Anti-Spam


EmailArchitect Anti-Spam Service

The Anti-Spam service provides two built-in modules to block junk emails. Content Filter rejects obvious junk emails in the SMTP service, so those emails are never delivered to the user mailbox. Unlike Content Filter, Junk Email Rules only move possible junk emails to the "Junk folder" or add the "*SPAM*" keyword to the email subject.

General Settings

Using local user as sender must be authenticated at first
Many spammers use a faked email address to send email. For example, if your email address is "test@adminsystem.com", a spammer may use "test@adminsystem.com" as the sender to send email to "test@adminsystem.com". If you have this option checked, "test@adminsystem.com" in the MAIL FROM command will be rejected unless the user has completed SMTP authentication first.
Do not check the message which size is greater than
Junk email usually has a small message size, so the Anti-Spam service does not check large emails, to save system resources. The suggested value is 1024 (KB).
Trusted SPF records

This option prevents Content Filter from blocking normal messages from well-known email servers.

For more detail about Sender Policy Framework (SPF), see the following URL:
http://www.openspf.org/

SPF is a very good solution for preventing faked email senders.

For example: the email sender is xxx@adminsystem.com and the email comes from IP address 210.17.235.64. Querying the DNS server of adminsystem.com shows that mail.adminsystem.com is the MX record of adminsystem.com and that the IP address of "mail.adminsystem.com" is "210.17.235.64", so there is enough reason to believe this email is not faked. RBLs will never block this IP address, even if it is listed on the RBL servers.

Because many spammers also set an SPF record, do not add unknown domains to Trusted SPF records.

Trusted E-mail Address
Anti-spam service does not check the email content if the MAIL FROM contains one of the following addresses. Please separate multiple email addresses by line-break.
Trusted IP Addresses
Anti-spam service does not check the email content if the message is from one of the following IP addresses. Please separate multiple IP addresses by line-break.
No Spam Link
Anti-Spam service detects junk email by verifying the http links in the email body. If the email body contains an http link to a malicious domain, the email is detected as junk email. Anti-Spam does not check http links to the domains in the following list.

Content Filter

Content Filter
It rejects obvious junk emails during the SMTP conversation, so those emails are never delivered to the user mailbox.
Email Header Validation
This feature checks whether the email has a "From", "Subject", "To" or "Cc" header. If there is no such header, the email will be rejected. If the From, To or Cc header contains an invalid email address, the email will be rejected too.
URL Black List
URL Blacklist is similar to RBLs. The difference is that URL Blacklist checks the internet domains linked in the email body; if a domain is listed as malicious on the URL Blacklist server, the email will be rejected.
Require DKIM/DomainKeys signature if the email is coming from the following domains
Many well-known email providers and companies always add a DKIM or DomainKeys signature to the email header to identify the sender domain. If an email from one of those domains does not have a DKIM or DomainKeys signature, the email will be rejected. Important Notice: before you add a new domain to this list, please make sure that email from this domain always has a DKIM or DomainKeys signature.
Reject the email if body text contains the following phone/number
Many spammers add an ICQ or telephone number to junk email. They always change the email sender and IP address, but they do not often change the telephone number, ICQ, fax, or other instant messenger number. So you can input those telephone numbers or other contact numbers in this list. Anti-Spam service will reject any email that contains those numbers in the email body. Please separate multiple numbers by line-break.
Reject the email if sender or subject header contains the following keywords
If the junk email always has the same email sender or subject, you can add those keywords to this list. Please separate multiple keywords by line-break.
Reject the email if body text contains the following keywords
If the junk email body always contains certain keywords, you can add those keywords to this list. Please separate multiple keywords by line-break. Which keywords to pick: 99.9% of junk email bodies contain contact information, and that is what we should block. It can be an http link, an email address, a telephone or fax number, or an instant messenger contact number. For example, if the junk email body has a link to http://www.abcsssfxxx.com, then you should input http://www.abcsssfxxx.com here. Do not guess other keywords: spammers always change the body description; the only thing they cannot change is the "contact information".
[ Word Match {$w:keyword} ] and [ String Match keyword ]
For example:
If the source string is:
This is a testjunk email.
{$w:test} does not match this string
test matches this string

If the source string is:
This is a test junk email.
Both {$w:test} and test match this string

Junk Email Rules

How Junk Email Rules works

Junk email rules only work when the user enables them in Web Mail logon -> Option -> Anti-Spam, then Anti-Spam filter. Every message sent to this user account will then be checked strictly by the anti-spam filter. If a message is marked as junk email, it will be delivered to the Junk* folder and an inquiring message will be sent to the sender. If the sender confirms that the message was sent by him, the message will be moved back to Inbox. If no confirmation is received from the sender, the message will be deleted by the system. (Notice: you have to choose the "Send confirmation request email to sender" function in Anti-Spam Service -> Junk E-mail Process to enable this feature, because since EmailArchitect Server 9.0 the default "Junk E-mail Process" is "No more action".)

The following E-mail will never be marked as Junk

1. From the address which is in personal contacts or global contacts.
2. From the authenticated user.
3. From the trusted list.
4. From the auto-white list.

What is auto-white list?

The EmailArchitect Anti-Spam module maintains a list of the recipient addresses that authenticated users have recently sent email to. All addresses on the list are recognized as trusted addresses by the Anti-Spam module, and email sent from a trusted address will never be marked as junk email. Note that once you receive a spam message, do not reply to it; otherwise its sender address will be added to your auto-white list.

Using "Not Junk" action in User Customized Filter

If your company is selling a product named "XXX", and you receive emails asking about your product every day, you may not want the Anti-Spam filter to scan/delete those emails. To bypass the scanning, you can add a rule in your customized filter like this:

If Body Text contains "XXX" Then Not Junk

Note: the following section is only for server administrator or domain administrator.

How does EmailArchitect detect an email as spam?

If the user chooses the low anti-spam level, detection depends on the rules in Web Access -> Anti-Spam Service -> Low Level Setting; if the user chooses the high anti-spam level, it depends on the rules in Web Access -> Anti-Spam Service -> High Level Setting.

The rule expression

Rule = [built-in function]|[keyword]:[points]
If a message matches a specified rule, the corresponding points are added to this message. Once the total is greater than the points set in Anti-Spam service, the message is marked as spam.

Built-in Functions

| Name | Description | Remarks |
| --- | --- | --- |
| {$fn_httplink} | Detects how many http links are in the body text. | {$fn_httplink}:3 means each link counts as 3 points. |
| {$fn_badcrlf} | Detects if there is a bad CRLF in the message. | {$fn_badcrlf}:5 means a bad line-break counts as 5 points. |
| {$fn_nomime} | Detects if this is a non-MIME message. | Most email clients use MIME format. |
| {$fn_bcc} | The message To/Cc header doesn't contain the recipient's email. | Most newsletters won't contain the recipient in the To/Cc header. |
| {$fn_badheader} | Message header doesn't contain From, To, Subject or Date. | |
| {$fn_emaillink} | Detects if body text contains mailto:[email address]?subject=* | Many spammers use this format instead of an http link. |
| {$fn_body:[keyword]} | Detects if body text contains the keyword. Wildcard(*,?) is supported. | e.g. {$fn_body:adult}:2 |
| {$fn_bodyw:[keyword]} | Detects if body text contains the keyword. Wildcard(*,?) is supported. The matched content must be a word. | e.g. {$fn_bodyw:adult}:2 |
| {$fn_subject:[keyword]} | Detects if subject contains the keyword. Wildcard(*,?) is supported. | e.g. {$fn_subject:adult}:2 |
| {$fn_subjectw:[keyword]} | Detects if subject contains the keyword. Wildcard(*,?) is supported. The matched content must be a word. | e.g. {$fn_subjectw:adul?}:2 |
| {$fn_headers:[keyword]} | Detects if headers contain the keyword. Wildcard(*,?) is supported. | e.g. {$fn_headers:x-mailer: bulk tool}:2 |
| {$fn_headersw:[keyword]} | Detects if headers contain the keyword. Wildcard(*,?) is supported. The matched content must be a word. | e.g. {$fn_headersw:x-mailer: bu?k}:2 |
| {$fn_subjectbodyw:[keyword]} | Detects if subject or body text contains the keyword. Wildcard(*,?) is supported. The matched content must be a word. | e.g. {$fn_subjectbodyw:gir?}:2 |
| {$fn_regbody:[keyword]} | Detects if body text contains the keyword by regular expression. | e.g. {$fn_regbody:girl[s]?}:2 |
| {$fn_regsubject:[keyword]} | Detects if subject contains the keyword by regular expression. | e.g. {$fn_regsubject:girl[s]?}:2 |
| {$fn_regsubjectbody:[keyword]} | Detects if subject or body text contains the keyword by regular expression. | e.g. {$fn_regsubjectbody:girl[s]?}:2 |
| {$fn_regheaders:[keyword]} | Detects if headers contain the keyword by regular expression. | |
| {$fn_fbody:[keyword file]} | Detects if body text contains a keyword from a specified text file; each line in the text file represents a keyword. Wildcard(*,?) is supported. | e.g. {$fn_fbody:c:\badwords.txt}:5 |
| {$fn_fbodyw:[keyword file]} | Detects if body text contains a keyword from a specified text file; each line in the text file represents a keyword. Wildcard(*,?) is supported. The matched content must be a word. | e.g. {$fn_fbodyw:c:\badwords.txt}:5 |
| {$fn_fsubject:[keyword file]} | Detects if subject contains a keyword from a specified text file; each line in the text file represents a keyword. Wildcard(*,?) is supported. | e.g. {$fn_fsubject:c:\badwords.txt}:5 |
| {$fn_fsubjectw:[keyword file]} | Detects if subject contains a keyword from a specified text file; each line in the text file represents a keyword. Wildcard(*,?) is supported. The matched content must be a word. | e.g. {$fn_fsubjectw:c:\badwords.txt}:5 |
| {$fn_fheaders:[keyword file]} | Detects if headers contain a keyword from a specified text file; each line in the text file represents a keyword. Wildcard(*,?) is supported. | e.g. {$fn_fheaders:c:\badheaders.txt}:5 |
| {$fn_fheadersw:[keyword file]} | Detects if headers contain a keyword from a specified text file; each line in the text file represents a keyword. Wildcard(*,?) is supported. The matched content must be a word. | e.g. {$fn_fheadersw:c:\badheaders.txt}:5 |
| {$fn_fsubjectbody:[keyword file]} | Detects if subject or body text contains the keyword. Wildcard(*,?) is supported. | e.g. {$fn_fsubjectbody:c:\badwords.txt}:5 |
| {$fn_fsubjectbodyw:[keyword file]} | Detects if subject or body text contains the keyword. Wildcard(*,?) is supported. The matched content must be a word. | e.g. {$fn_fsubjectbodyw:c:\badwords.txt}:5 |
| {$fn_fregbody:[keyword file]} | Detects if body text contains a keyword from a specified text file by regular expression. Each line in the text file represents a keyword. | e.g. {$fn_fregbody:c:\badwords.txt}:5 |
| {$fn_fregsubject:[keyword file]} | Detects if subject contains a keyword from a specified text file by regular expression. Each line in the text file represents a keyword. | e.g. {$fn_fregsubject:c:\badwords.txt}:5 |
| {$fn_fregsubjectbody:[keyword file]} | Detects if subject or body text contains a keyword from a specified text file by regular expression. Each line in the text file represents a keyword. | e.g. {$fn_fregsubjectbody:c:\badwords.txt}:5 |
| {$fn_fregheaders:[keyword file]} | Detects if headers contain a keyword from a specified text file by regular expression. Each line in the text file represents a keyword. | |
| {$fn_charset:[keyword]} | If the message charset matches the keyword, then this rule is true. | |
| {$fn_rcharset:[keyword]} | If the message charset doesn't match the keyword, then this rule is true. | |
| {$fn_attnullbody:[keyword]} | Detects if the message contains one specified attachment and the body text is null. | e.g. {$fn_att:*.pdf} |
| {$fn_hasatt:[keyword]} | Detects if the message contains the specified attachment. | |

If you enter a plain word in the rule, it is equivalent to {$fn_subjectbody:[keyword]}. e.g. advertisement:5.

Usage Example

1. If the low level points value is 5, and you want to mark a message which has more than 2 http links as spam, then you can input {$fn_httplink}:3 in the rules. Two links will be counted as 2*3=6.

Negative Rule

A negative rule can be used to cancel out other rules.
Syntax: [built-in function]|[keyword]:-200

e.g.
There are two rules in Anti-Spam rules:
{$fn_subject:no junk}:-200
{$fn_body: bad}:5
Then every email whose subject contains "no junk" will not be detected as spam, even if the email body contains "bad".

If your company is selling a product named "XXX", and you receive emails asking about your product every day, you may not want the Anti-Spam filter to scan/delete those emails. To bypass the scanning, you can add a rule: {$fn_subject:XXX}:-200
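The scoring described under "The rule expression", "Usage Example" and "Negative Rule", as an added example that is not EmailArchitect's own code. It models only fn_httplink and the subject/body keyword functions; the wildcard semantics ('*' any run, '?' one character), case-insensitive matching and counting links by "http://" or "https://" occurrences are assumptions, and the sample rules and messages are constructed.

```python
import re

# Rule syntax from the page: {$fn_name[:keyword]}:points, or a bare word:points.
RULE_RE = re.compile(r"^(?:\{\$(fn_\w+)(?::(.*))?\}|(.+?)):(-?\d+)$")

def parse_rules(text):
    """Return (function, keyword, points); a bare word means fn_subjectbody."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed rule: {line!r}")
        fn, kw, bare, pts = m.groups()
        rules.append((fn or "fn_subjectbody", kw if fn else bare, int(pts)))
    return rules

def to_regex(keyword, word):
    """Assumed semantics: '*' = any run, '?' = one char, case-insensitive."""
    ch = r"\w" if word else "."
    pat = "".join(ch + "*" if c == "*" else ch if c == "?" else re.escape(c)
                  for c in keyword)
    return re.compile(rf"(?<!\w){pat}(?!\w)" if word else pat, re.I | re.S)

def score(rules, subject, body):
    """Sum the points of every matching rule; unmodelled functions are skipped."""
    fields = {"subject": subject, "body": body, "subjectbody": subject + "\n" + body}
    total = 0
    for fn, kw, pts in rules:
        if fn == "fn_httplink":                    # points are added per link
            total += pts * len(re.findall(r"https?://", body, re.I))
            continue
        name = fn[3:]
        word = name.endswith("w")                  # ...w variants need a whole word
        text = fields.get(name[:-1] if word else name)
        if text is not None and to_regex(kw, word).search(text):
            total += pts
    return total

def is_spam(rules, subject, body, level_points):
    # The page marks a message once its total is greater than the level's points.
    return score(rules, subject, body) > level_points

# Constructed samples mirroring the usage example and the negative rule example.
LINKS = parse_rules("{$fn_httplink}:3")
NEGATIVE = parse_rules("{$fn_subject:no junk}:-200\n{$fn_body: bad}:5")
TWO_LINKS = "see http://a.example/ and http://b.example/"
```

With a level of 5 points, `is_spam(LINKS, "hi", TWO_LINKS, 5)` is true because two links score 6, while `score(NEGATIVE, "Re: no junk please", "this is bad")` stays far below any threshold.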

Manually Approve

By default, EmailArchitect Email Server will send a confirmation request to the sender if the message is marked as spam. However, you can choose "Manually Approve" instead of a confirmation request. Once "Manually Approve" is chosen in the Anti-Spam Service, all messages marked as spam will be forwarded to the approver e-mail address. Note: the approver MUST be a local user on the current EmailArchitect Email Server, and he/she must log on to Web Mail to "Approve" or delete the message. Once the message is approved, it will be delivered to the original recipient.

Advanced Junk E-mail Process

By default, the Junk E-mail Process in Anti-Spam Service applies to every domain. However, if some domains require a different Junk E-mail Process, the administrator should use the following expression in Advanced Junk E-mail Process to change it.

[domain]/[action]/[approver]
action: 0/1/2. 0. send confirmation request; 1. manual approval; 2. just move to junk folder.

e.g.
emailarchitect.com/0
emailarchitect.net/1/approver@emailarchitect.net
adminsystem.com/2

Delete Obvious Junk-Email in GFilters

To prevent obvious spam, using Block Sender may not be a good idea, as most spammers use faked and ever-changing email addresses as the sender address.

The best way to stop obvious spam is to add a filter in GFilters or Domain Incoming filters. Note: junk e-mail always contains contact information in the email body text, such as a URL, a real e-mail address or a telephone number; those keywords are what you need to filter.

Trusted Sender

If the sender address is in the user's contacts or in the trusted email addresses, RBLs and Greylisting will never block the IP address/sender.
