Xwall configuration suggestions
Quick and simple
Covers Version 3.26 and 3.27
Help with installation
The Xwall Spam filter offers a wide variety of filters and blocks.
Understanding these options is important for success. This page
shows the initial setup we use at our local client sites around
Central Texas. It can help you get your Xwall up and running in a
short time. Of course, Xwall has many more filters and options.
These are described in detail in the Xwall online manual. We
strongly recommend reading the manual in order to set up Xwall
tailored to your situation. The online manual always reflects the
latest enhancements and changes.
Spam RBL relay list implementation
Keeping Spam out of your company's email system is an effort that
uses many different approaches. Spam relay lists, known as RBLs, are
one of the tools available to you. These RBL lists are updated in real
time and can make a dent in the Spam flood. RBL lists are compiled
from open SMTP relays found all over the Internet. An open SMTP relay
can be used by spammers to send out their Spam messages by the
millions. Xwall takes the IP and/or domain name of the sender and
compares it to the RBL lists you have implemented. Xwall is equipped
with an exclude table (white list) to allow specified domains
or IP addresses to pass even if they are caught by the RBL list.
This Xwall feature makes the implementation of the RBL services
much more useful.
To set up this filter, start the Xwall Admin. Go to OPTIONS ->
Spam. Check the first flag and click on ADD COMMON.
This will add 3 popular relay services. If you have a proxy in front
of Xwall you may need to check position #3, since your proxy is the
sender rather than the other SMTP server. Xwall operates more
effectively if it communicates directly with the sending SMTP server.
SMTP level blocking: Xwall allows you to block messages
at the SMTP level. Here are a few things to consider.
- An SMTP block conserves your bandwidth. Xwall blocks if the
connecting server is on an RBL list. It never allows the message
to be sent.
- Since Xwall does not receive the message, it is more difficult
to exclude senders. You need to exclude the host or IP address
rather than an email address.
Position #4 allows you to choose the action for this filter if
it finds a spam message. If you use ESATInformer
you should set the action to discard.
SURBL
This is a different type of SLS service. Xwall scans your message
for links. It gets the IP address of the destination and submits
this address to the SURBL service. That hurts the spammers'
pocketbook.

IMPORTANT: Xwall looks at domain and email addresses
from right to left. That means if you type in COM, all domains
ending in .COM will be affected. Yahoo.com will affect all emails
from yahoo.com. Do not use *.com; it would only affect the literal
*.com, which matches nothing since * is not a legal domain
character.
At the bottom of each warning message you find information regarding
which service blocked the message and what caused the block (IP
address or domain name). That's the information you need to apply
an exclusion. Simply go back to Options -> Spam, click on Exclude,
select the type and enter the information.
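The RBL check and the exclude table described above, sketched as an added example (this is not Xwall's own code). It uses the standard DNSBL lookup convention and models the right-to-left comparison as a plain suffix match, which is an assumption; the resolver is a stub and the sender data is constructed.

```python
import ipaddress

def dnsbl_query_name(ip, zone):
    """Standard DNSBL convention: reverse the IPv4 octets, append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_excluded(value, exclude_table):
    """Right-to-left comparison modelled as a case-insensitive suffix match
    (assumption about how exclude entries are compared). Empty entries are
    skipped, otherwise they would exclude every sender."""
    value = value.lower()
    return any(e.strip() and value.endswith(e.strip().lower())
               for e in exclude_table)

def check_sender(ip, host, zones, exclude_table, resolve):
    """Return (verdict, detail). `resolve` maps a DNS name to an A record
    string, or None when the name does not exist (sender not listed)."""
    if ip in exclude_table or is_excluded(host, exclude_table):
        return ("pass", "excluded")
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer and answer.startswith("127."):  # listings answer in 127.0.0.0/8
            return ("block", zone)
    return ("pass", "not listed")

# Constructed sample data: a stub resolver so the example runs offline.
FAKE_DNS = {"10.2.0.192.bl.spamcop.net": "127.0.0.2"}

def stub_resolve(name):
    return FAKE_DNS.get(name)

ZONES = ["bl.spamcop.net", "cbl.abuseat.org"]

if __name__ == "__main__":
    # Same listed sender, four different exclude tables.
    for table in ([], ["yahoo.com"], ["*.com"], ["COM"]):
        print(table, check_sender("192.0.2.10", "mail.yahoo.com",
                                  ZONES, table, stub_resolve))
```

A plain suffix match on yahoo.com also matches notyahoo.com; whether Xwall compares on label boundaries is not stated on this page, so test an exclusion before relying on it.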
Blocking Words
I usually set a few text and header blocks to start with. The
text block is located under Admin -> option -> blocking -> text.
You will find familiar options. You need to be aware of the fact
that you are dealing with strings. Please consider that the string
SOME will apply to words like AWESOME, SOMEONE, SOMETIMES and so on.
If you want to block just the word SOME you must enter (space)some(space).
This will eliminate the inclusion of AWESOME and so on.
Be careful with wildcards.
The ? often works better than a badly implemented *.
Wildcards have to be implemented with caution too. While there
is no problem with them, it's us who will get it wrong. I added v*i*a*g*r*a
to my strings just to find out it blocked many messages with no
sign of viagra. Instead it looked for any instance of these characters
- as it should. I just did not think. To get rid of the
spaces or filler characters some of these spammers use, I needed to
type in v?a?g?r?a.
Also note the exclude tab. You use it to exclude domains, IPs
and email addresses from the block you implemented.
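The string and wildcard behaviour described in this section, as an added example that is not part of Xwall. It assumes substring matching that ignores case, with * standing for any run of characters and ? for exactly one character; the sample messages and the pattern v?i?a?g?r?a are constructed for the example.

```python
from fnmatch import fnmatchcase

def block_hits(block_string, message):
    """True if the block string occurs anywhere in the message.
    Assumed semantics: case-insensitive, * = any run of characters
    (including none), ? = exactly one character."""
    return fnmatchcase(message.lower(), "*" + block_string.lower() + "*")

def false_positives(block_string, ham):
    """Legitimate messages that a block string would catch."""
    return [m for m in ham if block_hits(block_string, m)]

# Constructed sample messages.
HAM_1 = "That demo was awesome, thanks."
HAM_2 = "Valid insurance paperwork for the garage rental area is attached."
SPAM_1 = "Buy some pills now"
SPAM_2 = "cheap v.i.a.g.r.a shipped today"
SPAM_3 = "cheap viagra shipped today"

if __name__ == "__main__":
    ham = [HAM_1, HAM_2]
    for s in ("some", " some ", "v*i*a*g*r*a", "v?i?a?g?r?a"):
        print(repr(s), "-> false positives:", false_positives(s, ham))
    # The ? pattern only covers the one-filler-character spelling,
    # so the plain word still needs its own entry.
    for m in (SPAM_2, SPAM_3):
        print(repr(m), "caught by ? pattern:", block_hits("v?i?a?g?r?a", m))
```

Under these assumptions the padded string " some " misses the word at the very start of a message or next to punctuation, so check new block strings against a sample of real mail before enabling them.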
Allow your contacts to send you email.
Automatic whitelisting is a new feature available in Xwall version
3.27. This feature automatically adds the email address of every
outgoing message to the exclude list. The reasoning behind this
idea is that if you send email to someone, it's likely that you want
them to be able to reply. You do not have to implement this feature
to receive email from your contacts. But if you find many of them
listed with RBLs you're using, it will allow them to send you mail.
While this might not be an issue if you're using Spamcop, it may be
a very welcome feature on more aggressive RBLs like Osirusoft or
even Wirehub.
If you use aggressive RBL lists the automatic whitelist can
help.
Would be nice ....BUT
Sometimes a certain block works for some situations and sometimes
it does not. Logically, Xwall still includes these block options.
Take the PTR lookup as an example. It sounds like a great feature;
however, about 40% of the ISPs in the US will not resolve some of
their IP addresses. This may not be the case in other countries.
For US sites, I recommend not using this option unless your email
senders are known contacts and don't have that problem.
I estimate 40% of ISPs in the US do not resolve a PTR request.
In a few cases, the MX A record lookup can cause problems too.
In general, I recommend starting out with just a few filters and
blocks, concentrating on eliminating false positives, and then
going from there.
Next week
The Bayesian filter is a great help in the fight against Spam. Its
success depends totally on you understanding the filter and on the
principle "garbage in, garbage out!" If it is fed with
Spam, it filters out Spam. If you feed it with false positives, it
will filter out good mail. To avoid this problem, just follow the
guidelines above. Do not start this filter when you first set up
Xwall. Wait until you have a good handle on things. You don't
need to catch all the Spam, but you do not want a lot of good mail
identified as Spam. Once you're at this point you can enable the
Bayes filter learn mode.
The Bayesian filter learns from the Spam the other filters catch.
You have to catch Spam before it can learn.
The learn mode will read all the messages declared Spam and automatically
build its own database. The default settings are fine in almost
all situations. I usually let it learn for 5-10 days before I start
the full filter. The active Bayes filter now reads every message
and grades it by its probability of being Spam. The
scale is 1-100. You simply set the break point. Usually 70%-80%
works well. Again, there are 3 steps involved in a successful implementation
of the Bayes filter:
- You need to learn about the Bayes filter.
- You need to have other filters working right.
- The Bayes filter needs to learn from the Spam.
Do not end up on a RBL list
Please realize Xwall takes the place of Exchange server or your
SMTP mail server when talking to the outside world. Therefore, the
SMTP relay is now handled by Xwall. By default this relay is disabled.
If there is a need to open the relay, Xwall can accommodate several
options. I use authentication (NTLM) in most cases. You can also
set a range of IP addresses that are allowed to relay, especially if
the relay is only needed inside your LAN. To allow a range of addresses
to relay, the syntax for the range "192.168.1.1 - 192.168.1.255"
would be "192.168.1." (without the quotes). Several addresses
or ranges can be entered. In addition, you can limit the relay to
a domain (host).
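A check you can run over planned relay entries before typing them in, as an added example that is not part of Xwall. It assumes the range syntax above is compared as a textual prefix of the client address; the function names and sample entries are constructed for the example.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def relay_allowed(entry, client_ip):
    """Textual prefix comparison, which is what the '192.168.1.' syntax
    implies (assumption; the matching internals are not documented here)."""
    return client_ip.startswith(entry)

def audit_entry(entry):
    """Return a list of warnings for one relay allow-list entry."""
    octets = [o for o in entry.split(".") if o]
    if not 1 <= len(octets) <= 4 or not all(
            o.isdigit() and int(o) <= 255 for o in octets):
        return ["not a dotted IPv4 prefix"]
    warnings = []
    if len(octets) < 4 and not entry.endswith("."):
        warnings.append(
            "no trailing dot: also matches longer octets, e.g. %s0.x" % entry)
    # The network that the prefix covers when it ends on an octet boundary.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    net = ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)))
    if not any(net.subnet_of(private) for private in RFC1918):
        warnings.append("covers non-RFC 1918 space: %s" % net)
    if len(octets) < 3:
        warnings.append("broad range: %d addresses" % net.num_addresses)
    return warnings

if __name__ == "__main__":
    # Constructed sample entries.
    for entry in ("192.168.1.", "192.168.1", "10.", "203.0.113."):
        print(repr(entry), audit_entry(entry) or "ok")
    # Without the trailing dot, a host outside the intended range may relay.
    print(relay_allowed("192.168.1", "192.168.100.7"))
    print(relay_allowed("192.168.1.", "192.168.100.7"))
```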
Keep an eye on things
The Xwall screen shows the latest few lines
of the current log. The last line, however, shows statistical
information. While installing and tweaking the Xwall operation
you should keep an eye on the "bottom line". A buildup
in the message queues can announce troubles to come. Of course,
if you serve 2000 users, 200 messages in the queue would not
be much of a concern. However, if you only serve 50 users
you want to look into it. These are some of the settings and
situations which will cause problems:
- DNS server not resolving external addresses properly
- DNS request gets stopped at your firewall
- You opened the SMTP relay to everybody and spammers flood you
- Xwall can't find the Exchange server
- You send back all the Spam messages (not recommended) and have
not adjusted the retry time-outs
The stats codes on the bottom of the Xwall screen show the following
values:
Sent = Sent messages
Recv = Received messages
S-O = SMTP outbound queue
S-I = SMTP inbound queue
E-O = Exchange outbound queue
E-I = Exchange inbound queue
Con = Connection count
SLS List
Here are a few SLS services tested by Gragam G. and verified as
working and being effective for blocking spam as of October 6th 2005.
SLS=bl.spamcop.net
SLS=sbl-xbl.spamhaus.org
SLS=dnsbl.sorbs.net
SLS=l2.spews.dnsbl.sorbs.net
SLS=relays.ordb.org
SLS=multi.surbl.org
SLS=blackholes.intersil.net
SLS=blackholes.five-ten-sg.com
SLS=dnsbl.njabl.org
SLS=list.dsbl.org
SLS=bl.csma.biz
SLS=sbl.csma.biz
SLS=flowgoaway.com
SLS=multihop.dsbl.org
SLS=cbl.abuseat.org
SLS=opm.blitzed.org
SLS=blackhole.securitysage.com
SLS=dnsbl.ahbl.org
SLS=relays.bl.kundenserver.de
SLS=dnsbl.rangers.eu.org
SLS=bl.spamcannibal.org