Antispam Modules

UserGate Mail Server supports several spam protection technologies: DNSBL (DNS-based blacklists), SURBL (Spam URI blacklists), greylisting and tarpitting, plus the SpamAssassin and Commtouch filtering modules described below. Each technique catches a different class of spam, so they are normally used in combination rather than on their own.

Fig. 1. Antispam

Greylisting

Greylisting delays the first delivery attempt from an unknown sender. When a message arrives, the server records the triplet (IP address of the sending host, envelope sender address, envelope recipient address), does not accept the message, and returns a temporary SMTP error asking the sender to retry later. A correctly configured mail server keeps the message in its queue and retries a few minutes later with the same triplet. If the triplet of an incoming message matches one already recorded in the list, the message is accepted immediately, because the match means the sender is retrying. This filters out a large share of spam, since spam-sending software usually does not retry delivery to the same addresses. The cost is a delay of several minutes for the first message from each new sender; a legitimate sender that retries from a different host in a delivery pool produces a different triplet and is delayed again unless the sending address is matched by network rather than exactly.
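The following is an added example of the greylisting decision described above, written for this page; it is not code from UserGate Mail Server. The delay and expiry values, the /24 network matching for IPv4 senders (an assumption that hosts of one delivery pool share a /24) and the sample addresses are all constructed for the example.

```python
"""Greylisting decision on the (client IP, sender, recipient) triplet.

Added example, not UserGate code.  The first time a triplet is seen it is
recorded and the client gets a temporary SMTP error; a retry after `delay`
seconds is accepted and the triplet is then trusted.  Entries that are never
retried are dropped after `expire` seconds.  IPv4 clients are matched by /24
and IPv6 clients by /64 so that a retry from another host of the same
delivery pool is not delayed again (assumed pool layout, not universal).
"""
import ipaddress
import time

TEMP_FAIL = "450 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylister:
    def __init__(self, delay=300, expire=4 * 3600, clock=time.time):
        self.delay = delay      # seconds a new triplet has to wait
        self.expire = expire    # seconds after which an idle entry is forgotten
        self.clock = clock      # injectable so the example runs deterministically
        self.seen = {}          # triplet -> {"first": ts, "last": ts, "passed": bool}

    @staticmethod
    def _key(client_ip, sender, recipient):
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient):
        """Return the SMTP reply to give at RCPT TO time."""
        now = self.clock()
        key = self._key(client_ip, sender, recipient)
        entry = self.seen.get(key)
        if entry is None or now - entry["last"] > self.expire:
            # Unknown (or long idle) triplet: record it and defer the message.
            self.seen[key] = {"first": now, "last": now, "passed": False}
            return TEMP_FAIL
        entry["last"] = now
        if entry["passed"] or now - entry["first"] >= self.delay:
            entry["passed"] = True          # retry after the delay: trusted from now on
            return ACCEPT
        return TEMP_FAIL                    # retried too early: keep deferring


def demo():
    """Constructed session sequence; returns the replies in order."""
    t = [1000.0]
    g = Greylister(delay=300, clock=lambda: t[0])
    replies = [g.check("203.0.113.10", "a@example.com", "b@example.net")]   # new: deferred
    t[0] += 60
    replies.append(g.check("203.0.113.10", "a@example.com", "b@example.net"))  # too early
    t[0] += 300
    replies.append(g.check("203.0.113.20", "a@example.com", "b@example.net"))  # pool host: accepted
    replies.append(g.check("198.51.100.5", "spam@example.org", "b@example.net"))  # new sender: deferred
    return replies


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The fourth call shows the cost of the technique: a sender that never retries (typical spam software) is never accepted, but a legitimate sender's first message is also held until its server retries. Production implementations add a whitelist of known-good networks and persist the triplet table across restarts, which this example omits.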

Blacklists (DNSBL)

A DNS blacklist (DNSBL) is a network service run by a blacklist provider. The provider tracks IP addresses (and sometimes domain names) used by spammers. A mail filter with DNSBL support queries the provider for the address of the connecting mail server and, optionally, for the addresses of the relays the message passed through on its way to the recipient. If an address is listed, the message most likely contains spam. Along with spam sources, some providers also list addresses that send out viruses, trojans, worms, tools for unauthorized remote control and other malicious content. The lookup itself is an ordinary DNS query: the octets of the IP address are reversed, the provider's zone name is appended, and an A record is requested; an answer in the 127.0.0.0/8 range means the address is listed, while NXDOMAIN means it is not. The addresses checked are the connecting client's IP and the relay addresses found in the Received fields of the message header; some lists also accept domain names (for example the sender's domain) instead of IP addresses. Only the address of the host that connected directly to the server can be trusted: Received headers added by earlier hops are written by other systems and can be forged, so a listing found there should carry less weight than a listing of the connecting client.

Tarpitting

Tarpitting delays mail delivery from a remote server suspected of distributing spam. A server becomes suspect when one of its messages is addressed to an unusually large number of recipients. Once this number exceeds the configured limit, tarpitting is applied to all further messages from that server.

SURBL filtering

SURBL filtering detects spam by the URLs contained in the message text, checking their domains against blacklists. For each URL found in the message, the module extracts the domain component (second or third level), appends the SURBL zone name and sends a DNS query to the SURBL server(s). For example:

URL http://some.test.ru/index.html -> domain test.ru + zone insecure-bl.rambler.ru -> resolve test.ru.insecure-bl.rambler.ru -> answer 127.0.0.1 (listed) -> mark the message as spam

A separate list (the 2tld file) holds domains for which three levels should be checked instead of two. This applies to virtual hosting services and to public second-level zones under which third-level domains are registered, such as org.ru or pp.ru: for a URL under one of these zones, looking up only the second level (org.ru) would say nothing about the actual site, so the third-level name is looked up instead.
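Both the DNSBL check from the Blacklists section and the SURBL check above reduce to the same operation: build a hostname under the list's zone and resolve it. The following added example (written for this page, not UserGate code) implements both lookups with an injected resolver so it runs offline; the zone names dnsbl.example and surbl.example, the "listed" entries in the table, the 2tld entries and the sample message body are all constructed for the example.

```python
"""DNSBL (by IP) and SURBL (by URL domain) lookups.  Added example, not
UserGate code.  A name is "listed" when the list's zone answers with an A
record in 127.0.0.0/8; NXDOMAIN (None here) means not listed.  The resolver
is injected so the example runs against a constructed table instead of DNS.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-in for DNS: query name -> A record.  Made-up zones.
FAKE_DNS = {
    "10.113.0.203.dnsbl.example": "127.0.0.2",   # client 203.0.113.10 is listed
    "test.ru.surbl.example": "127.0.0.1",        # domain test.ru is listed
    "evil.org.ru.surbl.example": "127.0.0.1",    # domain evil.org.ru is listed
}

# Zones under which third-level domains are registered (the "2tld" list).
TWO_LEVEL_TLDS = {"org.ru", "pp.ru", "com.ru", "co.uk"}

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def fake_resolve(name):
    """Stand-in for a DNS A lookup; None plays the role of NXDOMAIN."""
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip, zone):
    """Reverse the address labels and append the zone, e.g. 1.2.0.192.zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))   # one nibble per label
    return ".".join(reversed(labels)) + "." + zone


def is_listed(name, resolve):
    answer = resolve(name)
    return answer is not None and ipaddress.ip_address(answer) in LISTED_RANGE


def ip_is_listed(ip, zone, resolve=fake_resolve):
    return is_listed(dnsbl_query_name(ip, zone), resolve)


def surbl_domain(url, two_level_tlds=TWO_LEVEL_TLDS):
    """Registrable part of the URL host: two labels, or three under a 2tld zone."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in two_level_tlds and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def scan_message(body, surbl_zone, resolve=fake_resolve):
    """Return the sorted set of listed domains found in the message body."""
    hits = set()
    for url in URL_RE.findall(body):
        domain = surbl_domain(url.rstrip(".,;)"))
        if domain and is_listed(f"{domain}.{surbl_zone}", resolve):
            hits.add(domain)
    return sorted(hits)


# Constructed sample message body.
SAMPLE_BODY = (
    "Hi, see http://some.test.ru/index.html and https://www.evil.org.ru/x, "
    "also http://clean.example.com/ for details."
)

if __name__ == "__main__":
    print(dnsbl_query_name("203.0.113.10", "dnsbl.example"))
    print(ip_is_listed("203.0.113.10", "dnsbl.example"))
    print(scan_message(SAMPLE_BODY, "surbl.example"))
```

Two practical caveats the page's description does not spell out. First, for the DNSBL check the only address worth trusting is the one the server itself saw on the TCP connection; relay addresses taken from Received headers can be forged by the sender. Second, real lists use the specific value in 127.0.0.x to encode why an address is listed, and some return a code for "you are querying too much", so a production filter should interpret the answer rather than treat any 127/8 reply as spam.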

SpamAssassin module

SpamAssassin is an extensible spam filter. The module passes each incoming message through a series of tests. Each test has a score. When a test matches (hits), its score is added to the message total. Scores may be positive or negative: positive scores indicate spam characteristics, negative scores indicate features of legitimate mail ("ham"). After all tests have run, the module computes the total; the higher the total, the more likely the message is spam.

SpamAssassin has an adjustable threshold. A message whose total score reaches the threshold is classified as spam. As a rule, the threshold should be set so that a message has to hit more than one test to be classified as spam: no single test should score enough to cross it on its own, otherwise one false positive in one rule is enough to misclassify legitimate mail.
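The following added example (written for this page, not SpamAssassin's own code) shows the scoring model: it parses a small subset of the real SpamAssassin rule syntax (header, body, score, required_score) and scores two constructed messages, one that hits several rules and one that hits the same high-scoring subject rule alone. The rule names, scores, regular expressions and messages are made up for the example.

```python
"""Score-based filtering in the SpamAssassin style.  Added example; parses a
subset of the real rule syntax (`header`, `body`, `score`, `required_score`)
and sums the scores of matching rules.  Rules and messages are constructed.
"""
import email
import re
from email import policy

# Constructed rule file in SpamAssassin syntax (subset).
RULES_CF = r"""
required_score 5.0

header   SUBJ_ALL_CAPS  Subject =~ /^[A-Z0-9 !$%]{12,}$/
score    SUBJ_ALL_CAPS  2.5

body     URGENT_MONEY   /urgent.{0,40}(wire|transfer|money)/i
score    URGENT_MONEY   3.0

body     FREE_OFFER     /free (offer|gift|prize)/i
score    FREE_OFFER     1.5

header   FROM_INTERNAL  From =~ /@corp\.example$/i
score    FROM_INTERNAL  -2.0
"""

HEADER_RE = re.compile(r"^header\s+(\w+)\s+([\w-]+)\s+=~\s+/(.*)/(\w*)$")
BODY_RE = re.compile(r"^body\s+(\w+)\s+/(.*)/(\w*)$")
SCORE_RE = re.compile(r"^score\s+(\w+)\s+(-?[\d.]+)$")
REQ_RE = re.compile(r"^required_score\s+(-?[\d.]+)$")


def _flags(letters):
    return re.IGNORECASE if "i" in letters else 0


def parse_rules(text):
    """Return ([(name, kind, header, regex, score)], required_score)."""
    rules, scores, required = {}, {}, 5.0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := HEADER_RE.match(line):
            name, hdr, pat, fl = m.groups()
            rules[name] = ("header", hdr, re.compile(pat, _flags(fl)))
        elif m := BODY_RE.match(line):
            name, pat, fl = m.groups()
            rules[name] = ("body", None, re.compile(pat, _flags(fl)))
        elif m := SCORE_RE.match(line):
            scores[m.group(1)] = float(m.group(2))
        elif m := REQ_RE.match(line):
            required = float(m.group(1))
    # SpamAssassin gives a rule without an explicit score a default of 1.0.
    return [(n, *rules[n], scores.get(n, 1.0)) for n in rules], required


def score_message(raw, rules, required):
    """Return (total score, names of rules that hit, is_spam)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits, total = [], 0.0
    for name, kind, hdr, pattern, score in rules:
        target = str(msg.get(hdr, "")) if kind == "header" else text
        if pattern.search(target):
            hits.append(name)
            total += score
    return round(total, 2), hits, total >= required


# Constructed sample messages.
SPAM = """From: offers@promo.example
Subject: URGENT WIRE TRANSFER NEEDED!
Content-Type: text/plain

Urgent: please transfer money today. Free gift for early replies.
"""

HAM = """From: alice@corp.example
Subject: URGENT WIRE TRANSFER NEEDED!
Content-Type: text/plain

Heads up: finance needs the quarterly wire transfer form by Friday.
"""


def demo():
    rules, required = parse_rules(RULES_CF)
    return score_message(SPAM, rules, required), score_message(HAM, rules, required)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second message is the point of the threshold rule above: its subject hits SUBJ_ALL_CAPS (2.5) just like the spam, but with no other positive hits and a negative score for the internal sender it stays well under the required 5.0. Real SpamAssassin rules include many more test types (URI, raw body, meta rules combining other rules, network tests), which this subset parser does not handle.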

Commtouch module

Commtouch Anti-Spam Gateway is a patented spam protection solution for mail servers and SMTP gateways. The Commtouch module uses a filter based on the proprietary RPD (Recurrent Pattern Detection) algorithm, which identifies spam by its main characteristic, mass distribution: the same pattern appearing repeatedly across mail traffic. Unlike other antispam vendors, Commtouch does not distribute filter updates as a conventional content signature database; its product scans mail traffic for recurring spam patterns.

When the Anti-Spam Enterprise gateway receives an e-mail, it first looks for a matching rule in the local policies, which apply either to the company as a whole or to particular users. If no rule matches, the Commtouch module consults its local cache of previous responses from the Anti-Spam Detection Center. If the cache has no answer either, the gateway module sends a query to the Anti-Spam Detection Center operated by Commtouch. If the Center is unavailable, the module fails open: the message is delivered to the user's inbox without a classification.

If a message is classified as spam, the gateway module acts according to its configuration settings. A legitimate message is delivered to the user's mailbox.