Overview
The Header Checking filter is one of the plugins that are part of the Anti-Spam Engine (ASE) scanning chain. This filter allows an administrator to specify which checks should be performed on email headers.
This article describes how this filter analyzes email headers to identify spam emails.
Introduction
The Header Checking filter analyses the email header to identify spam emails.
This filter is part of the Anti-Spam Engine (ASE) chain as shown in the illustration. The order in which the various modules scan an email is configurable and can be changed from MailEssentials Configuration > Anti-Spam > Filter Priority.
Description
The Header Checking Anti-Spam filter can be configured to make several different checks on an email, mostly related to the email’s headers. It can also be configured to detect particular groups of inconsistencies in MIME/SMTP header values.
The table below outlines the different checks that can be configured and enabled in this filter to identify spam:

| Option | Description |
|---|---|
| Check if the email header contains an empty MIME FROM: field. | Checks if the sender has identified himself in the From: field. If this field is empty, the message is marked as spam. |
| Check if the email header contains a malformed MIME FROM: field. | Checks whether the MIME from field uses correct notation as defined in the RFCs. |
| Maximum number of recipients allowed in email | Identifies emails with a large number of recipients and flags them as spam. |
| Check if the email headers contain different SMTP TO: and MIME TO: fields. | Checks whether the SMTP to: and MIME to: fields are the same. The spammer's email server always has to include an SMTP to: address. However, the MIME to: email address is often not included or is different. NOTE: This feature identifies a lot of spam, however some list servers do not include the MIME to: either. It is therefore recommended to whitelist newsletter sender addresses when using this feature. |
| Check if the email headers contain different SMTP FROM: and MIME FROM: fields. | The same as above, but related to FROM fields. |
| Verify if sender domain is valid (performs DNS lookup on MIME FROM:) | Performs a DNS lookup on the domain in the MIME from field and verifies the domain validity. NOTE: Ensure that the DNS server is properly configured to avoid timeouts and slow email flow. |
| Maximum numbers allowed in the first part of the MIME FROM: field: | Identifies the presence of numbers in the MIME from field (e.g. joe31516u9@domain.com). Spammers often use tools that automatically create unique reply-to: addresses by using numbers in the address. |
| Check if email contains encoded IP addresses. | Checks the message header and body for URLs that have a hex/octal encoded IP (http://0072389472/hello.com) or which have a username/password combination (for example www.citibank.com@scammer.com). The following examples are flagged as spam: http://12312 and www.microsoft.com:hello%01@123123 |
| Check if email contains remote images only. Minimum HTML body size | Flags emails that only have remote images and a minimal amount of text as spam. Assists in identifying 'image only email' spam. |
| Check if email contains GIF images. | Checks if the email contains one or more embedded GIF images. Embedded GIF images are often used to circumvent spam filters. IMPORTANT: Since some legitimate emails contain embedded GIF images, this option is prone to false positives. |
| Check if email contains attachment spam. | Checks email attachments for properties that are common to attachments sent in spam email. This helps in keeping up with the latest techniques used by spammers in using attachments to send spam. |
| Check if the email subject contains the first part of the recipient email address. | Identifies personalized spam email, where spammers frequently include the first part of the recipient email address in the subject. |
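To make the checks in the table concrete, the following added example (not GFI MailEssentials code) applies several of them to a constructed message and SMTP envelope. The finding names, the `max_digits` and `max_rcpts` thresholds and the sample addresses are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample message and SMTP envelope values for illustration only.
RAW = """\
From: "Offers" <joe31516u9@domain.com>
To: undisclosed@example.net
Subject: alice, your account needs attention

Visit http://0072389472/hello.com or http://www.citibank.com@scammer.com/login
"""
ENVELOPE_FROM = "bounce@mailer.example.org"
ENVELOPE_TO = ["alice@example.com"]

AUTHORITY_RE = re.compile(r"https?://([^/\s]+)", re.I)

def url_flags(text):
    """Flag URLs whose host is a bare number or that carry user@host userinfo."""
    flags = set()
    for authority in AUTHORITY_RE.findall(text):
        userinfo, _, host = authority.rpartition("@")
        if userinfo:
            flags.add("url-with-userinfo")
        if re.fullmatch(r"0x[0-9a-f]+|\d+", host.split(":")[0], re.I):
            flags.add("url-encoded-ip")
    return flags

def header_checks(raw, env_from, env_to, max_digits=3, max_rcpts=50):
    msg = message_from_string(raw)
    findings = set()
    mime_from = parseaddr(msg.get("From", ""))[1].lower()
    mime_to = {a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a}
    if not mime_from:
        findings.add("empty-mime-from")
    elif mime_from != env_from.lower():
        findings.add("smtp-mime-from-mismatch")
    if mime_to != {a.lower() for a in env_to}:
        findings.add("smtp-mime-to-mismatch")
    if len(env_to) > max_rcpts:
        findings.add("too-many-recipients")
    if sum(c.isdigit() for c in mime_from.partition("@")[0]) > max_digits:
        findings.add("digits-in-mime-from")
    subject = msg.get("Subject", "").lower()
    if any(a.partition("@")[0].lower() in subject for a in env_to):
        findings.add("recipient-in-subject")
    return findings | url_flags(msg.get_payload())

if __name__ == "__main__":
    print(sorted(header_checks(RAW, ENVELOPE_FROM, ENVELOPE_TO)))
```

A legitimate list-server message with no MIME To: header would also raise the SMTP/MIME To: mismatch here, which is why the table recommends whitelisting newsletter senders before enabling that check.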
This filter also provides some Language Detection capability which can be configured to block emails formatted in specific character sets. MailEssentials can block or allow certain groups of character encodings. This means if, for example, a customer chooses to block Cyrillic it will block all emails encoded in the following character sets: ISO-8859-5, Windows-1251, Cy, Cy-az-AZ, Cy-sr-SP and Cy-uz-UZ.
Note: The Header Checking - Language filter is different than the Language Detection filter since it analyzes the encoding (character set) of the email header. Language Detection analyzes the language of the email body text. Results of the Language Detection filtering engine are generally more reliable.
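The character-set matching described above can be illustrated with this added example (not GFI MailEssentials code). It assumes the declared charsets are read from RFC 2047 encoded-words in the Subject, From and To headers and from the Content-Type header; the sample messages are constructed, and only a few of the groups from the table below are included.

```python
from email import message_from_string
from email.header import decode_header

# A subset of the charset groups listed on this page (character-set names
# only; culture codes such as "ar-DZ" are left out of this sketch).
CHARSET_GROUPS = {
    "Arabic": {"iso-8859-6", "windows-1256"},
    "Cyrillic": {"iso-8859-5", "windows-1251"},
    "Greek": {"iso-8859-7", "windows-1253"},
    "Western Europe and United States": {"iso-8859-1", "windows-1252"},
}

# Constructed sample messages.
SAMPLE_ENCODED_SUBJECT = (
    "From: a@example.com\nSubject: =?windows-1251?B?z/Do4uXy?=\n\nbody\n"
)
SAMPLE_BODY_CHARSET = (
    "From: a@example.com\nSubject: hello\n"
    "Content-Type: text/plain; charset=ISO-8859-5\n\nbody\n"
)
SAMPLE_LATIN = "Subject: =?iso-8859-1?Q?caf=E9?=\n\nbody\n"

def header_charsets(msg, names=("Subject", "From", "To")):
    """Collect charsets declared in encoded-words and in Content-Type."""
    found = set()
    for name in names:
        for value in msg.get_all(name, []):
            # decode_header yields (decoded_part, charset); charset is None
            # for plain ASCII runs.
            for _, charset in decode_header(value):
                if charset:
                    found.add(charset.lower())
    found.update(c.lower() for c in msg.get_charsets() if c)
    return found

def blocked_groups(raw, blocked):
    """Return the blocked language groups whose charsets the message declares."""
    seen = header_charsets(message_from_string(raw))
    return sorted(g for g in blocked if CHARSET_GROUPS[g] & seen)

if __name__ == "__main__":
    print(blocked_groups(SAMPLE_ENCODED_SUBJECT, {"Cyrillic"}))
```

Because the match is on the declared charset rather than the text itself, a Cyrillic message sent as UTF-8 would not be caught by this check, which is consistent with the note that body-text Language Detection is generally more reliable.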
Language Detection Character Sets
| Language | Language Sub-Groups | Encodings |
|---|---|---|
| Arabic | | ISO-8859-6 Windows-1256 ar ar-DZ ar-BH ar-EG ar-IQ ar-JO ar-KW ar-LB ar-LY ar-MA ar-OM ar-QA ar-SA ar-SY ar-TN ar-AE ar-YE |
| Armenian | | Hy hy-AM |
| Baltic | | ISO-8859-4 Windows-1257 |
| Central Europe | | ISO-8859-2 Windows-1250 |
| Cyrillic | | ISO-8859-5 Windows-1251 Cy Cy-az-AZ Cy-sr-SP Cy-uz-UZ |
| Georgian | | Ka ka-GE |
| Greek | | ISO-8859-7 Windows-1253 el el-GR |
| Hebrew | | ISO-8859-8 Windows-1255 he hr-IL |
| Indic | Assamese/Axomiya | ISO-639-1 ISO-639-2 ISO-639-3 as asm asm |
| | Bengali | ISO-15924 bn ben ben |
| | Bodo | ISO-639-3 brx |
| | Dogri | ISO-639-2 ISO-639-3 quj quj |
| | Gujarati | ISO-639-1 ISO-639-2 ISO-639-3 qu quj quj |
| | Hindi | ISO-639-1 ISO-639-2 ISO-639-3 hi hin hin |
| | Kannada | ISO-639-1 ISO-639-2 ISO-639-3 kn kan kan |
| | Kashmiri | ISO-639-1 ISO-639-2 ISO-639-3 ks kas kas |
| | Konkani | ISO-639-2 ISO-639-3 kok kok |
| | Maithili | ISO-639-1 ISO-639-2 ISO-639-3 bh mai mai |
| | Malayalam | ISO-639-1 ISO-639-2 ISO-639-3 ml mal mal |
| | Manipuri | ISO-639-2 ISO-639-3 mni mni |
| | Marathi | ISO-639-1 ISO-639-2 ISO-639-3 mr mar mar |
| | Nepali | ISO-639-1 ISO-639-2 ISO-639-3 ne nep nep |
| | Oriya | ISO-639-1 ISO-639-2 ISO-639-3 or ori ori |
| | Punjabi | ISO-639-1 ISO-639-2 ISO-639-3 pa pan pan |
| | Sanskrit | ISO-639-1 ISO-639-2 ISO-639-3 sa san san |
| | Santhali | ISO-639-2 ISO-639-3 sat |
| | Sindhi | ISO-639-1 ISO-639-2 ISO-639-3 sd snd kfr lss sbn |
| | Tamil | ISO-639-1 ISO-639-2 ISO-639-3 ta tam tam |
| | Telugu | ISO-639-1 ISO-639-2 ISO-639-3 te tel tel |
| | Urdu | ISO-639-1 ISO-639-2 ISO-639-3 ur urd urd |
| Japanese | | SHIFT_JIS ja ja-JP |
| Korean | | Ko ko-KR |
| Simplified Chinese | | zh-CHS |
| Thai | | Th th-TH |
| Traditional Chinese | | zh-CHT |
| Turkic | Pecheneg | ISO-639-3 xpx |
| | Ottoman Turkish | ISO-639-2 ISO-639-3 ota ota |
| | Turkish | ISO-639-1 ISO-639-2 ISO-639-3 tr tur tur |
| | Gagauz | ISO-639-3 gag |
| | Azerbaijani | ISO-639-1 ISO-639-2 ISO-639-3 az aze aze |
| | Balkan Gagauz Turkish | ISO-639-3 bgx |
| | Turkmen | ISO-639-1 ISO-639-2 ISO-639-3 tk tuk tuk |
| | Khorasani Turkic | ISO-639-3 kmz |
| | Afshar | ISO-639-3 |
| | Qashqai | ISO-639-3 qxq |
| | Sonqori | ISO-639-3 azb |
| | Aynallu | ISO-639-3 azb |
| | Khalaj | ISO-639-3 klj |
| | Kipchak | ISO-639-3 |
| | Kumyk | ISO-639-2 ISO-639-3 kum kum |
| | Karachay-Balkar | ISO-639-2 ISO-639-3 krc krc |
| | Crimean Tatar | ISO-639-3 chr |
| | Urum | ISO-639-3 uum |
| | Krymchak | ISO-639-3 jct |
| | Cuman | ISO-639-3 qwm |
| | Karaim | ISO-639-3 kdr |
| | Kazan Tatar | ISO-639-1 ISO-639-2 ISO-639-3 tt tat tat |
| | Mishar | |
| | Bashkir | ISO-639-1 ISO-639-2 ISO-639-3 ba bak bak |
| | West Siberian Tatar | ISO-639-3 |
| | Kazakh | ISO-639-1 ISO-639-2 ISO-639-3 kk kaz kaz |
| | Karakalpak | ISO-639-2 ISO-639-3 kaa kaa |
| | Kyrgyz | ISO-639-1 ISO-639-2 ISO-639-3 ky kir kir |
| | Kipchak Uzbek (Fergana Kipchak language) | ISO-639-3 qwm |
| | Nogay | ISO-639-2 ISO-639-3 nog nog |
| | Uzbek | ISO-639-1 ISO-639-2 ISO-639-3 uz uzb uzn uzs |
| | Uyghur | ISO-639-1 ISO-639-2 ISO-639-3 ug uig uig |
| | Taranchi | |
| | Western Yugur (Yellow Uyghur) | ISO-639-3 ybe |
| | Salar | ISO-639-3 ybe slr |
| | Old Turkic | ISO-639-3 otk |
| | Chagatay | ISO-639-2 ISO-639-3 chg |
| | Aini | ISO-639-3 aib |
| | Ili Turki | ISO-639-3 ili |
| | Sakha (Yakut) | ISO-639-2 ISO-639-3 sah sah |
| | Dolgan | ISO-639-3 dlg |
| | Tuvan (Soyot, Uriankhai) | ISO-639-2 ISO-639-3 tyv tyv |
| | Tofa | ISO-639-3 kim |
| | Khakas | ISO-639-3 kjh |
| | Fuyü Gïrgïs | ISO-639-3 kjh |
| | Shor (Saghay Qaca, Qizil) | ISO-639-3 cjs |
| | Chulym (Küerik) | ISO-639-3 clw |
| | Altay Oirot and dialects such as Tuba, Qumanda, Qu, Teleut, Telengit | ISO-639-3 atv alt |
| | Chuvash | ISO-639-1 ISO-639-2 ISO-639-3 cv chv chv |
| | Khazar | ISO-639-3 zkz |
| | Turkic Avar | |
| | Bulgar | ISO-639-3 xbo |
| | Hunnic | ISO-639-3 xhc |
| Vietnamese | | Windows-1258 vi vi-VN |
| Western Europe and United States | | ISO-8859-1 Windows-1252 |