
Xwall setup question 1

Status
Not open for further replies.

jdulac

MIS
Jan 5, 2002
63
US
I've been running X-wall for about 6 months now. I can't seem to beat this problem. I am stopping about 75% of the spam, mostly through blocked words in the subject and in the body. And I use the two free spam lists that are set up automatically in Xwall. But this is like a full-time job with adding words every day. I've read on prior posts that a lot of you are at 95-98% blocking. Can someone tell me what I can do to get better results? I have just started my whitelist. I know this is not an Xwall forum, but I have read that a lot of you are using it, so I thought someone may be able to help. Thanks.
 
One word of advice - for the first little while when you are blocking the following, set the action to either "encapsulate and forward to postmaster" or "mark subject". I prefer the "encapsulate" option because then you're not relying on your users to report what is and isn't legit spam. From my experience they can't be bothered and just delete it if it isn't legit and don't let you know if it is legit. If at all possible avoid using "send non-delivery report...". In our case it's important that any potential clients or casual contacts know that their email has been bounced, so we allow NDRs under some of the options.

I also recommend implementing only a few changes at a time. It has taken us 9 months (plus 1 month in the test phase before we went "live") to configure XWall so that it stops over 99% of all spam. It is very time intensive the first couple of months, but now it's down to no more than an hour a week plus the time I spend checking the logs.

First thing: Import your GAL into XWall and under Options ->spam on the Verify tab check the last box "check that the recipient e-mail address is in the address list". Don't forget that when you add a new mailbox you need to add the address, and when you delete a mailbox you need to delete the address.

Here is what we have:

1. Under Options ->Blocking

-Block as many level 1 attachments as you can
-Block any attachments related to a virus once the virus reaches a level 3 threat on Symantec's web site
-Block all exploits
-When blocking text also block links to web sites contained within spam emails (i.e.
-Under the header tab block the country extension (ie .br is Brazil) for countries which shouldn't be sending you email. You'll find the full list here:
-Under the envelope tab we have all except the BCC option checked.
-Look up and block IP ranges for countries from which you receive only spam. Check the box that says "also look up IP addresses in the message header".
-Under email addresses block as many countries as you can (ie .br for Brazil) using the link above as a reference. Also block known domains (ie @gotlaughs.com)

Under Options ->spam

-Have the two free spam lists that are setup automatically in Xwall block the message transfer at the SMTP level
-Activate your Bayes filter (this probably stops 10% - 20% of the spam by itself). We use Gary Robinson's message with a threshold of 70.
-Under Envelope we have all except the BCC checked

Under Options ->system

-Remove the flags from inbound messages
-Make sure you allow relay only from reserved IP addresses, otherwise you will be an open relay.

Under Options ->Global Exclude we have all checked EXCEPT Attachment, Exploit, and Internal from. These take effect even for addresses on the whitelist.

Hope this helps.

Cheers.
 
cmeag,
Thanks for your help. I just have one question. How do I block text in a link? There is a lot of spam that uses fake links that contain the words I have excluded.
 
Just type the link as you would a text block, i.e. to block text block nemedsolutiondirect.com.

Also, remember that XWall reads all blocks from right to left when looking for a match (sex will block MSexchange unless you put a space before and after sex). Ditto for email addresses - don@xxx.com will also block brandon@xxx.com unless you put a space in front of don@xxx.com.

Cheers.
 
Sorry, I think I misread your question. I find blocking text and subject the least effective. However, to block a link like removal instructions type removal instructions as the text block but include a space before removal AND after instructions.

Cheers.
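As an added example (not XWall's code and not from any poster in this thread), the following Python models the plain substring matching cmeag describes, to show why an unpadded block term over-blocks and what the space-padding trick does and does not catch. That the match is a case-insensitive substring search is an assumption drawn from the "sex will block MSexchange" remark; the sample subjects and addresses are constructed.

```python
# Model of XWall-style block-list matching as described in the thread:
# a block term fires if it occurs anywhere in the field, so "sex" hits
# "MSexchange" and "don@xxx.com" hits "brandon@xxx.com". Case-insensitive
# substring search is an assumption, not documented XWall behaviour.

def matches_block(term: str, text: str) -> bool:
    """True if the block term occurs anywhere in text (case-insensitive)."""
    return term.lower() in text.lower()


def first_hit(blocks, text):
    """Return the first block term that fires on text, or None if none do."""
    for term in blocks:
        if matches_block(term, text):
            return term
    return None


def audit(blocks, samples):
    """Dry-run a block list against constructed samples before going live:
    returns {sample: term_that_fired_or_None} so over-broad terms show up
    as false positives instead of bounced legitimate mail."""
    return {s: first_hit(blocks, s) for s in samples}


# Constructed sample subjects (not real mail).
SUBJECTS = [
    "MSexchange migration plan",      # legitimate, contains "sex" inside a word
    "Hot sex offer",                  # spam, word surrounded by spaces
    "Sex sells!",                     # spam, word at start of subject
    "Removal instructions below",     # spam phrase, capitalised
]

UNPADDED = ["sex"]        # over-blocks: matches inside "MSexchange"
PADDED = [" sex "]        # only matches when spaces sit on both sides

if __name__ == "__main__":
    for label, blocks in (("unpadded", UNPADDED), ("padded", PADDED)):
        print(label, audit(blocks, SUBJECTS))
    # Address blocks behave the same way (right-hand substring match).
    print(matches_block("don@xxx.com", "brandon@xxx.com"))   # True: false positive
    print(matches_block(" don@xxx.com", "brandon@xxx.com"))  # False: padded term
```

Note the caveat the audit surfaces under this model: " sex " no longer hits "MSexchange", but it also misses "Sex sells!" because there is no leading space at the start of the subject, so padding trades false positives for a few misses.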
 
I have set up the options that you suggested. But there are a lot of false positives getting blocked with both options under the envelope tab (The message was not sent from the official MX of the domain) and even more false positives with (The message has a faked from address (envelope From: address doesn't match message From: address)).

Did you guys just keep adding exceptions? We get a lot of mass mailers from brokers on real estate listings.

Also, my first question was about when I get a spam message with a paragraph that is a link. Is there any way to get it to check the words in the link?

Thanks again for your help in this annoying issue.
 
I'll post here so that others can see the replies but for ease in communicating (I see my emails a lot faster than I see TT posts) I'll email you separately. Feel free to email me back but I will post both question and reply here for others who need the info. In case my email gets blocked by your spam filter my email address is acalvert at cpc dot com. I've excluded your email address from XWall so that your emails to me won't get bounced. :)

Because we've had XWall running for a while, our automatic whitelist has a lot of addresses in it, and when combined with the addresses in Global ->Exclude (exclude e-mail addresses tab) we get very few false positives.

Re the MX records - we don't exclude anyone from the MX records. We don't have mass mailers sending us email. What I would do is add the bulk mailers' email addresses (or a portion thereof if it changes frequently) to the Global ->Exclude (exclude e-mail addresses tab) and make sure that the Faked MX box is checked under the Global ->Exclude (exclude - options tab). Any that do accidentally get forwarded to postmaster, just forward them on to the intended recipient and add their email address to the white list.

Re the faked from: address - this isn't a major problem for us but I would do the same as with the MX records.

Re the blocking - you can't block a paragraph. Just take a key phrase from the link and block that instead.

Cheers.
 
One thing I don't think I mentioned. We had everyone export their contacts to csv files and then added them to Global ->Exclude (exclude e-mail addresses tab). It definitely cuts down on the false positives.

Cheers.
 