Optimizing spam protection in Kerio MailServer
Kerio MailServer ships with many built-in features to fight spam. On a default installation, many of these features are disabled. Because spam filtering is not an exact science, enabling certain features has consequences. This article describes all of the antispam features available in Kerio MailServer, outlines the implications of enabling each feature, and offers recommendations to maximize the efficiency of the spam filter.
Kerio MailServer includes a prepackaged version of SpamAssassin (http://www.spamassassin.org/).
For the version of SpamAssassin currently shipping in Kerio MailServer, refer to the KMS release history (http://www.kerio.com/kms_history.html).
SpamAssassin for Kerio MailServer consists of 3 parts: Rules, Bayes, and SURBLs
Each install of SpamAssassin in Kerio MailServer includes a preconfigured set of static rules. These rules are updated in specific releases of Kerio MailServer. They are located in the SpamAssassin folder of the mailserver directory. Modifying these files is not officially supported, as it may break certain functionality or cause unexpected behavior.
Each message processed by Kerio MailServer is passed to SpamAssassin, which evaluates the content to identify matches against its static rules. Each rule has an associated value, which can be positive or negative. Once the entire message has been evaluated, SpamAssassin returns a cumulative score. This score, as well as all of the matching rules, is inserted into the header of each message.
There are 3 possible X-Spam headers:
- X-Spam-Status: shows the cumulative score ('hits'), the threshold value ('required'), and all rules that matched with their associated values ('tests').
- X-Spam-Flag: YES or NO, indicating whether the message is spam.
- X-Spam-Level: the cumulative score represented as a count of asterisks. For example, a score of 4.2 is represented as '****'.
The Bayes, or Bayesian, filter is a dynamic component of SpamAssassin that works similarly to the rules, but its intelligence is not statically pre-defined. This intelligence is a database of message characteristics that is continuously updated. There are 2 ways a message can be selected for processing into the Bayes database:
- Self-learned: messages whose score exceeds 12 and whose header score and body score are both above 3, or messages whose score is below 0.1.
- User-trained: messages that end users of the mail system have marked as either spam or not spam.
The Bayes score is included in the cumulative score produced by the static rules. The numerical value assigned by the Bayes filter appears in the X-Spam-Status header as 'Bayes'. Additional information regarding Bayesian spam filtering can be found on Wikipedia (http://en.wikipedia.org/wiki/Bayesian_spam_filtering).
SpamAssassin SURBLs (Spam URI Realtime Blocklists)
All messages are scanned for links to Internet locations, or URIs (Uniform Resource Identifiers). These links are compared against a number of online blocklists. If a URI is found in a blocklist, the cumulative spam score is increased by the score that the blocklist assigns to that URI.
Configuration and management of SpamAssassin
Configuration of SpamAssassin for Kerio MailServer is located in the Administration console under Configuration -> Content Filter -> Spam Filter.
By default, SpamAssassin is enabled with the following settings:
- Messages sent from local users are not scanned.
- Messages which receive a score of 5 or above will be flagged as spam.
- Messages which receive a score of 9.5 or above will be discarded.
Messages flagged as spam will be automatically sorted to the 'Junk email' folder, which is a default folder belonging to each user of Kerio MailServer.
Note that users who access mail using the POP3 protocol will not have access to their 'Junk email' folder. These users should log into webmail and disable the automatic 'Junk email' filter from the settings menu.
Adjusting the threshold
The default threshold value of 5 is aggressive enough to block the majority of spam, while producing almost no false positives.
Lowering this value increases the amount of spam detected, but also the risk of false positives. Before adjusting the threshold, it is recommended to examine the spam scores of a sample of spam messages that passed the filter, and compare them with the scores of a sample of legitimate messages.
Managing SpamAssassin Bayes
By default, the Bayes filter is inactive, because it needs to establish a sufficient level of intelligence before evaluating email. It is highly recommended that users train the server using one of the following techniques:
- Using the 'Spam' or 'Not spam' buttons in webmail to mark messages that have been mistakenly marked by the server.
- Moving messages between the 'Inbox' and the 'Junk email' folders which have been mistakenly marked by the server.
These actions will be logged in the Spam log, located in the Kerio MailServer Administration console. The total number of trained messages will be displayed in the Administration console under Configuration -> Content Filter -> Spam Filter -> SpamAssassin. Once the number of trained messages has reached 200, the Bayes filter will become active. This can be verified by checking the X-Spam-Status header for the 'BAYES' score.
Although the Bayes filter can be very effective, it can also be detrimental. It is important for the Administrator to regularly monitor the Bayes score, especially when there is an increase in unrecognized spam.
Many spammers will try to poison the Bayes database by sending the server specially crafted emails. Check the Bayes score for a sample of spam email (both recognized and unrecognized) as well as legitimate email. The Bayes score should generally have a negative value for legitimate email, and a positive value for spam email. If the Bayes score seems universally low, it may have become poisoned, and should be reset.
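The checks recommended above (comparing the scores of spam that slipped through with those of legitimate mail before lowering the threshold, and confirming that the Bayes contribution is negative for legitimate mail and positive for spam) can be scripted against the X-Spam-Status header. The following Python example is added here and is not part of the article or of Kerio MailServer; the header values and the `RULE=value` layout inside `tests=` are constructed for illustration.

```python
import re
from statistics import median

# Constructed X-Spam-Status values (not captured from a real server); the
# "RULE=value" layout inside tests= is an assumption made for this example.
SAMPLE_HEADERS = {
    "legit": [
        "No, hits=-2.6 required=5.0 tests=BAYES_00=-2.599,HTML_MESSAGE=0.001",
        "No, hits=1.3 required=5.0 tests=BAYES_20=-0.74,MISSING_MID=2.0",
        "No, hits=4.8 required=5.0 tests=BAYES_50=0.001,MIME_HTML_ONLY=4.8",
    ],
    "spam": [  # the last two passed the default threshold of 5 undetected
        "Yes, hits=7.2 required=5.0 tests=BAYES_99=3.5,URIBL_BLACK=3.7",
        "No, hits=4.3 required=5.0 tests=BAYES_95=3.0,HTML_MESSAGE=1.3",
        "No, hits=3.0 required=5.0 tests=BAYES_20=-0.74,URIBL_BLACK=3.7",
    ],
}

HITS_RE = re.compile(r"\b(?:hits|score)=(-?\d+(?:\.\d+)?)")
REQUIRED_RE = re.compile(r"\brequired=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"\btests=(\S+)")

def parse_status(value):
    """Return (hits, required, {rule: value or None}) from an X-Spam-Status value."""
    hits = float(HITS_RE.search(value).group(1))
    required = float(REQUIRED_RE.search(value).group(1))
    tests = {}
    match = TESTS_RE.search(value)
    if match:
        for item in match.group(1).split(","):
            name, _, score = item.partition("=")
            tests[name] = float(score) if score else None
    return hits, required, tests

def bayes_score(tests):
    """Contribution of the BAYES_* rules; 0.0 while the Bayes filter is inactive."""
    return sum(v or 0.0 for k, v in tests.items() if k.startswith("BAYES_"))

def threshold_report(headers, threshold):
    """Spam caught and legitimate mail flagged if the threshold were set to this value."""
    caught = sum(parse_status(h)[0] >= threshold for h in headers["spam"])
    flagged = sum(parse_status(h)[0] >= threshold for h in headers["legit"])
    return {"threshold": threshold, "spam_caught": caught, "legit_flagged": flagged}

def bayes_health(headers):
    """Median Bayes contribution per class; spam should be positive, legitimate negative."""
    legit = median(bayes_score(parse_status(h)[2]) for h in headers["legit"])
    spam = median(bayes_score(parse_status(h)[2]) for h in headers["spam"])
    return {"legit_median": legit, "spam_median": spam,
            "possibly_poisoned": spam <= 0.0 or legit >= 0.0}
```

Running threshold_report for 5.0, 4.0 and 3.0 against the samples shows the trade-off: each step down catches one more of the missed spam, but from 4.0 onward one legitimate message is flagged as well.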
Resetting the Bayes
All components of the Bayes filter are located in the Kerio MailServer store directory under /spamassassin/bayes/. To reset the Bayes, simply rename, or delete the bayes folder, then restart Kerio MailServer.
Although custom filter rules are processed independently of SpamAssassin, they are primarily used to either modify or bypass the SpamAssassin score. Because the majority of spam is highly variable and inconsistent, custom rules are more commonly used to whitelist particular senders or entire domains with the option 'treat the message as non-spam'. With a sufficient whitelist in place, a slightly more aggressive spam threshold value can be used.
Some custom rules can also reduce spam directly, for example by matching messages in which standard headers such as 'From' or 'To' are missing.
On a default installation, Kerio MailServer includes a small list of well-known Internet blacklists, but none of them are enabled. Enabling these blacklists can greatly reduce spam, but some legitimate email may be rejected. It is important to occasionally review the security log to confirm the volume of email rejected by blacklists, and to make sure legitimate senders are not being rejected. If you do encounter legitimate senders rejected by a blacklist, their IP address can be extracted from the log and added to a whitelisted IP address group.
Note that this feature is only effective when Kerio MailServer receives mail directly from the sender's outgoing mail server. In case Kerio MailServer receives all mail from a single host, such as an SMTP gateway, it will not be able to appropriately identify the IP address of the originating mail server.
SPF (Sender Policy Framework)
Unfortunately, email is designed in such a way that spammers can use anyone's email address as the sender. The receiving mailserver has no effective mechanism for verifying the identity of the sender. Although SPF cannot protect against spoofing of a specific email address, it does allow the receiving mailserver to identify a spoofed domain name.
DNS allows a domain to publish various record types. One of these record types is TXT, and SPF information is defined within a TXT record. During an SMTP conversation, Kerio MailServer takes the sender's email domain and queries its authoritative name server for a valid TXT record containing SPF data. If no such record exists, Kerio MailServer allows reception of the email, unless it is rejected by another antispam component. A valid SPF record contains all IP addresses that are allowed to send email using the sender's domain name. The IP address of the sending mail server is compared to this record. The message is immediately rejected if the sending mail server's IP address is not covered by the corresponding SPF record.
Because spammers are capable of checking domains for these types of records, they are able to use spoofed addresses from domains which do not have any SPF record. This feature is therefore primarily useful in preventing spoofed email from domains configured locally on the Kerio MailServer. Spammers will often attempt to use the same email address for both the sender and the recipient. The receiving mailserver therefore may be less inclined to consider the message as spam, since the sender address belongs to a local recipient. SPF is most effective at preventing this type of spam attack.
SPF is highly efficient as it does not result in false positives. The drawback to this technology is that it is not trivial to properly format the TXT record, and many DNS hosting providers do not allow configuration of TXT records. There are however companies such as http://www.zoneedit.com/ who provide DNS hosting services and allow configuration of TXT records. You can find more information regarding SPF at http://www.openspf.org/, including a simple form to automatically generate the proper TXT format used in your DNS configuration.
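The comparison described above (connecting IP against the sender domain's TXT record, with a missing record letting the message through to the other checks) as an added Python example; this is not Kerio's code, the TXT records are constructed, and only the ip4/ip6 and all mechanisms are modelled. Treating only a hard fail (-all) as a rejection follows the SPF qualifiers and is an assumption about how the server handles softfail and neutral results.

```python
import ipaddress

# Constructed TXT records keyed by sender domain (example.* names, not real DNS data).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"],
    "example.org": ["v=spf1 ip4:192.0.2.25 ~all"],
    "example.net": [],  # a domain that publishes no SPF record at all
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_spf(domain, txt=DNS_TXT):
    """Return the domain's single v=spf1 record, or None if absent or ambiguous."""
    records = [r for r in txt.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None

def check_spf(sender_ip, sender_domain, txt=DNS_TXT):
    """Evaluate ip4/ip6 mechanisms and the final 'all' for the connecting IP."""
    record = lookup_spf(sender_domain, txt)
    if record is None:
        return "none"  # no record: the message is allowed on to the other antispam checks
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        # a, mx, include, exists and modifiers are not modelled in this example
    return "neutral"

def smtp_decision(sender_ip, sender_domain, txt=DNS_TXT):
    """Map the SPF result to the SMTP-time action: only a hard fail rejects outright."""
    result = check_spf(sender_ip, sender_domain, txt)
    return ("reject" if result == "fail" else "accept"), result
```

Evaluating a spoofed sender at example.net returns "none" and the message is accepted, which is the gap described above: the feature only bites for domains that actually publish a record, such as your own.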
The majority of spam is generated by specialized mass-mailing applications. The objective of such software is to distribute as much spam as possible in a small amount of time. Successful delivery of each message is therefore a luxury for spammers, rather than a necessity. Legitimate mail servers, on the other hand, are obligated to ensure that every message properly reaches its destination.
The Spam Repellent feature works by introducing an artificial delay to the SMTP greeting. Legitimate mail servers will typically wait at least 2 minutes before closing the connection, while spam engines may wait only a few seconds. A good value is 25 seconds. This simple adjustment will eliminate a significant amount of spam, without causing any loss of legitimate email. The only minor drawback to this setting is that Internet email will take an additional 25 seconds to receive. It is recommended to enable the IP address exclusion so that internal users will not be affected by this setting.
SMTP Security and IP based restrictions
These features are primarily intended to prevent abuse, or misuse of the SMTP server. Because spammers typically try to abuse the SMTP server, these security settings can be effective in preventing inbound spam. By default, none of these features are enabled. Although it is recommended to enable these options, it should be done with caution and a bit of initial attention.
Max. number of messages per hour from one IP address: This feature is most effective in preventing open relay, rather than blocking inbound spam to local recipients. Before enabling this option, it is recommended to examine the mail log. In some network configurations, the Kerio MailServer may be receiving the majority of its mail from a single host, such as an SMTP gateway. In this case the IP address of the gateway should be added to an address group which is referred to by the option 'Do not apply these limits to IP address group'. An appropriate value for this option may range anywhere from 20 to 100, depending on the nature of the users of the mail system.
Max. number of concurrent SMTP connections from one IP address: Most legitimate mail senders will only open one or two SMTP connections, depending on how many messages they are trying to send at once. An appropriate value for this option is 5.
Max. number of unknown recipients (directory harvest attack protection): Spammers will sometimes try to attack a mail server by guessing common types of addresses. The spammer is able to use this technique to create a list of known recipients on a server. With this option enabled, Kerio MailServer refuses any SMTP connections from the offending SMTP client for one hour. An appropriate value for this option is 3.
Block if sender's mail domain was not found in DNS: This option should be enabled. It confirms that the sender's mail address belongs to a valid domain. Any legitimate message should contain a valid sender address.
Max. number of recipients in a message: The value of this option depends on the behavior of the users of the mail system. In some circumstances, a user may have a distribution list containing hundreds, or even thousands, of recipients. It is the Administrator's decision to determine an appropriate maximum number of recipients in a single message. This feature is more effective at preventing unauthorized mail relay than at rejecting inbound spam.
After enabling these options, it is very important to review the security log to ensure that legitimate mail senders are not affected by these features.
Webmail AntiSpam Features
End users of the Webmail client have personalized control over the spam filter. By default, all spam is sorted into a folder named 'Junk E-mail'. In the Webmail settings, users can disable this feature from the Spam tab -> 'Move spam to the Junk E-mail folder'. In this same dialog, users can choose to exclude contacts stored in their address book. There is an additional list of whitelisted addresses. Users can enable the option 'Add e-mail address of original sender while sending reply' to automatically add the address of replied emails. Otherwise, users can manually add addresses, or right click on an email and choose 'Add sender to spam whitelist'.
As mentioned previously, users can train the server-wide Bayes filter by using the 'Spam' or 'Not Spam' buttons that appear in the toolbar when a message is selected. Non-Webmail users can train the Bayes filter by moving messages between the Inbox and the Junk E-mail folders.