RBL: YES, the checkbox MUST be unchecked for that, and several other RBL tests.
 
I can usually justify the reason for this, but RAZOR2 is a group of Apache people and responses to questions are slow to flow back, so I cannot give you the justification at this time.
 
Additionally, you MUST USE LOCAL DNS SERVERS for these RBLs to work.  If you are using a DNS server, or servers, which make more than 100,000 to 200,000 queries per day to the individual RBLs you WILL experience false positives.
 
The RBL maintainers are beginning to enforce the number of queries allowed for any single DNS server in a 24 hour period because they want high-volume users to install locally cached RBLs, periodically download the databases, and query them locally.

The only way the RBL managers, with one or two exceptions, have come up with successfully enforcing their limits is by FAILING queries - which means you may encounter false positives if you are using GOOGLE DNS, COMCAST DNS, or other high-volume public DNS servers.
 
Again, thanks for bringing this to my attention.
0
Mark Lee Replied
OK Cool makes sense... thank you...
0
Mark Lee Replied
Thanks for all of your work...
 
 
I have implemented the related antispam settings in your document and now a lot of good mail is getting dumped...
 
Basically I see that any mail coming from cfl.rr.com (Roadrunner) is getting deleted because it is getting a 20 weight which is getting deleted because your new default to delete is 15 weight...
 
Here is one example of many... the cfl.rr.com domain itself passes all RBL checks but it still shows FAILED with some of the SmarterMail checks....
 
____________________________
 
[2014.09.23] 10:34:11 [95769] Delivery started for xxxxxxxx@cfl.rr.com at 10:34:11 AM
[2014.09.23] 10:34:15 [95769] Spam check results: [_SPF: Pass], [BARCUDA - BRBL: passed], [CBL - ABUSE SEAT: passed], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - BROWNLIST: passed], [HOSTKARMA - YELLOWLIST: failed], [SORBS - ABUSE: passed], [SORBS - DYNAMIC IP: passed], [SORBS - PROXY: passed], [SORBS - SMTP: passed], [SORBS - SOCKS: passed], [SPAMHAUS - CBL: passed], [SPAMHAUS - CSS: passed], [SPAMHAUS - PBL: passed], [SPAMHAUS - PBL2: passed], [SPAMHAUS - SBL: passed], [UCEPROTECT LEVEL 1: failed], [UCEPROTECT LEVEL 2: failed], [UCEPROTECT LEVEL 3: passed], [VIRUS RBL - MSRBL: passed], [_REVERSEDNSLOOKUP: passed], [_DK: None], [_DKIM: None], [HOSTKARMA - WHITELIST: passed], [SURBL - ABUSE BUSTER: passed], [SURBL - JWSPAMSPY: passed], [SURBL - MALWARE: passed], [SURBL - SPAMASSASSIN: passed], [SURBL - SPAMCOP: passed], [SURBL -PHISHING: passed], [URIBL - BLACK: passed], [URIBL - GREY: passed], [URIBL - MULTI: passed], [URIBL - RED: passed]
[2014.09.23] 10:34:17 [95769] Starting local delivery to xxxxx@xxxxxxxxx.com
[2014.09.23] 10:34:17 [95769] Delivery for xxxxxx@cfl.rr.com to xxxxx@xxxxxxxxx.com has completed (Deleted) Filter: Spam (Weight: 20)
[2014.09.23] 10:34:17 [95769] End delivery to xxxxx@xxxxxxxx.com
 
 
____________________________
 
I have changed my medium weight threshold to 25 to let the mail through...
 
 
Any ideas?
 
Regards,
Mark L. Lee
 
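The delivery-log excerpt above shows why a single weight number is hard to act on: three checks failed (HOSTKARMA YELLOWLIST, UCEPROTECT LEVEL 1 and 2) and the message was deleted at weight 20, but the log does not say which check contributed what. Rather than raising the delete threshold globally, a practitioner would tally which checks are failing on deleted mail and tune those weights. The following is an added example, not code from the thread or from SmarterMail; it parses lines in the exact shape posted above (the sample log is abridged from those lines plus one constructed delivered message) and assumes that a "has completed (Delivered)" line without a Filter clause is what a clean delivery looks like.

```python
"""Attribute SmarterMail spam deletions to the checks that failed.

Added example (not from the thread). Parses delivery-log lines shaped like
"[date] time [session] Spam check results: [NAME: result], ..." and
"... has completed (Deleted) Filter: Spam (Weight: N)" and tallies which
checks fail on deleted messages, so individual RBL weights can be tuned on
evidence instead of raising the delete threshold for everything.
"""
import re
from collections import Counter, defaultdict

# Line prefix as posted in the thread: [YYYY.MM.DD] HH:MM:SS [session]
PREFIX = re.compile(
    r"^\[(?P<date>[\d.]+)\] (?P<time>[\d:]+) \[(?P<session>\d+)\] (?P<msg>.*)$"
)
# One check result looks like "[HOSTKARMA - YELLOWLIST: failed]".
CHECK = re.compile(r"\[(?P<name>[^\]:]+): (?P<result>[^\]]+)\]")
# Final disposition; the Filter/Weight clause is absent on clean deliveries (assumed).
COMPLETED = re.compile(
    r"Delivery for (?P<sender>\S+) to (?P<rcpt>\S+) has completed "
    r"\((?P<action>[^)]+)\)(?: Filter: (?P<filter>\w+) \(Weight: (?P<weight>-?\d+)\))?"
)

# Constructed sample: session 95769 abridged from the lines posted above,
# session 95770 invented to show a delivered message.
SAMPLE_LOG = """\
[2014.09.23] 10:34:11 [95769] Delivery started for xxxxxxxx@cfl.rr.com at 10:34:11 AM
[2014.09.23] 10:34:15 [95769] Spam check results: [_SPF: Pass], [HOSTKARMA - BLACKLIST: passed], [HOSTKARMA - YELLOWLIST: failed], [SPAMHAUS - SBL: passed], [UCEPROTECT LEVEL 1: failed], [UCEPROTECT LEVEL 2: failed], [UCEPROTECT LEVEL 3: passed], [_REVERSEDNSLOOKUP: passed], [_DKIM: None], [SURBL -PHISHING: passed]
[2014.09.23] 10:34:17 [95769] Starting local delivery to xxxxx@xxxxxxxxx.com
[2014.09.23] 10:34:17 [95769] Delivery for xxxxxx@cfl.rr.com to xxxxx@xxxxxxxxx.com has completed (Deleted) Filter: Spam (Weight: 20)
[2014.09.23] 10:34:17 [95769] End delivery to xxxxx@xxxxxxxx.com
[2014.09.23] 10:40:01 [95770] Spam check results: [_SPF: Pass], [UCEPROTECT LEVEL 2: failed], [SPAMHAUS - SBL: passed]
[2014.09.23] 10:40:02 [95770] Delivery for sender@example.com to user@example.org has completed (Delivered)
"""


def parse_delivery_log(lines):
    """Group lines by session id; return one record per message."""
    records = defaultdict(
        lambda: {"checks": {}, "action": None, "weight": None, "sender": None}
    )
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue  # not a delivery-log line
        rec = records[m["session"]]
        msg = m["msg"]
        if msg.startswith("Spam check results:"):
            for c in CHECK.finditer(msg):
                rec["checks"][c["name"].strip()] = c["result"].strip().lower()
        else:
            d = COMPLETED.search(msg)
            if d:
                rec["sender"] = d["sender"]
                rec["action"] = d["action"]
                rec["weight"] = int(d["weight"]) if d["weight"] else None
    return dict(records)


def failed_checks(record):
    """Names of the checks that reported 'failed' for one message."""
    return sorted(name for name, r in record["checks"].items() if r == "failed")


def deletion_attribution(records):
    """How often each failing check appears on a message that was Deleted."""
    counts = Counter()
    for rec in records.values():
        if rec["action"] == "Deleted":
            counts.update(failed_checks(rec))
    return counts


if __name__ == "__main__":
    recs = parse_delivery_log(SAMPLE_LOG.splitlines())
    for sid, rec in recs.items():
        print(sid, rec["action"], rec["weight"], failed_checks(rec))
    print(deletion_attribution(recs).most_common())
```

Run it over a day of delivery logs and the most_common() list tells you which RBLs are doing the deleting; if a check like UCEPROTECT LEVEL 2 dominates the deletions of mail you consider good, lower that one weight instead of moving the threshold to 25 and letting everything else through with it.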
0
Scarab Replied
We've always used GBUDB and have been happy with it. Our Declude has always used the MailSpike RBLs. Nice to see all of those make the list.
 
However the Razor2 was a new one we tried today, but sadly we had to disable it as it failed **EVERYTHING**. Not a single piece of email passed the Razor2 RBL. That resulted in about 50K of false-negatives for us. And yes, we run our own NameServers used exclusively by our Mail service. I even triple-checked our settings with the one shown here and in your pdf and still no dice.
 
Nevertheless, thanks for the updated pdf.
0
Robert Pinkerton Replied
I had the same issue as Scarab. Two of my major clients are trusted senders and they got rejected when I implemented Razor2. Had to disable.
0
Bruce Barnes Replied
EDIT: Edited to reflect the removal of RAZOR2
 
RAZOR2 alleges to be extremely accurate. 
 
RAZOR2 does AGGRESSIVELY place anyone with invalid, or missing, rDNS on their RBL lists. There is no way to request removal; when they see the issue corrected, listed domains/IP addresses will "fall off" a few days later.
 
We had another client, hosted on Google, with their own domain name, which was not properly setup in DNS and did not have rDNS setup on any of their IP addresses.
 
In cases of improperly configured DNS, or lack of rDNS, it is not the RBL's issue, but the domain owner's issue, and their responsibility to resolve the issues.
 
If you supply their domain names they can be checked externally to see if there are issues which caused them to be placed on the RAZOR2 list.
0
Robert Pinkerton Replied
BTW: Has anyone else seen a ridiculous amount of spam being sent from static.hostnoc.net? The IP address of the mail server is 209.124.95.85 and the sending address from a domain called funbent.com? Static.hostnoc.net is privately registered with Tucows. The IP address is assigned to an ISP in the UK called Dragon Networks (www.dragonnetwurx.com)  and funbent.com is registered through enom to a guy called Adam James in San Diego. I am receiving a connection from their mail server every second for five seconds and then a 15-20 minutes pause before repeating 5 new delivery attempts and repeating the cycle throughout the day - all day, every day. Very determined mail server!!!
0
Bruce Barnes Replied
Looks like someone may have hacked the network at HOSTNOC.NET, because the IP address posted by Robert Pinkerton does not match any of their MX servers:
 
0
Bruce Barnes Replied
Above data is from: http://www.dnsinspect.com/hostnoc.net/1411523030
0
Steve Reid Replied
I noticed an email this morning that was marked by the new Razor 2 RBL I added, but curiously it was not marked by the Razor 2 in my SpamAssassin in a box as Razor 2
0
Steve Reid Replied
Yeah I cannot find even one RAZOR 2: passed in my delivery log... I have disabled it for now
0
Steve Reid Replied
I have disabled razor 2 for now since I've confirmed it is failing everything.
0
Webio Replied
Yep. I've also disabled Razor 2. It was marking all of my messages as spam.
0
Bruce Barnes Replied
The latest version of the document will be updated this week and RAZOR2 will be removed from the RBL test list.
0
Hany Sobhy Replied
Hello Bruce and all,
 
I need to know how setting Denial of Service (DoS) - POP 50 in 10 min could affect the POP incoming service with a scenario like this one in my question (single domain / client company network)?

I've changed to Denial of Service (DoS) - POP 150 in 10 min and they are working fine .. does this change affect my Abuse Detection efficiency?
 
Thanks
3
Bruce Barnes Replied
The most recent version of my SmarterMail Antispam document is now available for download as a PDF.
 
This document includes both the changes listed in the previous postings of this thread and a clarification of the DNS entry for the DOMAINKEY record format, when using Microsoft DNS, on page 62 of the document.
 
The link to the newly updated document is located at: https://www.chicagonettech.com/docs/pdf/Antispam%20Settings%20-%20SmarterMail.pdf [this will open a new window and the PDF can be saved to your local workstation].
0
Chris Fischesser Replied
Bruce,
 
Thank you so much, this is a huge asset.  Just getting around to making the updates from your '09 document which worked flawlessly for so long.
 
Chris
0
Bruce Barnes Replied
Thanks for the compliment, Chris. Like spammers' tactics, the document is a constant work in progress.
 
The new permalink will always contain the most recent updates.  Check it frequently, because I won't necessarily be posting a notice of every change here.
 
As a reference for others, here's the permalink - an up-to-date date reference will always be at the top of the document: 
 
 
This will open a new window and the PDF can be saved to your local workstation.
0
Dave Kidd Replied
Hi Bruce,
 
I have walked through your excellent document and applied all of the RBL/URIBL filtering you have outlined (along with greylisting etc) and have seen a dramatic drop in spam which is great news for us. My one question is that we currently also have the Cyren Premium Antispam enabled for filtering with a weight of 0-30, and when we are sending out some test email shots to multiple addresses internally they are getting flagged as :-
 
X-SmarterMail-Spam: SPF_Pass, Commtouch 30 [value: Bulk], ISpamAssassin 0 [raw: 0], DK_Pass, DKIM_Pass
 
Therefore I was wondering if having Cyren active is overkill on the spam filtering front (as I noticed you didn't have Commtouch enabled in your example list in your document) and whether there is much point in using that as it wasn't doing much in regards to blocking spam before I added your latest suggested settings?
 
Dave 
0
Bruce Barnes Replied
First, I took our portal down for a few weeks, and will re-post a new link later today.
 
Second, we use nothing but what's reflected in the document.
 
We enforce GreyListing, for everyone, no exceptions: with a 1 minute retry time, and we do not allow any custom settings by users. There was some foot stomping and screaming at first, but when we implemented a "spam/virus/worm" charge of USD $50.00, for the first 15 minutes, the din got eerily quiet.
 
We also do not service XP operating systems any more. All of the A/V scanners and software providers pulled support for XP, and we were getting swamped with "repeat cleanup requests" from clients who demanded the work at no cost. All it takes is opening one infected email, and Trend Micro's HouseCall must be loaded, and run, in safe mode.
 
Sorry, that's not my job. 2003 ends at the end of June, and so does our support for all 2003 products. It's a hard road to hoe, but when a product life cycle ends, so does our support.
2
Bruce Barnes Replied
Here is the new link to the SmarterMail antispam document:
 
 
Remember, there are MAJOR CHANGES between this document and all previous versions.
 
Many RBLs shut down, others completely changed their RBL lookup servers.
 
The implementation of the document is predicated on the fact that:
 
  • The entire document is READ, and UNDERSTOOD before implementing!
     
  • all control stays with the Smarter Admin;
     
  • domain admins and end-users only add additional problems to enforcement;
     
  • Greylisting is enforced for ALL USERS and ALL DOMAINS -- with a one-minute initial retry time, and 360 day listing in the database, to ensure that no additional lookups are required. - no exceptions;
     
  • SmarterMail is running under TLS, and the SSL patches, to disable SSL and enable all available TLS protocols, are applied, based on the operating system.
     
  • TLS is properly tested against the tests at https://www.ssllabs.com/ssltest/index.html to ensure that the server is operating with a grade of at least A-, or better. Remember, Windows Server 2003 is deprecated, and all support ends, on 30 June, 2015.
     
  • PROPER setup of DomainKey, DKIM, and DMARC are implemented for each domain hosted.  This includes the configuration of both the necessary KEYS, and also the proper setup in DNS - again, required for EACH E-MAIL DOMAIN HOSTED by the SmarterMail server.
     
  • FEEDBACK LOOPS are properly setup with the 14 ISPs who now require them.
     
  • NO WHITELISTING - everyone must AUTHENTICATE!  If an outside server sends mass messages, they must be sent via a dedicated account on the SmarterMail server;
     
  • no customization is allowed by domains or end users;
     
  • no outside antispam tools are used;
     
  • There is NO GUARANTEE that 100% of the spam will be eliminated.  You will notice a drastic reduction, but some new spammers are fully compliant with all of the anti-spam tests and slip through for a day or two.
     
Sorry if this sounds "draconian" to a few of you, but our customers love the security. It works, and it prevents worms, viruses, keystroke loggers and hackers from gaining access to our servers and data.
 
We service several moderate sized law-enforcement agencies, a couple of good-sized hospitals, several law firms, and several accounting agencies, and pride ourselves in old-fashioned customer service - locally stored, not in a cloud, full backup, and all data and technical support is kept, 100%, in the United States.
2
CCWH Replied
Hi Bruce,
 
Once again, thanks for your time, effort and expertise with the antispam settings guide.  Always so useful!
 
We have implemented the changes and will keep an eye on the impact.
 
To give a little feedback, when implementing the settings we found the following in the guide:
 
 - Page 23 - Duplication of 'RBL: SORBS 04 - MISC' - First one has incorrect config inc image
 - Page 31 - Duplication of 'RBL: SPAMHAUS - SBL 2'
 - Page 36 - Incorrect Config Image - 'RBL: SPAMHAUS-UCE PROTECT LEVEL 2'
 
Again, really appreciate the ongoing guide and updates....saves a HUGE amount of time!
1
Bruce Barnes Replied
Please remember:
  • this is a VOLUNTEER EFFORT;
     
  • the RBL / BRBL area is changing every day - with providers pulling the plug and others absorbing databases;
     
  • queries are LIMITED, and must be made by your LOCAL, PRIVATE DNS to be valid - too many from the same DNS server IP address in a single day will cause all to fail.
     
  • There is no regular update schedule, so check back at least once a month.
     
  • Individual questions and comments will not be responded to.
     
  • Anyone wanting personalized assistance will have to pay for it - my work is not free.
3
David Maggard Replied
I am sure I speak for a lot of people when I say I REALLY appreciate the work you put in to this and it REALLY helps.
0
Alex Clarke Replied
Your portal link doesn't work for me.
 
So, I'm using the other link you posted on February 3 at 15:08.
 
The version of the document I have is 6.150119 and dated 19th Jan 2015.
 
Is this the latest?
0
CCWH Replied
That's the latest I have
0
Andrew Stein Replied
Figured I'd try again. We are still struggling with snowshoe spam, going back to June of last year. My settings match Bruce's most recent document, but the spam that slips through is all formatted correctly with proper PTR and SPF records and can take a while before it is caught by any of the blacklists. Here is a portion of the header:
 
Return-Path: <lilalyons@larrykerilee.rexwoodwork.com>
Received: from larrykerilee.rexwoodwork.com (larrykerilee.rexwoodwork.com [207.188.184.40]) by mail.advantagetel.com with SMTP;
   Thu, 19 Feb 2015 13:32:33 -0500
 
I started checking mxtoolbox's blacklist tool and it took an hour before 207.188.184.40 or rexwoodwork.com was picked up by any of the RBLs.
 
I've taken to blacklisting the /24 blocks as the spam comes in, which gives some relief for the rest of the day, but it is a never ending process.   Has anyone come up with any better tools for fighting this?
0
Steve Reid Replied
I am also using SpamAssassin in a box to pickup the ones Smartermail misses.
0
Andrew Stein Replied
I tried SAIB and it made the problem worse. It was assigning negative scores to the spam because of some of the tests they passed. Thus some of the ones that would have filtered due to blacklists made it through.
0
Steve Reid Replied
Yes I had that problem too... I had to tune SAIB to customize the negative scores to be 0. I also upped some of the other score tests that were obvious indicators of spam.
0
Andrew Stein Replied
I guess I can try it again. Any chance you can post your rules or know any guides I can follow to configure it?
0
Steve Reid Replied
http://portal.smartertools.com/community/a2008/spamassassin-in-a-box-local_cf-customization.aspx
0
Andrew Stein Replied
I actually installed Declude and Message Sniffer and so far it is catching things that made it past the RBLs. I'll just need to keep a close eye on it for false positives for now.
0
Steve Reid Replied
In my testing I found message sniffer to be very similar to SA... Except you are paying more for them to tune it.
0
Andrew Stein Replied
I have to say that the amount of false negatives has dropped to almost zero. I had only one spam sneak into my own mailbox in the past week. I had some false positives, but that was fixed with some tweaks to URIBLs in SM. Sniffer apparently includes anti-virus, so that would take care of replacing ClamAV, although I'm still evaluating its efficacy. I'm pretty happy with it so far and it may be worth the price.
0
Paul White Replied
I have finally been able to stop 99% of spammers using the following setup.
 
First I implemented a 5 minute greylist.
Then I setup a new website in IIS, and shared my SmarterMail Logs directory as a Virtual Folder.
I wrote a script that when run will read the SMTP logs and if it finds any lines that match specific search phrases, it will read the IP address from that line and then Add it to my Firewall.
I setup this script to run every 4 minutes, which gives it enough time for the spammer to try to send a message and be denied by the greylist, allowing the script to pickup the attempt by the spammer, before they are able to return the second time and get the message through the door.
 
I have stored a list of bad words in MySQL that my script reads from. Seems spammers are starting to use uncommon top level domains like ".click", ".biz", ".eu", ".in.net", ".us", ".work" as well as others. So I am firewalling any requests that match these top level domains. I do have a whitelist that will override these for clients that do need communication from specific domains at these top level domains. Thus far I have over 1000 IPs firewalled and it's only been 3 days. Number of Spam that have gotten through: 0.
 
What would be great is if SmarterMail could be setup to return a "user Not found" message to the spammers which might encourage them to remove the email address from their lists.  That of course assumes they care about keeping their lists clean.  
WhiteSites.com Blog.whitesites.com
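The procedure in the post above (greylist first, scan the SMTP log on a timer shorter than the greylist retry window, extract the client IP from lines whose sender domain ends in a listed TLD, honour a whitelist, feed the IP to the firewall) is easy to describe and easy to get wrong. The following is an added example and not Paul White's own script. It assumes an SMTP log line shape of "[date] time [client-ip][session] cmd: MAIL FROM:<address>"; SmarterMail's real SMTP log format may differ, so the LINE pattern is the part to adjust. The sample log lines are constructed. It deliberately emits the Windows Firewall commands as text for review instead of executing them, and it validates every IP before it can reach a firewall rule.

```python
"""Harvest sender IPs from SMTP log lines whose sender TLD is on a block list.

Added example, not the poster's own script. Assumed log line shape:
  [YYYY.MM.DD] HH:MM:SS [client-ip][session] cmd: MAIL FROM:<address>
Adjust LINE for the real SmarterMail SMTP log. The firewall commands are
returned as strings (dry run); an operator or scheduled task executes them.
"""
import re
from ipaddress import ip_address

LINE = re.compile(
    r"^\[[\d.]+\] [\d:]+ \[(?P<ip>[0-9a-fA-F.:]+)\]\[\d+\] cmd: MAIL FROM:<(?P<addr>[^>]*)>",
    re.IGNORECASE,
)

# TLDs named in the post; the post keeps these in MySQL, here they are inline.
BAD_TLDS = {"click", "biz", "eu", "in.net", "us", "work"}

# Constructed sample log: two bad-TLD senders, one whitelisted partner,
# one normal sender, one line with a malformed client IP.
SAMPLE_SMTP_LOG = """\
[2015.03.10] 08:12:03 [203.0.113.7][55831921] cmd: MAIL FROM:<promo@deals.click>
[2015.03.10] 08:12:04 [203.0.113.7][55831921] rsp: 451 Greylisted, please try again later
[2015.03.10] 08:13:10 [198.51.100.22][55831925] cmd: MAIL FROM:<billing@partner.biz>
[2015.03.10] 08:14:41 [192.0.2.9][55831930] cmd: MAIL FROM:<alice@example.com>
[2015.03.10] 08:15:02 [203.0.113.40][55831933] cmd: MAIL FROM:<win@a.b.in.net>
[2015.03.10] 08:15:03 [999.1.1.1][55831934] cmd: MAIL FROM:<bob@spam.work>
"""


def sender_domain(addr):
    """Domain part of an envelope sender, lower-cased, without a trailing dot."""
    return addr.rpartition("@")[2].lower().rstrip(".")


def matches_bad_tld(domain, bad_tlds=BAD_TLDS):
    """True if any dotted suffix of the domain is listed ('in.net' covers 'x.in.net')."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in bad_tlds for i in range(1, len(labels)))


def is_whitelisted(domain, whitelist):
    """Exact domain or any subdomain of a whitelisted domain."""
    return any(domain == w or domain.endswith("." + w) for w in whitelist)


def harvest(lines, whitelist=(), bad_tlds=BAD_TLDS):
    """Return {client_ip: first offending sender} for lines worth firewalling."""
    hits = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # responses and other commands are not of interest
        domain = sender_domain(m["addr"])
        if not domain or is_whitelisted(domain, whitelist):
            continue
        if not matches_bad_tld(domain, bad_tlds):
            continue
        try:
            ip = str(ip_address(m["ip"]))  # normalise; reject garbage
        except ValueError:
            continue  # never pass an unparsed string to the firewall
        hits.setdefault(ip, m["addr"])
    return hits


def firewall_commands(hits, rule_prefix="SMTP-BadTLD"):
    """One inbound block rule per IP, as text to review before running."""
    ordered = sorted(hits, key=lambda ip: (ip_address(ip).version, ip_address(ip)))
    return [
        f'netsh advfirewall firewall add rule name="{rule_prefix} {ip}" '
        f"dir=in action=block remoteip={ip}"
        for ip in ordered
    ]


if __name__ == "__main__":
    found = harvest(SAMPLE_SMTP_LOG.splitlines(), whitelist=("partner.biz",))
    for cmd in firewall_commands(found):
        print(cmd)
```

Two design points follow from the thread. The whitelist is checked before the TLD match, which is what keeps Antony's false-positive objection below from turning into a blocked customer; and the script only ever sees the greylisted first attempt because it runs more often than the retry window, so an address that legitimately retries after five minutes is not punished for retrying, only for its TLD. Rules accumulate quickly (the post mentions a thousand in three days), so pair this with a scheduled removal of rules older than a few days.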
0
Paul White Replied
See my post. I had to code my own but it's working.
0
Antony Replied
Spammers are using any available domain. A while back we tried doing something similar and found it wasn't a long term workable solution. Too many false positives.

The 'user not found' message sounds like a good idea but it can be used against you in that it also allows people to find addresses that ARE valid. I also have my doubts whether spammers even look at the individual bounce messages. Putting myself in their shoes I would only look at the overall number of bounces to see if the email list was worth the money.

I like the idea of adding bad IPs to the firewall. Linux has something that does this called fail2ban (http://www.fail2ban.org/). I haven't found anything as comprehensive though for Windows.

Antony
0
Paul Blank Replied
https://portal.chicagonettech.com/kb/a171/smartermail-antispam-settings-document.aspx ; does not work, and, far as I can tell, hasn't been working for some time.
 
Indeed, no response either from simply https://portal.chicagonettech.com
 
I did try this from different parts of the Universe (from different computers at different physical locations and different ISPs).
0
CCWH Replied
As stated, the main portal might go down... But the link to the document is still live: https://www.chicagonettech.com/docs/pdf/Antispam%20Settings%20-%20SmarterMail.pdf
0
Hemen Shah Replied
Hi Bruce, I was referring to your updated antispam doc and had a query in regards to the Spamhaus RBL. As per the website, it says only ZEN is to be used, which is a combination of all, but as per your doc you have shown SBL, PBL and ZEN too, which I feel is not needed or might end up slowing the queue. If I remove PBL, SBL, XBL and only add ZEN, then do I need to add 8 records for 120.0.0.2 to 11? Thanks for all these efforts.
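Two things in this thread interact here: Hemen's question about ZEN, which folds SBL, XBL and PBL into one zone and reports which component matched through the A-record it returns, and Bruce's earlier warning that RBLs enforce query limits by failing lookups made through public resolvers, which shows up as false positives in any client that treats every 127.x.x.x answer as a listing. The following added example (not from the thread, not Spamhaus code) builds the reversed-octet query name and decodes an answer, keeping the 127.255.255.x error signals separate from real listings. The return-code table follows Spamhaus's published codes as I know them; verify it against the current documentation before configuring weights from it. The resolver is injected and the answers are constructed, so the block runs offline.

```python
"""Build a DNSBL query for an IPv4 address and decode a Spamhaus ZEN answer.

Added example (not from the thread or from Spamhaus). ZEN aggregates SBL,
XBL and PBL, so one lookup replaces three; the returned 127.0.0.x address
identifies the component. Answers in 127.255.255.0/24 are error signals
(query through an open/public resolver, over quota, bad zone name) and
must not be scored as listings. A resolver callable is injected so the
example runs offline against constructed data.
"""
import ipaddress

ZEN_ZONE = "zen.spamhaus.org"

# Return code -> component list. Per Spamhaus's published codes; verify
# against current documentation before relying on it in production.
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}
# Error signals: the lookup failed for a policy reason, the IP is not listed.
ZEN_ERRORS = {
    "127.255.255.252": "typing error in DNSBL name",
    "127.255.255.254": "query via public/open resolver",
    "127.255.255.255": "excessive number of queries",
}


def dnsbl_name(ip, zone=ZEN_ZONE):
    """Reverse the octets: 203.0.113.7 -> 7.113.0.203.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for IPv6 or garbage
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_zen(answers):
    """Split A-record answers into listings, error signals and unknown codes."""
    result = {"listed": [], "errors": [], "unknown": []}
    for a in answers:
        if a in ZEN_CODES:
            result["listed"].append(ZEN_CODES[a])
        elif a in ZEN_ERRORS:
            result["errors"].append(ZEN_ERRORS[a])
        else:
            result["unknown"].append(a)
    return result


def check_ip(ip, resolve, zone=ZEN_ZONE):
    """resolve(name) returns the A-record strings, or [] for NXDOMAIN.

    Returns (verdict, detail) with verdict 'listed', 'clean' or 'error'.
    An error (or an unrecognised code) is reported, never scored as a hit;
    that is the false positive Bruce's local-resolver advice is guarding.
    """
    decoded = decode_zen(resolve(dnsbl_name(ip, zone)))
    if decoded["errors"] or decoded["unknown"]:
        return "error", decoded
    if decoded["listed"]:
        return "listed", decoded
    return "clean", decoded


# Constructed stand-in for DNS; these answers are invented for the demo.
FAKE_ZONE_DATA = {
    "7.113.0.203." + ZEN_ZONE: ["127.0.0.4", "127.0.0.11"],  # XBL and PBL hit
    "9.2.0.192." + ZEN_ZONE: ["127.255.255.254"],  # open-resolver error signal
}


def fake_resolve(name):
    return FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.7", "192.0.2.9", "198.51.100.1"):
        print(ip, dnsbl_name(ip), check_ip(ip, fake_resolve))
```

On the configuration side this is the point of Hemen's question: a mail server that queries ZEN needs the full set of return codes it should treat as a hit (and ideally a different weight per code, since a PBL hit on a dynamic range means something different from an SBL listing), and it should score the 127.255.255.x answers as zero while logging them, because their appearance means the resolver, not the sender, is the problem.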
0
Bruce Barnes Replied
Hemen,
 
 Make certain you have the MOST RECENT VERSION of the document, which can be found at:
 
 
There were many changes to antispam database providers which took place in December, 2014 and January, 2015.
 
There will be more changes coming up in early April when I publish another revision of the document.
 
Bruce
 
 
0
Hemen Shah Replied
Hi Bruce, My query was based on your most recent updated Jan15 version. Thanks
0
Bruce Barnes Replied
And I posted the new URL in my response.  My signature also states that the portal is offline.  We had a SCSI card fail and are in the process of bidding new hardware to upgrade our 2003 servers and move everything to 2012 in our new data center.
 
The portal is on the bottom of the list and the url for the antispam was listed in my response to you.
0
Hemen Shah Replied
Hi, have checked that too in that also you have shown using sbl, pbl, xbl + zen
0
Bruce Barnes Replied
Everything shown in the current document is in use on my, and several other SmarterMail servers.
 
There will be adjustments to the APRIL document, which will be pushed out sometime after the 15th - TAX DAY, but I will not discuss issues or changes between new document versions.
0
David Maggard Replied
So you are using a hardware failure as an excuse to upgrade your servers? :)
0
Bruce Barnes Replied
No, we're doing a large build out and the hardware failure (and the hundreds of hours of free advice I gave away every month) are on hold until we are done with the bank and partners.
 
Remember, we donate all of our time, and I have hundreds of hours in the document you are unhappy with.
 
If this kind of intimidation continues, I will pull it completely and share it only with paying customers.
 
End of discussion.
0
Robbie Wright Replied
Bruce, where do we send you beer at? Keep up the good work.
0
Bruce Barnes Replied
Thanks, Robbie, but Costco has barrels of Jack Daniels available :)
0
David Maggard Replied
If that was directed at my comment I apologize for the apparent confusion, it wasn't a criticism, I just thought you were using the hw failure as an opportunity to upgrade rather than rebuild. I know often it's hard to justify upgrading/replacing a working server but if it fails there is more justification. I greatly appreciate the documentation and the work behind it, I have been using it for nearly 2 years (approx 3/28/13) and it's quite effective.
0
Scarab Replied
Best of luck on your 2003 to 2012 Migration, Bruce. We are in the same boat but waiting on new hardware to arrive before we begin, leaving us approximately three dozen servers in our data center that should have been decommissioned years ago to be migrated at the very last minute. As such, I can totally empathize with your situation. Keep up the good work. Your contribution to the SmarterMail community has always been appreciated.
0
Bruce Barnes Replied

Thanks, Scarab.

We finally approved the hardware and placed the order for the first round of servers today.  Our first round is coming in at about USD $28,000, and that doesn't count the Server 2012 licensing.  We found some pretty good deals on sealed licensing and that will help a lot.

It's amazing the number of our customers who have no concept of the fact that Server 2003 goes bye-bye on 30 June, 2015.    Based on what I am hearing from vendors, all of the antivirus support, and much of the support for other critical products will end simultaneously.

We still have customers using XP, and there is ZERO in the way of good antivirus solutions for them now - they're acquiring infections on machines still connected to the internet and it's a royal pain in the butt.  I've been carrying some of them, from a support standpoint, but pretty much pulled the plug on that as of yesterday, telling them they had to upgrade - the free ride was over:  it's time to move to Windows 7 and get the free upgrade to 10 when Microsoft pushes it out (see: http://rcpmag.com/articles/2015/01/21/windows-10-free-upgrade.aspx).

Sometime during the middle of this project we're also moving everything: house, office, the whole works.  We've lived in the same house for 33 years, and we're literally leaving Chicago and moving out to the country.

The taxes on our bandwidth infrastructure, telephones, cell phones, electricity and natural gas delivery went up an astounding $125.00 per month - collectively, across all of our billing, in February, adding $1,500.00 per year to our business operating costs, and it's only expected to get worse because of the City of Chicago, Cook county and State of Illinois' desperate financial situation.

Our internet vendor is working closely with us as we vet the areas we are looking at.  I have friends within the company who are doing analysis of bandwidth and the reliability of their services at each of the locations we're looking at.  This is driving the real estate agents crazy as they've never had someone make certain that the utilities are reliable before deciding on a property location.  One of the key locations is at a junction of three of the vendor's fiber nodes, and we're seriously considering that location - literally 20 feet from the Illinois-Wisconsin border -- near a small town, but, literally, out in the middle of the country.  Reliable internet, electricity resources from two different states, and three fiber nodes from our current vendor - all right there.

This is a fun ride - better than anything I've ever been on at any amusement park!  We'll continue to support SmarterTools products and services: we love them, and I'm dedicated to their products.  I'll also continue to support the forums and SmarterTools users -- and that includes the antispam document, but I'm beginning to understand why people turn to drugs.  Pot's not legal in Illinois, like it is in Colorado, so, in addition to the support and kind words of the people in the SmarterTools forums, I'll stick to my supply of Jack Daniels and an occasional dark lager to tide me over.

0
Antony Replied
I know the pain of moving and trying to make sure there is good Internet at the new location. Done it a few times. When its all done I can imagine a JD and lager will go down well. Just make sure wherever you end up you can get good supplies of these as well! :)
0
David Maggard Replied
Looks like you have focused on the most important location factor, reliability of power and bandwidth/connection, but what about the #2? Reliable pizza delivery? JK, hope your move goes well don't envy you your location for taxes, etc as well as weather.
0
Bruce Barnes Replied
Pizza's not a problem. Italian, French, and Irish. Oldest of 7 kids - we all learned how to cook. Make a mean sauce and can also make crust. Worst case scenario, I make my own pizza - but there are other really good foods, too! When I was a very young man of 3, my Grandmother bought me a record player and got me a subscription to a series of children's records. Some were sing along, others were stories, and some were lessons. One of my favorites was the story about the squirrel who was sent to the grocery store, by his mother, to get pecans and peanuts. She had sent him many times previously, for various items, and he, invariably, ran into other animal friends, forgot what he was supposed to buy, and came home empty handed - after several hours of playing with friends - to an angry mother. She finally taught him to sing a song about what he was supposed to do so he would keep his mind on his work. So, the next time he was sent, for the pecans and peanuts, he sang, "Pecans . . . and peanuts . . . are what I must get. If I keep repeating them, I won't forget!" Catchy little tune, and it taught my three-year-old self that it was all about concentrating on the task at hand, working toward the goal, and getting the job done - without getting too sidetracked. That's difficult. Other half wants to go out. Lodge needs projects completed: camera system to be installed - sitting in my double parlor waiting to be IP addressed and programmed before they are turned over to the "volunteers" (i.e., I really don't want to have to redo the work!) to "install;" new exterior door and electronic / fob + pin code locks, keyed to day or week and time of day - again, waiting to be programmed and tested before being "installed" - but only on three doors (Reminder to self: also needs server to install software and archive door opening data - which will be one of our old servers, so the server upgrades need to be completed first).
So, I keep plodding along on the details as I also try to keep customers happy and hope other half doesn't trash house budget while I'm not paying attention . . . Was it always this much fun?
0
Ben Griffiths Replied
HI Bruce, Thank you for your continued work.
 
However, I highly recommend people (in the UK at least) DO NOT use Barracuda for Outgoing SMTP Blocking.
 
Turning this on has resulted in many many legitimate emails being blocked.
 
The UK ISPs BT and Virgin have a lot of dynamic addresses which are in the "Poor" listings on Barracuda, so are all being blocked - this of course is causing lots of hassle with my UK clients ;)
0
David Maggard Replied
Your mail server is on a dynamic IP?
0
John Marx Replied
Bruce, we had the same problems with costs and eventually found one here in Indiana that is roughly $1,000/year per 1 unit height. This includes all utilities, triple connections, etc. It may not be a bad option to look into.
1
Bruce Barnes Replied
All of ChicagoNetTech's servers are on static IP addresses. All are now, and always will be, located in the United States. None are in the cloud. Several of our HIPAA / HITECH contracts have very restrictive location and personnel clauses in them.
0
Ben Griffiths Replied
Of course not! But that Outgoing SMTP Block uses the client's IP (obviously) - so anyone connecting in via SMTP from a BT connection is getting their mail blocked.
0
Steve Reid Replied
There is a setting to remove the Client IP from the email which avoids this problem. It's called "Exclude IP from received line"
2
Bruce Barnes Replied
The ChicagoNetTech portal is back up and I will be working on the antispam settings document again next week.
 
The most recent version is here:
 
0
Mike Saunders Replied
Hi Bruce

I'm just trying out the SmarterMail spam settings (we currently use an external appliance), but in the RBL AVG Time/Statistics they are really high. I have added about 20 RBLs and they are all between 3000ms - 5000ms.

Is this normal and OK?
1
Bruce Barnes Replied
Mike: The response times are dependent on many different factors, so it's a bit hard to say what's "normal."
 
Having said that, 3,000 to 5,000 ms does sound a bit high, but we see times ranging between 24 and 870 ms on a daily basis.
 
Some of the factors include:  your circuit capacity; load on your hosting provider; the DNS servers you are using; the hardware that SmarterMail is running on; whether SmarterMail is running on a dedicated server or there are other services running on the SmarterMail server, etc.
 
So, without actually looking at your server, seeing the processes running, what resources they are consuming, and, most importantly, seeing the response times on your connection, including DNS lookup times, ping times, etc, it's a difficult call.
 
I would start with a good tracert to several known good locations, looking to see what happens to the timing on the individual hops between you and them.
 
Whether or not you are on Comcast, you can also go to http://speedtest.comcast.net and then test to various locations, beginning with the location closest to you, and see what the ping times are.    I suggest using the Comcast speed test because they upgraded their fiber backbone to an enterprise backbone about two years ago and you should see similar ping and speed test results to almost any of their testing locations - the caveat being that you will see some slowdown when testing to the side of the Rockies furthest from where you are located.
 
Then look at the upload and download times, and compare them to what your provider is supposed to be giving you at the server location.
 
As an FYI, I will have a new generation of the antispam settings out by the end of this month and will post a notification at that time.
0
Mike Saunders Replied
Hi Bruce, thanks for the reply,

I changed the DNS server the mail server uses and it's now averaging 20ms - 80ms, so it seems to have resolved it.

Looking forward to your latest settings; if all goes well I'll get rid of my external appliance.
0
Bruce Barnes Replied
Mike:  Glad to hear that changing your DNS servers helped to resolve the average query response time problem.  Based on both your posting, and feedback from several other users of my antispam settings, I will emphasize, in my next antispam document update, that the use of a LOCAL DNS SERVER is very important when querying RBL and URIBL databases.
 
Remember that the RBL and URIBL databases are free to low volume users, e.g., anyone who makes fewer than 100K queries per day via a particular DNS server.  A few allow as many as 200K queries per day.
 
That is why it is so important to use PRIVATE DNS SERVICES.  If you are using Google or Comcast DNS, then your RBL and URIBL queries are being added to the RBL and URIBL queries of everyone else who is using Google or Comcast DNS servers and, because of the volume limitations imposed by the RBL and URIBL providers, you will begin to see slow (high response time) or even completely INVALID query results.
 
In our case, we have our primary DNS server located in our own network.  We use a secondary from a paid service called FreeDNS [https://freedns.afraid.org].  FreeDNS provides only secondary DNS services, at a cost of about $60.00 per year, no matter how many zones are configured, or how many queries are brought, and they are extremely reliable.  From the FreeDNS website:
"If you already have a domain's DNS hosted somewhere, and you are only looking for backup-DNS hosting, then this service is for you.

If you already have a domain in afraid.org in the 'domains' area, then your domain is already using this feature.

To use this, you must enter your domain, and your primary nameserver's hostname. In order for this to work, your domain must allow AXFR transfers from ns2.afraid.org, and be delegated to ns2.afraid.org at your parent DNS servers.

AXFR transfers will originate from: 174.37.196.55 to your defined master

Also note, you will NOT be able to edit hosts for your domain if you put it in here, this is ONLY for offsite backup-dns for your domain, and the changes you make on your primary nameserver will automatically be transferred to ns2.afraid.org.

DNS NOTIFYs are accepted. If you are responsible for maintaining your primary DNS server, make sure when you update your DNS records to also update your zone's serial number. Upon doing so, any change should send ns2.afraid.org a notify (be sure to list ns2.afraid.org in the primary nameserver's SOA records) alerting ns2.afraid.org to immediately download your latest changes."
 
 
 
5
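The two threads above (Mike's 3,000-5,000 ms RBL averages and Bruce's point that queries funneled through a shared public resolver hit the list operators' volume limits, plus the earlier discussion of the client IP stamped into the Received line) can be made concrete with a small checker. The following is an added example, not code from the thread, from SmarterMail, or from any RBL operator: it builds the DNSBL query name the way RFC 5782 specifies (reversed octets, or reversed nibbles for IPv6), interprets the A record that comes back, and times each lookup so slow zones stand out. The zen.spamhaus.org return codes are the ones Spamhaus publishes (check their current table before relying on the labels); the 127.255.255.x error codes are exactly what a query through an open resolver or over quota produces, which is why a public resolver can make every lookup look "listed" or "error". The lookup table, IP addresses and Received headers are constructed so the example runs offline; pass `system_resolver` instead of `demo_resolver` to query the DNS server your mail host is actually configured with.

```python
"""Added example: DNSBL query construction, answer interpretation and lookup timing.
Not from the forum thread, SmarterMail, or any RBL operator."""
import ipaddress
import re
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a query name to the A record it returns, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

# Return codes Spamhaus publishes for zen.spamhaus.org (verify against their current table).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (exploited host)",
    "127.0.0.5": "XBL (exploited host)",
    "127.0.0.6": "XBL (exploited host)",
    "127.0.0.7": "XBL (exploited host)",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP-maintained dynamic space)",
    "127.0.0.11": "PBL (Spamhaus-maintained)",
}
# Spamhaus error codes: the answers you get when the query itself is the problem.
ERROR_CODES: Dict[str, str] = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query arrived via an open/public resolver; use a private resolver",
    "127.255.255.255": "query limit exceeded for this resolver",
}


def rbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address as RFC 5782 specifies and append the DNSBL zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        # IPv6: 32 hex nibbles, least significant first, one label each.
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.strip(".")


def classify(answer: Optional[str], codes: Dict[str, str] = ZEN_CODES) -> Tuple[str, str]:
    """Turn the A record (or NXDOMAIN) into (verdict, detail)."""
    if answer is None:
        return "not_listed", "NXDOMAIN"
    if answer in ERROR_CODES:
        return "error", ERROR_CODES[answer]
    if answer in codes:
        return "listed", codes[answer]
    if answer.startswith("127."):
        return "listed", f"undocumented 127/8 code {answer}"
    # A resolver that rewrites NXDOMAIN to a search page makes everything look listed.
    return "error", f"non-loopback answer {answer} (NXDOMAIN rewriting by the resolver?)"


def check_ip(ip: str, zone: str, resolver: Resolver) -> Dict[str, object]:
    """Query one zone for one address and record how long the resolver took."""
    name = rbl_query_name(ip, zone)
    start = time.perf_counter()
    answer = resolver(name)
    elapsed_ms = (time.perf_counter() - start) * 1000.0
    verdict, detail = classify(answer)
    return {"zone": zone, "query": name, "answer": answer,
            "verdict": verdict, "detail": detail, "ms": round(elapsed_ms, 2)}


def time_rbls(ip: str, zones: List[str], resolver: Resolver) -> List[Dict[str, object]]:
    """Check every configured zone; results carry per-zone timing for comparison."""
    return [check_ip(ip, zone, resolver) for zone in zones]


def slow_zones(results: List[Dict[str, object]], threshold_ms: float) -> List[str]:
    """Zones whose lookup exceeded the threshold (the check for Mike's 3000-5000 ms case)."""
    return [str(r["zone"]) for r in results if float(r["ms"]) > threshold_ms]


def system_resolver(name: str) -> Optional[str]:
    """Real lookup through the OS resolver, i.e. whatever DNS server the mail host uses."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# The connecting client's address appears in square brackets in a Received: line.
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def client_ip_from_received(header: str) -> Optional[str]:
    """Extract the client IP an outbound RBL check would key on; None if it was excluded."""
    match = RECEIVED_IP.search(header)
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:
        return None


# Constructed in-memory "DNS" so the example runs offline (keys are reversed query names).
DEMO_TABLE: Dict[str, str] = {
    "7.2.0.192.zen.spamhaus.org": "127.0.0.2",          # constructed: SBL-listed sender
    "9.2.0.192.zen.spamhaus.org": "127.0.0.10",         # constructed: PBL dynamic space
    "44.2.0.192.zen.spamhaus.org": "127.255.255.254",   # constructed: public-resolver answer
}


def demo_resolver(name: str) -> Optional[str]:
    return DEMO_TABLE.get(name)


# Constructed Received headers: client IP stamped in, and the same hop with it excluded.
RECEIVED_WITH_IP = ("Received: from laptop.example.net (dynamic.isp.example [192.0.2.9]) "
                    "by mx.example.org with ESMTPSA; Mon, 1 Jun 2015 10:00:00 -0500")
RECEIVED_WITHOUT_IP = ("Received: from laptop.example.net by mx.example.org with ESMTPSA; "
                       "Mon, 1 Jun 2015 10:00:00 -0500")

if __name__ == "__main__":
    for result in time_rbls("192.0.2.7", ["zen.spamhaus.org"], demo_resolver):
        print(result)
    client = client_ip_from_received(RECEIVED_WITH_IP)
    print(client, check_ip(client, "zen.spamhaus.org", demo_resolver)["detail"])
    print(client_ip_from_received(RECEIVED_WITHOUT_IP))
```

Running `time_rbls` with `system_resolver` against the same address once through your local caching resolver and once with the host pointed at a public resolver shows both of Bruce's points at the same time: the per-zone `ms` values, and whether the answers are real verdicts or the 127.255.255.x error codes. The Received-line helper returning `None` for the second header is the effect of the "Exclude IP from received line" setting Steve Reid mentioned: a downstream outbound block keyed on that IP has nothing to look up.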
Bruce Barnes Replied
The SmarterMail Antispam Settings Document has been updated once again.
 
Revision 6.250415, dated 23-May-2015 is now available at:
 
 
- Bruce
0
CCWH Replied
You sir, are a legend! Many thanks for the work on this, I'll be busy making the changes on our test MX this weekend.
0
Jane Noel Replied
Impressive that you run a successful business and are so generous with your time and knowledge. Thank you!
1
Bassem Rawas Replied
Hi All, those responses are a couple of years old and the links to the PDF are not working. Has this been retired?
0
Julian Dormon Replied
The link to the PDF no longer works :(
0
Bruce Barnes Replied
Link has been deactivated until I vet 16.0, hopefully this week. Watch this space.
0
Tina Cline Replied
Thanks Bruce! Love your work!
0
Micky Witztum Replied
Bruce, is there any chance I could get a copy of the SM v15 spam settings document from your history. That is the version I am running, and it would help me out now. I will of course look for the new version to be published, but I just need to improve my existing setup for now. Thanks so much for your help to all.

Micky
0
John C. Reid Replied
It has been three months that the link has been dead. Does the document really have so little value that those of us still using version 15 don't need access to it?
John C. Reid / Technology Director John@prime42.net / (530) 691-0042 1300 West Street, Suite 206, Redding, CA 96001
0
Manuel Replied
Hello ... any news on the new document?
GRAFFITI — It's Communication Riva del Garda (TN), I-38066 – Località Pasina 46 Milano, I-20129 - via Lamberto De Bernardi 1 Verona, I-37134 - via Legnago 126 San Francisco, US-94111 California – 275 Battery St, Suite 2600 website: www.graffiti.it
0
echoDreamz Replied
Seems a bit silly to disable a document that supports the currently stable version of SmarterMail....
0
David Fisher Replied
Hi Folks,

I am not sure Bruce is around anymore, his website is currently unavailable and has been for some time, portal site too.

Anyways, I posted the latest version I have :

http://www.fidalgo.net/SmarterMail

Enjoy!
0
Ron Raley Replied
Does anyone know what happened to Bruce?
0
Derek Curtis Replied
Employee Post
He is having some health issues and focusing on his recovery is about all we've heard. No details beyond that at this point.
Derek Curtis COO SmarterTools Inc. (877) 357-6278 www.smartertools.com
2
Information Technology Replied
After reading this thread I too wondered what happened to Bruce. He has been incredibly helpful to so many in the SmarterTools community for so many years that I found it odd that he hadn't posted in a while. A little research found that he had become seriously ill, according to this gofundme page. Be sure to look at the updates where he left, as far as I can tell, his last post anywhere.
 
And an image of him at an AIDS banquet in 2010.
 
There hadn't been any updates in several months so I looked a bit further but couldn't confirm an obituary.
 
You've helped so many, your absence is surely felt.
 
4
Linda Pagillo Replied
Bruce is very much missed here in the forums, I agree. I just wanted to let you guys know that he is indeed alive. In order to respect his privacy, that is all I can say at this time. I know a lot of you guys have been wondering so I wanted to put your minds at ease. If you have any messages for him that you would like me to pass along, I'm happy to do that. Thanks.
Linda Pagillo Mail's Best Friend Email: linda.pagillo@mailsbestfriend.com Web: www.mailsbestfriend.com Authorized SmarterTools Reseller Authorized Message Sniffer Reseller
0
Heimir Eidskrem Replied
Bruce will be missed for sure. Great guy who offered so much help and information.
