What are MailMarshal SMTP anti-spam best practices?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

  • What are MailMarshal anti-spam best practices?
  • Does Trustwave Technical Support suggest key ways of filtering unwanted e-mail?
  • How do I block more spam?
  • How do I block spam that uses images?

Suggestions:

Trustwave MailMarshal (SEG) is capable of maintaining a 99.5% Spam catch rate against all spam, including image-bearing spam.

Some simple configuration can help to maximize the catch rate. Below are some suggestions.

For more detailed information, review the technical reference Trustwave Anti-Spam and Anti-Malware Basics. You can obtain this document from the MailMarshal SMTP documentation page.

Use the latest version:

Each major release of Trustwave SEG provides more advanced anti-spam capabilities. For instance, version 7.3 includes a significant update to the SpamProfiler service.

  • Note: Upgrading does not alter any rules or implement new technologies automatically. After upgrading you should review the rules and if necessary update the anti-spam rule conditions and actions as recommended below.

Use automatic updates:

SpamCensor and SpamProfiler are updated automatically. Ensure that the updates are working.

  • SpamCensor requires HTTP and HTTPS access from the Array Manager.
  • SpamProfiler requires HTTP (and in some versions HTTPS) access from processing nodes.
  • For information on how to verify that updates are working, see Trustwave Knowledgebase article Q12992.

Use recommended basic rules:

Trustwave recommends that every MailMarshal installation should have the following six rules enabled. If these rules are enabled, and MailMarshal is able to automatically update SpamCensor and SpamProfiler, you can expect excellent anti-spam performance from MailMarshal.

  • The listing below is updated with rules in current supported versions.
  • These rules are already present, and most are enabled by default, in new installations of Trustwave SEG, but it is always worth confirming that they have not been changed or disabled. If you have upgraded from an earlier version, you should consider using these rules instead of the older default rules. To see the detailed definitions of these rules, see the white paper MailMarshal Anti-Spam and Anti-Malware Basics or the "default rules" documents, available from the MailMarshal SMTP documentation page.
  • The rules use two quarantine folders: Spam – Confirmed and Spam – Suspected. Where a message is detected as spam by multiple methods, there is a higher degree of confidence that it is spam. You may want to provide end-user review of messages in the Spam – Suspected folder.

Content Analysis Rule: Block Spam - SpamBotCensor AND SpamProfiler

When a message arrives
Where message is incoming
Where message is detected as spam by SpamProfiler (Spam, Spam Bulk Mail, Virus, Virus High) and SpamBotCensor
Move the message to 'Spam - Confirmed' with release action "skip to next policy group"

Content Analysis Rule: Block Spam - SpamCensor AND SpamProfiler

When a message arrives
Where message is incoming
Where message is detected as spam by SpamProfiler (Spam, Spam Bulk Mail, Virus, Virus High) and SpamCensor
Move the message to 'Spam - Confirmed' with release action "skip to next policy group"

Content Analysis Rule: Block Spam - SpamProfiler

When a message arrives
Where message is incoming
Where message is detected as spam by SpamProfiler (Spam, Spam Bulk Mail, Virus, Virus High)
Move the message to 'Spam - Suspected' with release action "skip to next policy group"

Standard Rule: Block Spam - SpamBotCensor

When a message arrives
Where message is incoming
Where message is detected as spam by SpamBotCensor
Move the message to 'Spam - Suspected' with release action "skip to next policy group"

Content Analysis Rule: Block Spam - SpamCensor

When a message arrives
Where message is incoming
Where message is detected as spam by SpamCensor
Move the message to 'Spam - Suspected' with release action "skip to next policy group"

Content Analysis Rule: Block Spam - Marshal RBL Blacklisted

When a message arrives
Where message is incoming
Where message is categorized as 'Marshal Blacklisted'
Move the message to 'Spam - Suspected' with release action “skip to next policy group”

Maximize the performance of anti-spam rules:

  • Allow Internet servers to connect directly to MailMarshal.
    MailMarshal will block more Spam if you use MailMarshal as the first hop for SMTP connection coming from the Internet. Some key anti-spam features depend on the external spamming source to connect directly to MailMarshal. In addition to the obvious features affected, like DHA, DoS, and Receiver-based RBL checks, there is a much less obvious detrimental effect of placing MailMarshal behind another SMTP relay host. Some very accurate, high-scoring SpamCensor rules depend on MailMarshal being connected directly to the Internet.
  • Beware of excessive exclusions.
    A common cause of problems is that too many addresses, even whole domains, are excluded from the anti-spam process.
    • Check and prune global allow lists. Global allow lists should be used sparingly.
    • Do not exclude your own domain from anti-spam incoming rules.
    • Trustwave recommends that you allow users to maintain personal safe sender lists through the SQM website. Rules to use these lists are enabled by default in the default rules.

Maximize your DNS blocklist hit rates

  • Use a good IP Blocklist.
    The main qualities required from a blocklist, or RBL, are a good hit rate, low false positive rate, and high availability.
    • Trustwave maintains the Marshal IP Reputation Service, a RBL based on automated and manual data input and available exclusively to MailMarshal customers.
    • In addition to the Marshal IP Reputation Service, Trustwave recommends Spamhaus RBL, specifically zen.spamhaus.org. Spamhaus has consistently high quality, and it is free to organizations with low email volume (but please read the Terms and Conditions before using any Spamhaus lists).
       
  • Use your RBLs correctly.
    Most installations should use RBLs as Connection Policy (Receiver) rules.
    • This is a change from earlier recommendations. Previously we recommended using RBLs in Content Analysis rules for most installations. However, experience shows that customers encounter more false positives with Content Analysis rules due to checking too many IP addresses. Also the Spamhaus PBL (included in Zen) is designed to be used ONLY for the connecting IP.
      • If you cannot allow external mail servers to connect directly to MailMarshal, you may need to use RBLs in a Content Analysis rule, because you can control which IP addresses are checked.
      • If you want to experiment with RBLs in Content Analysis rules, review the anti-spam technical documents mentioned below and in particular the "skip" keywords.
    • For more information on troubleshooting RBLs, see the Trustwave Knowledge Base article Q10737: "SpamCop or Spamhaus is not blocking any Spam." For additional details, review the documents Anti-Spam Configuration and Anti-Spam Advanced.

Use other spam blocking techniques

Some administrators have good results using the following techniques.

  • Use URLCensor
    MailMarshal URLCensor can parse a message in order to extract URLs and Web links. MailMarshal then takes the top-level domains found in those links and performs a query against a URL Blocklist - by default using the SURBL blocklist (see www.surbl.org). The default rules include URLCensor rules. These rules are not enabled by default as they require some customization.
  • Use Administrator Maintained keyword lists.
    Consider blocking e-mail based on specific words. This is typically not an option for the universal SpamCensor rules. For example, Trustwave cannot publish a rule which blocks the word "viagra" in the subject line, given that many of our customers are drug and health companies. Your company may be able to block based on specific words.

Deprecated techniques

  • URLCensor by IP functionality is no longer recommended due to excessive false positives.
  • CountryCensor is no longer recommended as the database of country IP addresses is not currently being updated.

Notes:

  • Many advanced options are available.
    Administrators with some technical ability can take advantage of the many custom configuration settings available in MailMarshal. For more information, see the white paper MailMarshal Anti-Spam Configuration. You can obtain this white paper from the MailMarshal SMTP documentation page.
  • Image Spam is included.
    MailMarshal's spam identification techniques work equally well against image spam. No special configuration is required.
This article was previously published as:
NETIQKB50568

Last Modified 3/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle10810.aspx