Kerio Mail Server Spam Filtering


Updated 5/19/2012

Kerio Mail Server has several configuration options to protect against spam email. For maximum protection, you should investigate and set all appropriate items.

Important update 04/22/2016: Kerio Connect now has a new (optional) anti-spam filtering service. See the bottom of this page for links to information about that and their current recommendation for blacklists etc.

Under the Security Options tab for the SMTP server are several limits and controls you can set. These are:

  • Maximum number of messages per hour from one IP address.

    While this certainly can cut down on spam, be careful here. An on-going conversation about a support issue or any other complex subject might bounce back and forth quite quickly and could easily exceed 60 messages per hour. Setting this is not going to prevent legitimate email; it just temporarily delays it. A legitimate server will try again later; a spammer probably won't.

  • Maximum number of concurrent SMTP connections from one IP address.

    Again, this can block some spam, but keep in mind that legitimate email can and will make multiple connections for efficiency. Don't set this too low if, for example, your users have a lot of correspondence with AOL users or similar big servers. See Limits tuning for Kerio Connect Mail server for more on this and other limits.

  • Block if sender's mail domain was not found in DNS.

    That's checked by default and ordinarily would be left that way. Why would you want to accept mail from someone without a DNS name? The only possible justification would be if you had other mailservers within your network, but even then you'd be smarter to put them in DNS and block anyone else without a DNS lookup.

  • Maximum number of recipients in a message.

    This can be an effective block against spam, but it can also be a problem if you belong to mailing lists that (stupidly) list all recipients in the "To:" line. If that's not an issue, leave it checked and set the limit to the number of users in your mail domain.

  • Maximum number of failed commands in SMTP session.

    By default, this is checked and set to three. The most likely source of failed commands is someone exploring your server for weaknesses - an ordinary SMTP conversation shouldn't have many failed commands. It might check for ability to do encrypted sessions, but it shouldn't do much more. Leave this checked.

  • Limit incoming SMTP message size.

    This is a good one to set, but you do have to think about your legitimate needs for larger messages.


Blacklists

Real time blacklist filtering is not enabled by default, but you should turn this on. The reason people hesitate to do this is because of false positives, but you can easily white-list those addresses; see Kerio Mailserver Blacklists. A number of free blacklists are pre-configured for you, but you can add others, including of course paid lists. Using these blacklists can immediately cut out a lot of unwanted mail.

Be sure to set blacklists to "Add Spam Score", not block. If you block, you cannot whitelist with "Custom Rules".

Whitelisting can be done by IP in the "Custom whitelist of IP addresses" section, but that only affects the Internet blacklists. You can override Spam score in "Custom Rules", but if you block at the black lists, it will never get that far.

Use multiple blacklists

There's another advantage to adding spam score rather than blocking. There are many available blacklisting services. Some are free, some are paid, some are good and some are sloppy, but consider this:

If you found an IP address on four different blacklists, the chances of that NOT being a spammer are very, very low. One blacklist might be a "false positive". Two starts to get suspicious, but four is almost certain. So if you increased the spam score by just one point for a match from any of them, you hit four instantly for the spammer who has attracted everyone's attention. Of course you could increase it even more for super-conservative lists like GBUdb, but intelligent use of blacklists can really help block spam. These are two that I use:

You'll see the results in the X-Spam-Status header:

X-Spam-Status: Yes, hits=5.0 required=3.0
        tests=DNSBL_TRUNCATE.GBUDB.NET: 4.00,BAYES_00: -1.665,CUSTOM__LINK_: 1,
        HTML_MESSAGE: 0.001,T_REMOTE_IMAGE: 0.01,URIBL_DBL_SPAM: 1.7,
        TOTAL_SCORE: 5.046,autolearn=no
..
X-Spam-Status: Yes, hits=4.1 required=3.0
        tests=SPF: 2.00,DNSBL_HOSTKARMA.JUNKEMAILFILTER.COM: 2.00,AWL: 0.833,
        BAYES_00: -1.665,CUSTOM__LINK_: 1,HTML_FONT_SIZE_HUGE: 0.001,
        HTML_MESSAGE: 0.001,T_REMOTE_IMAGE: 0.01,TOTAL_SCORE: 4.180,autolearn=no
 

Another I added recently is barracudacentral.org . You need to create an account with them, but it's free. They'll ask for your DNS servers, but what they mean is the IP of the machine(s) that will be using their service - that would be the IP of your mailserver. Once you have the account, add them like this:

BarracudaCentral config

Note that you must "Ask directly" for this one.

I also use abuseat.org.

Finally, consider UCEProtect. They have three levels of lists - I use Level 2 and add 2 points.

RBL's

Consider netblocks

Some countries generate more spam than others. If you have no reason to expect any legitimate mail from IP addresses that originate in those countries, why not block those outright or add spam score? You can do that with Custom Blacklists. For example, I have an IP address group called "Out of Country". I put in networks like 60.0.0.0 (mask 255.0.0.0) which matches an Asian block. I add two spam points if the sender matches. By itself, that isn't enough to be classified as spam, but it gives the message a good head start if it has other spammy characteristics.

This is my list of IP blocks.

network APNIC 
description Asia-Pacific 
61.0.0.0 255.0.0.0 
165.133.0.0 255.255.0.0 
202.0.0.0 255.0.0.0 
203.0.0.0 255.0.0.0 
210.0.0.0 255.0.0.0 
211.0.0.0 255.0.0.0 
218.0.0.0 255.0.0.0 
219.0.0.0 255.0.0.0 
220.0.0.0 255.0.0.0 
221.0.0.0 255.0.0.0 
222.0.0.0 255.0.0.0 
223.0.0.0 255.0.0.0 
58.0.0.0 255.0.0.0 
59.0.0.0 255.0.0.0 
60.0.0.0 255.0.0.0 

network RIPE 
description Europe
212.0.0.0 255.0.0.0 
213.0.0.0 255.0.0.0 
217.0.0.0 255.0.0.0 
62.0.0.0 255.0.0.0 
81.0.0.0 255.0.0.0 

network LACNIC 
description Latin America and Caribbean
200.0.0.0 255.0.0.0 


network SANSBLOCK 
description SANS Recommended block list
69.50.160.0 255.255.224.0 
85.255.112.0 255.255.240.0 
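As an added example (not part of the article or of Kerio itself), here is a small Python parser for the list layout above, plus a matcher that adds a fixed number of spam points per matching group instead of rejecting outright, the same approach the Custom Blacklist section describes. The embedded list is a constructed excerpt of the groups shown above; the group text, point value and function names are my own assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed excerpt of the article's "Out of Country" list, in the same
# "network NAME / description ... / address mask" layout shown above.
IP_GROUPS_TEXT = """\
network APNIC
description Asia-Pacific
61.0.0.0 255.0.0.0
202.0.0.0 255.0.0.0
218.0.0.0 255.0.0.0

network SANSBLOCK
description SANS Recommended block list
69.50.160.0 255.255.224.0
85.255.112.0 255.255.240.0
"""


def parse_ip_groups(text: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Turn 'network'/'description'/'address mask' lines into named groups."""
    groups: Dict[str, List[ipaddress.IPv4Network]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("network "):
            current = line.split(None, 1)[1]
            groups.setdefault(current, [])
        elif line.startswith("description "):
            continue  # human-readable label only, not used for matching
        else:
            if current is None:
                raise ValueError(f"address line before any 'network' header: {line!r}")
            addr, mask = line.split()
            # strict=False tolerates a host address paired with a shorter mask
            groups[current].append(ipaddress.IPv4Network((addr, mask), strict=False))
    return groups


def netblock_score(sender_ip: str, groups: Dict[str, List[ipaddress.IPv4Network]],
                   points_per_group: int = 2) -> Tuple[int, List[str]]:
    """Spam points to add for this sender, and the group names it matched.

    Each matching group adds a fixed score; by itself that is below the spam
    threshold, so a match only gives the message a "head start"."""
    ip = ipaddress.ip_address(sender_ip)
    hits = [name for name, nets in groups.items() if any(ip in net for net in nets)]
    return points_per_group * len(hits), hits
```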

Attachment Filters

Attachment filtering is also disabled by default because every company has different needs. If you are a programming house, you may need to accept .exe files, but other businesses usually wouldn't. If enabled, messages are still delivered (assuming the message gets by other content rules), but inappropriate attachments are stripped. You can optionally warn the sender that the attachment was stripped, and you can also forward the original, with attachment, to an administrative address.

Spam filter

"SpamEliminator" is what Kerio calls their combination of SpamAssassin and Bayesian filtering. As explained at How does Bayesian Self Learning Work in Kerio MailServer?, Kerio "self trains". Mail users can also help Kerio learn about spam by either using the "Spam/Not Spam" buttons in their mail client or simply by dragging spam messages to the Junkmail folder in IMAP clients that don't support those buttons.

Custom Rules

You can also define your administrator custom rules at the server, and some clients (Webmail, for example) can define their own server side rules. Remember that rules defined in Webmail are processed regardless of whether you are using Webmail to read your mail. There is, for example, a default rule that moves messages marked "** SPAM **" to Junkmail. No wildcards in custom rules, unfortunately.

Kerio Connect 7.4 adds the ability to search inside the message body for administrator created rules. This lets you add spam points for "*redacted*" or "mortgage" even if it isn't in the subject line.

Note that you need to look at how such messages are scored (use "View source" or "Show original" in your client). Many of these get a negative starting score, so you'd need to be more aggressive to block them. As an example, I often get email similar to this:

Dear webmaster

Are you the person responsible for aplawrence.com?
I'd like to discuss a possibility of my placing a text
link on your page.  This would be beneficial to both of us.
 

I added some body rules to catch things like this, but the message above isn't enough to be treated as spam - it would need more indicators, as we can see in the headers after receiving it:

X-Spam-Status: No, hits=0.8 required=3.0
	tests=AWL: -2.467,BAYES_00: -1.665,CUSTOM_PERSON_RESPONSIBLE: 2,
	CUSTOM_TEXT_LINK: 1.5,CUSTOM_WEBMASTER: 1.5,HTML_MESSAGE: 0.001,
	TOTAL_SCORE: 0.869,autolearn=no
 

As of 7.4, Kerio uses Spamassassin 3.3.2, so you can look up what each of these means at Spamassassin: Tests Performed: v3.3.x.

Caller ID and SPF

Kerio supports both of these, though at this time they aren't used enough by other servers to be of much value. There's no reason not to turn them on; they could catch something. Don't block though - increase the spam score.

See also Kerio Spam Control: Caller-ID and SPF

Note: You might want to add SPF and Caller ID records for your domain - this can help your email get through to other places. See How do I create an SPF or Caller ID record?.

Spam Repellent

This is a simple method to really annoy spammers. When a server connects to your server, it is supposed to politely wait for the SMTP greeting - your server saying it is ready to talk. This setting deliberately delays that greeting for up to 30 seconds. If the other server attempts to start talking before then, it is just disconnected. Spammers' software usually doesn't want to waste that much time waiting around, but even if it does, you at least have cut down on how much work they can get done in a day. If every server did this, spammers would be significantly hampered (assuming they were willing to wait).

Grey-listing

Kerio 7.5 supports grey-listing. See How does greylisting work?.

The basic idea is that the first attempt to send email is rejected. Any legitimate email server will try again after a short delay and will be accepted; a spammer may not bother.

If greylisting is turned on and Kerio Connect cannot contact the greylisting service, all incoming mail is delivered immediately, so there is no danger here.

Rather than rejecting mail, you can redirect to another user. I send this junk to a made-up nonsense name and then share that inbox with my normal account. I can then check there to be sure I'm not rejecting something I need. If it is junk, I just mark it as spam, which probably helps train Bayes also.

Processing Flow

The first check is Spam Repellent (if turned on). If the sender is rejected here due to their haste, no other processing is done.

Next, during the receipt of mail headers, the Internet blacklists, custom blacklists, custom whitelists, and SPF records are checked. If rejected here, again that's the end of it.

If not, the mail body is taken in and CallerID, SURBL, Custom spam rules, and SpamAssassin checks are applied.

Effect of Whitelists

There are three places where Spam rejection can be overridden. The first is the "Custom Whitelist of IP Addresses" in the Content Filter->Spam Filter->Blacklists tab. This only affects things found in the Internet Blacklists section of that page.

The second is in Content Filter->Spam Filter->Custom Rules. These can be used to decrease or eliminate spam scores as well as increase. Note that if you see a header that contains CUSTOM_RULE_, it happened because of these rules.

X-Spam-Status: No, hits=0.4 required=3.0
        tests=AWL: 0.090,BAYES_00: -1.665,HTML_MESSAGE: 0.001,
        MIME_HTML_ONLY: 0.001,CUSTOM_RULE_TO: 2.00,TOTAL_SCORE: 0.427,autolearn=ham
 

Finally, users can create whitelists. These are stored as part of the "filter.siv" file that moves messages to Junk Mail. When a message is whitelisted because of this, the X-Spam-Status line will show the rules that were applied, but the X-Spam-Flag will be unset and X-Spam-Level will be removed.

Unfortunately, there's another case where you will see that same header:

X-Spam-Status: No, hits=0.0 required=4.2
	tests=TOTAL_SCORE: 0.000
X-Spam-Level:
 

That came from a message that exceeded SpamAssassin's maximum message size. As that's obviously easy for spammers to do (simply add a large attachment), this makes the use of Blacklists critical.
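As an added example (my own code, not Kerio's), this Python parser reads X-Spam-Status headers like the ones quoted in this article: it unfolds the header, pulls out each test's score, counts how many DNSBL_ tests fired (the "one point per blacklist" idea from the Blacklists section), checks the per-test scores add up to TOTAL_SCORE, and flags the oversize case above, where TOTAL_SCORE is the only test because SpamAssassin never ran. The two sample headers are copied from this page; the function names are mine.

```python
import re
from typing import Dict, List, Optional

# Sample headers copied from this article (one blacklisted, one never scanned).
HEADER_BLACKLISTED = """X-Spam-Status: Yes, hits=4.1 required=3.0
        tests=SPF: 2.00,DNSBL_HOSTKARMA.JUNKEMAILFILTER.COM: 2.00,AWL: 0.833,
        BAYES_00: -1.665,CUSTOM__LINK_: 1,HTML_FONT_SIZE_HUGE: 0.001,
        HTML_MESSAGE: 0.001,T_REMOTE_IMAGE: 0.01,TOTAL_SCORE: 4.180,autolearn=no"""

HEADER_NOT_SCANNED = """X-Spam-Status: No, hits=0.0 required=4.2
        tests=TOTAL_SCORE: 0.000"""

_STATUS_RE = re.compile(
    r"X-Spam-Status:\s*(Yes|No),\s*hits=([-\d.]+)\s+required=([-\d.]+)\s*tests=(.*)$")


def parse_spam_status(header: str) -> Dict:
    """Unfold the header and split it into flag, hits, required and per-test scores."""
    folded = " ".join(part.strip() for part in header.splitlines())
    m = _STATUS_RE.match(folded)
    if not m:
        raise ValueError("not an X-Spam-Status header")
    flag, hits, required, rest = m.groups()
    tests: Dict[str, float] = {}
    autolearn: Optional[str] = None
    for item in rest.split(","):          # test names never contain commas
        item = item.strip()
        if item.startswith("autolearn="):
            autolearn = item.split("=", 1)[1]
        elif ":" in item:
            name, score = item.rsplit(":", 1)   # names may contain dots (DNSBL hosts)
            tests[name.strip()] = float(score)
    return {"flag": flag == "Yes", "hits": float(hits),
            "required": float(required), "tests": tests, "autolearn": autolearn}


def dnsbl_hits(parsed: Dict) -> List[str]:
    """Names of the DNS blacklist tests that fired (one test per list)."""
    return [name for name in parsed["tests"] if name.startswith("DNSBL_")]


def score_consistent(parsed: Dict, tol: float = 0.01) -> bool:
    """True when the individual test scores add up to TOTAL_SCORE."""
    tests = parsed["tests"]
    total = sum(v for n, v in tests.items() if n != "TOTAL_SCORE")
    return abs(total - tests.get("TOTAL_SCORE", 0.0)) < tol


def not_scanned(parsed: Dict) -> bool:
    """True when TOTAL_SCORE is the only test: SpamAssassin never ran on the
    message (for example it exceeded the size limit), so only the blacklists
    and other header-stage checks stood between it and the inbox."""
    return set(parsed["tests"]) == {"TOTAL_SCORE"}
```

Run over a mailbox, `not_scanned` is a quick way to see how much of your mail is slipping past SpamAssassin on size alone.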

If you turned on "SpamAssassin Processing" and "Spam Filter" in the debug log, you'd see a line like this if the message was too large:

[15/Aug/2012 15:08:58][2976] {spam} Spam Filter: Message is too
big. SpamAssassin message size limit is 131072 bytes.
 

Spam is an on-going problem. Spammers can and do buy servers like Kerio and use them to test their messages against. Kerio does constantly improve their spam filtering methods to help counter that.

SpamAssassin has some other suggestions for fighting spam.

One question that constantly comes up is "How did they get my email address?"

If it's simple ("bill@"), they might have just guessed it. More likely, it came from some compromised machine that had your email address, or from a list compiled from harvests of compromised machines.

People used to give a lot of bad advice about "munging" your email when putting it on forum posts, etc. Spammers aren't idiots (well, OK, they really are, but they aren't as stupid as people would like to think they are). From Address Munging FAQ: "Spam-Blocking" Your Email Address:

 
   NOTE: DO NOT put a directly usable address in your sig, because
   many harvesters collect everything with an @ sign in it.
       DO: "Send email to myrealname; ISP is example DOT com"
    DON'T: "Real address is [email protected]"
 

But that's outdated: harvesters are definitely smart enough to recognize that "DOT" and "AT" dodge.

Also, by now most harvesters are routinely stripping out "REMOVE-THIS", "spammers-die" and other regularly seen attempts. More importantly, the more the bots see of certain patterns, the more they learn to strip out, so the "popular" mung methods quickly become useless.

Update: see these links

Kerio Anti-spam filter

Recommended anti-spam settings



© Anthony Lawrence







Tue May 20 05:21:46 2008: 4219   anonymous


Great article - thank you.



Tue Sep 23 19:51:35 2008: 4600   anonymous



In version 6.5.2 there is a section "max number of unknown recipients (directory harvest attack protection)".....what would you recommend for this checkbox?

Thanks....great article.



Tue Sep 23 20:12:44 2008: 4601   TonyLawrence

I can't make a recommendation because it depends on your correspondents. Are you likely to get important email addressed to 100 recipients? If so, you need it set higher than that.

If you aren't on open mailing lists, it certainly shouldn't be higher than the total number of possible recipients in your domain and for most companies, considerably lower.



Tue Sep 30 17:18:36 2008: 4620   anonymous


thanks for this.. very useful to have it broken down simply.



Fri Sep 24 10:25:13 2010: 8999   andrew



Hi when attachments are stripped where are they placed?

TIA

Andrew



Fri Sep 24 11:42:45 2010: 9000   TonyLawrence



If they are stripped, they are thrown away.



Thu May 24 10:38:43 2012: 11008   NickBarron



Very good article, good to see it updated as Kerio progresses.



Thu May 24 10:41:06 2012: 11009   NickBarron



FYI I can't get this link to the support page to work even when logged into Kerio:

(link)

Thanks

Nick



Thu May 24 11:09:41 2012: 11010   TonyLawrence



Ooops..

Use (link)



Thu Nov 29 15:26:43 2012: 11446   TonyLawrence



Another customer suggests blocking certain sets of countries with iptables. I'm happy to send you the "block_by_country" script if you want it.



Mon Dec 17 19:16:58 2012: 11556   WarrenK



Receiving multiple emails from same person even after flagging it using Spam button in Kerio Webmail client. It is my understanding when I use the Spam button it adds to the filter.siv file so this eMail is known as Spam. This is not working as the only entries in my filter.siv file are the filters I have manually setup using Settings > Mail Filters, and the learned "white list" of users I have sent eMail to. Any ideas why is the Spam button not working?



Mon Dec 17 19:22:33 2012: 11557   TonyLawrence



Your understanding is not correct. Clicking "Spam" will never add to filter.siv.

See (link) and (link)

If you want a rule in filter.siv, YOU have to create it.







Mon Dec 17 19:26:40 2012: 11558   WarrenK



Lawrence, thanks for the quick reply. So, just what does the Webmail Spam button do, and why do eMails from the same person continue to show up in my Inbox?



Mon Dec 17 19:29:45 2012: 11559   TonyLawrence



Please read the articles I linked above. That's why I put them there.. to explain to you why you think clicking Spam doesn't work.



Wed Mar 6 19:25:13 2013: 11936   anonymous



Hi

Good article as always and I found it useful but I do have a couple of questions (not criticisms!)

1. SPF - You suggest scoring rather than blocking. I would suggest that if someone has gone to the trouble of setting up SPF then block it. That is why they set it up. They WANT you to use it!
2. Why are you using cbl.abuseat.org AND zen.spamhaus.org? Isn't the cbl included in zen, meaning it is an extra and unnecessary check (= load)?



Sun Sep 22 17:21:01 2013: 12317   Valter



How exactly to use netblocks in Kerio mail server configuration?????



Sun Sep 22 18:05:33 2013: 12318   TonyLawrence



Create the list and give it a name. Point Custom Blacklist of Spammer IP addresses at it.
