Xwall configuration suggestions
The Xwall Spam filter offers a wide variety of filters and
blocks. Understanding these options is important for
success. This page shows the initial setup we use at our
local client sites. It can help you get your Xwall up and
running in a short time. Of course, Xwall has many more
filters and options. These are described in detail in the
Xwall online manual. We strongly recommend reading the
manual in order to set up Xwall tailored to your situation.
The online manual always reflects the latest enhancements
and changes.
1. Actions
Most Xwall filters allow you to set different actions.
Depending on your environment you may choose the option
that fits best. Here are a few examples. If you have
ESATInformer you want to set all filters to DISCARD. That
keeps the spam out of your mail server, but blocked messages
are still retrievable with ESATInformer.
If you want to route the mail in the users' Outlook you
should choose "Mark subject", and you may want to set all
markings to the same mark, e.g. [SPAM]. You can do that
under XWallAdmin->View->Advanced Configuration.
If you have also purchased the XWall add-on Xwallfilter,
you can set the action to move the message to the Junk
Mail folder. However, you will need Exchange 2003 for that,
and you will carry all the spam into your Exchange.
Blocking on SMTP level causes Xwall to refuse the message.
This action saves bandwidth, but the messages are not
retrievable since they were never received.
Encapsulated messages are typically forwarded as an
attachment. This method may be used if the admin wants to
review all spam and may choose to forward some with the
original FROM line.

2. Automatic Filters
XWallAdmin->Options->Spam
Spam RBL relay list implementation: Keeping spam out of
your company's email system is an effort utilizing many
different approaches. Lists of spam relays, known as RBLs,
are one of the tools available to you. These RBL lists are
updated in real time and can make a dent in the spam flood.
RBL lists are compiled of open SMTP relays found all over
the Internet. An open SMTP relay can be used by spammers to
send out their spam messages by the millions. Xwall takes
the IP and/or domain name of the sender and compares it to
the RBL lists you have implemented. Xwall is equipped with
an exclude table (white list) to allow specified domains or
IP addresses to pass even if they are caught by the RBL
list. This Xwall feature makes the implementation of the RBL
services much more useful.
To set up this filter start the Xwall Admin. Go to OPTIONS
-> Spam. Check the first flag and click on ADD COMMON. This
will add 3 popular relay services. If you have a proxy in
front of Xwall you may need to check position #3, since your
proxy is the sender rather than the other SMTP server. Xwall
operates more effectively if it communicates directly with
the sending SMTP server.
SMTP level blocking: Xwall allows you to block messages on
SMTP level. Here are a few things to consider.
SMTP blocking conserves your bandwidth. Xwall blocks if the
connecting server is on an RBL list; it never allows the
message to be sent. Since Xwall does not receive the
message, it is more difficult to exclude senders: you need
to exclude the host or IP address rather than an email
address.
Position #4 allows you to choose the action for this filter
if it finds a spam message. If you use ESATInformer you
should set the action to discard.
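Here is an added example of how an RBL lookup with an exclude table works. It is not XWall's code and not from Dataenter: the zone names, the listed addresses and the resolver are made up so that it runs offline, and reading the exclude table entries as IPs or CIDR ranges is an assumption.

```python
"""RBL (DNS blocklist) lookup with an exclude table.

Added example, not XWall's own code. The connecting server's IP is reversed
and looked up as a host name under each RBL zone; an answer means "listed".
The exclude table (IPs or CIDR ranges) is checked first so a known sender
passes even if a list has caught it. Zone names, listed IPs and the
resolver below are constructed for this demo.
"""
import ipaddress
from typing import Callable, Iterable, Optional, Sequence, Tuple

# Constructed sample data: which IPs each (made-up) RBL zone lists.
FAKE_ZONE_DATA = {
    "zone-a.example": {"203.0.113.5", "198.51.100.77"},
    "zone-b.example": {"198.51.100.77"},
}


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, zone appended.
    203.0.113.5 against zone-a.example -> 5.113.0.203.zone-a.example"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup (constructed). Real RBLs answer with an
    address in 127.0.0.0/8 for listed hosts and NXDOMAIN otherwise."""
    for zone, listed in FAKE_ZONE_DATA.items():
        suffix = "." + zone
        if name.endswith(suffix):
            ip = ".".join(reversed(name[: -len(suffix)].split(".")))
            return "127.0.0.2" if ip in listed else None
    return None


def is_excluded(ip: str, exclude_table: Iterable[str]) -> bool:
    """Exclude table entries are single IPs or CIDR ranges. At SMTP level
    only the connecting host is known, so e-mail addresses cannot be used
    here (which is why the page says to exclude the host or IP)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in exclude_table)


def rbl_verdict(ip: str, zones: Sequence[str], exclude_table: Iterable[str],
                resolve: Callable[[str], Optional[str]] = fake_resolve
                ) -> Tuple[str, Optional[str]]:
    """Return ("pass", None) or ("listed", zone_that_listed_it)."""
    if is_excluded(ip, exclude_table):
        return ("pass", None)
    for zone in zones:
        if resolve(rbl_query_name(ip, zone)) is not None:
            return ("listed", zone)
    return ("pass", None)


if __name__ == "__main__":
    zones = ["zone-a.example", "zone-b.example"]
    print(rbl_verdict("203.0.113.5", zones, []))
    print(rbl_verdict("198.51.100.77", zones, ["198.51.100.0/24"]))
```

When a proxy sits in front of Xwall (position #3 above), the address handed to rbl_verdict() is the proxy's own IP, so every message gets the same answer; that is the reason the page prefers Xwall talking to the sending server directly.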
XWallAdmin->Options->Spam->Greylisting
This is a very effective filter. It is easy to activate, but
you need to know your email environment. The idea is simple.
The greylisting filter looks at each triplet received. A
triplet is the From address, the To address and the host.
The first time Xwall sees the triplet it temporarily refuses
it. The second time it lets it pass. However, most spammers
will not resend email. In order to implement greylisting you
need to make sure that all mail goes through XWall and there
is no unprotected backup mail server. If there is a backup
server, the mail will simply go around Xwall to the backup
server.
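The triplet logic described above, as an added example that is not XWall's own code: the first attempt for an unknown (sender, recipient, host) triplet gets a temporary SMTP failure, the retry is accepted. The expiry of entries that are never retried is an assumption added so the table does not grow forever; the traffic in the demo is constructed.

```python
"""Greylisting on the (sender, recipient, connecting host) triplet.

Added example, not XWall's own code. A triplet seen for the first time gets
a temporary SMTP failure (4xx); a legitimate MTA queues the message and
retries, and the retry is accepted. Spam tools that never retry are lost.
The expiry of unanswered entries is an assumption added so the table does
not grow without bound.
"""
import time
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[str, str, str]  # (mail_from, rcpt_to, connecting host/IP)

TEMP_FAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    def __init__(self, expire_after: float = 4 * 3600):
        self.first_seen: Dict[Triplet, float] = {}
        self.expire_after = expire_after

    def check(self, mail_from: str, rcpt_to: str, host: str,
              now: Optional[float] = None) -> str:
        """Return the SMTP reply for one delivery attempt."""
        now = time.time() if now is None else now
        key = (mail_from.lower(), rcpt_to.lower(), host)
        first = self.first_seen.get(key)
        if first is None or now - first > self.expire_after:
            # Unknown (or long-forgotten) triplet: refuse temporarily, remember it.
            self.first_seen[key] = now
            return TEMP_FAIL
        # Seen before within the window: the sender retried, let it through.
        return ACCEPT


def simulate(attempts: List[Tuple[float, str, str, str]]) -> List[str]:
    """Run a list of (time, from, to, host) attempts through one greylist."""
    gl = Greylist()
    return [gl.check(f, t, h, now=ts) for ts, f, t, h in attempts]


if __name__ == "__main__":
    # Constructed traffic: a real MTA retries after 10 minutes, a bot never does.
    replies = simulate([
        (0, "alice@partner.example", "bob@ourco.example", "198.51.100.10"),
        (600, "alice@partner.example", "bob@ourco.example", "198.51.100.10"),
        (5, "junk@bulk.example", "bob@ourco.example", "203.0.113.77"),
    ])
    print(replies)
```

The third attempt in the demo never comes back, which is the whole effect of the filter. It also shows why a backup MX without greylisting defeats it: the bot would simply deliver the same message there and the backup would forward it past Xwall.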

XWallAdmin->Options->Spam->SURBL
This is a different type of blocklist service. Xwall scans
your message for links. It gets the IP address of the
destination and submits this address to the SURBL service.
That hurts the spammers' pocketbook.

XWallAdmin->Options->Spam->Bayes filter
The Bayesian filter is another module in the fight against
spam. While not as effective as it once was, the Bayes
filter still catches spam. Its success depends totally on
you understanding the filter and on the principle "garbage
in, garbage out!": if it gets fed with spam it filters out
spam. If you feed it with false positives, it will filter
out good mail. To avoid this problem, just follow the
guidelines above. Do not start this filter when you first
set up Xwall. Wait until you have a good handle on things.
You don't need to catch all the spam, but you do not want a
lot of good mail identified as spam. Once you're at this
point you can enable the Bayes filter learn mode (Enable
gathering).

The learn mode will read all the messages declared spam and
automatically build its own database. The default settings
are fine in almost all situations. I usually let it learn
for 5-10 days before I start the full filter. The active
Bayes filter then reads every message and grades it by its
probability of being spam. The scale is 1-100. You simply
set the break point. Usually 70-80 works well. If you don't
like to guess, ESATInformer will show you exactly where
your breaking point is.
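To make the learn mode, the 1-100 scale and the break point concrete, here is an added example of a small Bayes filter. It is not XWall's implementation: the training messages are constructed, and the add-one smoothing and the log-odds scoring are a standard naive-Bayes choice, not what Xwall does internally. It also shows the "garbage in, garbage out" case: teaching one good message as spam pushes the score of a similar good message up.

```python
"""Bayes filter: learn mode, a 1-100 spam score and a break point.

Added example, not XWall's own code. A gathering phase counts words in
known spam and known good mail; the scoring phase turns word frequencies
into a probability on a 1-100 scale; a break point (70-80 on the page)
decides. Training messages are constructed; smoothing and scoring are a
standard naive-Bayes choice, not XWall's internals.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text: str):
    return TOKEN.findall(text.lower())


class BayesFilter:
    def __init__(self):
        self.spam_words = Counter()
        self.ham_words = Counter()
        self.spam_msgs = 0
        self.ham_msgs = 0

    def learn(self, text: str, is_spam: bool) -> None:
        """Learn mode ("Enable gathering"): count words per class."""
        words = tokenize(text)
        if is_spam:
            self.spam_words.update(words)
            self.spam_msgs += 1
        else:
            self.ham_words.update(words)
            self.ham_msgs += 1

    def score(self, text: str) -> int:
        """Spam probability as an integer from 1 to 100."""
        vocab = len(set(self.spam_words) | set(self.ham_words))
        if vocab == 0:
            return 50  # nothing learned yet: no opinion
        n_spam = sum(self.spam_words.values())
        n_ham = sum(self.ham_words.values())
        # Start from the class prior, then add each word's log likelihood
        # ratio (add-one smoothing so an unseen word does not zero the product).
        log_odds = math.log((self.spam_msgs + 1) / (self.ham_msgs + 1))
        for w in tokenize(text):
            p_spam = (self.spam_words[w] + 1) / (n_spam + vocab)
            p_ham = (self.ham_words[w] + 1) / (n_ham + vocab)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(-700.0, min(700.0, log_odds))  # keep exp() in range
        prob = 1.0 / (1.0 + math.exp(-log_odds))
        return max(1, min(100, round(prob * 100)))

    def is_spam(self, text: str, break_point: int = 75) -> bool:
        """The break point is the 70-80 setting the page talks about."""
        return self.score(text) >= break_point


def build_trained_filter() -> BayesFilter:
    """Filter trained on a constructed corpus (the gathering phase)."""
    f = BayesFilter()
    for msg in ["cheap pills buy now", "buy cheap watches now", "free pills free offer"]:
        f.learn(msg, is_spam=True)
    for msg in ["meeting agenda for monday",
                "please review the attached purchase order",
                "project status report monday"]:
        f.learn(msg, is_spam=False)
    return f


def garbage_in_demo():
    """Score of a legitimate message before and after a good message was
    wrongly taught as spam (the false positive case the page warns about)."""
    f = build_trained_filter()
    probe = "new purchase order attached"
    before = f.score(probe)
    f.learn("please review the attached purchase order", is_spam=True)
    return before, f.score(probe)


if __name__ == "__main__":
    f = build_trained_filter()
    print(f.score("buy cheap pills now"), f.score("please review the agenda for monday meeting"))
    print(garbage_in_demo())
```

garbage_in_demo() is the reason the page says to wait before enabling the filter: one mis-filed purchase order roughly triples the score of the next purchase order, and with a low break point that is a false positive you taught the filter yourself.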
XWallAdmin->Options->Global Exclude->Automatic Whitelist
Exclude known senders: Automatic whitelisting automatically
adds the email address of every outgoing message to the
exclude list. The reasoning behind this idea is that if you
send email to someone, it's likely that you want them to be
able to reply. You do not have to implement this feature to
receive email from your contacts. But if you find many of
them listed with the RBLs you're using, it will allow them
to send you mail.
You can use a company-wide whitelist or keep a separate list
for each user. The separate whitelist prevents an
out-of-control user from negatively affecting the filtering
for the entire company.
In order for the automatic whitelist to work, the outgoing
mail MUST be processed by XWall.

3. Manual Blocking and Excludes
XWallAdmin->Options->Blocking->Email addresses
Block From Email: All manual blocks are found under
XWallAdmin->Options->Blocking. Xwall looks at domain and
email addresses from right to left. That means if you type
in COM, all domains with .COM will be affected. Yahoo.com
will affect all emails from yahoo.com. Do not use *.com; it
would only affect *.com, which equals nothing since * is not
a legal domain character. To affect an entire domain use
@thisdomain.com. The block or exclude will then be specific
to that domain only.

XWALLAdmin->Options->Blocking->Text
Blocking Text and Words: I usually set a few text and header
blocks to start with. The text block is located under
XWallAdmin->Options->Blocking->Text. You will find familiar
options. You need to be aware of the fact that you are
dealing with strings. Please consider that the string SOME
will apply to words like AWESOME, SOMEONE, SOMETIMES and so
on. If you want to block just the word SOME you must enter
(space)some(space). This will eliminate the inclusion of
AWESOME and so on.
Be careful with wildcards. The ? often works better than a
badly implemented *.
Wildcards have to be implemented with caution too. While
there is no problem with them, it's us who will get it
wrong. I added v*i*a*g*r*a to my strings just to find out
it blocked many messages with no sign of viagra. Instead it
looked for any occurrence of these characters, as it should.
I just did not think. To catch the spaces or filler
characters some of these spammers use, I needed to type in
v?a?g?r?a.
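The two matching rules above (right-to-left address entries in the Email addresses block, substring and wildcard entries in the Text block) are easy to get wrong, so here is an added example that models both and lets you try an entry against sample text before you add it. It is not XWall's code: reading an address entry as "the address ends with the entry", and reading ? as exactly one character and * as any run of characters, are assumptions drawn from the page's examples; the addresses and sentences are constructed.

```python
"""Right-to-left address matching and substring/wildcard text blocks.

Added example, not XWall's own code. address_matches() models the
right-to-left comparison the page describes for the Email addresses
block (an entry matches when the address ends with it); text_matches()
models the Text block as a case-insensitive substring search in which
'?' stands for exactly one character and '*' for any run of characters.
Both readings are assumptions drawn from the page's examples.
"""
import re


def address_matches(entry: str, address: str) -> bool:
    """'com' matches everything ending in com, 'yahoo.com' everything ending
    in yahoo.com, '@thisdomain.com' only that exact domain. '*.com' matches
    nothing, because '*' never occurs in a real address."""
    return address.lower().endswith(entry.lower())


def text_pattern_to_regex(entry: str) -> re.Pattern:
    parts = []
    for ch in entry:
        if ch == "?":
            parts.append(".")       # one arbitrary character
        elif ch == "*":
            parts.append(".*")      # any run of characters, including none
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def text_matches(entry: str, text: str) -> bool:
    """Entries are substrings: 'some' hits AWESOME, ' some ' only the word."""
    return text_pattern_to_regex(entry).search(text) is not None


def explain(entry: str, samples):
    """Which of the samples an entry would block; useful for trying an entry
    on a few known-good sentences before putting it in the blocking list."""
    return [s for s in samples if text_matches(entry, s)]


if __name__ == "__main__":
    innocent = "very interesting agenda for grand reopening in april"
    # '*' spans whole words, so the innocent sentence is blocked too:
    print(explain("v*i*a*g*r*a", [innocent, "v.a.g.r.a"]))
    # '?' stands for one character, so only the filler spelling is hit:
    print(explain("v?a?g?r?a", [innocent, "v.a.g.r.a"]))
```

Note that with the one-character reading of ?, v?a?g?r?a hits only the filler spellings and not the plain word, and that an address entry without a leading @ or dot (thisdomain.com) also matches sub.thisdomain.com and notthisdomain.com, which is exactly why the page tells you to write @thisdomain.com.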
XWallAdmin->Options->Global Exclude->Text
TEXT EXCLUDE: Xwall can exclude email addresses, IPs, hosts,
subjects and text. I like the text option and typically add
a "password". It can be anything unusual. So when a user
comes to you claiming Joe has been sending him mail all
morning and he does not get it, advise him to have Joe add
the "password" to the text. The text exclude is also useful
to make sure you get that "purchase order".

XWallAdmin->Options->Blocking->Verify
Verify Email: Two things you need to consider when using
VERIFY blocks. These are SMTP blocks. No retrieval of
messages is possible since they were never received. I
personally stay away from PTR and verifying the sender's IP.
These blocks are powerful but will result in a few false
positives.
The VERIFY the SENDER uses an ADDRESS block is an acceptable
risk these days. It will stop the reverse NDR attacks and
all other NDRs for that matter. Fewer and fewer mail servers
actively send out NDRs these days. Instead, most of them
refuse messages for unknown users on SMTP level; therefore
the sending server takes care of the NDR.

XWallAdmin->Options->Blocking->Recipient
The VERIFY USER block is one you should consider. It refuses
messages to unknown users on SMTP level. That means the
sending server will notify the sender that the message was
not delivered. In addition, it will keep out all the spam
randomly generated by some spammers. To implement the block
you need to export your Exchange user list. You can use
Exchimp.exe or LDAPimp.exe. You find both utilities in the
Dataenter download section. If you do not have an Exchange
server you can try this script. The imported file needs to
be in the XWall folder. I recommend placing the script in
the Xwall folder. Once you have run it, check in XWallAdmin.
Instead of importing the user database you can use the
external program LDAPQuery. It checks the Active Directory
for the user. If you use special routing addresses, make
sure they are part of your Active Directory or use the
manual option.

In a few cases, the MX A record lookup can cause problems
too. In general, I recommend starting out with just a few
filters and blocks, concentrating on eliminating false
positives and then going from there.
4. Things to consider
Do not end up on an RBL list
Please realize that Xwall takes the place of the Exchange
server or your SMTP mail server when talking to the outside
world. Therefore, the SMTP relay is now handled by Xwall. By
default this relay is disabled. If there is a need to open
the relay, Xwall can accommodate several options. I use
authentication (NTLM) in most cases. You can also set a
range of IP addresses that is allowed to relay, especially
if the relay is only needed inside your LAN. To allow a
range of addresses to relay, the syntax for the range
"192.168.1.1 - 192.168.1.255" would be "192.168.1."
(without the quotes). Several addresses or ranges can be
entered. In addition, you can limit the relay to a domain
(host).
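The relay rule above is the one setting that can land you on an RBL list yourself, so here is an added example of a default-deny relay check with an audit of the allow entries. It is not XWall's code: the "192.168.1." range syntax is the page's, but treating a trailing-dot entry as a range, a four-octet entry as a single host, and rejecting anything else (such as "192.168.1" without the dot) rather than guessing are assumptions; the sample IPs are constructed.

```python
"""Outbound relay allow-list: authenticated clients or listed IP ranges.

Added example, not XWall's own code. The relay stays closed unless the
client authenticated (the page uses NTLM) or its IP falls under an allow
entry. "192.168.1." (trailing dot) is the page's syntax for 192.168.1.1-255;
mapping that to a network, treating a full address as one host and
rejecting malformed entries are assumptions. Sample IPs are constructed.
"""
import ipaddress
from typing import Iterable, List


def entry_to_network(entry: str) -> ipaddress.IPv4Network:
    """"192.168.1." -> 192.168.1.0/24, "10." -> 10.0.0.0/8,
    "192.168.1.5" -> 192.168.1.5/32. Anything else (for example "192.168.1"
    without the dot) is rejected rather than guessed at."""
    octets = entry.rstrip(".").split(".")
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad entry: {entry!r}")
    if len(octets) == 4 and not entry.endswith("."):
        return ipaddress.ip_network(entry + "/32")
    if entry.endswith(".") and 1 <= len(octets) <= 3:
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")
    raise ValueError(f"{entry!r}: a range needs a trailing dot, e.g. '192.168.1.'")


def relay_allowed(client_ip: str, authenticated: bool, allow_entries: Iterable[str]) -> bool:
    """Default deny: only authenticated clients or listed addresses may relay."""
    if authenticated:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in entry_to_network(e) for e in allow_entries)


def audit_entries(allow_entries: Iterable[str]) -> List[str]:
    """Warnings for entries that are malformed or open more than a /24.
    Run this over the configured list before enabling the relay."""
    warnings = []
    for entry in allow_entries:
        try:
            net = entry_to_network(entry)
        except ValueError as err:
            warnings.append(str(err))
            continue
        if net.num_addresses > 256:
            warnings.append(f"{entry!r} opens {net} ({net.num_addresses} addresses)")
    return warnings


if __name__ == "__main__":
    allow = ["192.168.1."]
    print(relay_allowed("192.168.1.20", False, allow))   # LAN host: True
    print(relay_allowed("192.168.10.5", False, allow))   # other subnet: False
    print(relay_allowed("203.0.113.4", False, allow))    # Internet host: False
    print(audit_entries(["192.168.1", "10.", "192.168.1."]))
```

audit_entries() flags the two common mistakes: an entry that forgot the trailing dot (it does not describe a range at all) and a short prefix such as "10." that opens sixteen million addresses when only one subnet was meant.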
Keep an eye on things
The Xwall screen shows the latest few lines of the current
log. The last line, however, shows statistical information.
While installing and tweaking the Xwall operation you should
keep an eye on the "bottom line". A buildup in the message
queues can announce troubles to come. Of course, if you
serve 2000 users, 200 messages in the queue would not be
much of a concern. However, if you only serve 50 users you
want to look into it. These are some of the settings and
situations which will cause problems:
- DNS server not resolving external addresses properly
- DNS requests get stopped at your firewall
- You did open the SMTP relay to everybody and spammers
flood you
- Xwall can't find the Exchange server
- You send back all the spam messages (not recommended) and
have not adjusted the retry time-outs
The stats codes on the bottom of the Xwall screen show
the following values:
Sent = Sent messages
Recv = Received messages
S-O = SMTP outbound queue
S-I = SMTP inbound queue
E-O = Exchange outbound queue
E-I = Exchange inbound queue
Con = Connection count
LOGview
If you run XWall as a service you will notice the absence of
the blue log window. Do not run the Admin program to view
the activities. Instead, download LOGview from the Dataenter
site.
ESATStatus
If you run LOGview you will notice that the queue information
is missing. Since that is important information for many
users we developed a program called ESATStatus. It will
display the queue status on the server or any remote system
of your choice.
ESATInformer
ESATInformer, designed for XWall, virtually eliminates the
"false positive" problem. Daily reports are sent to the
email system administrator and all selected users. These
reports summarize the spam problem and list each user's
blocked messages. Using these reports, users can request
delivery of any false positives. The request is handled
automatically, with a summary report sent to the email
administrator. With the "false positive" problem out of the
way, the XWall spam filters can be tightened to all but
completely eliminate spam.
ESATInformer ANALYSIS: You can get a daily report with bar
graphs showing you how effective XWall is. Did you ever
consider that the percentage of spam on the weekend
sometimes hits 100%? ESATInformer will show you every Monday
how well your filters are doing.