Optimizing spam protection in Kerio Connect
Kerio Connect provides multiple features to prevent spam. For a general overview of each feature, refer to configuring spam control in Kerio Connect. This article describes in more detail the anti-spam features and outlines the implications of each feature.
SpamAssassin
Introduction
SpamAssassin provides three layers of spam protection:
- Rules
- Bayes
- SURBLs
SpamAssassin Rules
SpamAssassin includes a preconfigured set of static rules that update with specific releases of Kerio Connect. The rules are located in the SpamAssassin folder of the mailserver directory. Modification to the rules is not recommended.
Kerio Connect passes the content of messages to SpamAssassin. SpamAssassin evaluates the message against its rules and assigns a numeric value to the message. Kerio Connect inserts this value as a score into the headers of the message. There are 3 possible X-Spam headers:
- X-Spam-Status: - The cumulative score (hits), the threshold value 'required', and all positively evaluated rules with their associated values 'tests'
- X-Spam-Flag: - YES, or NO to indicate if the message is spam
- X-Spam-Level: - The cumulative score represented by a count of asterisks. For example, a score of 4.2 would be represented as '****'.
SpamAssassin Bayes
The Bayes, or Bayesian filter is a dynamic component of SpamAssassin that works similarly to rules, however its intelligence is not statically pre-defined. This intelligence includes a database of message characteristics that updates continuously. Kerio Connect processes two types of messages into the Bayes database:
- Self-Learned: Messages that exceed a score of 12, and both the header score and body score are above 3, or messages with a score that is below 0.1.
- User-Trained: Messages that have been marked by end users of the mail system as either spam or not spam.
The Bayes score is combined with the score assigned by the static rules. The numerical value assigned by the Bayes filter is included in the X-Spam-Status header as 'Bayes'.
SpamAssassin SURBLS (Spam URI Realtime Blocklists)
All messages are scanned for links to Internet locations or URIs (Uniform Resource Identifier). These links are compared to a number of online blocklists. If a URI is located in a blacklist the cumulative spam score is adjusted according to the score that the blacklist assigns for the given URI.
Configuration and management of SpamAssassin
Configuration of SpamAssassin for Kerio Connect is located in the Administration console under Configuration > Content Filter > Spam Filter. By default, SpamAssassin is enabled with the following settings:
- Messages sent from local users are not scanned.
- Messages which receive a score of 5 or above will be flagged as spam.
- Messages which receive a score of 9.5 or above will be discarded.
Messages flagged as spam will be automatically sorted to the 'Junk email' folder, which is a default folder belonging to each user of Kerio Connect. Note that users who access mail using POP3Post Office Protocol 3 - A protocol used by local email clients to retrieve emails from mailboxes over a TCP/IP connection. protocol will not have access to their 'Junk email' folder. These users should log into webmail and disable the automatic 'Junk email' filter from the settings menu.
Adjusting the threshold
The default threshold value of 5 is aggressive enough to block the majority of spam, while maintaining almost no false positives. This value may be decreased to improve the number of detected spam, however it is also possible to encounter more false positives. Before adjusting the threshold, it is recommended to examine the spam score of a sample of spam messages that have managed to pass the spam filter rating, and compare these scores to a sample of legitimate messages.
Managing SpamAssassin Bayes
By default, the Bayes filter is inactive. This is because it needs to establish a sufficient level of intelligence before evaluating email. It is highly recommended for users to train the server using one of the following techniques:
- Using the 'Spam' or 'Not spam' buttons in webmail to mark messages that have been mistakenly marked by the server.
- Moving messages between the 'Inbox' and the 'Junk email' folders which have been mistakenly marked by the server.
These actions will be logged in the Spam log, located in the Kerio Connect Administration console. The total number of trained messages will be displayed in the Administration console under Configuration > Content Filter > Spam Filter > SpamAssassin. Once the number of trained messages has reached 200, the Bayes filter will become active. This can be verified by checking the X-Spam-Status header for the 'BAYES' score.
Although the Bayes filter can be very effective, it can also be detrimental. It is important for the Administrator to regularly monitor the Bayes score, especially when there is an increase in unrecognized spam. Many spammers will try to poison the Bayes database by sending the server specially crafted emails. Check the Bayes score for a sample of spam email (both recognized and unrecognized) as well as legitimate email. The Bayes score should generally have a negative value for legitimate email, and a positive value for spam email. If the Bayes score seems universally low, it may have become poisoned, and should be reset.
Resetting the Bayes
All components of the Bayes filter are located in the Kerio Connect store directory under /spamassassin/bayes/. To reset the Bayes, simply rename, or delete the bayes folder, then restart Kerio Connect.
Custom Filters
Although custom filter rules are processed independently of SpamAssassin, they are primarily used to either modify or bypass the SpamAssassin score. Because the majority of spam is highly variable and inconsistent, custom rules are more commonly used to whitelist particular senders or entire domains by using the option 'treat the message as non-spam'. With a sufficient whitelist, it suffices to set a slightly more aggressive spam threshold value.
There are some types of custom rules that can be created to reduce spam. For example, where certain standard headers such as 'From' or 'To' are missing.
Blacklists
On a default installation, Kerio Connect includes a small list of well known Internet blacklists, however none of them are enabled. Enabling these blacklists can greatly reduce spam, however some legitimate email may be rejected. It is important to occasionally review the security log to confirm the volume of rejected email from blacklists, and to make sure it is not rejecting legitimate senders. In case you do encounter legitimate senders which are rejected by the blacklist, the IP addressAn identifier assigned to devices connected to a TCP/IP network. can be extracted from the log and added to a whitelisted IP address group.
Note that this feature is only effective when Kerio Connect receives mail directly from the sender's outgoing mail server. In case Kerio Connect receives all mail from a single host, such as an SMTPSimple Mail Transport Protocol - An internet standard used for email transmission across IP networks. gateway, it will not be able to appropriately identify the IP address of the originating mail server.
SPF (Sender Policy Framework)
Unfortunately email communication is designed so that spammers are able to use anyone's email address as the sender. The receiving mail server does not have any effective mechanisms for verifying the identity of the sender. Although SPFSender Policy Framework is an open source equivalent to Caller ID. cannot protect against spoofing of a specific email address, it does allow the receiving mail server to identify a spoofed domain name.
The Domain name architecture allows for configuration of various types of hostname to IP mappings. One of these record types is referred to as TXT. SPF information is defined within a TXT record. During an SMTP conversation, Kerio Connect takes the sender's email domain and queries its authoritative name server for a valid TXT record containing SPF data. If no such record exists, Kerio Connect will allow reception of the email, unless it is rejected by another antispam component. A valid SPF record will contain all IP addresses which are allowed to send email using the sender's domain name. The IP address of the sending mail server is compared to this record. The message will be immediately rejected if the sending mail server's IP address does not exist in the corresponding SPF record.
Because spammers are capable of checking domains for these types of records, they are able to use spoofed addresses from domains which do not have any SPF record. This feature is therefore primarily useful in preventing spoofed email from domains configured locally on the Kerio Connect Spammers will often attempt to use the same email address for both the sender and the recipient. The receiving mail server therefore may be less inclined to consider the message as spam, since the sender address belongs to a local recipient. SPF is most effective at preventing this type of spam attack.
SPF is highly efficient as it does not result in false positives. The drawback to this technology is that it is not trivial to properly format the TXT record, and many DNSDomain Name System - Enables the translation of hostnames to IP addresses and provides other domain related information. hosting providers do not allow configuration of TXT records. There are however companies such as http://www.zoneedit.com/ who provide DNS hosting services and allow configuration of TXT records. You can find more information regarding SPF at http://www.openspf.org/, including a simple form to automatically generate the proper TXT format used in your DNS configuration.
Spam Repellent
The majority of Spam is generated by specialized mass mailing applications. The objective of such software is to distribute as much spam as possible in a small amount of time. Successful mail delivery for spammers is therefore a luxury, rather than a necessity. Legitimate mail servers on the other hand are obligated to ensure that every message properly reaches its destination.
The Spam Repellent feature works by introducing an artificial delay to the SMTP greeting. Legitimate mail servers will typically wait at least 2 minutes before closing the connection, while spam engines may wait only a few seconds. A good value is 25 seconds. This simple adjustment will eliminate a significant amount of spam, without causing any loss of legitimate email. The only minor drawback to this setting is that Internet email will take an additional 25 seconds to receive. It is recommended to enable the IP address exclusion so that internal users will not be affected by this setting.
SMTP Security and IP based restrictions
These features are primarily intended to prevent abuse, or misuse of the SMTP server. Because spammers typically try to abuse the SMTP server, these security settings can be effective in preventing inbound spam. By default, none of these features are enabled. Although it is recommended to enable these options, it should be done with caution and a bit of initial attention.
Max. number of messages per hour from one IP address: This feature is most effective in preventing open relay, rather than blocking inbound spam to local recipients. Before enabling this option, it is recommended to examine the mail log. In some network configurations, the Kerio Connect may be receiving the majority of its mail from a single host, such as an SMTP gateway. In this case the IP address of the gateway should be added to an address group which is referred to by the option 'Do not apply these limits to IP address group'. An appropriate value for this option may range anywhere from 20 to 100, depending on the nature of the users of the mail system.
Max. number of concurrent SMTP connections from one IP address: Most legitimate mail senders will only open one or two SMTP connections, depending on how many messages someone is trying to send at once. A appropriate value for this option is 5.
Max. number of unknown recipients (directory harvest attack protection): Spammers will sometimes try to attack a mail server by guessing common types of addresses. The spammer is able to use this technique to create a list of known recipients on a server. By enabling this option, Kerio Connect will refuse any SMTP connections from the offending SMTP client for one hour. A appropriate value for this option is 3.
Block if sender's mail domain was not found in DNS. This option should be enabled. It confirms that the sender's mail address exists as a valid domain. Any legitimate message should contain a valid sender address.
Max. number of recipients in a message: The value of this option is based on the behavior of the users of the mail system. In some circumstances, a user may have a distribution list containing hundreds, or even thousands of recipients. It is the Administrators decision to determine an appropriate maximum value of recipients in a single message. This feature is more effective at preventing unauthorized mail relay, than rejecting inbound spam.
After enabling these options, it is very important to review the security log to ensure that legitimate mail senders are not affected by these features.
Kerio Connect Client AntiSpam Features
End users of the web client have personalized control over the spam filter. By default, all spam is sorted into a folder named 'Junk E-mail'. As mentioned previously, users can adjust the global spam server, or Bayes filter by using the 'Spam' or 'Not Spam' buttons that appear in the toolbar when a message is selected. Non Kerio Connect client users can train the Bayes filter by moving messages between the Inbox and the Junk E-mail folders.
Recommended Settings
The following summary shows the recommended settings in the different tabs of the Spam Filter section in the Kerio Connect Web administration.
Spam rating
- Rating of messages sent from trustworthy relay agents - disabled. This includes devices in your internal network such as scanners or fax machines. Backup MX server should not be in this IP address group.
- Tag score 4.5, block score 9.8.
Kerio Anti-spam
- Enable Kerio Anti-Spam advanced filter. Set its contribution to Normal.
- We recommend allowing use of signatures and metadata for improving the online scanning service.
Blacklists
Internet blacklist should add between 1 and 3 points depending on their reliability:
- bl.spamcop.net - add 3 points
- zen.spamhaus.org - add 2.5 points
- dnsbl.sorbs.net - add 3.0 points
- rhsbl.sorbs.net - add 3.0 points
- db.wpbl.info - add 2.0 points
- b.barracudacentral.org - add 2.5 points, Ask Directly=Yes
- bl.spamcannibal.org - add 1.5 points
Please note that using certain DNS blacklists requires registration at the blacklist website and configuring Kerio Connect to ask the blacklist DNS server directly (eg. Barracudacentral).
Custom rules
Use custom rules as you wish. The rules can increase the spam score based on message subject or sender, or instantly block a message. You can also create a whitelist based on various criteria.
- We do not recommend using too generic words which may produce false positive results. Eg. rule "If Subject contains substring ¨div¨" is too generic and could block legitimate emails.
- Enable "Reject message as soon as possible" option so From and To custom spam rules are applied during SMTP session and contribute to lower load in spam filter.
Caller-ID
- Enabled.
- Block the message.
- Use exclude list for your backup MX, antispam gateways or relay SMTP servers.
SPF
- Enabled.
- Block the message.
- Use exclude list for your backup MX, antispam gateways or relay SMTP servers.
Greylisting
- Enabled
- Use exclude list for your backup MX, antispam gateways or relay SMTP servers.
Spam repellent
- Enabled, delaying SMTP greeting by 15-25 seconds.
- Use exclude list for your LAN clients, backup MX, antispam gateways or relay SMTP servers.