Knowledgebase: E-mail
What are the spam e-mail filter settings?
Posted by Support, Last modified by Support on 05 October 2015 11:49 AM

AISO.Net's spam e-mail filter system is made up of a combination of open-source software and custom-built technologies that, in testing, has shown to dramatically decrease the amount of junk e-mail your Inbox will receive.

Note: This article is a high level article, if you have any questions about the spam features or how to manage your spam, please open up a support ticket for assistance.

Here are some of the features of our newly improved spam e-mail filter system:
- Mulitple level filtering -- this allows great flexability in spam processing as well as blocking spam before our email servers receive the actual message.
- SpamAssassin -- a powerful junk e-mail filter
- Greylisting -- a new approach to decreasing the amount of junk e-mails
- E-Mail Virus Scanning -- utilizing multiple sophisticated e-mail virus scanners, including Clam AntiVirus
- DNSBL's -- real-time "blacklist's" to block e-mail addresses that send junk e-mails and reject junk e-mail messages from these addresses
- And more

Level 0 Filters

All spam features at this level (L0 or Level 0) cannot be overridden by a whitelist entry at any level, although depending on the issue adjustments may be made. All network communication is blocked at this level, at the actual TCP/IP connection level, before the sending server sends any commands for the SMTP handshake. The following are Level 0 filters:
- Invalid authentications via SMTP, POP, or IMAP. Any IP that has 10 or more failed authentications are blocked from all services for 1 hour.
- Global server OS level blocks (block type 8) created by AISO technicians from IPs that may be causing mail service issues.
- Global network firewall blocks from "bad" IPs based on our ThreatStop IP Reputation system, all IP based connections to all systems are blocked.
- Spam Scan Internal IP Blacklist system. A block on this IP list usually has a return error message to the user of: ESMTP MailEnable Service, Version: X.XX--X.XX denied access at MM/YY/YY HH:MM:SS. IP addresses are automatically added to this block list after 10 or more emails of a spam level of 20 or higher come from the same IP address within 6 hours. After one week the IPs are automatically removed.

Level 1 Filters

All spam features at this level (L1 or Level 1) cannot be overridden by a whitelist entry at any level, although depending on the issue, adjustments may be made. All e-mails blocked at this level get blocked at the SMTP MAIL FROM command during the SMTP handshake. The following are Level 1 filters:
- Very Low False Positive RDNSBLs (DNSBLs)
- Invalid SMTP HELO/EHLO commands or host names per the RFC 2821
- SMTP FROM addresses/domains that are not allowed or normally are spam related
- Global blocks created by AISO technicians from spamming IPs, e-mail addresses, ASNs, or domains reported by users or noticed by AISO. These entries can be removed if causing an issue.

Level 2 Filters

All spam features at this level (L2 or Level 2) can be overriden by a whitelist entry at the user level or the domain level (via the control panel L2 whitelisting option, NOT webmail). All L2 whitelist entries can only override L2 filters, the options for L2 whitelisting are: complete domain name, single e-mail address, IP Address, /24 (254 IPs) IP CIDR, ASN or Country Code. All e-mails blocked at this level get blocked at the SMTP RCPT TO command during the SMTP handshake. The following are Level 2 filters:

- SPF checking. Any domain that has a SPF record with a "-all" (hard fail) and is not sending from an IP listed in the SPF record will be blocked.
- Greylisting
- SMTP Integrated RDNSBLs which include the three major DNSBLs: Barracuda, SpamCop and SpamhausZEN.
- Secondary DNSBLs that AISO thinks should block servers outright, but can be bypassed by users if needed.
- SMTP Intergrated URIBLs (URL Blacklists) which scan message content for spam URLs and block the email from being received by our servers.
- Domain-wide or user blacklist entry for either an IP, a /24 (254 IPs) IP CIDR, e-mail address, ASN, domain, country code or DNSBL
- User blacklist entry either for a whole domain or a single email address. Added via control panel via the manage user spam settings button or webmail. These blacklist entries in the control panel are labeled as a Level 2 Integrated entry, as they can be accessed in the users webmail as well.
- Sender Spoof Protection which prevents emails coming in that are from your domain name, which normally shouldnt happen
- MX Record lookup which checks the to verify the SMTP MAIL FROM domain during the SMTP Handshake has valid MX records. The from domain should normally have MX records to allow it to receive e-mail and bounce back messages.
- Forward Confirmed RDNS which checks to make sure the incoming IP matches the HELO/EHLO and the HELO/EHLO matches the IP. This check is very hard for spammers to fake, but may have some false positives for incorrectly configured mail servers.
- SMTP HELO Verify which verifies the domain listed in the HELO/EHLO has a reverse IP address record which is the IP that the connection is coming from.
- Block Blank From Address which will block any e-mails that connect to the server and during the SMTP handshake provide a blank or <> e-mail address known as an DSN (delivery status notification) address. Normally this is used for bounce back e-mails preventing an endless loop from the receiving e-mail server. When the MAIL FROM is used with an empty address (represented as <>), the receiving e-mail server (AISO's e-mail servers) knows not to generate a bounce message, if the message is being sent to a non-existent user. But just recently spammers have been trying to hide their e-mail addresses by using NDR FROMs (<>) instead. If you dont care about bounce e-mails (such as a e-mail quota full generated by the receiving e-mail server), then you can enable this feature, if its available.

Level 3 Filter

All spam features at this level (L3 or Level 3) can by overridden by only a whitelist entry at the user level (via webmail or control panel) or the domain level (via the control panel L3 whitelist). A Level 3 whitelist both globally and at the user level can override Level 2 and Level 3 filters. The filters at this level are executed against each e-mail after it has been accepted by our servers.

Each filter adds a weighed score to the e-mail depending on the filter results:
- A spam score of 5.9 or lower is not rated as spam and is marked as PASS
- A spam score of 6 through 11.9 is marked as Spam Low (Or just LOW in the control panel)
- A spam score of 12 through 19.9 is marked as Spam Medium (Or just MEDIUM in the control panel)
- A spam score of 20 or higher is marked as Spam High (Or just HIGH in the control panel)
Each spam level; Low, Medium and High can be filtered differently per user and is adjusted either via the webmail options tab or the control panel. By default when a e-mail address is created the Spam High level is set to automatically delete the e-mail.

The following are Level 3 filters:
- VIRUS_SCAN via ClamAV or Avast. All viruses are marked as Quarantined, kept for 14 days and are accessible via our control panel under the Incoming Quarantine section for viewing and resending.
- CLAM_SANE are phishing, malware, ecard, spam, 419, lottery, stock, job, and dopplestern attacks that are scanned using ClamAV and scored
- SPAMTRAP is a filter to determine if the email should be accepted via a spamtrap & the IP blocked. Under normal conditions this should be PASS
- KEYWORD is a rule filter that searches for know spam characteristics created by AISO
- COUNTRYFILTER is a filter of known spamming countries producing the most spam
- SNIFFER is a filter that uses advanced pattern recognition and machine learning to identify spam and other threats
- WEIGHTED_RDNSBL are DNS blacklists that identifies spam IPs, should not outright block email, but may be spam as to add a weighted score
- WEIGHTED_URLBL are URL blacklists that checks for URLs that may be spam in the email, should not outright block email, but add a weighted score
- SPAMASSASSIN is the well known SpamAssassin mail filter to identify spam and add a weighted score to the email
- DCC_CHECK is a filter for fuzzy message checksum checking to determine if the email contents is spam and add a weighted score
- BACKSCATTER checks if the email is a fake email bounce via a forged address as a return path
- SENDERBASE checks for IP reputation and email volume analysis to determine if the email has a low or high probability of being spam
- SHORTCIRCUIT is a filter that checks the email before each filter runs to see if its marked Spam High, if so then all other filters are bypassed to cut down on processing time and resources.

Spam Results/Status:

PASS = E-mails with a spam score of 5.9 or lower.
SPAM = E-mails with a spam score of 6 or higher, with sub statuses of SPAM LOW, SPAM MEDIUM, and SPAM HIGH
BYPASS = E-mails that are server based emails such as NDR or error emails created by the e-mail servers internally.
BLACKLISTED = E-mails that are blacklisted via L3 blacklists within our spam filtering systems
WHITELISTED = E-mails that are whitelisted via a L3 whitelist or via a L2 Intergrated IP Address whitelist created by AISO.
VIRUS = E-mails that where virus scanned and the result came back as a virus, these emails are quarantined for 14 days and can be viewed under the Manage Incoming Quarantine button/area.
HIGH = This is the same as SPAM HIGH
MEDIUM = This is the same as SPAM MEDIUM
LOW = This is the same as SPAM LOW

Level 3 whitelists:

- Domain-wide whitelist entry for a whole domain or e-mail address entered in via the control panel (this is the same as a user whitelist except this entry adds the whitelist entry into each user under the email domain automatically.
- User whitelist entry for a whole domain or single email address via the control panel or webmail.

A domain-wide level L3 whitelist entry when created enters the email or domain into every users' whitelist within the domain, or when deleted removes the entry from ever users' whitelist within the domain. Level 3 whitelists can only whitelist a complete domain name or a single e-mail address, both of which are checked within the SMTP FROM command during the SMTP handshake, not the body of the email message. You can get the domain name or e-mail address to whitelist by viewing the email message header X-Envelope-Sender or via the field SMTP From when viewing an incoming email in our control panel.


Other Important Notes

- Any e-mails that are not listed under the Manage Incoming E-mails section was not accepted by our servers, so the sending server never tried to send our servers the e-mail or the sending server tried and got refused casuing a bounce back e-mail to the sending user containing the error message.
- Any blacklist enteries that are blacklisting a domain name or e-mail address at any level only check the SMTP FROM address listed in the SMTP Handshake and NOT the From address within the body of the email that you see in your email client/webmail. To get the SMTP FROM address to use for a blacklist entry, view the email message header and look for the email address listed with the header X-Envelope-Sender or via the field SMTP From when viewing an incoming email in our control panel under the spam filter section, manage incoming emails.

(552 vote(s))
Helpful
Not helpful