PowerElf II Antispam Documentation

The PowerElf II Antispam module has received another major upgrade.  This accompanying documentation is designed to help administrators configure the spam module correctly. The information found in your manual (pages 105 & 106) is out of date and should not be used.

This document includes the latest information about antispam features.

The new antispam configuration is still found in the manager under “Anti-Spam Configuration”.

Here is a quick diagram of how the mail system functions:

 

Anti-Spam Engine Control

This panel allows the administrator to configure the Anti-Spam controls.  To use the antispam services, you will need to enable the engine by setting the option to “Yes”.  Once the filter is enabled, all incoming mail passes through it.

Global WBL

The Global White List/Black List section allows the administrator to add e-mail addresses, domains and IP addresses to a White or Black List.  The White list accepts e-mail and the Black list rejects e-mail.  Wildcards are allowed in WBL entries (e.g. *@spam.com).  Known spammers can be added by the administrator.  By default, any e-mail sent from your domain (or virtual domain) is automatically white listed, so you do not have to add it here.  Suppliers and customers who deal with you on a regular basis can be added here.

Detection Configuration

Tagging Threshold

You need to set the Tagging Threshold (Sensitivity).  The PowerElf II uses heuristic testing, Bayesian filtering, RBL and bulk mail testing to score how likely each e-mail is to be spam.  You will have to adjust the sensitivity of the filter to find the setting that is right for you.  6 is a good choice and should allow your spam filter to catch the spam while minimizing false positives.  If you set it to 3 or lower, there is a good chance that legitimate e-mail may be improperly tagged as spam (false positive).  Setting it to 8 or higher will still catch spam but may allow some spam through.

Encapsulate Spam

By default, the spam filter will not alter the message content of reported spam; only the headers are modified with the spam report. Enable this option to encapsulate spam in an attachment, which leaves the original message unmodified.

Change Subject for Tagged Spam

Messages that are tagged as spam will have *** Possible Spam *** added to the subject line of the e-mail message.  This is very useful for your users because it allows them to identify and sort spam.  Outlook, OE, Netscape and Mac OS X Mail can all sort spam on the “X-Spam-Flag: YES” header.  See below for more information about configuring mail clients to sort spam.

Auto-Intelligence Management

Bayesian-style Classifier

Bayesian-style learning allows the PowerElf to use auto-adaptive techniques to update its spam rules automatically. This feature is also very useful in cutting down the number of false positives that can occur. The server will automatically feed high-scoring spam and low-scoring e-mail into the database. It is recommended to enable this feature.

Enable Auto-Whitelist (AWL)

The auto-whitelist (or AWL) can automatically track scores for regular correspondents using a small database stored on your PowerElf server. More specifically, the AWL is a score averaging system. It keeps track of the spam scores of each sender and pushes the score of any subsequent incoming mail from that sender toward the average. It is recommended to enable this feature.

Network Tests

The PowerElf II antispam filter can use a real-time blackhole list to determine if e-mail has been sent from an ISP or hostname that is known to harbor spammers.  If the RBL reports back as true, then this will influence the score.  The administrator can determine how aggressively the DNSRBL affects the overall spam score.  The tests can help detect spam, but they do require a little more time, more network bandwidth and an available DNS server.  For example, one of the many RBL lists that the server checks against is Spamcop (http://www.spamcop.net/).

You can use the DCC (Distributed Checksum Clearinghouse) to compare message checksums against those of known spam. It is primarily used to stop bulk mail.  See (http://www.rhyolite.com/anti-spam/dcc/) for more information.

Vipul’s Razor is a distributed, collaborative spam detection and filtering tool. Detection is done with statistical and randomized signatures that efficiently spot spam content. It is recommended to enable this feature.  See (http://razor.sourceforge.net/) for more information.

Spam Management

Auto-Delete

The PowerElf spam filter has the ability to automatically delete suspected spam before it is sent to the end users’ mailboxes. The Auto-delete feature can dramatically reduce the amount of unwanted mail; however, there is no way to recover lost mail, so please exercise caution before enabling it. If you enable this option, remember to set the Auto-delete threshold as well.

If you have enabled the Auto-delete option above, you will need to set the threshold for deleting detected spam. The filter will not allow the administrator to set the Auto-delete threshold lower than the tagging threshold. It is recommended to set the threshold several points higher than the tagging setting to avoid deleting false positives.

Basically, Auto-delete works like this:

Once you have set the threshold (sensitivity) for tagging spam, you can set the Auto-delete threshold.  The Auto-delete number must be higher than the Tagging threshold, obviously.  If an email arrives and is tagged as spam, the Auto-delete filter will then determine whether to pass it through or delete it.  This way, very obvious spam gets deleted while everything else goes through to be sorted at the mailbox level and by the user.  If a false positive does occur, the user still receives the e-mail.  Corporate policies, user and administrator comfort levels will dictate how high the threshold is set.
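The auto-whitelist averaging and the tag/Auto-delete decision described above, modeled together as an added example (this is not PowerElf's own code). The 0.5 pull factor, the >= comparisons, the function names and the sample senders and scores are assumptions constructed for illustration.

```python
from typing import Optional

AWL_FACTOR = 0.5  # ASSUMPTION: how far a score is pulled toward the sender's mean


def awl_adjust(history: dict, sender: str, raw: float) -> float:
    """Pull a known sender's score toward their running average (AWL)."""
    total, count = history.get(sender, (0.0, 0))
    adjusted = raw
    if count:  # only senders seen before have an average to pull toward
        adjusted = raw + (total / count - raw) * AWL_FACTOR
    history[sender] = (total + raw, count + 1)  # record the raw score
    return adjusted


def classify(score: float, tag_at: float, delete_at: Optional[float]) -> str:
    """Return 'deliver', 'tag' or 'delete'; delete_at=None disables Auto-delete."""
    if delete_at is not None and delete_at < tag_at:
        # The manager refuses this combination, so the model does too.
        raise ValueError("Auto-delete threshold is below the tagging threshold")
    if delete_at is not None and score >= delete_at:  # ASSUMPTION: >= comparison
        return "delete"  # unrecoverable, never reaches the mailbox
    if score >= tag_at:
        return "tag"  # delivered, flagged for the user's mail rules
    return "deliver"


def triage(messages, tag_at: float, delete_at: Optional[float]):
    """Process (sender, raw_score) pairs in arrival order."""
    history, out = {}, []
    for sender, raw in messages:
        score = awl_adjust(history, sender, raw)
        out.append((sender, round(score, 2), classify(score, tag_at, delete_at)))
    return out


# Constructed sample: scores are invented, not output from a real filter.
SAMPLE = [
    ("supplier@example.com", 0.5), ("supplier@example.com", 1.0),
    ("supplier@example.com", 0.5), ("supplier@example.com", 7.0),
    ("bulk@example.net", 9.0), ("bulk@example.net", 11.0),
    ("bulk@example.net", 5.0), ("new@example.org", 12.0),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, tag_at=6, delete_at=10):
        print(row)
```

With these constructed scores, the regular supplier's one-off 7.0 is pulled to 3.83 and delivered untagged, while the second message from bulk@example.net reaches 10.0 and is deleted, which is the unrecoverable case the Auto-delete caution refers to.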

Email Attachment Extensions

The PowerElf II now has the capability to delete email messages that contain potentially dangerous attachments such as pif, vbs, exe, and com files.  The administrator can easily enable this feature.  If you have the antivirus option installed, it will catch infected files, but it will still allow other types of attachments through, such as movie files (mpg) or music files (mp3).  This filter can easily stop these types of files.

Configuring Mail clients to Sort Spam

The antispam tagging feature embeds headers in the e-mail to indicate whether a piece of e-mail is considered spam.  It uses the “X-Spam-Flag: Yes” header.  To sort mail to another folder, most mail clients have the ability to create rules to route mail to the appropriate location once it has been received in the mailbox.
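What such a sorting rule does, written out as an added example (not part of the PowerElf software or of any mail client): it reads the X-Spam-Flag header, accepts "Yes" in any letter case, and ignores the same text when it appears only in the message body. The function names, folder names and sample messages are constructed for illustration.

```python
from email import message_from_string


def is_tagged_spam(raw_message: str) -> bool:
    """True only if a real X-Spam-Flag header says yes (any letter case)."""
    msg = message_from_string(raw_message)
    # Header names are matched case-insensitively; the body is never inspected.
    return any(v.strip().lower() == "yes" for v in msg.get_all("X-Spam-Flag", []))


def sort_mail(raw_messages):
    """Return {'Inbox': [...], 'Spam': [...]} holding each message's subject."""
    folders = {"Inbox": [], "Spam": []}
    for raw in raw_messages:
        subject = message_from_string(raw).get("Subject", "")
        folders["Spam" if is_tagged_spam(raw) else "Inbox"].append(subject)
    return folders


# Constructed sample messages (not real mail).
SAMPLE_MAIL = [
    "From: offers@example.net\nSubject: *** Possible Spam *** Cheap watches\n"
    "X-Spam-Flag: YES\n\nBuy now.\n",
    "From: supplier@example.com\nSubject: Invoice 1001\n\nPlease find attached.\n",
    # Mentions the header in the body only, so it must stay in the Inbox.
    "From: colleague@example.com\nSubject: Mail rule question\n\n"
    "Should my rule match X-Spam-Flag: Yes in the header?\n",
]

if __name__ == "__main__":
    print(sort_mail(SAMPLE_MAIL))
```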

OUTLOOK

1. Go to Tools->Rules Wizard...
2. Click 'New...' (On the top right)
3. Choose 'Check messages when they arrive'
4. Click 'Next'.
5. Check 'With specific words in the message header'.
6. Click on 'specific words'.
7. Type in: X-Spam-Flag: Yes (one space between the : and the Yes)
8. Click 'Ok'.
9. Click 'Next'.
10. Check 'Move it to the specified folder'.
11. Click on 'specified'.
12. Highlight an existing folder, or create a new one.
13. Click 'Ok'.
14. Click 'Next'.
15. Click 'Next'. (Again, unless you want to add exceptions.)
16. Give the rule a name. (The default is what you typed for "specific words", above.)
17. Check 'Turn on this rule'. (You may or may not want to check 'Run this rule on my Inbox now'.)
18. Click 'Finish'.

OUTLOOK EXPRESS

1. Go to Tools->Message Rules->Mail...
2. Check 'Where the Message Body contains specific words'
3. Select 'Where the Message Body contains specific words'.
4. Click on 'contains specific words'.
5. Type in: X-Spam-Flag: Yes (one space between the : and the Yes)
6. Click 'Add'.
7. Click 'Ok'.
8. Select 'Move it to the specified folder'.
9. Click on 'specified'.
10. Highlight an existing folder, or create a new one.
11. Click 'Ok'.
12. Give the rule a name. (The default is New Mail Rule #1.)
13. Click 'Apply Now'. (You may or may not want to Apply Rule Now)
14. Click 'OK'.

OUTLOOK EXPRESS 5.x on MACINTOSH

1. From the menu bar, choose Tools, then Rules.
2. Select POP, and then hit "new" for a new rule.
3. Under the section marked "If", choose "specific header" and then type or paste in the name of the header, which is "X-Spam-Flag".
4. Under "Contains:" type in Yes.
5. In the section marked "Then", specify an action -- move to a new folder, change its status or color, as you see fit. Note that we do not recommend simply deleting messages found by this rule.
6. The Enabled box needs to be checked in order for this rule to be active - it will be checked by default.

OUTLOOK EXPRESS 4.5 on MACINTOSH

The instructions are the same as for Outlook Express 5.x for Mac, but the menu item under Tools is called Mail Rules, and there's no choice between POP/IMAP. The rest is the same, except that if you are sending messages found by this rule to a special mail folder, you must already have created the destination folder before you create the rule.

NETSCAPE

Netscape 6.2.1 does not allow you to create custom filters, so users of this version are unable to take advantage of the special headers used in their mail client software at this time.

Netscape 4.7.8 allows you to create a custom filter. You can supply the special x-header information to Netscape 4.7.8 by doing the following:

1. In the pull-down bar at the top of your Netscape 4.78 window, go to "Edit: Message Filters". A new window will open.
2. Click "New". Click "Advanced". A new window will open.
3. Enter "X-Spam-Flag", click "Add", and click "OK". The latest new window will close.
4. In the pull-down list, select "X-Spam-Flag".
5. In the "contains" box, enter "X-Spam-Flag: Yes".
6. In the "Perform this action" pull-down list, select "move to folder".
7. Click "new folder" and create a Spam folder. It should then be selected in the pull down list of your folders.
8. Click OK.
9. The next time you check your mail, check to see if any messages were automatically filtered into your Spam folder!

MAC OS X MAIL

Mac OS X's built-in Mail program can create filters based on custom headers.
1. In the menu bar, click 'Mailbox' then 'New Mailbox' and create the mailbox you want the Spam to end up in.
2. In the menu bar, click 'Mail' then 'Preferences...'
3. Click 'Rules' then 'Create Rule'.
4. Add a description of the rule, then click the 'From' Criteria, then click 'Expert...'
5. In the Header: field enter 'X-Spam-Flag', click 'Add Header' and 'OK'
6. Now click 'From' and select 'X-Spam-Flag'. Select 'Contains' in the next box and enter 'Yes' in the third Criteria box.
7. In the Action section, check 'Transfer to mailbox' and select the desired mailbox. Click 'OK'.
8. Adjust the rule priorities if you want, and dismiss the Mail Preferences dialog box.
9. The next time you check your mail, check to see if any messages were automatically filtered into your Spam mailbox!