Spam Filtering: Trap

[mcknet]

Junk mail (never any real mail) is being delivered to multiple e-mail addresses from the same IP address. Some addresses are real and some are made up (they have never existed). I can't enter the valid e-mail addresses in the trigger list, so I enter the invalid e-mail addresses. These addresses are attempted many times/day, but the file remains empty.

Does the account have to exist for this feature to store IP addresses in the spamtrap.txt file or is something not working correctly?

Scott

[Code Crafters]

The idea of the SPAM trap is to put fake email addresses for your domains (or others) on your website so that bots that crawl your site looking for email addresses to SPAM email these as well and are blocked by the SPAM trap list. You would normally have these email addresses embeded in the HTML of your site but not actually visible for real users to click on. You can also use asterisks as a wildcard. For example, *@domain.com would block any adddresses for the domain.com domain or trap* would block any addresses starting with trap. The SPAM trap list is managed in memory and then dumped to file periodically so the file can be manually edited to add or remove entries externally.

If the entries that should trigger aren't making it into the file it might be because some other SPAM filter is rejecting the email before the SPAM trap is used. The filters are triggered in the order they appear in the admin user interface. You can check the SMTP logs for details of what is happening to the mail in terms of SPAM checks and failures.

[mcknet]

If the entries that should trigger aren't making it into the file it might be because some other SPAM filter is rejecting the email before the SPAM trap is used. The filters are triggered in the order they appear in the admin user interface. You can check the SMTP logs for details of what is happening to the mail in terms of SPAM checks and failures.

Here's what's in the log:

... Failed: Action=[Received Recipient], Details=[addrkelly.richard@example.com: Relaying not permitted.]

There never has been addrkelly.richard or even kelly.richard and nobody has even used a . in their user name. From the same IP address at the same time, other e-mail addresses are accepted by the mail server, so the junk e-mail gets delivered to them.

I've entered about 15 e-mail address in the spam trap. I was hoping I could carefully select e-mail addresses like this and put them in the spam trap to help stop the junk e-mail that goes to the real addresses. However, looking over the logs, I see the IP addresses are almost never used again, anyway.

I have a couple ideas...

Create a list, like the spam trap list, that can trigger an immediate "Close Connection" or some kind of error message whether there were other valid e-mail addresses provided during that session or not. If an e-mail is being delivered to 3 or 4 people, including an e-mail address in that list, nobody gets the e-mail.

Add an option to the e-mail block list filter for individual accounts to act as though the recipient doesn't exist. Right now, the options are to put the e-mail in a certain folder or delete it. I'm assuming the delete option doesn't return a failure to the sender. Wouldn't a non-delivery type response help to end some of the delivery attempts from an unwanted sender to that recipient?

Scott

[Code Crafters]

The error given shows that the user doesn't exist on your Ability Mail Server and since the user didn't log into SMTP authentication for relaying authentication the mail isn't allowed to be relayed and will therefore never be delivered. If no valid recipients are entered the mail will never make it past the SMTP conversation.

As for the SPAM trap, you can add email addresses to this but this blocks the IP which if it changes is not very effective. However, if you the add the recipients (using *s if necessary) to the SPAM Black List instead then the connection will be rejected before any other SPAM filters are even considered. If you choose to reject the email then an error will be given in the SMTP conversation and the mail will never be queued for delivery; although without relaying access the mail would never be queued for delivery anyway. Note that if you use the SPAM flag or custom event options to allow the mail through marked as SPAM you must create a content filter rule to act on these flags or no further action will be taken.

You can also tick the option in the domain settings to not try to relay mail for non-existent users on your domain hosted locally as generally you wouldn't ever need to. This will also prevent mails being queued for external delivery for your domains. The Sender Domain Check SPAM filter is also a very effective SPAM filter for blocking mail coming from your domains with faked addresses.

[mcknet]

Valid recipients are included along with the invalid ones. That was one of the problems. I'm trying the blacklist, now. Thanks for the suggestion! I thought that was only for IP addresses!

I have each account set up to put e-mail marked as spam in the Junk E-Mail folder, so I never set up any other rules for those e-mails. It works well.

I have "do not try to relay mails addressed to non-existent users" checked and that works. That's where the "Relaying not permitted" errors come from, right?

Under sender domain check, I have the following checked:

- Client must have relaying access
- Sender e-mail address must exist locally
- Set spam

With those checked, the junk e-mail that appears to be from an e-mail address inside the company is put in the Junk E-Mail folder.

Scott

[mcknet]

Wait! Does this mean the spam trap feature was working?

Wed, 12 Aug 2009 01:58:33 -> 203.210.153.169 -> Success: Action=[SPAM Detection Triggered], Details=[SPAM detected by SPAM Trap.]

The spamtrap.txt file is still empty, but the logs show it was getting new IP addresses as well as the occasional detection shown above. I took all the e-mail addresses out of the spam trap and put them in the black list. Should I go ahead and add them to the spam trap again or would the black list be just as good or better?

Scott

[Code Crafters]

Yes, this line from the logs shows that the SPAM trap was triggered and the IP was stored. This IP would be updated to file periodically (most likely every settings auto-reload interval (general settings, default: 30 minutes). The black / white lists are the first to be evaluated so any definite bad addresses are slightly better off in the black list for efficiency to avoid the Trap and other SPAM filters needing to be evaluated. However, either will do just fine.

[mcknet]

This IP would be updated to file periodically (most likely every settings auto-reload interval (general settings, default: 30 minutes).

I see the server running 2.61 is updating spamtrap.txt, but the server running 2.63 still has an empty spamtrap.txt file even though the feature is working. I've tried shutting AMS down and opening it again, but the file remains empty. Any suggestions?

If I were to delete IP addresses from spamtrap.txt, would that change be picked up next time new IP's are written to the file or would the old ones be written to the file again?

Scott

[Code Crafters]

Make sure if you're running Vista that you run the software as an administrator (application mode or as a service) to ensure that the settings are saved in the Program Files (x86) directory rather than the users personal space (e.g. "C:\Users\<USERNAME>\AppData\Local\VirtualStore\Program Files (x86)". If you edit the text file via the dialog admin interface you should automatically open the correct file.

Yes, each auto-reload interval the SPAM Trap txt file will be merged before saving again. This means that any changes to file are copied to memory before overwriting the file with the merged version of both lists.

[mcknet]

Make sure if you're running Vista that you run the software as an administrator

Would I have to right-click and Run as Administrator under Server 2008 if logged on as Administrator?

I just looked at the one running AMS 2.63 on Server 2003. It has some IP addresses in the file, but I don't think it was saving them until after the server was restarted last week. I'm not sure what to say about that one.

Scott

[Code Crafters]

Yes, I think 2008 works the same as Vista. Generally you will run the software as an NT service (general settings). You can go into Control Panel\Adminstrative Tools\Services then right click properties then on the Login tab select to login with a particular administrator level windows account rather than with the local service permissions or similar. To run in normal mode you can right click run as administrator or more appropriately right click properties and set the application to always run in administrator mode which will generally prompt you to accept allowing admin permissions when running it.