This section is helpful for anyone who is not sure about the proper configuration of antispam filters. The example describes optimal score settings for the individual types of antispam tests. Notice that blocking messages is almost never preferred to increasing the spam score:
The essential setting is configuration of the Spam Rating tab (for details, see section 13.1 Spam Rating tab). It is recommended to leave most of the settings as predefined by default:
Make sure that the Enable Spam Filter Rating option is enabled. If the option is inactive, enable it.
This option makes the filter consider and apply results of individual evaluations (spam scores).
Make sure that the Enable rating of messages sent from trustworthy relay agents defined in SMTP relay options option is inactive (unless you wish to check even messages sent from trustworthy addresses).
Follow these instructions to set resolution of the spam filter scale:
Tag score — set the value to 5 points.
Block score — set this value to 9.9 points. This will ensure that only “hundred-percent” spam messages are discarded by the server, since users are not even notified that such messages have been blocked (unless at least one of the Send bounce message to the sender or Forward the message to quarantine address options is enabled).
Note: If you do not wish to block any messages no matter what the score is, set the value to 10.0 points. This disables blocking of messages and keeps active only the feature of marking as spam.
Make sure that the Send bounce message to the sender option is disabled.
Since spammers generally use invalid sender addresses in their headers, we will keep this option disabled. It would be impossible to deliver responses to such messages and they would be kept in the queue of outgoing email.
Finally, enable the Forward the message to quarantine address option and enter an email address where all messages with the score higher than 10 points will be forwarded.
The option is helpful especially when setting and fine-tuning the antispam system. If there are legitimate messages with their score too high, it will be discovered during an opportune check of the mailbox where spam copies are delivered and stored. Later, this option can be disabled and the mailbox removed.
Once the general configuration is completed, it is necessary to set individual testing methods. The first test can be set on the Blacklist tab (for details, see section 13.2 Blacklists tab). The following parameters are to be set here:
Custom whitelist of IP addresses — this option enables definition of servers to be excluded from the antispam control. For this example, we will assume a business partner whose SMTP server has been included in online spammer databases by mistake. Since we need to communicate with this partner by email, it is necessary to include the address of their SMTP server in the whitelist — at least until the address is removed from the databases:
In Custom whitelist of IP addresses, create a new IP group called Whitelist. To find out how IP groups are created, see section 19.1 IP Address Groups.
Add the IP address of the corresponding SMTP server included in a spammer database to the new IP group and save these settings. Messages sent from this SMTP server will not be checked by any antispam control.
Make sure that no spammer SMTP server is included in the whitelist.
Custom blacklist of spammer IP addresses — the settings are similar to those for whitelists, with reversed reasons and results. Create an IP group that includes all spammer SMTP servers you know. This option is helpful especially for cases where antispam tests are not able to recognize these servers.
At this moment, define actions that will apply to messages sent from SMTP servers included in the custom blacklist:
Two options are available on the Blacklists tab. Such messages may be blocked or their spam score may be increased. In this example, the second option was selected and 3 points will be added to the spam score. Three points are enough to learn whether the message really is spam, since the message is evaluated by multiple tests and other points would be added to the score.
Internet blacklists — check all databases available. Use the button to open individual databases and set spam score to 2 points (see figure 13.4 Database parameters).
Recommendation: Do not set message blocking for Internet blacklists, especially for the free ones. These databases may be updated quite rarely or slowly and the information involved might be unreliable. The lists might include non-spammer servers. Therefore, it is better to use these databases to add spam score to suspicious messages.
Another test for incoming email is a set of custom rules (for details, see section 13.3 Custom Rules). Custom rules can be created as needed:
Define corresponding rules for SMTP servers. If possible, set addition of only two or three points for all spam rules. Since there are multiple rules defined, each test adds a score if the message is considered spam.
If there is a rule which blocks spam messages, set an address where copies of blocked messages will be sent (see figure 13.10 Forward the message to quarantine address). The best way to do it is to create a special user mailbox (for detailed information on creating of user accounts, refer to chapter 8 Users).
It is not necessary to apply any special settings to the SpamAssassin filter. Any definitions of the filter may be done on the SpamAssassin tab (for details, see section 13.4 SpamAssassin).
The only setting that needs to be changed on the tab is enabling of the Check every incoming message in Spam URI Realtime Blocklist (SURBL) database option.
To read more on the Caller ID technology, see chapter 13.5 Email policy records check. If you decide to use this technology, it is strongly recommended to set the tab as follows:
Open the Caller ID tab under ).
Enable the Check Caller ID of every incoming message option.
In the If the message has invalid Caller ID, then section, set spam rating to 3 points (as explained above, spam messages are tested and scored by multiple tests so it is not recommended to block it or to set individual scores too high).
It is also recommended to enable the Apply this policy also to the testing Caller ID records option since most servers which employ the Caller ID technology use its testing mode so far.
If you use an alternative (backup) SMTP server, specify its address in the Don't check Caller ID from IP address group entry.
For a closer description of the SPF technology, refer to chapter 13.5 Email policy records check. The recommended settings of the SPF test are almost identical to the Caller ID settings. They are as follows:
Open the SPF tab under ).
Enable the SPF check of every incoming message option.
In the If the message has invalid Caller ID, then section, set spam rating to 3 points (as explained above, spam messages are tested and scored by multiple tests so it is not recommended to block it or to set individual scores too high).
If you use a backup SMTP server, enter its address in Don't check SPF from IP address group.
It is also recommended to support SPF by adding a record regarding SMTP servers which are allowed to send email from your domains to your DNS records.
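The following added example (not part of the original guide and not Kerio MailServer code) models the additive rating configured in this section: each failed test adds its points, and the total is compared with the Tag score and Block score. It also shows what happens when Internet blacklists are set to block instead of adding points. The inclusive thresholds, the cap at 10 points, the function and key names, and the sample messages are assumptions made for illustration.

```python
# Added illustration of the additive rating described in this section.
TAG_SCORE = 5.0     # Tag score recommended above
BLOCK_SCORE = 9.9   # Block score recommended above
MAX_SCORE = 10.0    # assumption: the rating is capped at the top of the scale

# Points added per failed test, as recommended in this section.
POINTS = {
    "custom_blacklist": 3.0,    # sender is in the custom blacklist IP group
    "internet_blacklist": 2.0,  # added once per database listing the sender
    "custom_rule": 2.0,         # added once per matching custom rule
    "caller_id_invalid": 3.0,
    "spf_invalid": 3.0,
}

def rate(hits, whitelisted=False, block_on=(), block_score=BLOCK_SCORE):
    """Return (score, action). hits: list of POINTS keys that fired.
    block_on: tests configured to block outright instead of adding points."""
    if whitelisted:
        # Whitelisted SMTP servers are not checked by any antispam control.
        return 0.0, "deliver"
    score = min(MAX_SCORE, sum(POINTS[h] for h in hits))
    if any(h in block_on for h in hits):
        return score, "block"
    # A block score of 10.0 disables blocking (see the note above).
    # Assumption: thresholds are inclusive (score >= threshold).
    if block_score < MAX_SCORE and score >= block_score:
        return score, "block"
    if score >= TAG_SCORE:
        return score, "tag"
    return score, "deliver"

# Constructed sample messages (not real traffic).
PARTNER = ["internet_blacklist"]  # legitimate server listed by mistake
FORGED = ["spf_invalid", "internet_blacklist", "internet_blacklist"]
SPAMMER = ["custom_blacklist", "internet_blacklist", "internet_blacklist",
           "spf_invalid", "custom_rule"]

if __name__ == "__main__":
    samples = [("partner", PARTNER), ("forged", FORGED), ("spammer", SPAMMER)]
    for name, hits in samples:
        print(name, rate(hits), "| if blacklists block:",
              rate(hits, block_on={"internet_blacklist"}))
```

With the recommended values, the mistakenly listed partner is delivered with 2 points, while the same message is lost if a single blacklist listing is allowed to block.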
For detailed information on Kerio MailServer's Spam repellent technology, refer to chapter 13.6 Spam repellent. This technology is not involved in spam rating and it is therefore only mentioned in this section. The technology usually sorts out a large volume of spam even before it is accepted by Kerio MailServer and thus decreases the load on the antispam tests and on the mailserver in particular.
The optimal settings of Spam repellent are as follows:
Open the Spam Repellent tab under ).
Enable the Delay SMTP greeting by ... seconds option and set the value to 25 seconds.
Enable the Do not apply delay for connection from option and select the local private network as the IP group. This setting helps avoid delays of email sent from local user accounts and delivery of internal messages.
Leave the Report the spam attack to the Security log option disabled (unless there is a special reason to enable it). Records pointing at interruptions of SMTP connections would otherwise make a large part of the log.