Mail filters
- General
-
What is the difference between envelope and content filters?
The principal difference is where the checks take place, but this has several consequences.
Envelope filters are applied during the initial connection from the remote server, before the message is downloaded. They are efficient because they can prevent Spam from ever entering our network, saving on bandwidth and other resources. They are based on the identity and location of the connecting server and on the initial handshake.
Content filters are applied after the whole message has arrived and are based on the content of the message. Because they have the whole message to check, they can be more accurate than envelope filters in detecting spam. However, they are also much more demanding, and have the disadvantage that the mail has to be accepted first in order to carry them out.
-
Do you provide white/black listing?
Yes, although they're called pass and block listing in the Account Manager. You can configure block and pass lists separately for each recipient, or define a default set of lists for the domain. Block and pass lists can be defined for both senders (i.e. the sender's email address) and remote servers (clients).
-
Can I ban or allow a whole domain?
You can use block / pass lists to ban all mail from a domain. Select the 'Sender' block / pass list and enter the sender's email address as: "@domain.com". If you wish to ban subdomains too, use "@.domain.com".
You can use the same technique to allow all mail from a particular domain.
-
Can I ban or allow all mail to a particular recipient?
Yes you can.
To allow all mail to a particular recipient, set the envelope policy to "Open" and the content policy to "No checks".
To ban all mail to a particular recipient you should use the "Mail routing" section of the account manager and select "Bounce, with message". Select the appropriate response code (if in doubt, 550 is generally a good choice) and enter a suitable message.
- Envelope filters
-
What is an envelope filter?
"Envelope filters" are tests designed to prevent spam entering our network. They are carried out early in the delivery process, before the message is actually sent in to our servers. In fact, "envelope blocks" is a bit of a misnomer. Most of the tests we apply are more to do with who the postman is and how he introduces himself, rather than what the envelope looks like! But the main point is that these tests happen before the actual message is received. They are based on the initial exchange between the server delivering a message and our server. A more accurate name would be "protocol level tests".
Envelope blocks are implemented by Raggedstaff as a series of different tests. Each test is allocated a score. The scores for each test that is failed are summed, and if the sum exceeds a set limit the message is rejected. Sets of tests are known as 'policies'.
-
What is a policy?
A policy is a collection of tests. The policy defines the tests that are carried out, the scores assigned to those tests and the score level at which messages are rejected. You associate each address with a policy. You can select from our pre-defined policies or you can define one yourself to meet your particular needs.
-
What are the pre-set policies?
We provide several pre-set policies that you can use:
- Open
- No checks are carried out - all mail is passed. This is the default policy and is applied unless you specifically set a different policy for mail to your domain.
- Cautious
- This policy requires a relatively high score before mail is rejected. It is unlikely to result in legitimate mail being rejected, but it will probably allow quite a lot of spam in.
- Normal
- A basic general purpose policy.
- Zealous
- This policy has a relatively low reject threshold. This policy will let little spam in, but it is likely to result in some legitimate mail being rejected.
- Xenophobic
- This policy is essentially the same as the 'Normal' policy, but with the addition of scoring against mail servers that are located in countries that are known to be significant sources of spam. Treat this policy with caution - if you expect to receive legitimate mail from any of the countries it scores against you should not use it. Countries currently checked are China, Taiwan, Korea and Brazil.
- Raggedstaff
- This is the policy we use for our own mail. It is based on the Xenophobic policy, with some additional countries and some tweaked scores. It is likely to change as we tweak things further, so if you want consistent behaviour it is best avoided!
-
What are country tests?
Country tests allow you to specify a score to be added to servers that appear to be situated in certain countries that are a common source of spam. Country tests are based on a database of which IP addresses are allocated to which country. This cannot be guaranteed to be 100% accurate, but is generally a reliable indicator of the country in which a server is located.
-
How do I customise a policy?
You cannot alter the pre-set policies, but you can create your own custom policies. A new policy is based on an existing one, so start by studying the existing policies and selecting the one that most closely meets your needs. You can see a list of existing policies and create a new one from the policy list page of the account manager.
Once you have created your policy, you can edit it. Before you start on this you should make sure you read our tips on scores.
For editing purposes policies are split into four sections: General settings, basic scores, country blocks and DNS block list settings. General settings and basic scores are edited together.
-
What are general settings and basic scores?
The 'general settings' for a policy are its name, a description and the score above which mail will be rejected.
The basic scores are scores assigned to built-in tests. These include tests on the EHLO argument used, tests to ensure that the remote machine has valid forward and reverse DNS, and SPF tests (see http://spf.pobox.com/).
Scores can be assigned for each of these tests.
-
What are DNS block lists?
DNS block lists (DNSBLs) are lists of mail servers that have some connection with spam. The lists can be queried using the Domain Name System (DNS). Simple DNSBLs usually return an IP address, often 127.0.0.2, if the server in question is listed. There are also 'combined lists' that allow you to send a single DNS query to query several different lists. These return different IP addresses depending on which list the server is found in.
Raggedstaff support both simple and combined DNSBLs. When editing DNSBL entries you must enter the expected result. You can enter the word 'default' as a catchall or for simple lists. For combined lists specify each result you are interested in and allocate it a score. Note that with combined lists if you don't explicitly specify a score for a particular result then the score for 'default' will be used. For this reason it is best to set 'default' to 0 if you do not wish to use all the lists in a combined list.
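The 'default' fallback described above, shown as an added example (not Raggedstaff's code). The zone names, result addresses, scores and the offline resolver stub are constructed, and summing the scores when a list returns several results is an assumption.

```python
import ipaddress

# Constructed policy entries. Keys under "scores" are the expected results;
# 'default' is the catch-all described in the text above.
COMBINED = {"zone": "combined.dnsbl.example",
            "scores": {"127.0.0.2": 3.0, "127.0.0.4": 1.5, "default": 0.0}}
SIMPLE = {"zone": "simple.dnsbl.example", "scores": {"default": 2.0}}


def query_name(client_ip, zone):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def score_dnsbl(client_ip, entry, resolve):
    """Score one DNSBL entry; resolve(name) returns A records ([] if unlisted)."""
    scores = entry["scores"]
    total = 0.0
    for result in resolve(query_name(client_ip, entry["zone"])):
        # A result with no explicit score falls back to 'default'.
        # Assumption: scores for multiple returned results are summed.
        total += scores.get(result, scores.get("default", 0.0))
    return total


# Constructed stand-in for a DNS resolver so the example runs offline.
FAKE_ZONE = {
    "7.113.0.203.combined.dnsbl.example": ["127.0.0.2", "127.0.0.9"],
    "7.113.0.203.simple.dnsbl.example": ["127.0.0.2"],
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


if __name__ == "__main__":
    ip = "203.0.113.7"
    print(score_dnsbl(ip, COMBINED, fake_resolve))  # 127.0.0.9 hits default 0
    print(score_dnsbl(ip, SIMPLE, fake_resolve))    # simple list uses 'default'
    # Same combined list with a non-zero default: the sub-list you did not
    # choose (127.0.0.9) now contributes to the score as well.
    risky = {"zone": COMBINED["zone"],
             "scores": {"127.0.0.2": 3.0, "default": 3.0}}
    print(score_dnsbl(ip, risky, fake_resolve))
```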
-
What is the difference between rejecting and tagging?
Envelope blocks really come into their own when mail is rejected. This saves on bandwidth, storage and processor cycles, and hurts the spammers' success figures. But rejecting is pretty final.
We also offer the ability to simply tag the header of mail. This facility is intended for testing only, to allow you to monitor how effective your policies are, to keep an eye out for false positives and to allow tweaking. It is not intended to be used as a long term solution.
We strongly recommend that you initially make use of the 'tag only' option until you are satisfied that your policies are working for you. With this option, mail which failed one or more tests will have an X-wPolicyd: header added, beginning with either ACCEPT or REJECT, and then listing the tests and scores, e.g.:
X-wPolicyd: ACCEPT: 1.000; L2.SPEWS.DNSBL.SORBS.NET[1]
X-wPolicyd: REJECT: 8.700; HELO_DNS_NOTCLIENT[4.2] L2.SPEWS.DNSBL.SORBS.NET[1] BL.SPAMCOP.NET[3.5]
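One way to review tagged mail while in 'tag only' mode, as an added example (not part of Raggedstaff's service): it parses X-wPolicyd headers, counts verdicts, and lists which tests contributed to REJECT verdicts so false positives can be traced to a specific score. The header grammar is inferred only from the two sample lines above, and the check that the total equals the sum of the listed scores is an assumption based on the scoring description.

```python
import re
from collections import Counter

# The two sample headers shown above, as they would appear in tagged mail.
SAMPLE_HEADERS = [
    "X-wPolicyd: ACCEPT: 1.000; L2.SPEWS.DNSBL.SORBS.NET[1]",
    "X-wPolicyd: REJECT: 8.700; HELO_DNS_NOTCLIENT[4.2] "
    "L2.SPEWS.DNSBL.SORBS.NET[1] BL.SPAMCOP.NET[3.5]",
]

# Assumed grammar: "X-wPolicyd: VERDICT: total; TEST[score] TEST[score] ..."
HEADER_RE = re.compile(r"^X-wPolicyd:\s*(ACCEPT|REJECT):\s*([0-9.]+);\s*(.*)$")
TEST_RE = re.compile(r"(\S+?)\[([0-9.]+)\]")


def parse_header(line):
    """Return (verdict, total, {test: score}), or None if not a policy tag."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    verdict, total, rest = m.group(1), float(m.group(2)), m.group(3)
    tests = {name: float(score) for name, score in TEST_RE.findall(rest)}
    return verdict, total, tests


def review(lines):
    """Summarise tagged mail: verdict counts, tests seen on REJECTs, bad sums."""
    verdicts, reject_tests, mismatched = Counter(), Counter(), []
    for line in lines:
        parsed = parse_header(line)
        if parsed is None:
            continue
        verdict, total, tests = parsed
        verdicts[verdict] += 1
        # Assumption: the header total is the sum of the listed test scores.
        if abs(sum(tests.values()) - total) > 1e-6:
            mismatched.append(line)
        if verdict == "REJECT":
            reject_tests.update(tests.keys())
    return verdicts, reject_tests, mismatched


if __name__ == "__main__":
    verdicts, reject_tests, mismatched = review(SAMPLE_HEADERS)
    print(dict(verdicts), dict(reject_tests), mismatched)
```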
- Content filters
-
What is a content filter?
Content filters are applied after the mail has arrived and involve carefully inspecting the content of the mail headers and body. Because the whole message is available to our content filters it is possible to detect malware more accurately than with envelope filters. On the downside, though, content filtering is slower and more demanding on our servers.
Two types of content filter are used by Raggedstaff Internet - virus detection and spam detection. We use ClamAV to check incoming mail for viruses and SpamAssassin technology to achieve considerable accuracy in detecting SPAM. We give you great flexibility in deciding how mail is tested and what happens to mail that fails the tests.
You can apply content filters to each email address individually, or to a whole domain. You can apply different policies to different addresses. Tests are carried out on the basis of the address the mail enters our servers addressed to. If you use mail redirection, tests are carried out on the basis of the address the mail arrived at our servers for, not the address to which it is redirected.
-
What are the pre-set policies?
We provide several pre-set policies that you can use:
- No checks
- No checks are carried out - all mail is passed. This is the default policy and is applied unless you specifically set a different policy for mail to your domain.
- Defang viruses
- Messages are checked for viruses. Infected messages are 'defanged' - passed on to the recipient as an attachment to a message warning that the attached message is infected with a virus.
- Block viruses
- Messages are checked for viruses. Infected messages are blocked and the recipient receives a message advising them that an infected message was found.
- Defang viruses, add spam headers
- Mail is checked for both viruses and spam content. Virus infected messages are 'defanged'. Additional headers (see below) are added indicating if the message is SPAM, allowing filtering of SPAM to be done by the recipient's email software.
- Block viruses, add spam headers
- Mail is checked for both viruses and spam content. Virus infected messages are blocked. Additional headers are added indicating if the message is SPAM, allowing filtering of SPAM to be done by the recipient's email software.
- Defang viruses, tag spam (6.9)
- Mail is checked for both viruses and spam content. Virus infected messages are 'defanged'. As well as additional headers, if the message scores above 6.9 in spam checks the message subject is prepended with "*** SPAM ***".
- Defang viruses, tag spam (10)
- As "Defang viruses, tag spam (6.9)", except the message subject is changed only if the Spam score exceeds 10.
- Block viruses, tag spam (6.9)
- As "Defang viruses, tag spam (6.9)", except that virus infected messages are blocked.
- Block viruses, tag spam (10)
- As "Defang viruses, tag spam (10)", except that virus infected messages are blocked.