SMTP server antispam control is covered in the manual.
Antispam filters can be set and managed under :
If this option is on, spam rating applies: the scores set in the individual antispam tests (on the other tabs of this section) are counted and summed. If you disable the spam filter rating, test results are not counted by the spam filter. Only tests where message blocking is set will still be applied to tested messages.
Turns the scanning of messages sent by local (authenticated) users on/off. Groups of trustworthy IP addresses can be defined in .
This option does not apply to scanning of “email policy” logs (the Caller ID and SPF tabs) and to “black/white lists”.
Once a message has been tested by all enabled tests and filters, it is rated by the resulting spam score. Kerio Connect then marks the message as spam or delivers it as a legitimate message:
Tag score
If the total rating score reaches or exceeds the value set, the message is marked as spam.
Use the entry to specify a number from 0.0 to 10.0 (the lower the number, the more spam messages will be eliminated). The recommended threshold value is 5.0.
Block score
If the rating reaches or exceeds the value set, the message is discarded.
If the value is too low, legitimate messages might be discarded along with spam. Therefore, it is recommended to use the Forward the message to quarantine address option when testing and optimizing the spam filter and specify an account where copies of all blocked messages will be delivered and stored.
The maximum block score allowed is 9.9. If the value is set to 10, blocking is disabled, so messages are marked as spam but never blocked.
The X-Spam-Flag header is appended to the message and the message is delivered to the recipient.
In addition to marking spam messages with the special header, it is possible to prepend the message subject with text that tells the user or a sieve rule that the message is spam (such a rule can be created while creating user accounts in the Kerio Administration Console).
The server returns a DSN message to the sender, informing them that the email message cannot be delivered. Using this option is not recommended, since most spam messages use false sender addresses.
Enter an address to which blocked messages will be forwarded (regardless of other settings of the antispam filter). If a legitimate message is blocked by the tests and moved to the quarantine, it is recommended to scrutinize the email header to find out which antispam test does not work correctly and modify it for the better.
So-called blacklists, i.e. spammer databases, can occasionally include servers which send legitimate mail. For this reason, Kerio Connect includes a list of trusted IP addresses, where you can add the IP addresses of servers from which you want to receive email even though they are in blacklists.
To create a whitelist, it is necessary to create a new IP address group on the tab and add the trusted servers to it.
All IP ranges reserved for private networks are added to the list of trusted addresses automatically. In spite of this, private addresses, unlike public ones, are also checked against the Custom blacklist of spammer IP addresses.
Here you can choose a custom group of IP addresses from which spam email is sent. If you have not created an appropriate IP address group, you can define it on the tab.
Messages sent by SMTP servers included in the custom spammer IP addresses can be handled as follows:
Block message — the message will be blocked on the SMTP level and the sender will be informed that the message cannot be delivered.
Increase spam rate of the message by — the spam rate value set here will be added to the message spam score.
Kerio Connect can use various spammer databases (free or paid) available on the Internet. Spammer databases include lists of SMTP servers which are known as spam senders. These databases work separately and they can be combined.
By default, Kerio Connect contains a few databases which can be used over the Internet for free. It is also possible to connect to any other database.
To add a new database to the antispam tests, use the button located below the database list:
Enter the name of the DNS server used by Kerio Connect.
Optional entry, for reference only.
In this mode, connections from servers included in the blacklist will be blocked. Message(s) will be rejected by Kerio Connect. Senders will be informed that their messages cannot be delivered.
The value set here will be added to any message accepted from any server included in the blacklist.
The value of the score added depends on the level of trustworthiness of the particular database. If you use multiple spammer databases at a time, set a lower spam score value. An SMTP server can be included in multiple databases, in which case the scores are summed.
Using this option is recommended in cases where Kerio Connect uses a paid spammer database where the license is associated with a particular IP address. Queries are sent directly to the database; parent DNS servers will not be used for the delivery.
Every time an email sender address matches any of the blacklists employed, the information is recorded in the Security log.
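The following added example (not taken from the Kerio manual or product) shows how scores from several spammer databases sum up and how the total is compared with the tag score and block score described earlier. The zone names, IP addresses and the `listed` lookup are constructed, and the query name follows the common DNSBL convention of reversed IPv4 octets plus the database zone, which is an assumption about how the databases are queried.

```python
import ipaddress

def query_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the database's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def rate(ip, base_score, databases, listed, tag=5.0, block=9.9):
    """Return (outcome, total score) for a message received from `ip`.

    base_score: score already assigned by the other antispam tests.
    databases:  list of (zone, action, score); action is "block" or "score".
    listed:     callable(name) -> bool, stands in for the DNS query.
    """
    total = base_score
    for zone, action, score in databases:
        if not listed(query_name(ip, zone)):
            continue
        if action == "block":
            return ("rejected at SMTP level", total)
        total += score  # one server can be in several databases: scores sum
    if block < 10 and total >= block:  # a block score of 10 disables blocking
        return ("blocked", total)
    if total >= tag:
        return ("tagged as spam", total)
    return ("delivered", total)

# Constructed data: zones, sending IPs and the set of listed names are made up.
LISTED = {"10.2.0.192.bl-one.example", "10.2.0.192.bl-two.example"}
HIGH = [("bl-one.example", "score", 3.0), ("bl-two.example", "score", 3.0)]
LOW = [("bl-one.example", "score", 1.5), ("bl-two.example", "score", 1.5)]

def demo():
    lookup = LISTED.__contains__
    return [
        rate("192.0.2.10", 4.0, HIGH, lookup),            # 4 + 3 + 3 = 10.0
        rate("192.0.2.10", 4.0, LOW, lookup),             # 4 + 1.5 + 1.5 = 7.0
        rate("192.0.2.10", 4.0, HIGH, lookup, block=10),  # blocking disabled
        rate("198.51.100.7", 4.0, HIGH, lookup),          # not listed anywhere
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

With two databases each adding 3.0, a message that the other tests rated 4.0 is discarded; with 1.5 per database the same message is only tagged.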
The antispam filter also allows you to create custom rules. To create a rule in a special dialog, click on :
Comment on the rule (for use of administrator).
Tested part of email message header. You can choose from the predefined items or define a custom one. Do not use colons while defining header names.
The From and To items differ from the other ones. These items are checked for the From and To headers in email and for headers included in SMTP envelopes. The From item is compared with MAIL FROM: and the To item is compared with RCPT TO:. Any other items are compared with headers included in the email itself only.
For details on header rules and settings, refer to the manual. That source also includes usage examples.
Type of condition under which the entry will be tested. Available types:
Is empty — the item is empty
Is missing — the message does not contain the specified message header
Contains address — the item contains a specific email address
Contains address with domain — the item contains all email addresses from this domain. Enter the mail domain, i.e. the second part of the email address to the right of the @ character, in this field.
Contains substring — the item contains a specific string of characters (a word, a piece of text, a number, etc.).
Contains binary data — using this condition, the above-mentioned specific characters as well as binary data that may be contained in spam messages can be recognized. Binary data are characters that have a different meaning in each character set (e.g. specific national characters).
Required entry content (according to the selected type).
Messages treated as spam may be accepted as non-spam using this option.
An email message matching this rule will be marked as spam, regardless of the spam filter. It will use the settings from the Custom Rules tab, in the section If the message was rejected by a custom spam rule (described below).
Define the score value for SpamAssassin (the higher the value, the lower the chance that a message passes through the filter). The value you assign to messages meeting this rule will be added to the corresponding SpamAssassin evaluation (negative values protect messages from being considered as spam). In case of this blacklist, the recommended score value is from 1 to 3 points.
The settings are applied only to custom rules where the Treat the message as spam and reject it option is set:
The server returns a DSN message to the sender, informing them that the email message cannot be delivered. Using this option is not recommended, since most spam messages use false sender addresses.
The address to which messages will be forwarded and where the administrator or another authorized person can check whether any legitimate messages are included in the spam.
Besides being created, rules can also be removed or edited. The order in which rules are sorted also plays an important role, because rules are executed in that order.
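The sketch below is an added example (not Kerio's implementation) of how the custom rule conditions described above can be evaluated, with the From and To items checked against both the message headers and the SMTP envelope and every other item checked against the message headers only. The sample message, envelope, rule tuples and case-insensitive matching are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: the visible From header and the envelope sender differ.
RAW = "\n".join([
    'From: "Billing" <billing@partner.example>',
    "To: alice@company.example",
    "Subject: Invoice overdue",
    "",
    "Please see the attached invoice.",
])
ENVELOPE = {"From": ["bounce@bulk-sender.example"],  # MAIL FROM:
            "To": ["alice@company.example"]}         # RCPT TO:

def item_values(item, msg, envelope):
    """From/To are read from the message headers and the envelope;
    any other item is read from the message headers only."""
    values = list(msg.get_all(item) or [])
    if item in ("From", "To"):
        values += envelope.get(item, [])
    return values

def rule_matches(rule, msg, envelope):
    item, cond, content = rule
    if cond == "is missing":          # header absent from the message itself
        return msg.get_all(item) is None
    values = item_values(item, msg, envelope)
    if cond == "is empty":
        return any(not v.strip() for v in values)
    if cond == "contains substring":  # case-insensitive here (assumption)
        return any(content.lower() in v.lower() for v in values)
    addresses = [addr.lower() for _, addr in getaddresses(values)]
    if cond == "contains address":
        return content.lower() in addresses
    if cond == "contains address with domain":
        return any(a.rpartition("@")[2] == content.lower() for a in addresses)
    raise ValueError("unknown condition: " + cond)

def matching_rules(rules, msg, envelope):
    """Return the comments of the rules that match, in list order."""
    return [c for c, *rule in rules if rule_matches(rule, msg, envelope)]

MSG = message_from_string(RAW)
RULES = [  # (comment, header item, condition type, content)
    ("bulk sender domain", "From", "contains address with domain", "bulk-sender.example"),
    ("no Message-ID", "Message-ID", "is missing", ""),
    ("envelope address in Sender", "Sender", "contains address", "bounce@bulk-sender.example"),
]
print(matching_rules(RULES, MSG, ENVELOPE))
```

The first rule matches only because of the envelope sender, and the third rule does not match because Sender is not a From or To item and is therefore never compared with the envelope.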
To fight spam, Kerio Connect uses SpamAssassin, a well-known antispam filter. SpamAssassin consists of several testing methods:
filter based on statistical evaluation of message content,
Bayesian filter,
SURBL (Spam URI Realtime Blocklist) — this method tests links to websites possibly included inside email against special online databases.
To make it easier to solve any problems with SpamAssassin that might arise, enable the SpamAssassin Processing option in the Debug log settings.
Enabling the Caller ID check makes it possible to filter out messages with falsified sender addresses (for details, refer to the manual).
On the Relay Control tab in the SMTP server section, it is possible to define a group of trustworthy IP addresses. The test will not apply to messages sent from IP addresses included in the group of trusted addresses.
Caller ID can be applied only to email delivered by SMTP. If email is downloaded from the domain mailbox by POP3 protocol, email policy logs will not work.
Messages with invalid Caller ID will be logged to the Security log.
Messages with an invalid Caller ID will be blocked at the SMTP level. Senders are informed that their message cannot be delivered.
The set value will be added to the total score of the message.
So far, the Caller ID technology has not been widely adopted. Therefore, it is often used by domains in testing mode only (the XML script's header in the corresponding DNS record includes the testing flag). For this reason, we recommend enabling this option. If the option is not enabled, the configuration will not be considered (as if the DNS record did not include the appropriate XML script).
With this option enabled, do not set the Block the message option for messages with an invalid Caller ID.
Use this option especially for specifying backup servers. If a message is sent through a backup server, the IP address of the server does not match the ones allowed for the domain. Therefore the messages from these addresses should not be checked.
To guarantee full functionality of Caller ID, do not set any other servers than the backup ones as those not to be checked.
Click the link to Kerio Technologies web server page where the “email policy” DNS record for a domain can be checked.
For detailed instructions on proper configuration of DNS entry settings for Caller ID, see the official Microsoft web pages.
Enabling the SPF check makes it possible to filter out messages with falsified sender addresses (for details, refer to the manual).
On the Relay Control tab in the SMTP server section, it is possible to define a group of trustworthy IP addresses. Email delivered from trusted IP addresses will not be tested by the SPF check.
SPF can be applied only to email delivered by SMTP. If email is downloaded from the domain mailbox by POP3 protocol, email policy logs will not work.
Messages with an invalid SPF record will only be added to the Security log.
Messages with an invalid SPF record will be blocked at the SMTP level. Senders are informed that their message cannot be delivered.
The set value will be added to the total score of the message.
Use this option especially for specifying backup servers. If a message is sent through a backup server, the IP address of the server does not match the ones allowed for the domain. Therefore the messages from these addresses should not be checked.
To guarantee full functionality of SPF, do not set any other servers than the backup ones as those not to be checked.
SPF check events are recorded in the debug log if the SPF Record Lookup option is enabled.
The optimal delay value is between 25 and 30 seconds. A shorter delay might not be enough (spam sending applications use 10-20 sec), while a longer one would impede communication.
Delaying the SMTP greeting decreases spam occurrence in Kerio Connect by 60 to 70 per cent. This also decreases the load on the server, since spam testing is very demanding. Additionally, the method has no so-called false positives, as it has no influence on email which is delivered legitimately.
Spam repellent settings apply to all incoming SMTP communication, i.e. also to messages from the local network, backup servers, etc. It is therefore recommended to add all trusted IP addresses and networks to this IP address group, so that communication is not blocked when the messages are apparently non-spam.
If this option is enabled, all detected spam attack attempts will be recorded in the Security log.
If many emails go through Kerio Connect, there are usually also many spam attack attempts, which can cause security log overflow.