Post-DATA Checks

Post-DATA checks are those that are run against the actual headers and message body.
They are the most computationally expensive checks to run, as they require the entire message to be received first.

Watermarking

Watermarking makes a small modification to both inbound and outbound messages so that when an inbound message is received the system can determine that the message is a reply.
This allows for invalid bounce messages to be rejected and replies to bypass spam checks.

This reduces overall system load and prevents false-positives. It works best when all outbound mail for inbound domains contains these watermarks.

Note

Watermarking is required when DSPAM is used, because the training signatures are stored in the watermark added to each message. If it is disabled, your users will not be able to train DSPAM at all.

Enabled

Enable or disable the watermarking feature globally.

Secret

Secret key to encrypt the watermark with.
This prevents the watermarks from being abused: only the systems that generate the watermark with a common secret key will be able to decrypt them and trust they have not been tampered with.

Expiry Time

Length in days that the watermark is valid for, to prevent them from being abused.
The default is 14 days.

Reject Bounces without watermark

Reject any bounce messages that do not contain a valid watermark.

Note

If you enable this option, you must ensure that all of your outbound mail is sent via TUXGUARD Mail Gateway so that all outbound mail contains the watermarks; otherwise valid bounce messages will be rejected.
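
A minimal sketch of how a keyed, expiring watermark and the bounce decision can fit together. It is an added illustration, not TUXGUARD Mail Gateway's own code or token format. The token layout, the function names and the use of an HMAC tag for tamper detection (in place of the encryption the product describes) are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

EXPIRY_DAYS = 14   # default from the page
TAG_LEN = 16       # truncated HMAC-SHA256 tag length (assumption)

def make_watermark(secret: bytes, msg_id: str, now=None) -> str:
    """Token = base64(timestamp || msg_id || HMAC tag); the layout is hypothetical."""
    ts = int(time.time() if now is None else now)
    payload = struct.pack(">I", ts) + msg_id.encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(payload + tag).decode()

def check_watermark(secret: bytes, token: str, now=None, expiry_days=EXPIRY_DAYS) -> str:
    """Return 'valid', 'expired' or 'invalid'."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:                      # binascii.Error is a ValueError subclass
        return "invalid"
    if len(raw) < 4 + TAG_LEN:
        return "invalid"
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return "invalid"
    ts = struct.unpack(">I", payload[:4])[0]
    now = time.time() if now is None else now
    if now - ts > expiry_days * 86400:
        return "expired"
    return "valid"

def accept_bounce(secret, watermark, reject_without_watermark, now=None) -> bool:
    """Decision for the 'Reject Bounces without watermark' option."""
    ok = watermark is not None and check_watermark(secret, watermark, now) == "valid"
    return ok or not reject_without_watermark

SECRET = b"constructed-example-secret"   # constructed sample value
T0 = 1_700_000_000                       # constructed send time (epoch seconds)
SAMPLE = make_watermark(SECRET, "msg-0001@mx1.example", now=T0)
```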

Bounce Messages

Also see the pre-DATA Bounce Message options.

Check each received hop with SPF

Parse each Received header, extract the IP address and check it against the recipient domain's SPF record.
If a None result is returned, the test is skipped because the domain does not publish an SPF record. Otherwise, unless one of the lookups returns a Pass result, the message will be rejected.
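
The hop check described above, as an added example that is not TUXGUARD Mail Gateway's code. It goes slightly beyond the text by including a minimal SPF evaluator that handles only the ip4, ip6 and all mechanisms so that it runs offline. The function names, the sample record and the sample headers are constructed, and fetching the record from DNS is left to the caller.

```python
import ipaddress
import re

# Address literals as they usually appear in Received headers:
# [192.0.2.10] or [IPv6:2001:db8::1]
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def hop_ips(received_headers):
    """Extract every syntactically valid IP literal from the Received headers."""
    ips = []
    for header in received_headers:
        for literal in IP_LITERAL.findall(header):
            try:
                ips.append(ipaddress.ip_address(literal))
            except ValueError:
                pass  # bracketed text that is not an IP address
    return ips

def spf_result(ip, record):
    """Evaluate ip4/ip6/all only; a, mx, include etc. need DNS and are skipped."""
    for term in record.split()[1:]:          # skip the leading "v=spf1"
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech.startswith(("ip4:", "ip6:")):
            try:
                net = ipaddress.ip_network(mech[4:], strict=False)
            except ValueError:
                return "permerror"           # malformed network in the record
            matched = ip.version == net.version and ip in net
        else:
            matched = mech == "all"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def check_bounce_hops(received_headers, spf_record):
    """'skip' if no SPF record (None), 'accept' if any hop passes, else 'reject'."""
    if spf_record is None:
        return "skip"
    hops = hop_ips(received_headers)
    return "accept" if any(spf_result(ip, spf_record) == "pass" for ip in hops) else "reject"

# Constructed sample data (documentation address ranges, hypothetical host names)
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
HEADERS = [
    "from mail.remote.example (mail.remote.example [203.0.113.5]) by mx.other.example; Mon, 1 Jan 2024 10:00:02 +0000",
    "from out.example.org (out.example.org [192.0.2.10]) by mail.remote.example; Mon, 1 Jan 2024 10:00:00 +0000",
]
```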

Rspamd

Rspamd is an advanced spam filtering system that allows evaluation of messages by a number of rules including regular expressions, statistical analysis and custom services such as URL black lists.
Each message is analysed by Rspamd and given a spam score.

This is the recommended spam filter to be used in TUXGUARD Mail Gateway.

Enabled

Enable or disable Rspamd globally.

Host

The host/ip:port of the Rspamd instance that you want TUXGUARD Mail Gateway to query.
Leave it blank to use the TUXGUARD Mail Gateway supplied Rspamd instance.

Enable TUXGUARD RBL

Enable or disable internal usage of DNS Blocklists inside Rspamd.
This can only be activated if there are also TUXGUARD Lists enabled.

Note

This currently only works with the TUXGUARD Mail Gateway supplied Rspamd instance; external instances will need to be configured manually to include this feature!

Tag Score

Positive integer value indicating the score threshold at which a message should be subject-tagged and the X-Spam-Flag: Yes header added.

Quarantine Score

Positive integer value indicating the score threshold at which a message should be quarantined.

Reject Score

Positive integer value indicating the score threshold at which a message should be rejected.

Relay Reject Score

Positive integer value indicating the score threshold at which a message from a relay should be rejected.

DSPAM

Important

DSPAM requires the Watermarking feature to be enabled for training to work correctly. This is because the message watermark is used to store the DSPAM signatures.

DSPAM is an open-source statistical spam filter.
It classifies messages into Innocent and Spam categories using statistics based on the tokens (words and headers) used in a message.
TUXGUARD Mail Gateway uses one DSPAM database per configured inbound domain, so all the users of a domain ‘share’ the same classification database. This provides a good trade-off between accuracy, training burden and the overall size of the DSPAM databases.

For DSPAM to be effective, it must learn what is Innocent and what is Spam by training.
TUXGUARD Mail Gateway uses a hybrid training mode called TONE (Train on near error), which means that if it doesn’t have a high confidence about a message’s classification, it will tag the subject of the message with either [SPAM?] or [NOTSPAM?] to ask the recipient to train it by telling it whether the classification is correct. The user does this by forwarding the message to a special training e-mail address (called a training alias). The user would also do this if the message wasn’t tagged but was incorrectly classified.

In addition to the user training, if the Enable Auto Training option is enabled, then TUXGUARD Mail Gateway will automatically train DSPAM with Spam when a connected host is listed on one of the configured DNS or URI blacklists, the message is to a valid user and the load average of the system is low.
When auto-training, the message is checked twice: once to see whether DSPAM already thinks the message is Spam, and then again to train DSPAM on the message if the classification is incorrect or if the confidence is lower than the ‘Auto Training Level’. This ensures that DSPAM is not over-trained on Spam messages.

DSPAM requires training on 2,500 messages before it considers its database mature enough to be very confident in its classifications. Until this threshold is reached, DSPAM will ‘water down’ its classifications to prevent false-positives; you will find that it gets some initial classifications wrong and requires an amount of ‘near-error’ training during this time.

If DSPAM and SpamAssassin are both enabled in TUXGUARD Mail Gateway, then DSPAM is run first and the results will be automatically scored in SpamAssassin via a supplied plug-in:

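| Confidence | Innocent Score | Spam Score |
|------------|----------------|------------|
| 0% to 50%  | -0.001         | 0.001      |
| 60%        | -1.0           | 1.0        |
| 70%        | -2.0           | 2.0        |
| 80%        | -3.0           | 3.0        |
| 90%        | -4.0           | 4.0        |
| 100%       | -5.0           | 5.0        |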

Training

For training to work correctly, you must set up a DNS hostname that resolves to the IP addresses of all of the machines on which you installed the tuxmail-worker RPM.

This is so that when the user wants to train DSPAM, they forward the message to one of the training aliases that points to the configured DNS hostname.

To train DSPAM, the user forwards the message to either spam@<hostname> or notspam@<hostname>.

For example: if you have two systems called mx1.tuxguard.com and mx2.tuxguard.com, you would create a DNS CNAME called training.tuxguard.com that points to both mx1.tuxguard.com and mx2.tuxguard.com.
When a user wishes to train TUXGUARD Mail Gateway on a message that is spam, they would forward the message to spam@training.tuxguard.com which would cause their mail server to send the forwarded message directly to TUXGUARD Mail Gateway which can then train DSPAM accordingly.

Important

For a training message to be accepted, the host sending the training message MUST be allowed relay permission by TUXGUARD Mail Gateway. Relay permission is granted to any host that successfully uses SMTP AUTH or that is explicitly allowed to relay via a map entry.
This is a security measure to prevent unauthorized users from sending training messages.

If there is a problem with the training message, such as the signature not being found or the message being sent from an unauthenticated host, then the message will be returned to the sender with the appropriate error message.
Successful training messages do not elicit any response from TUXGUARD Mail Gateway: once training is complete, the message is simply discarded.

Enabled

Enable or Disable DSPAM globally.

Host

A comma-separated list of host/ip:port of the DSPAM servers that you want TUXGUARD Mail Gateway to query. Leave it blank to use the TUXGUARD Mail Gateway supplied DSPAM instances.

Server Password

The server password that DSPAM expects. For the TUXGUARD Mail Gateway supplied DSPAM instance, this is automatically generated, so do not change it or TUXGUARD Mail Gateway will not be able to communicate with DSPAM.

If you are using your own DSPAM hosts, TUXGUARD Mail Gateway will authenticate itself as <server_password>@default, so your ServerPass directive in dspam.conf should be:

ServerPass.default "<password>"

Training Level

Minimum confidence level before TUXGUARD Mail Gateway will modify the subject to add [SPAM?] or [NOTSPAM?] to request that the user train DSPAM on the message to improve the accuracy of future messages.

Default is 75%

Reject Level

Confidence level at which to reject messages. Set this to 0 (zero) to prevent any messages from being rejected.

Default is 95%

Enable Auto Training

Enable or Disable Auto Training.
Auto Training is used to keep DSPAM accurate with fresh spam messages by training it on messages that are sent to valid mailboxes but where the host is listed on a DNSBL or URIBL and the system load isn’t high.

To prevent over-training, a classification is run first and, if the confidence is less than the Auto Training Level, the message is run through DSPAM again in Inoculate mode, which aggressively trains DSPAM on the tokens found inside the message.

Auto Training Level

Messages are only auto-trained if the initial confidence level is less than this value. This prevents over-training DSPAM, so be careful not to set this value too high.

Default is 85%.

SpamAssassin

Apache SpamAssassin is the #1 Open Source anti-spam platform giving system administrators a filter to classify email and block spam (unsolicited bulk email).

It uses a robust scoring framework and plug-ins to integrate a wide range of advanced heuristic and statistical analysis tests on email headers and body text including text analysis, Bayesian filtering, DNS blocklists, and collaborative filtering databases.

TUXGUARD Mail Gateway provides a preconfigured installation of SpamAssassin along with an automatically updated set of custom rules and plugins. The SpamAssassin Bayes plugin is disabled by default as DSPAM provides better accuracy and is easier to train. A plugin is supplied with TUXGUARD Mail Gateway so that SpamAssassin will add score based on the DSPAM results.
See the DSPAM section for details.

By default, SpamAssassin considers a message to be Spam if it scores >= 5, at which point TUXGUARD Mail Gateway will tag the subject with [SPAM] and set an X-Spam-Flag: YES header, which can be used to deliver messages to the user’s ‘Spam’ or ‘Junk’ folder.

See Mail Server Configuration

Enabled

Enables or Disables SpamAssassin globally.

Host

A comma-separated list of host/ip:port combinations of systems running the SpamAssassin spamd daemon. Leave blank to use the local spamd instance that is configured automatically.

Reject Score

SpamAssassin score at which to start rejecting messages.

Default: 10

Relay Reject Score

SpamAssassin score at which to reject messages that are being sent from a host that is allowed to relay (via relay permissions or SMTP AUTH). This is to prevent outbound spam from being allowed to be sent through TUXGUARD Mail Gateway.

Default: 5

MessageSniffer

Note

MessageSniffer is an optional extra available at additional cost.

You can sign up for a free 30 day trial. The licenses cost between $99 and $495 per server/year depending on your non-spam mail volume (this will be analyzed during your trial period).

MessageSniffer is an intelligent, anti-spam scanner that uses advanced pattern recognition and collaborative learning technologies to accurately identify spam, scams, viruses, and other email borne malware.

It consistently captures more than 99% of spam on average (calculated from spamtrap processing data, customer reports, telemetry, and lab tests on live messages) and has the lowest false positive rates in the industry. MessageSniffer scans more than half a billion messages per day while we receive fewer than 300 false positive reports per month!

TUXGUARD Mail Gateway automatically reports hosts to MessageSniffer’s local IP reputation database whenever a recipient or message is rejected that MessageSniffer has not scanned. This helps to build an effective local IP reputation database using data from other TUXGUARD Mail Gateway tests.

It requires no configuration and is highly recommended, especially for high volume sites.

Once Enabled and the License ID and Authentication code have been entered, you must log in to the system as root and run the following command to manually download and install the initial MessageSniffer rulebase:

tux_config.js

After the rulebase has been installed, TUXGUARD Mail Gateway will automatically start, begin using the service and automatically update the rulebase every 45 minutes.

Enabled

Enables or Disables MessageSniffer globally.

License ID

The license ID provided by Arm Research.

Authentication

The authentication code provided by Arm Research.

Miscellaneous/Experimental

Reject unreplyable messages

Checks the Reply-To, From and Sender headers (in that order) to ensure that the domain resolves to a valid MX record and that the message can be replied to. The message will be rejected if it is not.

Mark From header

Note

Experimental feature

This modifies the From header and changes the Display Name (what is shown in the user’s email client). It is designed to give the recipient a visual cue that makes it more obvious where a message has come from and how trusted the source is, to prevent them becoming a victim of Phishing, Malware, Viruses or Spam.

The following changes are made:

[*] is added to denote that the message was received over a secure channel (e.g. SSL/TLS).

[!] is added to denote that the envelope sender domain could not be linked to the host that sent the message (e.g. it failed Sender Authentication).

If the envelope-from and from address do not match it will change the Display Name to: “<envelope from> on behalf of <from>”

If the message is being received from a mailing-list, then the Display Name will be changed to: “<display name> via <list> <from>”

Note

None of these changes will affect the recipient’s ability to reply to the message. It is purely for display purposes.

Non-Latin character limit

Note

Experimental feature

Reject any message that contains more than this percentage of non-Latin characters (e.g. Russian, Chinese, Japanese, Greek, Arabic etc.) in the subject line or message body.

Note

This is a global setting for all domains. Do not enable it if you have users that might exchange email in non-Latin languages.