SpamWall Operations Manual

How the SpamWall Works

The SpamWall Spam Firewall system provides an integrated Anti-Spam and Anti-Virus solution offering complete email protection at the network perimeter level, before unwanted or potentially dangerous and costly email reaches your network or mail server.

The design of the SpamWall Spam Firewall system leverages open source Anti-Spam and Anti-Virus solutions in conjunction with a number of additional filtering and defense layers to detect and filter out Spam and other unwanted email messages along with Viruses and other potentially dangerous attachments.

Filtering and defense layers and methods employed include Connection Control and Validation, IP/Domain RBL Blocking, Virus scanning with archive decompression, Spam Fingerprint Checking, and a comprehensive rule-based Spam Scoring System incorporating Content Analysis (Heuristics) and Bayesian Analysis.

This multi-layer Spam and Virus Filtering Technology results in a highly accurate Spam and Virus detection rate without filtering legitimate email.

This diagram provides a graphic representation of how email is processed by the SpamWall system.

SpamWall Email Filtering Process

When an email message is received by the SpamWall system it is subjected to multiple layers of email filtering and defense. First, the system runs several connection control and validation tests to determine whether connecting mail servers are valid sources of Internet email.

Connection Control/Validation

These tests include the verification of parameters such as the "MAIL FROM" address as well as the HELO/EHLO domain information. The system also performs reverse DNS lookups for each message to ensure that the domain associated with the sender address is valid and resolving.

RBL/Blacklist checks

RBL/Blacklist checks are then carried out to see if the IP address or domain of the connecting sender is associated with a known Spam sender, open mail relay or other recognized source of Spam and/or Virus laden email. The SpamWall system features local blacklisting capabilities that allow you to specify any IP address, domain or email address to reject connections or email messages from.

Connections from blacklisted IP addresses, domains or email addresses are rejected immediately. This results in reduced load on your SpamWall system and on the receiving email server as well as increased capacity for the expedient processing of other email.
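The local blacklist and RBL checks described above, as an added example (not SpamWall's own code). The zone `rbl.example.org`, the blacklist entry and the function names are hypothetical, and the resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket

# Hypothetical values: the manual does not name the RBL zones it queries.
RBL_ZONE = "rbl.example.org"
LOCAL_BLACKLIST = {ipaddress.ip_network("203.0.113.0/24")}  # constructed entry
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def rbl_query_name(ip, zone=RBL_ZONE):
    """Build the DNS name queried for an address (reversed octets or nibbles)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6: one label per hex nibble of the fully expanded address.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def default_resolver(name):
    """Return the A record for name, or None if the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def connection_verdict(ip, resolver=default_resolver):
    """Return (action, reason) for a connecting client IP."""
    addr = ipaddress.ip_address(ip)
    # Local blacklist first: it needs no DNS round trip.
    if any(addr in net for net in LOCAL_BLACKLIST):
        return ("reject", "local blacklist")
    answer = resolver(rbl_query_name(ip))
    # A listing answers inside 127.0.0.0/8. Any other answer (for example a
    # wildcard or parked zone) is not a listing. Some lists reserve addresses
    # in this range for status codes; check the list's documentation.
    if answer and ipaddress.ip_address(answer) in LISTED_RANGE:
        return ("reject", "listed in " + RBL_ZONE + " (" + answer + ")")
    return ("continue", "not listed")
```
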

Anti-Virus Scanning

Email messages which make it past the Connection Control and Validation stage and which pass all RBL/Blacklist checks are then subjected to Anti-Virus scanning.

All email messages are checked against a database of over 200,000 virus definitions. The SpamWall Spam Firewall system automatically receives Virus definition updates up to several times per hour, providing up-to-the-minute defense against the latest virus and worm threats and ensuring effective and accurate virus protection.

If a virus or other dangerous attachment is detected the SpamWall system will disinfect or "defang" the contents of the email and send the message to the system quarantine. The SpamWall system administrator may then decide if suspect attachments should be stripped/cleaned and then forwarded with notification to the end user recipient or automatically deleted from the quarantine at a set interval.

Whitelisting/Delivery

Email messages that make it past the Connection Control and Validation, RBL/Blacklisting and Virus Scanning stages are then checked to see if they are contained in the system Whitelist. A "whitelisted" email address or domain is an address or domain from which email is always accepted regardless of how it scores with respect to Spam or other undesirable content. If a message is associated with an email address or domain contained in the system Whitelist it is “passed clean” and delivered immediately to the intended recipient.

Spam Scanning and Filtering

The Spam Scanning and Filtering engine on the SpamWall Spam Firewall incorporates an extensive rule-based scoring system which determines whether a particular e-mail message is Spam or not-Spam.

The SpamWall system examines the content of each message received and assigns it a "Spam level" score according to how much it "looks like" Spam based on a comprehensive set of rules and algorithms derived from analyzing millions of known Spam messages.

Thousands of rules are run against every email message in the space of a few milliseconds. A complex algorithm optimizes the rule-based scoring by using an archive of millions of Spam and non-Spam messages to determine the scores for the individual rules. When combined, these individual scores give each email an overall "Spam Scoring Level".

When a potential Spam message is detected by the system the message is either "tagged" with the "[SPAM?]" type tag and forwarded on to the recipient, or blocked from delivery. Appending the "[SPAM?]" tag to the subject line makes it easy for end users to identify email detected as Spam.

The action taken depends on the "Tag" and "Action/Kill" level scores which have been configured in the Spamfilter Config screen of the SpamWall control panel, either at the main system or individual email user level as applicable. Any messages scoring below the "Tag Level 1", which is the level at which a message is determined unlikely to be Spam, will be "passed clean" and immediately forwarded on to the end user recipient.

Messages which score above the "Tag Level 2", which is the level at which a message is considered to be probable Spam, will be identified as probable Spam by appending the "[SPAM?]" type tag to the "Subject" line and changing the "X-Spam-Status" tag from "No" to "Yes".

Messages which score above the "Action/Kill Level", the level at which a message is considered to be almost definitely Spam, will be sent to the System Quarantine.
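The whitelist override and the three score levels described above, as an added example (not SpamWall's own code). The function names and action labels are hypothetical; placing the tag at the start of the Subject and delivering the band between Tag Level 1 and Tag Level 2 without a tag are assumptions, since the manual does not specify either.

```python
from email.message import EmailMessage

SPAM_TAG = "[SPAM?]"


def band(score, tag1, tag2, kill):
    """Map a score to the band the manual describes."""
    if not tag1 <= tag2 <= kill:
        # Misordered levels would make one of the bands unreachable.
        raise ValueError("need Tag Level 1 <= Tag Level 2 <= Action/Kill Level")
    if score > kill:
        return "quarantine"
    if score > tag2:
        return "tag"
    if score < tag1:
        return "clean"
    # Assumption: the manual does not say what happens between Tag Level 1
    # and Tag Level 2 (or exactly at a level); this example delivers such
    # mail without the tag.
    return "unspecified"


def apply_disposition(msg, sender, score, levels, whitelist=frozenset()):
    """Return the action taken and rewrite msg headers for delivered mail."""
    sender = sender.lower()
    if sender in whitelist or sender.rpartition("@")[2] in whitelist:
        return "clean"                    # whitelist overrides the score
    action = band(score, *levels)
    if action == "quarantine":
        return action
    del msg["X-Spam-Status"]              # discard any sender-supplied value
    msg["X-Spam-Status"] = "Yes" if action == "tag" else "No"
    subject = str(msg.get("Subject", ""))
    if action == "tag" and not subject.startswith(SPAM_TAG):
        del msg["Subject"]                # replace rather than duplicate
        msg["Subject"] = f"{SPAM_TAG} {subject}"  # tag position is assumed
    return action
```
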

In its default configuration the SpamWall system is designed to minimize false positives (legitimate email messages being identified and blocked as Spam). With no additional configuration or tuning the false positive rate is typically less than 0.1%, or less than one in every 10,000 email messages processed by the system.

In addition to Spam Scoring Level control the Spam Scanning and Filtering Engine on the SpamWall system also incorporates a number of automatic "self-tuning" and "auto-learning" mechanisms including Bayesian Analysis and Learning which are able to automatically increase accuracy and sensitivity of the system over time.

Altogether these layers form a smart filtering technology which in its default "out of the box" configuration is able to detect and block or tag up to 98% of all Spam and other unwanted email messages processed by the system. This detection rate can be further improved by the automatic self-tuning and learning mechanisms built into the SpamWall system as well as by adjustments made to the Spam Scanning and Filtering Engine.

More information on how the SpamWall works and what advanced features and configuration options are available can be found in the SpamWall Control Panel Overview section of this guide.

 
