The email filtering service uses multiple layers of protection to provide superior spam and viral blocking services while maintaining a low rate of false positives. Each email filtering layer operates independently and in some cases on independent servers for the ultimate in uptime reliability.
A brief overview of each layer is as follows.
- Postfix email filtering checks
- Greylisting
- Spamassassin rule filtering
- Image checks
- Sender policy framework
- Razor network
- SuRBL checks
- Viral filtering
- Spam black lists
- NJABL block list
- Spamcop block list
- Sorbs block list
- Domain email filtering preferences
- Customer email filtering preferences
Postfix email scrubbing checks
Starting from the top, we have the postfix checks. These checks ensure that the sender's mail system is compliant with basic internet email standards. The first step is to check the host name of the sending mail server and ensure that it is a fully qualified host name. Failing this check will cause the connection to drop.
- Qualified host name format (reject_non_fqdn_hostname)
Then we verify that the address in the MAIL FROM command is in fully qualified domain form. Failing this check will cause the connection to drop.
- Qualified sender format (reject_non_fqdn_sender)
Next, we ensure that the recipient address is in fully qualified form, i.e. user@domain.ext instead of just 'user'.
- Qualified recipient format (reject_non_fqdn_recipient)
This is a simple check to ensure that we are indeed the delivery or designated authority for the domain. All other connections are dropped to prevent being an open relay.
- Authorized destination (reject_unauth_destination)
Bulk email programs tend to pipeline their SMTP commands without first checking that the server supports it. As this is typically a strong indicator of a spam program, we block it by default.
- Pipelining checks (reject_unauth_pipelining)
This stops mail servers or spam programs that have syntax errors in their host names. As no legitimate mail server should have this issue, connections are dropped.
- Valid host names (reject_invalid_hostname)
Here, we reject email from mail servers which do not have A or MX DNS records that match. This bounces the messages back in case of temporary DNS problems. Legitimate mail servers will retry at a later time.
- Valid sender domain (reject_unknown_sender_domain)
Finally, we automatically reject email being sent to domains which have no A or MX records. This also bounces back in case of temporary DNS issues.
- Qualified recipient domain (reject_unknown_recipient_domain)
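To see which restriction fires for which kind of session, the following added example (not the service's own code, and a simplified model rather than Postfix's parser) evaluates the checks in the order listed above, leaving out pipelining. The helper names, the sample sessions and the `resolvable` set standing in for DNS are constructed for illustration.

```python
import re

# Syntax-only label test (simplified model, not Postfix's own parser).
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_fqdn(name):
    """True when the name has at least two non-empty dot-separated parts."""
    parts = name.rstrip(".").split(".")
    return len(parts) >= 2 and all(parts)

def valid_hostname(name):
    return all(LABEL.match(p) for p in name.rstrip(".").split("."))

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def first_rejection(helo, mail_from, rcpt_to, our_domains, resolvable):
    """Return the first restriction, in the page's order, that rejects; else None.

    our_domains: domains we accept mail for; resolvable: domains that have an
    A or MX record (a stand-in for live DNS). Both are assumed inputs.
    """
    sender_dom, rcpt_dom = domain_of(mail_from), domain_of(rcpt_to)
    null_sender = mail_from == ""   # bounce sender "<>", modelled as exempt
    checks = [
        ("reject_non_fqdn_hostname", not is_fqdn(helo)),
        ("reject_non_fqdn_sender", not null_sender and not is_fqdn(sender_dom)),
        ("reject_non_fqdn_recipient", not is_fqdn(rcpt_dom)),
        ("reject_unauth_destination", rcpt_dom not in our_domains),
        ("reject_invalid_hostname", not valid_hostname(helo)),
        ("reject_unknown_sender_domain", not null_sender and sender_dom not in resolvable),
        ("reject_unknown_recipient_domain", rcpt_dom not in resolvable),
    ]
    return next((name for name, failed in checks if failed), None)

# Constructed sessions: (HELO name, MAIL FROM, RCPT TO).
OUR, DNS = {"example.com"}, {"example.com", "example.net", "example.org"}
SESSIONS = {
    "clean": ("mx1.example.net", "alice@example.net", "bob@example.com"),
    "bare_helo": ("localhost", "alice@example.net", "bob@example.com"),
    "bare_rcpt": ("mx1.example.net", "alice@example.net", "bob"),
    "relay_try": ("mx1.example.net", "alice@example.net", "carol@example.org"),
    "bad_helo": ("mail_gw.example.net", "alice@example.net", "bob@example.com"),
    "no_dns": ("mx1.example.net", "x@unregistered.example", "bob@example.com"),
    "bounce": ("mx1.example.net", "", "bob@example.com"),
}

def run_samples():
    return {k: first_rejection(*v, OUR, DNS) for k, v in SESSIONS.items()}
```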
Greylisting
Greylisting is a feature that rejects email from locations we have not seen before. When incoming email arrives from a new, unknown server, it is rejected with a 4xx error code. Properly configured mail servers will try to send the email again. Once we see the second email coming from the same location, that server is whitelisted. This is a useful technique to stop spam bots from delivering mail, as they do not follow the mail standards and retry. While there are several types of greylisting measures available, we use a reverse domain lookup to eliminate the delay from legitimate mail servers as much as possible. You can learn more about greylisting at http://www.greylisting.org/. Greylisting is enabled by default. Due to the minimal delay that can occur with it, we allow customers to opt out of greylisting on a per-domain basis if desired.
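The defer-then-whitelist cycle described above, as an added example that is not the service's own implementation. It keys on the client IP as the "location"; the retry delay, the record expiry, the exact reply codes and the sample events are assumptions, and the reverse domain lookup is not modelled.

```python
from dataclasses import dataclass, field

MIN_RETRY_DELAY = 300      # assumed: seconds a retry must wait before it counts
RETRY_WINDOW = 4 * 3600    # assumed: a first-seen record expires after this long

@dataclass
class Greylist:
    first_seen: dict = field(default_factory=dict)  # client IP -> time of first attempt
    whitelist: set = field(default_factory=set)     # client IPs that retried correctly
    opted_out: set = field(default_factory=set)     # recipient domains with greylisting off

    def check(self, client_ip, rcpt_domain, now):
        """Return (smtp_code, reason) for one delivery attempt at time `now`."""
        if rcpt_domain in self.opted_out:
            return 250, "domain opted out"
        if client_ip in self.whitelist:
            return 250, "whitelisted"
        seen = self.first_seen.get(client_ip)
        if seen is None or now - seen > RETRY_WINDOW:
            self.first_seen[client_ip] = now
            return 451, "greylisted: first attempt"
        if now - seen < MIN_RETRY_DELAY:
            # An immediate re-send is what a spam bot does; keep deferring.
            return 451, "greylisted: retried too soon"
        self.whitelist.add(client_ip)
        del self.first_seen[client_ip]
        return 250, "retry accepted, server whitelisted"

def replay(events, opted_out=()):
    """Run (time, client_ip, rcpt_domain) events through a fresh greylist."""
    gl = Greylist(opted_out=set(opted_out))
    return [gl.check(ip, dom, t)[0] for t, ip, dom in events]

# Constructed sample: 192.0.2.10 queues and retries like a real mail server,
# 198.51.100.7 re-sends at once, and example.org has opted out.
SAMPLE = [
    (0, "192.0.2.10", "example.com"),
    (5, "198.51.100.7", "example.com"),
    (10, "198.51.100.7", "example.com"),
    (900, "192.0.2.10", "example.com"),
    (950, "192.0.2.10", "example.com"),
    (960, "203.0.113.5", "example.org"),
]
```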
Spamassassin rule filtering
The bread and butter of any effective spam system. If an email passes the postfix checks, then we can assume it probably came from a correctly configured mail source. Spamassassin works on the concept of rules. Currently we have 5230 rules that are checked for each email. While on average only about 850 of the rules are triggered on a regular basis, we keep the old rules just in case. Every once in a while, an old virus or spam-scam will come back for one more round and we like to be prepared.
Every rule has a score assigned to it. The score can be either positive or negative. The final score is added up, attached to the email, and compared to the customer email filtering preference. If the score is higher than the numerical score set by the domain or individual email account, then the mail is considered spam. Spam emails can be blocked and held for later review, or simply tagged as spam and passed on to their final destination.
A couple of the more noteworthy rules to mention in greater detail are:
- Fuzzy Ocr image scanning
- Sender policy framework
- Razor network
- suRBL checking
Image checking
Using the power of Fuzzy Ocr, we scan images embedded into email for common spam text. Email tagged as spam through image scanning is almost certainly going to be blocked due to the high score assigned. For a real world example, think of all the Canadian pharmacy emails floating around with the embedded pictures. This check stops those dead in their tracks.
Sender policy framework
The sender policy framework is a rule that expects email from a given domain to originate only from certain servers. Using SPF helps us stop forgeries, and a positive score is assigned in spamassassin if an email fails the check.
Razor network
The razor network is a distributed, collaborative spam detection and filtering network. Every time a message is confirmed as spam, a randomized signature is created and submitted to the global network. Each incoming email is checked against the network to see if others have reported it as spam. The more spam reports, the higher the score. Truly, a great way to harness the power of the community to fight the global war on spam.
SuRBL checks
We also use suRBL list checks to assign scores. While blacklists tag email based on the sending server, the suRBL lists tag email based on which website links the email contains. Since websites tend to stay up longer than the various spam networks, this is an effective way to filter spam email that has changed sending networks.
Viral checking
We use the Unix standard clamav to check for viruses and malware. Each email is held and scanned before being passed on for final delivery. Email with detected malware is automatically blocked by default. Users may opt to open a virus-infected email safely in their control panel to view its content without fear of infection.
Spam black lists
Spam blacklists are a great way to stop mail at the mail server level. Unfortunately, blacklists can also block legitimate email servers because of a single bad user or just a bad judgement call on the part of the list provider. We are cautious in choosing our blacklists. We do not block solely based on a spam blacklist by default. When an internet service provider or a hosting company uses blacklists as their primary means of blocking email, it takes choices away from the customer. Not every spam email is spam to everybody. We use the following lists as part of spamassassin scoring.
- NJABL block list.
This blacklist covers open relays, dynamic IP addresses, and confirmed spam sources. It is considered trustworthy and a good source of information concerning the spam traits of a mail server. Points are assigned to the total spamassassin score if mail originates from an address in this list.
- Spamcop block list
This is another good list which blacklists based on reports and includes rapid de-listing services when the spam reports stop. This list is used to assign points to spamassassin.
- Sorbs block list
The sorbs block list is used to check for dynamic IPs and abusable web servers. Mail sent from servers in this list will have an additional score assigned in spamassassin. Note there are many other sorbs blacklists that are not in use.
There are many additional lists that can be implemented on a per-domain basis on request.
Domain email scrubbing preferences
In a perfect world, spam would not exist and there would be no such thing as false positives. Sadly, this is not that world. Each domain can have its own settings which can be changed or adjusted at any time.
Here is an example showing the options for the domain administrator.
| Setting | Options |
| --- | --- |
| Virus Scanning | Enabled / Disabled |
| Detected viruses should be... | Labeled / Quarantined / Discarded |
| Spam Filtering | Enabled / Disabled |
| Detected spam should be... | Labeled / Quarantined / Discarded |
| Add a prefix to the subjects of spam? | Yes / No |
| Add X-Spam: Headers when Score is >= | |
| Consider mail 'Spam' when Score is >= | |
| Quarantine Spam when Score is >= | |
| Attachment Type Filtering | Enabled / Disabled |
| Mail with dangerous attachments should be... | Labeled / Quarantined / Discarded |
| Bad Header Filtering | Enabled / Disabled |
| Mail with bad headers should be... | Labeled / Quarantined / Discarded |
| Should non-spam items be cached? | Yes / No |
As you can see there are plenty of options for the domain administrators.
Customer email filtering preferences
In addition to domain-wide control, we provide control at an individual level as well.
Users are able to set and maintain the following settings by default.
- Personal white lists
- Personal blacklists
- Degree of spam scrubbing by preconfigured filtering settings.
- Viewing virus infected email safely through the scrubbing control panel.
- Reporting spam messages and helping fight the global war on spam.
- Releasing good messages that have been blocked.
- Tagging of spam that got past filters which automatically blacklists it.
- Automatic training of spam filtering based on personal selections.
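How a summed rule score meets the three score thresholds from the domain preferences and a user's personal lists, as an added example that is not the service's own code. The rule names, scores, threshold defaults, the `X-Spam-Score` header and the way personal lists override the score are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed rule scores; names are hypothetical, not SpamAssassin's rule IDs.
RULE_SCORES = {
    "IMAGE_OCR_SPAM": 8.0,     # spam text found in an embedded image
    "SPF_FAIL": 2.5,
    "RAZOR_REPORTED": 3.0,
    "SURBL_LINK": 3.5,
    "DNSBL_LISTED": 1.5,       # a blacklist hit adds points, it never blocks alone
    "KNOWN_GOOD_FORMAT": -1.0, # rules may also lower the score
}

@dataclass
class Prefs:
    header_at: float = 2.0       # "Add X-Spam: Headers when Score is >="
    spam_at: float = 5.0         # "Consider mail 'Spam' when Score is >="
    quarantine_at: float = 10.0  # "Quarantine Spam when Score is >="
    prefix_subject: bool = True  # "Add a prefix to the subjects of spam?"
    whitelist: frozenset = frozenset()  # personal white list (sender addresses)
    blacklist: frozenset = frozenset()  # personal blacklist (sender addresses)

def classify(sender, subject, hits, prefs):
    """Return (action, score, headers, subject) for one scanned message."""
    score = round(sum(RULE_SCORES[h] for h in hits), 2)
    # Assumed precedence: personal lists are consulted before the score.
    if sender in prefs.whitelist:
        return "deliver", score, {}, subject
    if sender in prefs.blacklist:
        return "quarantine", score, {"X-Spam": "Yes (blacklisted sender)"}, subject
    headers = {}
    if score >= prefs.header_at:
        headers["X-Spam-Score"] = f"{score:.1f}"
    if score < prefs.spam_at:
        return "deliver", score, headers, subject
    headers["X-Spam"] = "Yes"
    if prefs.prefix_subject:
        subject = "[SPAM] " + subject
    action = "quarantine" if score >= prefs.quarantine_at else "label"
    return action, score, headers, subject
```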
