CERATEC

Xwall configuration suggestions

Quick and simple

Covers Version 3.26 and 3.27

The Xwall SPAM filter offers a wide variety of filters and blocks, and understanding these options is important for success. This page shows the initial setup we use at our local client sites around Central Texas; it can help you get your Xwall up and running in a short time. Of course, Xwall has many more filters and options. These are described in detail in the Xwall online manual. We strongly recommend reading the manual in order to set up Xwall tailored to your situation. The online manual always reflects the latest enhancements and changes.

SPAM RBL relay list implementation

Keeping SPAM out of your company's email system is an effort utilizing many different approaches. Real-time blocklists, known as RBLs, are one of the tools available to you. These lists are updated in real time and can make a dent in the SPAM flood. They are compiled from open SMTP relays found all over the Internet: an open SMTP relay can be used by spammers to send out their SPAM messages by the millions. Xwall takes the IP address and/or domain name of the sending server and looks it up in the RBLs you have implemented. Xwall is also equipped with an exclude table (white list) that allows specified domains or IP addresses to pass even if they are caught by an RBL. This Xwall feature makes the implementation of the RBL services much more useful.

To set up this filter start the Xwall Admin. Go to OPTIONS -> SPAM. Check the first flag and click on ADD COMMON. This will add 4 popular RBL services. The 4 relays

SMTP level blocking: Xwall allows you to block messages at the SMTP level. Here are a few things to consider.

SMTP-level blocking conserves your bandwidth. If the connecting server is on an RBL, Xwall rejects it during the SMTP session and never allows the message to be sent.

Since Xwall never receives the message, excluding senders is more difficult: at that stage only the connecting host is known, so you need to exclude the host or IP address rather than an email address.

Below the SPAM Lookup Service table you see the action list. For the first week or two I recommend choosing "forward to recipient with warning". Tell all your users to look at the warning messages; if they find senders they don't want to be blocked, they need to forward these messages to you.

IMPORTANT: Xwall matches domain and email addresses from right to left. That means if you type in COM, every domain ending in .COM will be affected; yahoo.com affects all email from yahoo.com and every host under it. Do not use *.com: it would only match the literal string *.com, which equals nothing, since * is not a legal domain character.
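The lookup and exclude logic described above, as an added example (my code, not Xwall's): it builds the RBL query name from the connecting IP address, consults an exclude table with the right-to-left domain semantics just described, and only then asks the RBLs. Assumptions not stated on the page: the exclude table takes IP entries as dotted prefixes in the same form the relay option uses further down ("192.168.1."); the query-name reversal and the meaning of a 127.x answer are the usual DNSBL conventions; the zone bl.example, the DNS answers and the addresses are constructed. The same reversal also builds the in-addr.arpa name used by the PTR lookup discussed later.

```python
"""DNSBL (RBL) lookup with an Xwall-style exclude table.

Added example, not Xwall's own code.  Assumed conventions (standard for
DNS-based blocklists, not taken from the page): the client's IPv4 address
is reversed octet by octet and queried as a hostname under the list's zone;
an answer in 127.0.0.0/8 means "listed", no answer means "not listed".
The zone name bl.example and the DNS answers below are constructed.
"""
import ipaddress
import socket
from typing import Callable, List, Optional, Sequence, Tuple

# ("ip", "192.168.1.") or ("domain", "example.com")
ExcludeTable = Sequence[Tuple[str, str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """203.0.113.7 under bl.example -> 7.113.0.203.bl.example"""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def ptr_query_name(ip: str) -> str:
    """The PTR lookup discussed later on the page uses the same reversal."""
    return dnsbl_query_name(ip, "in-addr.arpa")


def excluded(ip: str, sender_domain: Optional[str], table: ExcludeTable) -> bool:
    """Xwall-style exclude matching.

    IP entries are dotted prefixes ("192.168.1." covers 192.168.1.0-255;
    note that "192.168.1" without the dot would also cover 192.168.10.x).
    Domain entries match right to left: "example.com" covers example.com and
    every host under it, and a bare "com" would cover every .com sender.
    "*.com" matches nothing, because no real domain contains "*".
    """
    for kind, value in table:
        if kind == "ip" and ip.startswith(value):
            return True
        if kind == "domain" and sender_domain:
            d, v = sender_domain.lower(), value.lower()
            if d == v or d.endswith("." + v):
                return True
    return False


def rbl_verdict(ip: str, sender_domain: Optional[str], zones: Sequence[str],
                table: ExcludeTable,
                resolve: Callable[[str], List[str]]) -> Tuple[Optional[str], Optional[str]]:
    """Return (zone_that_listed_it, answer), or (None, reason).

    The exclude table is consulted first, so a white-listed sender passes
    even when an RBL lists it.  resolve(name) returns the A records for
    name, or [] when the name does not exist.
    """
    if excluded(ip, sender_domain, table):
        return None, "excluded"
    for zone in zones:
        listed = [a for a in resolve(dnsbl_query_name(ip, zone)) if a.startswith("127.")]
        if listed:
            return zone, listed[0]
    return None, None


def live_resolve(name: str) -> List[str]:
    """Real resolver for production use (needs network): A records or []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


# Constructed DNS answers standing in for a real RBL zone.
SAMPLE_DNS = {
    "7.113.0.203.bl.example": ["127.0.0.2"],   # 203.0.113.7 listed as an open relay
}


def sample_resolve(name: str) -> List[str]:
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["bl.example"]
    # listed host, no exclusions -> blocked by bl.example
    print(rbl_verdict("203.0.113.7", "mail.example.net", zones, [], sample_resolve))
    # same host, but its domain is in the exclude table -> passes
    print(rbl_verdict("203.0.113.7", "mail.example.net", zones,
                      [("domain", "example.net")], sample_resolve))
    # unlisted host -> passes
    print(rbl_verdict("198.51.100.9", None, zones, [], sample_resolve))
```

Swap sample_resolve for live_resolve to query a real list. Note that at the SMTP-level stage only the IP address is known, so a domain entry in the exclude table can only help once the message (and with it the sender address) has been received.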

At the bottom of each warning message you find information about which service blocked the message and what caused the block (IP address or domain name). That's the information you need to apply an exclusion. Simply go back to OPTIONS -> SPAM, click on Exclude, select the type and enter the information.

Blocking Words

I usually set a few text and header blocks to start with. The text block is located under Admin -> Options -> Blocking -> Text. You will find familiar options. Be aware that you are dealing with strings, not words: the string SOME also matches AWESOME, SOMEONE, SOMETIMES and so on. If you want to block just the word SOME you must enter (space)some(space). This eliminates AWESOME and the like, although it also misses SOME at the very start of a line or directly followed by punctuation.

Be careful with wildcards. The ? often works better than a badly thought-out *.

Wildcards have to be implemented with caution too. There is no problem with the wildcards themselves; it is we who get them wrong. I added v*i*a*g*r*a to my strings, just to find out it blocked many messages with no sign of viagra. Instead it looked for any message containing these six letters in that order, with anything at all in between, as it should; I just did not think. To catch the spaces or filler characters some spammers insert between the letters, what I needed was one ? between each letter, v?i?a?g?r?a, which only allows a single character in each gap.
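The two pitfalls above (substrings versus words, and * versus ?) reproduced in code, as an added example that is not part of the original page or of Xwall: a small matcher with the semantics the page describes, run over constructed messages. Assumptions: a block string matches anywhere in the text, case-insensitively, * stands for any run of characters including none, and ? for exactly one character; Xwall's actual matcher may differ in details the page does not state.

```python
"""How Xwall-style text blocks match: substrings and wildcards.

Added example, not Xwall code.  Assumptions: a block string matches
anywhere inside the message text, case-insensitively; "*" stands for
any run of characters (including none) and "?" for exactly one
character.  The sample messages are constructed.
"""
import re
from typing import List


def block_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a block string into a regex with the semantics above."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def matches(pattern: str, text: str) -> bool:
    return block_to_regex(pattern).search(text) is not None


def blocked_by(patterns: List[str], text: str) -> List[str]:
    """All block strings that fire on this text."""
    return [p for p in patterns if matches(p, text)]


# Constructed messages.
HAM = "Awesome news: someone from the vegetable import agency will rate our annual report."
SPAM = "Buy v.i.a.g.r.a today, cheap!"

if __name__ == "__main__":
    # "some" hits AWESOME and SOMEONE; " some " needs the standalone word.
    print(matches("some", HAM), matches(" some ", HAM))       # True False
    # v*i*a*g*r*a only needs the six letters in order, so the harmless
    # message fires: v-egetable i-mport a-gency ... g ... r-ate ... a-nnual.
    print(blocked_by(["v*i*a*g*r*a", "v?i?a?g?r?a"], HAM))   # ['v*i*a*g*r*a']
    # one "?" per gap catches the dotted spelling and leaves HAM alone ...
    print(blocked_by(["v*i*a*g*r*a", "v?i?a?g?r?a"], SPAM))  # both
    # ... but not the plain word, which needs its own block string.
    print(matches("v?i?a?g?r?a", "viagra"))                   # False
```

Two things the run makes visible: (space)some(space) does not fire on a line that starts with "Some", and v?i?a?g?r?a does not fire on the plain word, so under these assumptions the unobfuscated spelling still needs its own entry.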

Also note the exclude tab. You use it to exclude domains, IPs and email addresses from the block you implemented.

Allow your contacts to send you email.

Automatic whitelisting is a new feature available in Xwall version 3.27. This feature automatically adds the email address of every outgoing message to the exclude list. The reasoning behind this idea is that if you send email to someone, it's likely that you want them to be able to reply. You do not have to implement this feature to receive email from your contacts, but if you find many of them listed with the RBLs you're using, it will allow them to send you mail. While this may be no issue if you're using SpamCop, it may be a very welcome feature with more aggressive RBLs like Osirusoft or even Wirehub. Keep in mind that an exclude entry keyed on an email address is only as strong as the sender address, which spammers can forge; it is a convenience trade-off, not a security control.

If you use aggressive RBL lists the automatic whitelist can help.

Over Kill

Sometimes a certain block works in some situations and not in others; logically, Xwall still includes these block options. Take the PTR lookup as an example. It sounds like a great feature; however, about 40% of the ISPs in the US will not resolve some of their IP addresses. This may not be the case in other countries. For US sites, I recommend not using this option unless your email senders are known contacts who don't have that problem.

I estimate 40% of ISPs in the US do not resolve a PTR request.

In a few cases, the MX/A record lookup can cause problems too. In general, I recommend starting out with just a few filters and blocks, concentrating on eliminating false positives, and then going from there.

Next week

The Bayesian filter is a great help in the fight against SPAM. Its success depends totally on you understanding the filter and on the principle "garbage in, garbage out": if it is fed spam it filters out SPAM; if you feed it false positives, it will filter out good mail. To avoid this problem, just follow the guidelines above. Do not start this filter when you first set up Xwall; wait until you have a good handle on things. You don't need to catch all the SPAM, but you do not want a lot of good mail identified as SPAM. Once you're at this point you can enable the Bayes filter learn mode.

The Bayesian filter learns from the SPAM the other filters catch.

You have to catch SPAM before it can learn.

The learn mode reads all the messages declared SPAM and automatically builds its own database. The default settings are fine in almost all situations. I usually let it learn for 5-10 days before I start the full filter. The active Bayes filter then reads every message and grades it according to its probability of being SPAM. The scale is 1-100; you simply set the break point. Usually 70%-80% works well. Again, there are 3 steps involved in a successful implementation of the Bayes filter:

  1. You need to learn about the Bayes Filter
  2. You need to have other filters working right.
  3. The Bayes filter needs to learn from the SPAM
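A toy version of what the learn mode and the active filter do, as an added example (my code, not Xwall's implementation or its database format): it learns token statistics from messages labelled SPAM or good, scores a new message on the 1-100 scale, and applies a break point. The corpora are constructed, and demo_garbage_in() shows the "garbage in, garbage out" effect from the paragraph above: after three copies of an ordinary report e-mail are learned as SPAM, a harmless message's score jumps.

```python
"""A minimal Bayesian spam filter, in the spirit of Xwall's Bayes mode.

Added example, not Xwall's implementation.  Scores are on the page's
1-100 scale and the break point defaults to 75 (the 70-80% range the
page suggests).  The tiny training corpora are constructed; a real
deployment learns from the mail the other filters catch.
"""
import math
import re
from collections import Counter
from typing import Set, Tuple

TOKEN = re.compile(r"[a-z0-9$]+")


def tokens(text: str) -> Set[str]:
    """Unique lower-cased word tokens of a message."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self) -> None:
        self.spam_docs = Counter()   # token -> number of spam messages containing it
        self.ham_docs = Counter()    # token -> number of good messages containing it
        self.nspam = 0
        self.nham = 0

    def learn(self, text: str, is_spam: bool) -> None:
        """Learn mode: count the message's tokens under spam or good."""
        counter = self.spam_docs if is_spam else self.ham_docs
        for t in tokens(text):
            counter[t] += 1
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_spamminess(self, t: str) -> float:
        """P(spam | token) with add-one smoothing and equal class priors."""
        p_t_spam = (self.spam_docs[t] + 1) / (self.nspam + 2)
        p_t_ham = (self.ham_docs[t] + 1) / (self.nham + 2)
        return p_t_spam / (p_t_spam + p_t_ham)

    def score(self, text: str) -> float:
        """Spam probability in percent; tokens are combined in log-odds space."""
        logit = 0.0
        for t in tokens(text):
            p = self.token_spamminess(t)
            logit += math.log(p) - math.log(1.0 - p)
        return round(100.0 / (1.0 + math.exp(-logit)), 1)

    def is_spam(self, text: str, breakpoint: float = 75.0) -> bool:
        return self.score(text) >= breakpoint


# Constructed corpora: what the other filters caught vs. normal office mail.
SPAM_CORPUS = [
    "cheap pills order now free shipping",
    "make money fast click here",
    "lowest price mortgage refinance now",
    "free offer click now buy cheap",
]
HAM_CORPUS = [
    "meeting moved to thursday please confirm",
    "attached is the quarterly report draft",
    "can you review the budget spreadsheet",
    "lunch on friday with the client team",
]


def train_default() -> BayesFilter:
    f = BayesFilter()
    for m in SPAM_CORPUS:
        f.learn(m, True)
    for m in HAM_CORPUS:
        f.learn(m, False)
    return f


def demo_garbage_in() -> Tuple[float, float]:
    """Garbage in, garbage out: learn a false positive (an ordinary report
    e-mail labelled spam, three times) and watch a good message's score climb."""
    probe = "please review the attached report"
    f = train_default()
    before = f.score(probe)
    for _ in range(3):
        f.learn("quarterly report attached please review", True)
    return before, f.score(probe)


if __name__ == "__main__":
    f = train_default()
    for msg in ("free cheap pills click now", "please review the attached report"):
        print(f"{f.score(msg):5.1f}%  spam={f.is_spam(msg)}  {msg}")
    print("false-positive training moves a good message from %.1f%% to %.1f%%" % demo_garbage_in())
```

With these corpora the spam probe scores 99.5% and the report e-mail 1.5%; after the three mislabelled messages the report e-mail climbs to 34.5%. Three more would push it over the 75% break point, which is why the page says to fix false positives in the other filters before turning learn mode on.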

Do not end up on a RBL list

Please realize that Xwall takes the place of your Exchange server or SMTP mail server when talking to the outside world. Therefore, SMTP relaying is now handled by Xwall. By default this relay is disabled. If there is a need to open the relay, Xwall can accommodate several options. I use authentication (NTLM) in most cases. You can also set a range of IP addresses that are allowed to relay, especially if relaying is only needed inside your LAN. The syntax for the range 192.168.1.1 - 192.168.1.255 is "192.168.1." (without the quotes, trailing dot included). Several addresses or ranges can be entered. In addition, you can limit the relay to a domain (host).

Better safe than sorry. Only implement a relay if you need it.

Test your SMTP relay now
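The relay decision and a relay test, as an added example (my code, not Xwall's): relay_allowed() models the options described above, and probe_relay() does what "Test your SMTP relay now" asks for, an SMTP session that tries RCPT TO for a foreign domain and reports whether the server accepted it. Assumptions: the dotted-prefix range syntax from the paragraph above, a successful SMTP AUTH as the authentication signal, and example.org/example.net as constructed foreign domains. The probe opens a real connection, so run it only against your own server.

```python
"""Relay decision in the style of the Xwall options, plus a relay probe.

Added example, not Xwall code.  Assumptions: the IP-range syntax is the
dotted prefix the page describes ("192.168.1." = 192.168.1.0-255);
`authenticated` is True after a successful SMTP AUTH (NTLM on the page);
`local_domains` are the domains Xwall delivers inbound for.  The probe
opens a real SMTP session to a host you name, so point it only at your
own server.
"""
import smtplib
from typing import Sequence


def relay_allowed(client_ip: str, authenticated: bool, rcpt_domain: str,
                  relay_prefixes: Sequence[str] = (),
                  local_domains: Sequence[str] = ()) -> bool:
    """Would this RCPT TO be accepted?

    Mail for our own domains is delivery, not relaying, so it is always
    accepted.  Everything else is relaying and needs either SMTP AUTH or
    a client address inside one of the configured prefixes.  With no
    prefixes configured and no AUTH nothing relays, which is the safe
    default the page recommends.
    """
    rcpt_domain = rcpt_domain.lower()
    if any(rcpt_domain == d.lower() or rcpt_domain.endswith("." + d.lower())
           for d in local_domains):
        return True
    if authenticated:
        return True
    # Plain string prefixes, as in the Xwall syntax.  Keep the trailing dot:
    # "192.168.1" would also cover 192.168.10.x and 192.168.100.x.
    return any(client_ip.startswith(p) for p in relay_prefixes)


def probe_relay(host: str, port: int = 25, mail_from: str = "probe@example.org",
                rcpt_to: str = "relaytest@example.net", timeout: float = 10.0) -> bool:
    """Return True if `host` accepts a recipient it is not responsible for.

    Uses an envelope sender and recipient in domains the server should not
    handle (example.org / example.net here, constructed).  Nothing is ever
    sent: the session is reset after RCPT.  Some servers defer the check to
    DATA, so a False here is a good sign but not a proof.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return False
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()
        return code in (250, 251)


if __name__ == "__main__":
    import sys
    prefixes, local = ["192.168.1."], ["example.com"]
    print(relay_allowed("203.0.113.5", False, "example.com", prefixes, local))  # True: inbound delivery
    print(relay_allowed("203.0.113.5", False, "gmail.com", prefixes, local))    # False: stranger relaying
    print(relay_allowed("192.168.1.77", False, "gmail.com", prefixes, local))   # True: LAN prefix
    print(relay_allowed("192.168.10.77", False, "gmail.com", prefixes, local))  # False: outside the prefix
    if len(sys.argv) > 1:
        print("open relay:", probe_relay(sys.argv[1]))
```

Run the probe from outside your LAN (otherwise a LAN prefix may legitimately allow the relay) and expect a 5xx answer to the RCPT TO; a 250 means anyone on the Internet can send through you, and the RBLs you set up above will soon list you.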

Keep an eye on things

The Xwall screen shows the latest few lines of the current log. The last line, however, shows statistical information. While installing and tweaking Xwall you should keep an eye on this "bottom line". A buildup in the message queues can announce trouble to come. If you serve 2000 users, a queue of 200 messages is not much of a concern; if you only serve 50 users, you want to look into it. These are some of the settings and situations which cause problems:

  • DNS server not resolving external addresses properly
  • DNS request gets stopped at your firewall
  • You opened the SMTP relay to everybody and spammers flood you
  • Xwall can't find the exchange server
  • You send back all the SPAM messages (not recommended) and have not adjusted the retry time-outs

The stats codes on the bottom of the Xwall screen show the following values:

Sent = Sent messages
Recv = Received messages
S-O = SMTP outbound queue
S-I = SMTP inbound queue
E-O = Exchange outbound queue
E-I = Exchange inbound queue
Con = Connection count

3rd draft - June 15th 2003

Questions? E-mail info@ceratec.net or call (512) 285-2620
