this sets the maximum size to which the log file for this module will be allowed to grow, in kbytes
number
1 - 32000 kbytes
1024 kbytes
SPFLogMaxSize=1024
SPFLogHistory
this sets the number of archived log files you wish the module to maintain
number
1 - 32 files
3 files
SPFLogHistory=3
SPFLogFlushSize
this sets at what size the log file will be flushed to disk, in kbytes. If trouble-shooting set this to 0, set it higher for maximum performance
number
1 - 64 kbytes
2 kbytes
SPFLogFlushSize=2
SPFLogFlushPeriod
this sets when the log file will be flushed to disk, in seconds. If trouble-shooting set this to 0, set it higher for maximum performance
number
1 - 600 seconds
15 seconds
SPFLogFlushPeriod=15
Action
This setting allows an override to any individual settings for SPAM blocking rules. If you do not wish to block any SPAM you can turn off the Block checkbox, and any rules that attempt to block SPAM will then be downgraded to Marking SPAM. If neither Block nor Mark are set then SPAM email will mererly be stored, but also travel unhindered to your user email accounts: this can be useful when testing - you can see what would be blocked or marked as SPAM in the SPAM store but not actually block the email. Turning off Store means that SPAM will not be stored at all.
The settings perform the following actions:
List
The details of email that were identified as SPAM will be listed in the file SPAMList.log in the logs subdirectory of your installed product directory
List
The email that were identified as SPAM will be forwarded to the email address or mailbox specified in the Forward To setting below
Store
All email identified as SPAM and blocked or marked (not deleted!) will be stored in the SPAM store. The SPAM page shows you the list and allows manipulation of stored SPAM email
Mark
Email designated as SPAM (that match rules set to mark or exceed the marking threshold) will have their subject marked as configured: they will be stored in the SPAM store if store is checked. The SPAM page shows you the list and allows manipulation of stored SPAM email
Block
Email designated as SPAM (that match rules set to block or exceed the blocking threshold) will be blocked and not reach the original intended recipient: they will be stored in the SPAM store if store is checked. The SPAM page shows you the list and allows manipulation of stored SPAM email
Delete
Email designated as SPAM (that match rules set to delete or exceed the deleting threshold) will be deleted: they will not be stored in the SPAM store
flags
Store+Mark+Block+Delete
Action=Mark
ForwardTo
this sets the email address or mailbox to which to forward SPAM if the Forward action is checked
text
ForwardTo=detectedspam@example.com
ForwardTypes
You can optionally forward blocked and/or deleted spam to a designated address.
flags
Marked+Blocked+Deleted
ForwardTypes=Blocked
MarkStore
Storing marked email in the quarantine allows the administrator to better see where to set the Block thresholds,
email are sent to the original recipient(s) and a copy is also stored in the quarantine. This can also be used to allow users to whitelist marked email, and
there is an option under SPAM Blocker/Review to prevent marked email being resent.
bool
On/Off, True/False, Yes/No, 1/0
off
MarkStore=off
StoreExpiryLog
This can be useful for analysis of why a quarantine may be overflowing
bool
On/Off, True/False, Yes/No, 1/0
off
StoreExpiryLog=off
MarkPrefix
this sets the text used to prefix the subject line of the email if it is considered as SPAM. You can use the token <reason> to insert the reason the email was marked as SPAM into the subject at the location of the token
text
Potential spam:
MarkPrefix=Potential spam (<reason>):
Alert
Alert administrator via email if the store contains more than the configured number of SPAM email. It is recommended for performance reasons that the SPAM store is regularly reviewed and emptied in order that the number of email contained is less than 10,000. Use the Delete option of rules to immediately remove email that match rules that are totally reliable indicators of SPAM
bool
On/Off, True/False, Yes/No, 1/0
on
Alert=on
AlertAfter
Alert administrator via email if the store contains more than this number of SPAM email
number
1 - 5000 Email
10 Email
AlertAfter=50
ReapNum
This setting allows automatic deletion of spam when the maximum number to store is exceeded.
V4.0: DEPRECATED, see StoreMax
number
1 - 60000
50000
ReapNum=50000
Reap
This setting allows automatic deletion of SPAM when it has been in the quarantine for longer than the specified number of days
V4.0: DEPRECATED, see StoreReap
bool
On/Off, True/False, Yes/No, 1/0
off
Reap=off
ReapAgeDays
This setting allows automatic deletion of SPAM when it has been in the quarantine for longer than the specified number of days
V4.0: DEPRECATED, see StoreReapAgeDays
number
1 - 365 Days
10 Days
ReapAgeDays=4
CheckNumericalAddresses
this rule identifies email where the sender email address contains lots of numbers, typical of SPAM
This rule identifies email with an undisclosed sender address, sometimes the sender address is undisclosed in SPAM email, almost never with legitimate email
Some mailservers send out of office replies and NDRs from a blank sender address. SMTP therefore has to accept this. Email with blank senders that are not from your network OR Out Of Office replies or NDRs can be blocked as spam
This rule identifies email where the displayed From name tries to hide the actual email address using a displayed name of an email address that differs from the actual email address
such as "a@b.com" <x@y.com>
In some mail clients only display name part of the From address or reply to field is displayed. This can lead to confusion for users if they think the displayed name is correct but in fact hiding
a different email address. For example a spammer may sender an email from "Your CEO" . Use this setting to force the actual reply to and/or SMTP envelope sender address to be published in the displayed part of the from field of received email.
So for example the above becomes "Your CEO " making it clear that the "Your CEO" was spoofed.
bool
On/Off, True/False, Yes/No, 1/0
Off
FromReveal=Off
FromRevealTemplate
Use this template to decide how to reconstruct the displayed From field of the email. Possible tokens include:
- the original displayed name from the From MIME field
- the hidden From MIME field email address
- the SMTP envelope sender address
- the hidden Reply-To MIME field email address
- the hidden From email address if available, otheriwse the ReplyTo field otherwise the SMTP envelope sender
text
<disp> (<from>)
FromRevealTemplate=<disp> (<from>)
CheckSenderAddressInvalidChars
This rule identifies email where the sender address contains odd or invalid character sequences. Legitimate email addresses rarely contain such characters
This is the list of recipient email addresses that will be checked for SPAM. Leave this list blank to default to checking all incoming email. If you add any entries to this list, ONLY email to users that match an entry on the list will be checked for SPAM. Email to multiple recipients will not be checked for SPAM unless all recipients match an entry on this list.
This is the list of recipient email addresses that will NOT be checked for SPAM. Leave this list blank to default to checking all incoming email. If you add any entries to this list, email to users that match an entry on the list will NOT be checked for SPAM.
This is the list of IP addresses that are always allowed and NOT checked for SPAM. You can use CIDR notation, wildcards and ranges (e.g. 192.168.0.0/16, 192.168.0.0/16, 192.*.*.*, 192.10-50.*.*) or leave blank to disable this option. WARNING: it is NOT recommended that you enter *.*.*.* in this list as the SPAM blocking will be turned off FOR ALL EMAIL. Very wide wildcard ranges can also effectively disable the SPAM blocking for most email and are not recommended.
Typically the relay IP list specified in the SMTP Server is a list of trusted IPs so you can skip spam checking for those IPs using this switch.
There are some cases where you may want the IPs to relay, but still be scanned for spam, if so disable this option.
This is the list of email clients/mass-mailers that are SPAM blocked. You can use wildcards (e.g. *MIME::Lite*).
The defaults have been generated from statistics calculated over large volumes of SPAM. It is recommended that these are retained, but specific mailers that may cause incorrect blocking be removed over time.
You can optionally disable user white and blacklisting. This can be useful for diagnosing routing issues, debugging or if user whitelisting is not desireable
DEPRECATED: Automatically add any recipients of email from users within your company to the a list of users whose email will never be checked for SPAM. This helps prevent false-positives (email being marked/ blocked as SPAM when they are in fact not)
DEPRECATED: This is the list of email addresses that are never SPAM blocked. You can use wildcards (e.g. *@customername.com, myname@*.*). Remember that SPAM blocking is only performed on inbound or relayed mail, so there is no need to add your own domains to this list
You should not list your own domains in allowed senders as spammers spoof email from internal domains using MIME From field spoofing. Use this setting if you wish to allow whitelisting of your own domains for a specific reason.
bool
On/Off, True/False, Yes/No, 1/0
TRUE
RemoveDomainsFromAllowedSenders=TRUE
CheckWebBugs
This rule identifies email where a small image used to track receipt of the email is found. These webbugs are often found in SPAM and very rarely in other mail shots and email marketing, but never in 'normal' email
This rule identifies email where a pop-up windows are opened by the email on receipt. This is often a trick by SPAMmers to force users to view webpages (even the preview pane of an email client will pop open the window). Usually confined to SPAM email, but annoying in every case - so well worth blocking!
When a large image is detected forming the majority of the body of the email, the email will be designated as SPAM. This trick is often used by spam to avoid having any identifiable textual content in their email. Both single large images and multiple small images tiled to make up a large image are blocked. Almost certainly a good indication of spam!
When a large image is detected forming the majority of the body of the email, the email will be designated as spam. This trick is often used by spam to avoid having any identifiable textual content in their email. Both single large images and multiple small images tiled to make up a large image are blocked. Almost certainly a good indication of spam!
When an image is detected with the wrong type specified for its extenion or content type this rule is triggered. Almost certainly a good indication of spam!
When an image map is detected forming the majority of the body of the email, the email will be designated as spam. This trick is often used by spam to avoid having any identifiable textual content in their email. Image maps are very very rarely used by legitimate email.
Any email found to contain a hosted image url matching these expressions will be DELETED
text
ImgExpDelete=*.imagethrust.com*
GappyText
G-a-p-p-y text found in the email, this form of text is often used by spammers to foil spam blockers. As this practice is used to circumvent blocking: it is a highly reliable mechanism for detecting spam
G-a-p-p-y text found in the subject, this form of text is often used by spammers to foil spam blockers. As this practice is used to circumvent blocking: it is a highly reliable mechanism for detecting spam
Hash buster text found in the email subject, this form of text is often used by spammers to foil spam blockers. As this practice is used to circumvent blocking: it is a highly reliable mechanism for detecting spam
Numerical text (e.g Sc00l, 1esb1ans, y0ung, g1rls) found in the email, this form of text is often used by spammers to foil spam blockers. As this practice is used to circumvent blocking: it is a highly reliable mechanism for detecting spam
Suspicious comments found in the email, often used by spammers to foil spam blockers. As this practice is used to circumvent blocking: it is a highly reliable mechanism for detecting spam
Suspicious font coloring found in the email, often used by spammers to foil spam blockers. As this practice is used to circumvent blocking: it is a reliable mechanism for detecting spam
Suspicious font sizing found in the email, often used by spammers to foil spam blockers.
As this practice is used to circumvent blocking: it is a highly reliable mechanism for detecting spam
spam is often encoded into Base64 to hide readable content from filters. Content is always decoded before analysis but you can also use the fact it was encoded to block or weight the email
Suspicious URLs often indicate an email is spam. This may include very long numerical URLs, URLs containing an email address or URLs containing the word remove
This rule identifies email where a an embedded frameset is used to show HTML content in the email without the email containing the content itself. This is often used to allow spam to deliver is content undetected. It is almost never used today in legitimate email
Often spammers send email to lists in alphabetical order. Thus the list of recipients on the spam email will contain a large number of recipients all beginning with the same letter of the alphabet. Use this switch to instruct blocking of email of this type
The spam blocker will only spam check email less than this size. The size includes any attachments. Typically spam email are relatively small due to the volume spammers must send. It is more efficient to avoid processing the larger email as they are often not spam and take longest to check.
number
2 - 256000 Kbytes
2096 Kbytes
SPAMCheckMaxMessageSize=2096
SPAMCheckMessageUpTo
The spam blocker will only check up this amount of an email to work out if it is spam or not. Often only the first few parts of the email (the text and html parts) need be checked, so this setting can save processing the rest of the message. Typically you will not want to set this much higher than the default of 64kbytes
number
1 - 256000 Kbytes
64 Kbytes
SPAMCheckMessageUpTo=64
SPAMMarkThreshold
The spam Blocker pattern matching scores each email from 0% (almost certainly legitimate) to 100% (almost certainly spam). You can use this threshold to set the level above which email are Marked
number
5 - 100
35
SPAMMarkThreshold=40
SPAMBlockThreshold
The spam Blocker pattern matching scores each email from 0% (almost certainly legitimate) to 100% (almost certainly spam). You can use this threshold to set the level above which email are Blocked and optionally stored in the spam store
number
5 - 100
37
SPAMBlockThreshold=55
SPAMDeleteThreshold
The spam Blocker pattern matching scores each email from 0% (almost certainly legitimate) to 100% (almost certainly spam). You can use this threshold to set the level above which email are Deleted without being stored
number
5 - 100
95
SPAMDeleteThreshold=80
PatternMatchingEnable
Built-in sophisticated statistical pattern matching algorithms can be used to match and block spam. This is a highly accurate mechanism for filtering junk email offering high rates of spam identification, typically around 95% and very low false positive rates (the number of email incorrectly blocked): typically less than 1 in 2,000 email.
bool
On/Off, True/False, Yes/No, 1/0
on
PatternMatchingEnable=on
PatternMatchWords
This is a highly technical setting and should be left on the default. Varying this setting will alter the optimal thresholds required
number
15 - 256 words
55 words
PatternMatchWords=55
PatternMatchSexuallyExplicit
Sexually explicit or pornographic spam emails. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchSexuallyExplicit=On
PatternMatchAsian
spam in Asian fonts or scripts. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchAsian=On
PatternMatchBeauty
spam concerning self-improvement and beauty treatments. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchBeauty=On
PatternMatchCompetitions
spam telling you you've won or can enter competitions. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchCompetitions=On
PatternMatchCreditFinanceLoans
spam concerning refinancing, credit cards, loans, mortgages, and investments. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchCreditFinanceLoans=On
PatternMatchFinancePhishing
select
Off, Mark, On
On
PatternMatchFinancePhishing=On
PatternMatchFinancePumpNDump
select
Off, Mark, On
On
PatternMatchFinancePumpNDump=On
PatternMatchFinanceScams
select
Off, Mark, On
On
PatternMatchFinanceScams=On
PatternMatchFinanceWorkFromHome
select
Off, Mark, On
On
PatternMatchFinanceWorkFromHome=On
PatternMatchFreeStuffOffers
spam offering free products or services, or special offers or gifts. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchFreeStuffOffers=On
PatternMatchMoneyMaking
Get rich quick schemes, money making ideas and offers, and investment or stock price information. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchMoneyMaking=On
PatternMatchHealth
Health and wellness spam email. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchHealth=On
PatternMatchBusinessMarketing
spam offering business cards, company or email address lists. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchBusinessMarketing=On
PatternMatchSinglesDating
spam promoting singles and dating websites. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchSinglesDating=On
PatternMatchPharmacological
spam offering pharmaceutical products such as Viagra and HGH. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchPharmacological=On
PatternMatchRecruitment
spam promoting job or recruitment websites, or recruitment agency services. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchRecruitment=On
PatternMatchPrivacy
spam promoting privacy tools for PCs and Windows, such as hard-disk image removal products. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchPrivacy=On
PatternMatchSalesSavings
spam offering price reductions, sales or savings on goods and products. These subcategories of spam can be optionally turned off - so that although the email was considered spam, those that match this specific category can be allowed to pass through. This is useful if your company is operating in a business domain similar to one of the categories. Turn off any categories that cause incorrect email to be blocked, or are very similar to your business.
select
Off, Mark, On
On
PatternMatchSalesSavings=On
AutoretrainNonSPAMPatternMatcher
The pattern matching engine can learn about your email traffic. Enable this control to allow the pattern matching engine to automatically
learn about your email traffic from outbound messages and/or any emails you elect to send from the spam store. The engine is retrained every 250 email messages for efficiency, and is retrained
up to a maximum of 50,000 emails, more than sufficient to learn about your email traffic.
bool
On/Off, True/False, Yes/No, 1/0
on
AutoretrainNonSPAMPatternMatcher=off
DisallowInternetExpressionsContentAction
The action to take if an Internet updated disallowed content phrase is found. The list of phrases is automatically maintained and downloaded from the Internet update site
as required. These phrases and expressions very rarely give any false positives so blocking or deletion is recommended.
Any email found to contain any of these phrases will be marked as Potential spam or blocked completely. This allows you to block repetitive spam not blocked by any other options, based on phrases or wildcard matches, such as "v?agra". They are case insensitive.
text
get out of debt,not to receive e-mails,opted in * one of our partner sites,To opt out from future mailings,wish to be excluded,talking library out for the holidays,gayz,First t1me,Enter site here,Click here to be
DisallowPhrasesContent=Guaranteed to work!!!!
WeightPhrasesContent
Any email found to contain any of these phrases will be weigthed more heavily as spam. This allows you to weight phrases in spam. They are case insensitive.
text
reg(http://[0-9]+.[0-9]+.[0-9]+.[0-9]+./),million verified email addresses,to be removed from future mailings,To be removed from this list,government grants,guaranteed return,If you prefer not to receive e-mails,not to receive e-mails,opted in * one of our partner sites,penis,viagra,Vicodin,You are receiving this email because,ejacula,Create DVD,URGENT ASSISTANCE,CLEAR THIS MONEY,SUM OF * MILLION,Your funds are deposited,home based business,fCAN Spam Act,singles in your area,funds totalling,Order Online Now,Work from your ho,Work At Home Now,copy DVD,unsolicited commercial e-mail,100% risk free,special promotion,investment opportunity,Bank of Nigeria,CONFIDENTIAL*TOP SECRET,Government of Nigeria,F R E E,Bank Deposit paperwork,Nigerian
Government,Multi-level marketing,TRANSFER OF *SUM OF,funds totalling US
WeightPhrasesContent=Guaranteed to work!!!!
NeuralContent
You can enable a neural content structure matching algorithm. The neural algorithm is highly effective at matching the content structrues typically used by spammers to send emails.
The algorithm is designed to give almost no false positives, and a detection rate of around 40%, so combined with other techniques provides a great line of defence against spam that is difficult to block with other means.
You can choose to mark, block, weight or delete emails matched by the Neural content matching.
Threshold to use for Neural content matching. 45% gives a good catch rate (>65%) but may throw up some false positives. 75% will eliminate most false positives but catch closer to 37%
number
25 - 99 %
75 %
NeuralContentThreshold=75
DisallowInternetExpressionsURLAction
The action to take if an Internet updated disallowed url expression is found.
Any email found to contain a url that matches any of these expressions will be marked, blocked, or deleted according to your chosen block level for this rule.
This allows you to block repetitive spam not blocked by any other options, based on wildcard matches, such as *optinmarketing*. The matches are case insensitive.
You can use the * character to mean any characters and the ? character to mean a single character.
text
*xxx*.co.uk/*,*xxx*.com/*
DisallowPhrasesURL=*.example.com*
AllowPhrasesContent
Any email found to contain any of these phrases will pass straight through the spam blocking module unhindered. The phrases are case INSENSITIVE and apply to both the subject and the content of the email.
text
AllowPhrasesContent=A Partner Newsletter Title
DisallowInternetExpressionsSubjcetAction
The action to take if an Internet updated disallowed subject phrase is found.
This is the list of sender email addresses that will be blocked.
You can use wildcards (e.g. *@spammer.com, *@mailinglist.*) or leave blank for no specific blocked senders.
This is the list of sender email addresses that will be weighted.
You can use wildcards (e.g. *@spammer.com, *@mailinglist.*) or leave blank for no specific weighted senders.
This is the list of sender email addresses that will be marked.
You can use wildcards (e.g. *@spammer.com, *@mailinglist.*) or leave blank for no specific marked senders.
This is the list of sender email addresses that will be deleted.
You can use wildcards (e.g. *@spammer.com, *@mailinglist.*) or leave blank for no specific deleted senders.
This is the list of allowed email addresses that can email without spam blocking if their sender and IP address has been verified by SPF.
Remember that if you whitelist major ISPs and hacked accounts are used
to send spam or scam email then those email will get through unchecked. Only enable this for ISP domains where they take adequate precautions against scam and spam being sent
from their accounts. You can use wildcards (e.g. *@microsoft.com, *@gmail.*) or leave blank for no specific allowed verified senders.
You can also use <tld> to specify all top level domains,e.g *@amazon. = amazon.com amazon.net amazon.jp ...
You can also use <tldco> to specify all commercial top and second level domains,e.g *@amazon.<tld> = amazon.com amazon.net amazon.co.uk amazon.co.jp ...
You can also use <tldccco> to specify all commercial top and second level domains and country top level domains,e.g *@amazon. = amazon.com amazon.net amazon.jp amazon.co.uk amazon.co.jp ...
You can also use <tldcc> to specify all top level country code domains,e.g *@amazon.<tldcc> = amazon.jp amazon.de ...
You can also use <tldg> to specify all top level global base domains,e.g *@amazon.<tldg> = amazon.com amazon.org amazon.net ...
You can also use <tldext> to specify all top level global extended domains,e.g *@amazon.<tldext> = amazon.mobi amazon.info ...
You can also use <sldco> to specify all commercial second level domains,e.g *@amazon.<sldco> = amazon.co.uk amazon.co.jp ...
You can also use <sldgov> to specify all government and military second level domains,e.g *@tax.<sldgov> = tax.gov.uk tax.gov.hk ...
You can also use <sldorg> to specify all organizational second level domains,e.g *@antispam.<sldorg> = antispam.org.uk antispam.org.es ...
You can also use <sldedu> to specify all educational second level domains,e.g *@school.<sldedu> = school.ac.uk school.edu.za ...
DEPRECATED: Any email found to contain any of these phrases will be marked as Potential spam or blocked completely. This allows you to block repetitive spam not blocked by any other options, based on phrases or wildcard matches, such as "v?agra". They are case insensitive.
text
adv ,adv_,advadlt,big5,"Friend,",Lose up to,MILLION EMAIL ADDRESSES,Mortgage Approved,PENIS,VIAGRA
DisallowPhrasesSubject=Get rich today!!!!
DisallowPhrasesSender
Any email found to contain any of these phrases in the sender/ from address displayed will be marked as Potential spam or blocked completely.This allows you to block repetitive spam not blocked by any other options, based on phrases or wildcard matches, such as "specialoffers". They are case insensitive.
text
$,@adult,@bulkmail,@crosskirk,@e-mailpromo,@xxx,4free.,bizsupport,bounce,bwerbung@,ConsumerDirect,Great Deals,great*offers.com,himailer.com,internetads@,optin@,optout@,porn,remove@,sexcams,someonelikesyou,Tremendous Buys,unsub@,unsubscribe@,werbung@,SUB(C1alis),SUB(Levitra),SUB(R0lex),SUB(Genuine Pfizer),SUB(Casino King),SUB(Casino Golden Mummy),SUB(Royale-Casino),SUB(Royale Casino),SUB(RubyRoyal),SUB(Ruby Royal),SUB(shopMED),SUB(Viagra),SUB(DrugStore)
You can enable a neural sender address matching algorithm. The neural algorithm is highly effective at matching the email addresses typically used by spammers to send emails, and can operate even if the sender address changes for every email, a technique often used by spammers to foil spam blockers.
The algorithm is designed to give almost no false positives, and a detection rate of around 80%, so combined with other techniques provides a great line of defence against spam that is difficult to block with other means.
You can choose to mark, block, weight or delete emails matched by the Neural sender matching.
Threshold to use for Neural sender matching. 45% gives a good catch rate (>85%) but may throw up some false positives. 75% will eliminate most false positives but catch closer to 60%
number
25 - 99 %
80 %
NeuralSenderThreshold=80
Updates
Whether any update checks should be made for the spam patternmatchers and engine
bool
On/Off, True/False, Yes/No, 1/0
on
Updates=on
UpdateInterval
How often automatic update cehcks should be made for the spam patternmatchers and engine
number
1 - 168 hours
4 hours
UpdateInterval=4
UpdateHost
The HTTP server to use for updates: only change in consultation with Hexamail
text
updates.hexamail.com
UpdateHost=updates.hexamail.com
UpdatePort
The HTTP port to use for updates: only change in consultation with Hexamail
number
80
UpdatePort=80
WebUIEnable
You can optionally enable a web interface for users to review their spam themselves and either Accept or Delete it.
bool
On/Off, True/False, Yes/No, 1/0
On
WebUIEnable=On
WebUIResendMarked
Marked email is sent to the recipients AND optionally stored in the quarantine. You can disable resending of marked email
to allow users to whitelist marked email in the quarantine, but not have it resent as a duplicate.
Alternatively you can turn off storing of marked email under SPAM Blocker/Action
bool
On/Off, True/False, Yes/No, 1/0
On
WebUIResendMarked=On
WebUIFormat
text
text
WebUIFormat=text
WebUILog
You can optionally enable verbose logging of user quarantine actions, for example which email they choose to Accept or Delete.
bool
On/Off, True/False, Yes/No, 1/0
On
WebUILog=On
WebUIAlertUsers
You can optionally have emails automatically sent to users when they have more than a configurable amount of spam, or spam older than a specified number of hours, in their spam quarantine that requires review.
bool
On/Off, True/False, Yes/No, 1/0
Off
WebUIAlertUsers=Off
WebUIAlertUsersCount
Use this setting to configure the number of new spam emails that you wish trigger alerts to your users
number
1 - 1000 spam
5 spam
WebUIAlertUsersCount=5
WebUIAlertUsersIfOlder
Use this setting to configure the maximum age of spam emails in the quarantine used to trigger alerts to your users
number
1 - 240 Hours
24 Hours
WebUIAlertUsersIfOlder=24
WebUIAlertIOn
Use this setting to send immediate alerts to users when a spam is blocked with a reason matching an expression in the list. This overrides any count or interval for spam alerts
and issues a full spam alert when the email matching is blocked.
text
WebUIAlertIOn=*attachment*
WebUIAlertInterval
Users are only alerted again once they have checked their quarantine. However if they check their quarantine and do not clear it this setting allows the number of hours between successive alerts to be set.
Use 0 to indicate that you wish them to receive alerts as per the age and count settings.
The web interface is generated and served by Hexamail Server to save you needing another webserver or installation of web server scripts. The web interface can be explicitly bound to a NIC on your machine. Specify the network address or hostname of the network card you wish the web user interface to bind to. Typically you will want to leave this blank to ensure binding to the default network device. Setting this to 127.0.0.1 can render it impossible for users not on the machine to conncet to the machine. If you have two network cards in the machine, you may wish to set this to the IP of the network card you wish user to connect via (e.g. one card may be an external card and one may be connected to the internal network. If all your users are on the internal network you can use the internal network IP as this setting to prevent external access to the web interface)
text
WebUIPort
the port you wish the web user interface to bind to. If you are running on the same machine as a web server use a port other than port 80, if you are on a machine with no webserver, port 80 is the most convenient for users as it is the default used by browsers.
text
8080
WebUIPort=80
WebUIURL
The URL you wish to send to users for them to access the web interface. The URL sent to users should correspond to the host and port setup for the web interface. If for example you have set the Port to 8080 and the host is left blank (to bind to all/default NICs), then the URL should be http://hostmachinename:8080/ Remember that if external users are to manage their own spam then the URL specified must be accessible from outside your local network, and your firewall must be configured to allow incoming TCP (HTTP) connections to this machine on the chosen port. If you leave this setting blank, a URL will be automatically constructed from the machine's hostname and configured port. In some cases this will not be accessible by users outside of your local network, so you will need to specify this if sending alert emails to users external to your network.
You can use URL lookup DNS database servers to block spam containing hypertext links.
This helps to block very short emails only containing links or emails with large amounts of text used to prevent content blocking.
For more information please refer to http://www.surbl.org/ and http://www.spamhaus.org/
DEPRECATED: See combined DNS URL editor
the dns based url lists that are to be used to reject email
text
ChallengeEnable
If this setting is enabled an email is sent to the sender of any email blocked. The sender must then enter a code
into the web interface to allow their email to be unblocked. Their email address is then added to the recipient's whitelist.
Note that emails are still also shown in the quarantine for the recipient, and users can also unblock from their quarantine interface.
Challenge / Response systems are good at preventing spam from automatic mailers, while allowing legitimate human senders to unblock their own emails,
reducing the burden on your users. However, users must still check their quarantine from time to time in case legitimate email from automatic mailers
is blocked. We recommend using Challenge / Response in conjunction with the other anti-spam detection methods, and thus only sending challenges for emails
that look like spam, rather than to all emails. If however you wish to send challenges for all incoming emails from new senders, i.e a full Challenge / Response system, you
can simply reduce the match thresholds to low values: in this way most/all email will be blocked and challenges sent.
bool
On/Off, True/False, Yes/No, 1/0
Off
ChallengeEnable=Off
ChallengeSubject
This is the subject line of the email that will be sent to verify the sender. You can configure the contents of the email by editing the file webui/userspamchallengeemail.tmpl
text
Sender verification required
ChallengeSubject=Sender verification required
ChallengeSender
This is the sender email address used to send challenge emails. Use an address that is not used by any user, and is not an alias or other address at your company.
You can optionally delete all emails sent to this address, allowing you to effectively get rid of non delivery reports etc when challenges are sent to addresses that are inactive or faked by the spammer.
Use the token <domain> to automatically insert your configured primary email domain.
text
senderchallenge@<domain>
ChallengeSender=senderchallenge@<domain>
ChallengeSenderDelete
Challenges are sent for all blocked emails, and therefore some may end up being sent to email addresses that are inactive or do not allow replies.
In this case a non delivery report will be sent back. Use this option to DELETE ALL EMAILS sent to the challenge sender address.
bool
On/Off, True/False, Yes/No, 1/0
on
ChallengeSenderDelete=on
ChallengeWhitelist
Senders who verify themselves after a challenge can be added to a whitelist. Select which whitelist to add the sender to using this setting. You can select the global whitelist that applies to all emails, the user's whitelist that adds the sender only to the original recipients of the email whitelists, or you can not add senders to any whitelist. If you select None the sender will have to verify themself until they receive an outbound email from a user in your domain.
select
None, Global, User
Global
ChallengeWhitelist=Global
ChallengeServer
You can use this setting to have all challenge email sent via a different server. You may wish to do this to deal with large volumes of challenge emails and or to prevent your server being blacklisted for sending to non existent addresses, which may have been used by spammers and hence have challenges sent back to.
bool
On/Off, True/False, Yes/No, 1/0
false
ChallengeServer=false
ChallengeHost
The ip address or host name of the server used to send challenge email. Leave blank to use standard servers as configured in the SMTP relay
server_notconfigured
ChallengeHost=server_notconfigured
ChallengePort
The SMTP port of your the server used to send challenge email
25
ChallengePort=25
SndrExpWeight
Any email found to contain any of these phrases in the mailer field will be weighted higher as spam
Any email found to contain any of these phrases will not be marked, blocked or deleted regardless of other tests and measures.
text
SbjExpMark
Any email found to contain any of these phrases will be marked as spam
text
Online Banking,Verify Your Account
SbjExpMark=Online Banking,Verify Your Account
SbjExpBlock
Any email found to contain any of these phrases will be blocked as spam
text
Best Home Insurance,DebtFree,Male meds,SexPharm,BestViagra,sex meds,sex pills,ero-boosters,Medstore,Medicine shop,How to lose *lbs,How to get skinny,Losing*pounds,How to get thin,erection pills,erection cures,med-payments,ViagraCheapest,SAALE,International Casino,boost female drive,reg(v[!1ijlIJL|\\]+[a4oAO]gra),reg(tee+n+),wild(Valium Online*),Vicodin,reg(^Re: new [0-9][0-9]+$),reg(^Re: my [0-9][0-9]+$),Don`t miss*,*ukrain*ladies*,*ukrain*girl*,*ukrain*whor*,New * social network*,Sexy *,Today`s*,Tomorrow`s*
SbjExpBlock=Best Home Insurance,DebtFree,Male meds,SexPharm,BestViagra,sex meds,sex pills,ero-boosters,Medstore,Medicine shop,How to lose *lbs,How to get skinny,Losing*pounds,How to get thin,erection pills,erection cures,med-payments,ViagraCheapest,SAALE,International Casino,boost female drive,reg(v[!1ijlIJL|\\]+[a4oAO]gra),reg(tee+n+),wild(Valium Online*),Vicodin,reg(^Re: new [0-9][0-9]+$),reg(^Re: my [0-9][0-9]+$),Don`t miss*,*ukrain*ladies*,*ukrain*girl*,*ukrain*whor*,New * social network*,Sexy *,Today`s*,Tomorrow`s*
SbjExpDelete
Any email found to contain any of these phrases will be deleted
text
word(vigara),Hot med products,*sex*viag*,PENIS ENLARGEMENT,ENLARGEMENT PILLS,PENIS*PILLS,belly-fat,ED Pills,Stomachfat,Pure Pharmacy,C I A L I S,L E V I T R A,V I A G R A,BEST MEDS,Cilais,Ciilais,Viigara,Levtiira,Puurchaase,Buuy,Cheeap,cheap medications
SbjExpDelete=word(vigara),Hot med products,*sex*viag*,PENIS ENLARGEMENT,ENLARGEMENT PILLS,PENIS*PILLS,belly-fat,ED Pills,Stomachfat,Pure Pharmacy,C I A L I S,L E V I T R A,V I A G R A,BEST MEDS,Cilais,Ciilais,Viigara,Levtiira,Puurchaase,Buuy,Cheeap,cheap medications
URLExpWeight
Any email found to contain any of these phrases in a url will be weighted higher as spam
Any email found to contain any of these attachment names will be deleted
text
*.$IMAGE_EXTENSION$,*.386,*.3gr
AtchExpDelete=*.$IMAGE_EXTENSION$,*.386,*.3gr
CntExpWeight
Any email found to contain any of these phrases will be weighted higher as spam
text
reg(http://[0-9]+.[0-9]+.[0-9]+.[0-9]+/),reg(8[0O][0O][ \-_][o0-9][O0-9]+[ \-_]),reg(8[0O][0O][ \-_][O0-9][O0-9]+[ \-_][O0-9]),SUB(ProGuard),million verified email addresses,to be removed from future mailings,government grants,guaranteed return,To be removed from this list,Enter site here,Click here to be,To opt out from future mailings,wish to be excluded,If you prefer not to receive e-mails,not to receive e-mails,opted in * one of our partner sites,penis,viagra,Vicodin,You are receiving this email because,ejacula,Create DVD,URGENT ASSISTANCE,CLEAR THIS MONEY,SUM OF * MILLION,Your funds are deposited,home based business,fCAN Spam Act,singles in your area,funds totalling,Order Online Now,Work from your ho,Work At Home Now,copy DVD,unsolicited commercial e-mail,100% risk free,special promotion,investment opportunity,Bank of Nigeria,CONFIDENTIAL*TOP SECRET,Government of Nigeria,F R E E,Bank Deposit paperwork,Nigerian Government,Multi-level marketing,TRANSFER OF *SUM OF,funds totalling US,reg(Nasdaq:[A-Z][ _][A-Z][ _][A-Z])
CntExpWeight=Guaranteed to work!!!!
CntExpAllow
Any email found to contain any of these phrases will not be marked, blocked or deleted regardless of other tests and measures.
text
CntExpMark
Any email found to contain any of these phrases will be marked as spam
text
CntExpBlock
Any email found to contain any of these phrases will be blocked as spam
text
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X,18003206070,Anti-Aging magnetic water,Debt Free,pen1s,a costly Watch,farm_seex,Hoodia,add COM after dot at the end,enlarge your penis,Prest1ge Repl1cas,R0lex,New pharmacy shop:,reg(v[jl1]agra),DebtFree,reg(Symb[o0O]l[ :]+[ ]+[A-Z ][A-Z ][A-Z ][A-Z ]),reg(T[il1]cker[ :]+[ ]+[A-Z ][A-Z ][A-Z ][A-Z ]),reg(St[0o]ck[ :]+[ ]+[A-Z ][A-Z ][A-Z ][A-Z ]),reg(Price Today: [$0-9][0-9\.][0-9]),reg(Sym[: ]+[ A-Z][ A-Z][ A-Z][ A-Z]),get out of debt,not to receive e-mails,opted in * one of our partner sites,talking library out for the holidays,gayz,First t1me,reg(Symbol: [A-Z][A-Z][A-Z][A-Z])
CntExpBlock=XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X,18003206070,Anti-Aging magnetic water,Debt Free,pen1s,a costly Watch,farm_seex,Hoodia,add COM after dot at the end,enlarge your penis,Prest1ge Repl1cas,R0lex,New pharmacy shop:,reg(v[jl1]agra),DebtFree,reg(Symb[o0O]l[ :]+[ ]+[A-Z ][A-Z ][A-Z ][A-Z ]),reg(T[il1]cker[ :]+[ ]+[A-Z ][A-Z ][A-Z ][A-Z ]),reg(St[0o]ck[ :]+[ ]+[A-Z ][A-Z ][A-Z ][A-Z ]),reg(Price Today: [$0-9][0-9\.][0-9]),reg(Sym[: ]+[ A-Z][ A-Z][ A-Z][ A-Z]),get out of debt,not to receive e-mails,opted in * one of our partner sites,talking library out for the holidays,gayz,First t1me,reg(Symbol: [A-Z][A-Z][A-Z][A-Z])
CntExpDelete
Any email found to contain any of these phrases will be deleted
Email detected as nonspam by the cloud processing will not be blocked by any other rules. This can reduce false positives but may also lower your overall spam catch rate
bool
On/Off, True/False, Yes/No, 1/0
off
CheckSpamEngineAllow=off
HoneyPotEnable
Enable the honey pot matching features. Note that the honey pot comes pretrained with some common matching agents, or bees. These can be disabled if they incorrectly macth email by accepting (releasing) matched email from the quarantine.
bool
On/Off, True/False, Yes/No, 1/0
On
HoneyPotEnable=On
HoneyPotAddDeleted
This switch allows email deleted from the quarantine by users or the admin to be used to create and reinforce bees
bool
On/Off, True/False, Yes/No, 1/0
On
HoneyPotAddDeleted=On
HoneyPotRemoveSent
This switch allows email released from the quarantine by users or the admin to be used to disable bees
bool
On/Off, True/False, Yes/No, 1/0
On
HoneyPotRemoveSent=On
HoneyPotSubject
This setting determines the action taken on a spam email when a bee matches on a subject characteristic.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if
you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
This setting determines the action taken on a spam email when a bee matches on an image characteristic.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if
you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
This setting determines the action taken on a spam email when a bee matches on an IP address.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if
you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
This setting determines the action taken on a spam email when a bee matches on content.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if
you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
Email to the configured honey pot addresses can either be deleted or blocked and stored in the quarantine.
Remember that your global settings for enabling mark, block, and deletion actions in the SPAM Blocker/Action will affect what action actually takes place. For example if
you set this to delete but have unchecked delete on the SPAM Blocker/Action page then the bee will be demoted to block, if block is unchecked it will be demoted to marking email.
A honeypot is a trap for spammers. Email to any of these addresses will be analyzed and potentially DELETED (depending on your chosen setting for email to the honey pot addresses).
Ensure that these addresses do not include any valid addresses of users, groups or automated services in your mailserver!
Email to these addresses will be used to deduce information about spammers and spam you are receiving,
which in turn can be used to block email to other recipients that is similar or from similar sources.
These addresses should be email addresses spammers are already attacking, but are invalid at your email server, or
new email addresses you choose. If you choose a new email address make it easy for a spammer to guess like
john@yourdomain.com or alan@yourdomain.com so they quickly discover it and use it to send spam to(!)
Some IPs relay on information to your installation.
These need to be excluded from honey pot analysis and automatic blocking. If you see email from specific IPs repeatedly incorrectly matched by honey pot bees you can simply add the ip here to prevent future matching.
text
127.0.0.1
HoneyPotExcludeIPs=IPs of relay servers or MTAs you never want blocked
Greylist
Enable greylisting of new triplets (IP, sender, recipient sets)
bool
On/Off, True/False, Yes/No, 1/0
on
Greylist=on
GreyTempBlock
The length of time to fail a new 'triplet' (IP sender and recipient combination) with a temporary failure error (a 4.x.x SMTP error).
This is the MINIMUM delay you will experience in receiving email from a new source triplet.
Delays may be longer if the sending server retry schedule is longer than the time specified here.
Well behaved clients and MTAs should retry multiple times for a period of time.
Spam software and bots often do not bother retrying and so will effectively be blocked.
Lowering this setting allows faster receipt of email from new triplets, but may expose you to spam tools that do retry.
number
2 - 360 Minutes
15 Minutes
GreyTempBlock=60
GreyExpireBad
The length of time to keep records about triplets that have not retried after a temporary fail,
often these are the records of spammers and not generally worth keeping for too long.
You do need to keep these records for long enough for legitimate senders to retry though, otherwise you will repeatedly block legitimate triplets.
Busy servers should set this setting low (2-4 hours) to avoid wasting resources. Less busy servers can extend this period to ensure more reliable delivery.
If you receive 1,500,000 email per day and it is mainly spam, you will require 25MBytes of RAM and disk space to store 4 hours of records.
number
2 - 12 Hours
5 Hours
GreyExpireBad=4
GreyExpireGood
The length of time to keep records about triplets that have succesfully sent email and are therefore no longer temporarily blocked.
Its worth keeping these for some time to allow legitimate clients and servers to send to your domain unhindered.
Some expiry is necessary to prevent a build up of no longer used records which waste resources.
Hexamail updates these records on every email that is passed, so the most common senders will never be delayed again.
number
1 - 365 Days
36 Days
GreyExpireGood=60
GreyWhiteIPList
You may not wish to delay the email from some servers using greylisting. This may be because they are known reputable servers, or
incapable of correct SMTP retry behaviour. If you find you can't receive email from a specific server, even after the block delay, you may wish to whitelist the IP here.
This IP list is in addition to your Always Allowed IPs and the list of Relay IP servers specified in SMTP Server. This list specifically allows IPs to bypass greylisting and nothing more.
The default list includes local network addresses, reputable servers and some servers known to have trouble sending thru greylisting servers.
If you set your SMTP Server log to DEBUG mode you will see whitelisted servers being skipped for greylisting, allowing you to identify servers you may wish to remove.
Don't greylist recipients excluded from spam checks
bool
On/Off, True/False, Yes/No, 1/0
GreyExcludeDontCheckRcptMatches
Don't greylist specified recipients
text
GreyOctets
This setting can be used to control how strict the greylist checking is. IF it is set to 4 it will check the entire IP address (IP4) or 16 for IP6.
If it is reduced to 3 or 2 it only checks the first parts of the IP address. This is useful if email is coming from very large
email providers with very many servers. In some cases the retried email is sent from a new server each time, causing strict greylisting to fail the email temporarily
for a long time. Using the 3 or even 2 setting can ensure the email is delivered more rapidly.
number
2 - 16 Octets
3 Octets
GreyOctets=3
GreyLocationEnable
Email found to originate from the listed countries will be greylisted if enabled
bool
On/Off, True/False, Yes/No, 1/0
false
GreyLocationEnable=false
GreyLocation
Any email found to originate from these countries will be greylisted
You can optionally schedule greylisting only for specific times of the week.
For example this can be used to prevent any unnecessary delay in email during working hours, but allow greylisting to take effect at weekends.
Just click the weekday/hour cell in teh grid to activate greylisting for that period. The cell will turn grey to indicate greylisting is active. Green denotes no greylisting active
for the period. Local times are used when checking the schedule.
Remember that only email from a new sender, ip and recipient triplet is delayed.
Enable geolocation detection of client IP addresses. This identifies the likely geographic location of connecting client IP addresses and can thereby be used to weight, block or delete email originating from specific countries.
Use this to weight block or delete email from countries from which it is unlikely you receive legitimate email
bool
On/Off, True/False, Yes/No, 1/0
on
Geolocate=on
GeolocateSenderMismatch
If the sender e mail address mismatches the email sending IP location you can choose to mark, weight, block or delete the email
Click the countries on the map to weight email originating from the selected country. Click again to block, and once more to delete. Click a final time to clear the setting for the specified country.
text
GeolocateWeight
Any email found to originate from these countries will be weighted higher as spam
text
AL,RU,RO,TR,CN,IN,TH,KR,GM,NG,ZW,ZR,ZM,YE,UZ
GeolocateWeight=RU,TR,CN,IN
GeolocateBlock
Any email found to originate from these countries will be blocked as spam
text
GeolocateBlock=RU,CN,NG
GeolocateDelete
Any email found to originate from these countries will be DELETED as spam
text
GeolocateDelete=RU,CN
GeolocateWhiteIP
You may not wish to block some IPs or IP ranges regardless of the country in which they are based. For example, you should not block Hexamail IP ranges.
text
82.117.36.*
GeolocateWhiteIP=82.117.36.*
URLGeolocate
Enable geolocation detection of URLs. This identifies the likely geographic location of contained URLs and can thereby be used to weight, block or delete email with links to websites in specific countries.
Use this to weight block or delete email from countries from which it is unlikely you receive legitimate email
bool
On/Off, True/False, Yes/No, 1/0
on
URLGeolocate=on
URLGeolocateMismatch
If a URL contained in an email mismatched the email sending IP location you can choose to mark, weight, block or delete the email
If a URL host contained in an email fails to resolve to an IP address due to invalid or expired DNS entries you can choose to mark, weight, block or delete the email
Click the countries on the map to weight email originating from the selected country. Click again to block, and once more to delete. Click a final time to clear the setting for the specified country.
text
URLGeolocateWeight
Any email found to originate from these countries will be weighted higher as spam
text
AL,RU,RO,TR,CN,IN,TH,KR,GM,NG,ZW,ZR,ZM,YE,UZ
URLGeolocateWeight=RU,TR,CN,IN
URLGeolocateBlock
Any email found to originate from these countries will be blocked as spam
text
URLGeolocateBlock=RU,CN,NG
URLGeolocateDelete
Any email found to originate from these countries will be DELETED as spam
text
URLGeolocateDelete=RU,CN
SpamURLWhiteHosts
You may not wish to block some domains or hosts regardless of the country in which they are based. For example, you should not block Hexamail www.hexamail.com
Increasingly spammers spoof email from other peoples addresses. Sometimes this can result in your users receiving non delivery reports (NDRs) for email they did not send.
An NDR typically takes the form of an email informing the sender, real or faked, that an email they sent could not be delivered, and often has the original email attached.
If these NDRs are in response to email that appear to have been sent from the user's account, it can be confusing and alarming for users.
It is wise to block these 'false' NDRs (spam NDRs) where possible to prevent further miscommunications and recriminations between the email parties involved.
Use the settings on this page to block NDRs received for email that was not sent from your server but was sent using spoofed addresses at your domain as the senders.
Setting up an SPF record can help alleviate the problem by allowing remote servers to check that the sending server is allowed to send from your domain. More information can be found at http://www.openspf.org/
bool
On/Off, True/False, Yes/No, 1/0
Off
SpamNDREnable=Off
SpamNDRAlias
Often you will have users with a single primary email address and multiple alias to which they can receive email. If they never send using these alias as their sender or replyto address you can automatically block
NDRs being returned to these addresses, knowing them to be spam NDRs
bool
On/Off, True/False, Yes/No, 1/0
Off
SpamNDRAlias=Off
SpamNDRWild
Often you will have users with a single primary email address and a wildcard alias to which they can receive email, e.g. use bob.parsons@yourdomain.com may haev the alias bob*@yourdomain.com.
If they never send using these alias as their sender or replyto address you can automatically block
NDRs being returned to these addresses, knowing them to be spam NDRs
bool
On/Off, True/False, Yes/No, 1/0
Off
SpamNDRWild=Off
SpamNDROutbound
If you are processing outbound email using Hexamail Server it can automatically gather information about all recipients of email from your domain.
You can then use this option to block NDRs arriving from addresses that have never been sent to through your server, evidently spam NDRs.
Ensure that all email sent from your domain is sent thru Hexamail Server for this to be 100% reliable.
For example automated email from a webserver or database application should also go out thru Hexamail Server in order that it can record those recipients too.
bool
On/Off, True/False, Yes/No, 1/0
On
SpamNDROutbound=On
SpamNDRAddresses
If you have wildcard alias setup or have not restricted incoming email to your defined users list then you can use this list to nominate any email addresses that keep receiving spam NDRs but are not valid addresses.
You can often receive NDRs to addresses spammers have chosen to use to spoof spam from, eg. xyz@yourdomain.com
text
SpamNDRAddresses=xyz@yourdomain.com
SpamNDRAction
Use this setting to select whether to quarantine the spam NDRs or have them immediately deleted. It is sometimes wise to quarantine them (block) while you are ensuring your setup is correct and then select to Delete once you are satisfied that no legitimate NDRs are being blocked based on your settings above.
text
Block
SpamNDRAction=Delete
SpamURLDownload
Use this setting to select whether to download content from URLs contained in email to check the web page content for spam
text
Off
SpamURLDownload=Off
SpamURLDownloadContentPhrases
Use this setting to select whether to check all your custom content phrases in downloaded content from URLs contained in email to check
text
On
SpamURLDownloadContentPhrases=On
SpamURLDownloadFail
If a URL contained in an email fails to download you can choose to mark, weight, block or delete the email
this sets the maximum size to which the spam list log file will be allowed to grow, in kbytes
number
1 - 32000 kbytes
4096 kbytes
SpamLogMaxSize=4096
SpamLogHistory
this sets the number of archived spam list log files you wish to retain
number
1 - 64 files
10 files
SpamLogHistory=10
SpamLogFlushSize
this sets at what size the spam list log file will be flushed to disk, in kbytes. If trouble-shooting set this to 0, set it higher for maximum performance
number
1 - 64 kbytes
64 kbytes
SpamLogFlushSize=64
SpamLogFlushPeriod
this sets when the spam list log file will be flushed to disk, in seconds. If trouble-shooting set this to 0, set it higher for maximum performance
number
1 - 600 seconds
60 seconds
SpamLogFlushPeriod=60
SpamHeader
Insert a MIME header into the email specifying which action was taken (marked,blocked,deleted). This header is not inserted for email that isn't matched as spam
text
X-HXMSpamAction
SpamHeader=X-HXMSpamAction
SpamHeaderValue
You can customise the header value, use to include the action taken
text
<action>
SpamHeaderValue=<action>
SpamHeaderReason
Insert a MIME header into the email specifying the reason the email was considered spam (or nonspam)
text
X-HXMSpamReason
SpamHeaderReason=X-HXMSpamReason
SpamHeaderReasonValue
You can customise the header value, use to include the reason
text
<reason>
SpamHeaderReasonValue=<reason>
SpamHeaderScore
Insert a MIME header into the email specifying the spam score of the email
text
X-HXMSpamScore
SpamHeaderScore=X-HXMSpamScore
SpamHeaderScoreValue
You can customise the header value, use to include the score
text
<score>
SpamHeaderScoreValue=<score>% Match
SpamHeaderScoreExt
Insert a MIME header into the email specifying the spam score of the email
text
X-HXMSpamScoreExt
SpamHeaderScoreExt=X-HXMSpamScoreExt
SpamHeaderScoreExtValue
You can customise the header value, use to include the score as a gauge.
The gauge is a row of *s, one for each 10 percent of score. So an email scoring 30% has a scoregauge of ***
text
<scoregauge>
SpamHeaderScoreExtValue=<scoregauge>
ExMailboxJunkFolder
Folder to move spam into using automatic inbox rules in Exchange 2010 onwards
text
Junk Email
ExMailboxJunkFolder=Junk Email
StoreMax
This setting allows automatic removal of old email when the maximum number to store is exceeded.
number
250 - 250000 email
75000 email
StoreMax=75000
StoreCache
This sets the maximum amount of memory used to cache email in the quarantine, sent and error stores.
NOTE if you change this setting you will need to press APPLY and then stop and start the service.
number
1 - 1024 mbytes
132 mbytes
StoreCache=132
StoreReap
This setting allows automatic deletion of email when it has been in the store for longer than the specified number of days
bool
On/Off, True/False, Yes/No, 1/0
off
StoreReap=off
StoreReapAgeDays
Automatically delete email older than the specified number of days
number
1 - 365 Days
30 Days
StoreReapAgeDays=4
StorePurgeAgeDays
Automatically purge deleted email older than the specified number of days
number
1 - 120 Days
15 Days
StorePurgeAgeDays=4
StoreNormalizedSubjects
Show automatically normalized subject lines. Only applies to the spam email store
bool
On/Off, True/False, Yes/No, 1/0
On
StoreNormalizedSubjects=On
ErrorStoreMax
This setting allows automatic removal of old email when the maximum number to store is exceeded.
number
250 - 100000 email
20000 email
ErrorStoreMax=20000
ErrorStoreReap
This setting allows automatic deletion of email when it has been in the store for longer than the specified number of days
bool
On/Off, True/False, Yes/No, 1/0
on
ErrorStoreReap=on
ErrorStoreReapAgeDays
Automatically delete email older than the specified number of days
number
1 - 200 Days
30 Days
ErrorStoreReapAgeDays=4
ErrorStorePurgeAgeDays
Automatically purge deleted email older than the specified number of days