Overview
This article provides the recommended best practices for the Filter Priority configuration, which orders the various spam filters to maximize scanning efficiency and reduce the spam that reaches users' mailboxes. Follow these recommendations if you are still receiving spam emails despite having MailEssentials installed.
Information
The information is organized in the following subsections:
Introduction
MailEssentials is an industry-leading anti-spam and email security solution with multiple filters that can be configured independently to safeguard email users from SPAM and MALWARE.
While every organization is different and may require some additional custom configuration of the filters depending on the type of spam emails received, as a general rule, the prioritization presented in this article is recommended, making sure all the filters are enabled.
Switchable Filters
You can toggle the filtering mode for the SMTP-level filters from Full email to SMTP and back as follows:
- Open the GFI MailEssentials Configuration UI
- Navigate to Anti-Spam > Filter Priority
- Open the SMTP Transmission Filtering tab.
- Use the Switch button to toggle the required setting for the available filter.
To make the best of SMTP Transmission filtering, use it when GFI MailEssentials is installed on an Internet gateway or when it is the first server to receive emails from the Internet.
SMTP level filtering terminates the email’s connection and therefore stops the download of the full email, economizing on bandwidth and processing resources. In this case, the connection is terminated immediately and emails are not required to go through any other anti-spam filters.
This however means that emails will not be quarantined, so you will not have the option of approving or releasing them. If you need to be able to approve emails, consider using Full email level filtering instead.
Recommended Filter Priority
- Directory Harvesting, IP DNS Blocklist, and IP Blocklist are each listed twice, once for SMTP mode and once for Full email mode.
- SMTP level filters can only be re-ordered with other SMTP filters and will remain at the top of the priority list.
The order can be changed as follows:
- Open the GFI MailEssentials Configuration UI
- Navigate to Anti-Spam > Filter Priority
Customize the existing Filter Priority by clicking the button that assigns a higher priority or the button that assigns a lower priority, as described in Sorting Anti-Spam Filters by Priority, progressively until the following prioritization is achieved:
- Directory Harvesting (SMTP mode): Recommended mode for Directory Harvesting; use Full email mode only if necessary.
- Greylist (SMTP mode)
- IP Blocklist (SMTP mode)
- IP DNS Blocklist (SMTP mode): If you experience false positives, please change this to Full email mode to enable whitelisting; it does not utilize the whitelist when in SMTP mode.
- IP Blocklist (Full Email mode)
- IP Whitelist
- Directory Harvesting (Full Email mode): If unable to run in SMTP mode, only configure the Action for Delete, Send to an email address, or Move to a folder on disk.
- Anti Spoofing
- Sender Policy Framework
- Personal Email Blocklist
- Personal Email Whitelist
- Email Blocklist
- Whitelist
- Keyword Whitelist
- SpamRazer
- Anti Phishing
- URI DNS Blocklist
- Bayesian Analysis
- Header Checking
- Spam Keyword Checking
- Language Detection
This prioritization provides the best chance to remove known bad emails from processing first (the SMTP level filters), then allows any explicitly defined IP addresses into the network. These IPs would be defined by your MailEssentials administrator.
Next, a check is done to make sure the email has not been spoofed with your domain, followed by a check against the SPF record to cut down on emails spoofed for other domains. Once finished, the per-user lists are applied ahead of the domain-wide lists: the Personal Blocklist prevents a single user from getting the email, then the Personal Whitelist allows a single user to get an email, followed by the domain-wide Blocklist, then the Whitelist.
This ordering allows individual users to have some control over what they receive while still filtering the majority of spam, because users must explicitly opt in the addresses they want to personally block or receive.
Additional Recommendations
- Greylisting is a very effective filter for stopping zero-day spam and is the only filter capable of blocking zero-day spam messages until the other filters are able to start blocking them. We have found that several major webmail providers and federal agencies are not compliant with the checks Greylisting does, or take an unusually long time to reply to the Greylist check, so several exclusions need to be added:
- Open the MailEssentials Configuration UI
- Navigate to Anti Spam > Anti Spam Filters > Greylist
- Open the Email Exclusions tab, and add the following as From addresses:
- *@gmail.com
- *@yahoo.com
- *@hotmail.com
- *@msn.com
- *@outlook.com
- You will also want to make sure that under Options: Exclude email addresses and domains specified in Whitelist and Personal Whitelist is enabled.
These changes will minimize the email delay when using the Greylist.
- Once you have the priority set, you will want to make sure the IP DNS Blocklist is set correctly:
- Open the MailEssentials Configuration UI
- Navigate to Anti Spam > Anti Spam Filters > IP DNS Blocklist.
- bl.spamcop.net and dul.dnsbl.sorbs.net should be enabled by default.
- Add truncate.gbudb.net
- Add 0spam.fusionzero.com
- Add zen.spamhaus.org
- Add b.barracudacentral.org
Note
You need to sign up for the Barracuda blocklist at barracudacentral.org and click on the "Request access" link. The IP address it is requesting is the external IP used by your MailEssentials server.
- The Bayesian Analysis filter can also block a large number of these spam messages as they tend to be the same "type" of spam messages. Please check the "How to train, manually update and create a new database for the Bayesian Filter" article, for information on training the database.
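When chasing IP DNS Blocklist false positives, or confirming that the zones added above answer at all from the MailEssentials server, it helps to query them directly. The following Python is an added example, not GFI code: it builds the standard DNSBL query name (reversed IPv4 octets plus the zone) and separates real listings from the 127.255.255.x answers Spamhaus uses to signal a query problem; the sample IP and its answers are constructed.

```python
import ipaddress
import socket

# Zones named in the IP DNS Blocklist recommendation above.
ZONES = ["bl.spamcop.net", "dul.dnsbl.sorbs.net", "truncate.gbudb.net",
         "0spam.fusionzero.com", "zen.spamhaus.org", "b.barracudacentral.org"]
# Spamhaus answers in 127.255.255.0/24 when the query itself is the problem
# (for example a lookup relayed through a public resolver); not a listing.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Constructed sample answers so the example runs offline (not real listings).
SAMPLE = {"10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
          "10.2.0.192.zen.spamhaus.org": ["127.255.255.254"]}


def dnsbl_name(ip, zone):
    """Build the query name for an IPv4 sender; raises ValueError otherwise."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """A records via the OS resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []  # a resolver outage also lands here and looks "clean"


def classify(answers):
    """Map one zone's A-record answers to 'error', 'listed' or 'clean'."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in ERROR_NET for a in addrs):
        return "error"
    if any(a in LISTED_NET for a in addrs):
        return "listed"
    return "clean"


def check_ip(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: verdict} for one sender IP across the configured zones."""
    return {z: classify(resolve(dnsbl_name(ip, z))) for z in zones}


if __name__ == "__main__":
    report = check_ip("192.0.2.10", resolve=lambda n: SAMPLE.get(n, []))
    for zone, verdict in report.items():
        print(f"{zone:26} {verdict}")
```

Run it on the MailEssentials server with the default resolver so the result reflects what the filter itself sees. An "error" verdict means that zone is not filtering reliably through the current DNS path, and 127.0.0.2, the test entry RFC 5782 asks DNSBLs to list, is a convenient probe for checking that a zone is reachable.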
Correctly configuring the above recommendations should significantly reduce the amount of spam and malware emails that get delivered to users' mailboxes. However, if you continue to receive spam messages that show in the MailEssentials Dashboard Logs with a scan result of "OK", you are advised to open a support ticket providing a set of sample messages as well as troubleshooter logs for analysis.