
Guide to spam prevention using SurgeMail Features.

How it works:

Spam prevention has gone through many changes over the last few years. Initially people tried to filter spam based on the 'content'; although this worked well at first, it soon started to fail as spammers adjusted their spam. Successful spam prevention is now based on a multi-pronged approach: the 'source' of the message is verified in various ways, the content of the message is checked, and finally the 'friends' system catches and automatically deals with any messages that still get through, while also automatically white-listing known associates.

What you need to do, in four easy steps.

  1. Upgrade to the latest stable release
  2. Press the 'suggestions' button and turn on the settings it suggests (within reason :-)
  3. Advise your users how to turn on their user-configurable options, and to turn on friends for messages which score more than 4 (or lower if they really want to stop all spam)
  4. Go through the check list below.

g_orbs_list name="bl.spamcop.net." action="stamp" stamp="Spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"

This setting tells SurgeMail to check the connecting IP address against an RBL service (in this case Spamcop). This improves the spam scoring features.

g_spam_allow "10.2.192.98-117"

This setting lets you list the IP addresses of known trusted hosts.

g_spam_subject "4"

This setting adds **** to the subject of messages that score more than '4'.

g_spam_userconfig "TRUE"

This setting lets the users change their own spam settings.

g_spam_internal "true"

This turns on the aspam scoring system.

g_spam_catcher "fred@your.domain"

This setting is used to train the aspam filter with spam that arrives at special email addresses on your system. Place these email addresses on your web pages so that spammers will accidentally train your system for you :-)

g_url_enable "true"

This adds some URL scoring using a NetWin-provided database that is updated every few hours; you should also use SURBL as well.

g_vanish_bad_bounces "TRUE"

This gets rid of bounces that didn't originate from your server.

g_verify_smtp "TRUE"

This setting checks whether the connecting SMTP server accepts connections on port 25. The spam scoring is adjusted if the test fails.

g_spf_mode "strict"
g_spf_block "true"
g_spam_grey_dflt "true"
g_spam_grey_dflt_bad "true"

These four settings turn on SPF (see http://netwinsite.com/spf.htm). In addition, the g_spf_block setting makes SurgeMail actually block all the spam that fails SPF tests. However, to reduce the impact, the grey settings mean that failures are grey-listed and only fully blocked if grey listing fails, or if too many messages arrive within a short time period (1 message).
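As an added illustration (not SurgeMail's code, and with assumed timing values), here is the grey-listing logic the text describes for SPF failures modelled in Python: the first attempt is deferred, a retry after a normal MTA delay is accepted, a second delivery inside the short window is blocked, and an entry nobody retries expires.

```python
"""Greylisting of SPF failures as described above (added example, not SurgeMail code).
An SPF failure is not rejected outright: the first attempt gets a temporary 4xx
defer; a retry after a normal MTA delay is accepted; a retry arriving too soon
(more than BURST_LIMIT messages in the short window) is blocked; an entry nobody
retries expires, which is the "grey listing fails" case. Timing values are assumed.
"""
from dataclasses import dataclass, field

RETRY_DELAY = 300      # seconds: minimum wait before a retry is accepted (assumed)
BURST_WINDOW = 60      # seconds: the "short time period" from the text (assumed)
BURST_LIMIT = 1        # messages tolerated inside that window (the text says 1)
GREY_TTL = 24 * 3600   # seconds: after this an un-retried entry is given up on (assumed)

@dataclass
class Greylist:
    # (ip, sender, recipient) -> {"first": t, "attempts": n, "state": ...}
    seen: dict = field(default_factory=dict)

    def decide(self, ip, sender, rcpt, spf_result, now):
        """Return 'accept', 'defer' (SMTP 451) or 'block' (SMTP 550)."""
        if spf_result != "fail":
            return "accept"          # only SPF failures are greylisted
        key = (ip, sender.lower(), rcpt.lower())
        entry = self.seen.get(key)
        if entry is None:
            self.seen[key] = {"first": now, "attempts": 1, "state": "grey"}
            return "defer"
        entry["attempts"] += 1
        if entry["state"] == "blocked":
            return "block"
        elapsed = now - entry["first"]
        # A real MTA waits minutes; a second delivery inside the window is blocked for good.
        if elapsed <= BURST_WINDOW and entry["attempts"] > BURST_LIMIT:
            entry["state"] = "blocked"
            return "block"
        if elapsed >= RETRY_DELAY:
            entry["state"] = "accepted"
            return "accept"
        return "defer"               # retried, but too early: keep deferring

    def expire(self, now):
        """Drop entries never retried within GREY_TTL; these messages are lost."""
        stale = [k for k, e in self.seen.items()
                 if e["state"] == "grey" and now - e["first"] > GREY_TTL]
        for k in stale:
            del self.seen[k]
        return stale
```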

g_surbl name="multi.surbl.org" stamp="sc.surbl.org,ws.surbl.org,phishing,ob.surbl.org,ab.surbl.org,jp"

This setting is critical to spam detection; the SURBL database is used to detect URLs that spammers are trying to promote.
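As an added example (not SurgeMail's code), this shows how the RBL check behind g_orbs_list and the SURBL check behind g_surbl are actually performed: reversed-octet DNS names, the ||remoteip|| stamp substitution, and decoding the multi.surbl.org bitmask into the stamp names. The bit-to-list mapping and the canned DNS answers are assumptions, not real listings.

```python
"""RBL and SURBL lookups as used by the g_orbs_list and g_surbl settings.
Added example, not SurgeMail code. Builds the DNS names to query and decodes the
bitmask answer multi.surbl.org returns; FAKE_DNS stands in for a real resolver so
this runs offline (constructed answers, not real listings).
"""
import ipaddress
import re

# Constructed DNS answers: a listed IP on the RBL and a listed domain on SURBL.
FAKE_DNS = {
    "5.113.0.203.bl.spamcop.net.": "127.0.0.2",
    "spam-example.test.multi.surbl.org.": "127.0.0.6",   # bits 2 + 4
}
# The g_surbl stamp names, in order. Assumed to map to successive bits of the
# multi.surbl.org reply starting at 2 (sc=2, ws=4, ph=8, ...), the classic layout.
SURBL_STAMP = ["sc.surbl.org", "ws.surbl.org", "phishing",
               "ob.surbl.org", "ab.surbl.org", "jp"]
STAMP_TEMPLATE = "Spamcop, http://spamcop.net/w3m?action=checkblock&ip=||remoteip||"

def rbl_query_name(ip, zone="bl.spamcop.net."):
    """DNSBLs are queried with the IP's octets reversed, prefixed to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def surbl_query_name(host, zone="multi.surbl.org."):
    """Query the base domain of a host found in a URL (simplified: last two labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) + "." + zone

def decode_surbl(answer):
    """Map a 127.0.0.X answer to the stamp names whose bit is set in X."""
    bits = int(answer.split(".")[-1])
    return [name for i, name in enumerate(SURBL_STAMP) if bits & (1 << (i + 1))]

def check_rbl(ip, resolve=FAKE_DNS.get):
    """Return the rendered stamp (||remoteip|| substituted) if ip is listed, else None."""
    if resolve(rbl_query_name(ip)) is None:
        return None
    return STAMP_TEMPLATE.replace("||remoteip||", ip)

def check_surbl_urls(body, resolve=FAKE_DNS.get):
    """Look up every URL host in a message body; return {host: [lists]} for hits."""
    hits = {}
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
        answer = resolve(surbl_query_name(host))
        if answer is not None:
            hits[host.lower()] = decode_surbl(answer)
    return hits
```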


Frequently Asked Questions (FAQ)

What are the recommended best practice techniques to avoid spam on my server?

See the list of settings above; primarily you want SURBL, RBLs and SPF (in strict mode with g_spam_grey turned on). Also avoid using front-end filter systems, as these will prevent the best spam features in SurgeMail from working. And suggest users turn on 'friends' with a friends bounce level of about 4.

Is there something else I should be doing to prevent spam, why do I get so much when other people get none?

Although these mechanisms can stop almost all spam, there is another way to get rid of spam, and if you use it, then you can adjust the filters to be very 'forgiving' so that real messages are never caught by them. So here's the trick: the BEST way to avoid spam is to change your email address, and keep your new email address private:

What are the likely side effects and implications of using these measures?

You will bounce some real mail messages, and because some people don't read the bounce messages they will fail to respond correctly to get past the automated spam prevention. The above settings only require responses from about 1-2% of people, so most mail gets through without any trouble, but a small percentage will be bounced, and if the sending user doesn't respond then the message will fail to be delivered. This results in a loss of about 0.1% of messages, much lower than letting humans do the filtering, but still not perfect.


How do I measure how effective these techniques are? (my manager needs a report to justify costs)

In the advanced status section in SurgeMail there is a 'spam' section; this has figures on the various filter hit rates. It's a little hard to interpret, but it gives a fairly good idea of how much spam has been blocked.

How are false positives handled? Each email is important to me, and I must avoid false positives at all costs, how can I monitor email identified as spam until I am confident that the system has no / minimal false positives?

With SPF and friends, false positives result in some form of bounce; the user sending the message must then respond to the bounce to get their original message delivered. (With SPF failures they must resend; with Friends they need not.) You will only lose messages when the person sending to you does not read the bounces. From the user web interface you can search through all the bounces manually, release messages pending confirmation via friends, and fix SPF failures.

How can spam that was not caught be submitted (by users)? and how do users/admin get feedback that their submissions are actually doing something?

You or any user can send messages to isspam@your.domain or notspam@your.domain; this will improve the scoring in future. From the manager's web admin pages for spam you can also paste in a message and get it analyzed, or trained. This process should not be over-emphasized: it is good for fine-tuning the filters slightly, but it is not at all critical that you submit every failed message or every false positive. The messages can be sent as attachments or redirects; it doesn't matter much which is done, as the system is forgiving. If a message is sent to the wrong training address, just resend it to the other address to nullify the training.

How should I, as a user, configure my spam controls on my email? There seem to be several ways of configuring filters + friends + spam/SPF etc. to work together. Why should / should I not use a particular combination? Are there particular things that I probably should not configure?

This is very important, if you get 'lots' of spam and want to get none.

If you get a small amount of spam but want to get rid of 'most' of it, without much risk of ever bouncing a real message:

Are there any significant performance effects? (on a 100 / 5000 / 100000 user system) Both in increased load that these measures put on system resources (disk / CPU / open channels / responsiveness etc.) and reduced load by not having to deal with spam. How can I measure these effects?

Not really; the spam system in SurgeMail is very efficient, and the SPF features and vanish bad bounce settings do reduce real load on heavily spammed servers, so the spam prevention tends to result in a slight performance improvement and reduced network bandwidth usage.

We do STRONGLY recommend the use of the AVAST virus scanner product, as it is enormously more efficient than some of the free Unix command line scanning utilities that you can use with SurgeMail (mainly because it does not get activated for each scan, as it is part of the server).

Using external spam checking systems (which you can do if you really want to) is also strongly discouraged; these generally won't increase your filtering accuracy but will badly affect performance.

I want to counter some rules in ASPAM - for example NakedCR.

ASPAM's filter rules are stored in aspam_mfilter.txt. You cannot edit this file, as it is updated regularly so any changes you make will be overwritten. You need to edit the file local.rul, where you can add your own rules.

if (isin("X-NakedCr","body")) then
call spamdetect(0.1,"NakedCR")
end if

In general, look through aspam_mfilter.txt, find the rule, and then write the same rule in local.rul but with a negative score to cancel the scoring in aspam_mfilter.txt. The string/reason in local.rul must be _exactly_ the same as the string in aspam_mfilter.txt for the rule to override the first one.