Kerio Connect offers two primary forms of Anti-Spam protection - the built-in Apache SpamAssassin Anti-Spam Bayesian filter and the paid add-on Kerio Anti-Spam filter powered by Bitdefender. In older versions of Kerio Connect (versions 9.0.3 - 9.1.1), Kerio Anti-spam replaced the SpamAssassin’s SURBL and Bayes filters. Starting in Kerio Connect version 9.2, Kerio Anti-spam can now be used with Apache SpamAssassin to fine-tune the exact content you want your users to receive.
- Kerio Advanced Anti-Spam Filter
- SpamAssassin Bayesian Filter
- Spam Repellant
- Handling Identified Spam Emails
- Refining your Anti-Spam Filters
Kerio Advanced Anti-Spam Filter
The Kerio Anti-spam extension uses the Bitdefender online scanning service. It provides an advanced level of spam filtering for incoming messages. When an email is received with the filter enabled, Kerio Connect sends encrypted data to the Bitdefender online scanning service about the email content. If the Kerio Connect server is behind a firewall, it requires unrestricted access to *.nimbus.bitdefender.net on port 443 and bda-update.kerio.com on port 80 for this data transmission.
Bitdefender scans the data and returns their “score” ranging from 0 (non-spam) to 9 (Highly Likely). This Bitdefender score is then used within an internal algorithm and adds this score to the overall “Spam Rating” of the email. Based on the Spam Score Limits configuration, the email is delivered normally, routed to a quarantine mailbox, or rejected outright.
The configured value for the Advanced Anti-Spam Filter sets the BitDefender filter’s contribution/ weightage to the overall spam score. If you set it higher, it means you are more inclined to accept Bitdefender’s verdict regarding whether a given email is spam or not.
It is suggested that you monitor your incoming emails and adjust your weight configuration to determine what values work best for your environment. Suppose you see that BitDefender is harsh and identifies many false positives on some of the emails that you believe are legitimate. In that case, you can adjust its contribution to the overall score.
Types of Data that Kerio Connect sends to Bitdefender
Kerio Connect does not send any information that could be used to identify a specific person, such as the content of the original email body, attached images, or attached files. Bitdefender online scanning service receives the following information via HTTPS:
- The sender and the sender’s IP address of the original message from the email SMTP envelope.
- The email message fingerprint - a set of cryptographic hashes on different parts of the email headers and body.
- Note: The hashes are irreversible - Kerio Connect does not send the original email body.
- URLs, email addresses, and telephone numbers contained in the body of the scanned email message.
- MD5 hashes of:
- The FROM address, FROM domain, and REPLY-TO address
- Certain types of attachments, for example, Microsoft Office documents, PDFs, executable files
- The hashes of images that are embedded in the messages. The actual images are not transmitted.
Calculating the Kerio Anti-spam score
Kerio Connect calculates the Kerio Anti-spam score using a special algorithm and adds the score to the overall spam rating. The algorithm works as follows:
- If Bitdefender score is between 1 and 9 (spam)
- Kerio Anti-spam score = X*Y/9
- X is the score Kerio Connect receives from Bitdefender.
- Y is the Kerio Anti-spam setting. If SpamAssassin is disabled, you can set the Kerio Anti-spam settings to 2-18. If SpamAssassin is enabled, you can set the Kerio Anti-spam settings to 1-9.
- Kerio Anti-spam score = X*Y/9
- If Bitdefender score is 0 (non-spam)
- Kerio Anti-spam score = 0
SpamAssassin Bayesian Filter
The Apache SpamAssassin Bayes filter does not rely on an external database of emails, like with Bitdefender’s service. Instead, it uses self-learning over time to identify the types of emails that your users consider to be spam or not. Recipients can train the Bayes database to recognize messages as spam or ham. The filter breaks messages into small pieces called tokens and determines which tokens occur mainly in spam messages and mostly in ham messages.
The Bayes database must learn a lot of emails before it can function effectively. In general, the Bayes database begins to work after it has learned at least 200 spams and 200 hams. End-users must train the Bayes database enough to fight mutating spam effectively. This is performed via the “Spam” and “Not Spam” buttons within Kerio Connect Client/
SpamAssassin Training logic
- If the total SpamAssassin score is more than 12, and both the header score and body score are more than 3, consider the message as spam.
- If the total SpamAssassin score is less than 0.1, consider the message not spam.
Additional anti-spam tests in Kerio Connect, such as blacklists, SPF, header tests, train the Bayes database as follows:
- If the total score from tests other than SpamAssassin is more than the required tag score, and the SpamAssassin score is less than 0.1, consider the message spam.
- If the total score including SpamAssassin is more than (block score-tag score/1.8)+tag score, and SpamAssassin score is less than 12, consider the message as spam.
- If the total score from tests other than SpamAssassin is less than 0, and SpamAssassin trains the Bayes database with spam, consider the message as ham.
Together, these mechanisms result in a fine-tuned Bayes Database. The more emails the filter processes, the more refined it becomes at correctly identifying the spam your users are receiving.
The Spam Repellent is a simple but very effective spam filter. It delays the SMTP greeting, preventing messages sent from spam servers. Spam Repellent can decrease the load on the server because other anti-spam and antivirus tests do not process messages rejected by Spam Repellent. IP Address Groups can also be excluded from Spam Repellent.
By introducing delays and flow checks at the beginning of the SMTP communication, many automated tools will give up while legitimate email is not affected. Here is a sample entry in the security logs when Spam Repellent is on:
SMTP Spam attack detected from x.x.x.x:52864, client sent data before SMTP greeting.
The log above means that the server has started sending SMTP commands and the data too early, which indicates spam, as normal mail servers would wait.
Handling Identified Spam Emails
When an email is received, and the two filters have processed the email, a decision is made based on the specific configuration within the Spam Rating tab. Most important in the handling are the Spam Score Limits defined, as these determine the cut-off point for the aggregated “Tag” and “Block” behaviors set.
In some cases, you may want to alert your users to the fact that an email appears to be questionable, but you don’t want to stop it from reaching their inbox (for example, to help train the Bayes filter after it has been reviewed). In those cases, you can use the Tag Score to add a prefix to the emails.
Alternatively, once an email has a high enough score, you can outright block the emails and decide how to handle this. By default, the intercepted messages are rejected. You can choose to enable either of the optional “Block Actions.” These Block Actions are also available when defining Custom Spam Rules:
- Alert the sender via a bounce email.
- Forward the Blocked Email to a Quarantine instead of rejecting it.
When using the Advanced Kerio Anti-Spam, there is an additional mechanism that is enabled by default. Email messages that are identified as containing Malware or Phishing links are automatically blocked outright. These blocked emails will respect the normal block actions in place. To prevent this and rely solely on the Score Limit, this can be disabled via the mailserver.cfg by setting the values of <variable name= “BlockMalware”> and <variable name= “BlockPhishing”> in the Kerio Anti-spam table to 0 (zero).
However, this is often not desirable, but since this mechanism can sometimes incorrectly block legitimate emails, please refer to Legitimate Emails Rejected as Malware or Phishing Spam to remove the false detection from them, if that is the case.
Refining your Anti-Spam Filters
As there are a number of complex systems working together to produce the anti-spam protection within Kerio Connect, there is no "one size fits all" configuration that will work for every environment. Especially true when you are just beginning to Train your SpamAssassin database, the exact settings to meet your needs will organically settle after you have used the filters for some time.
While there are no "best settings" it is generally best to use all of the tools at your disposal and curate their values based on the responses that you get back. If you have licensed the Kerio Advanced Antispam filter, you can further refine the contributions from Bitdefender and the default SpamAssassin filter over time. Consider the following throughout your refinement of the filters:
Kerio Connect requires that you have at least one spam filter on at all times. For customers that do not have the Advanced Antispam filter (Bitdefender) licensed, the Spam Assassin filter is always enabled. For customers that do have it licensed, they can choose to have only one of the two enabled or both.
- If SpamAssassin has learned a lot of messages and you feel that it is generally accurate on adding/removing scores, then you may not need the Bitdefender filter to contribute quite as much to the overall score.
- On the other hand, if the Bayesian filter has not learned enough or you do not feel it is accurate in adding/removing score, you can increase the contribution of the Bitdefender filter as it uses much more complex calculations.
- You can initially expect a higher number of false positives and negatives while you work to find the exact values.
That said, there are some initial "best practices" to keep in mind when using the available Anti-spam features within Kerio Connect, as well as a clear method for making informed decisions about the settings you settle on.
Recommended Starting Settings
During the initial configuration of your Anti-Spam settings, remember that you will likely need to re-adjust the values. For this reason, it can be useful to set a reasonably low "Tag Score" and a relatively high "Block Score." This will ensure that only the most suspicious emails are outright blocked while allowing you to more directly begin training your Bayes filter via the Spam and Not Spam buttons.
In addition, you should consider making use of a specific "Quarantine address" in order to capture any of the flagged spam messages that would normally meet your defined "Block Score." This will provide you with a safe location to retrieve any of the legitimate emails that were "false positives."
For the specific filter settings, it is generally recommended to utilize both Bitdefender and SpamAssassin. As noted above, with a fresh Bayes filter, you will likely want to rely more on the Kerio Anti-spam feature until SpamAssassin has been able to learn from at least 200 Spam and 200 Ham.
Unless you have a specific reason to disable the feature, you should consider using the default Spam Repellent settings. Similarly, the default Blacklists provide a low-effort method for blocking known spammers with the default settings.
All of the other settings are generally very environment-specific, but if you intend to fully harden the security of your Mail Server, you can consider implementing Security-focused DNS Records alongside using CallerID and SPF.
Monitoring Spam and Ham
With your initial starting settings defined, you will now need to spend some time reviewing the messages that are getting flagged as Spam and Ham to confirm that the values assigned are correctly dialed in. As noted above, it is entirely expected that you will see a few false identifications at the beginning while your Bayes filter is learning.
From the Spam logs, you are able to get a high-level look at how close to your defined threshold a received email is:
In many cases, this alone will not be sufficient to understand why the filters blocked a particular email. To get a closer, more refined look at the causes of an email being flagged you can make use of the Debug Log Messages - Spam Filter, SpamAssassin Processing, and Kerio Anti-spam Processing:
As an example of monitoring the results of the two filters to refine these, below you can see the log results for an "Obvious Scam Email." This shows the benefit of using a balanced approach with both the SpamAssassin and BitDefender filters and refining these over time. The email in question:
Consider the following:
- This email was sent from a known-good sender (an alternate email for the recipient).
The email uses "known scamming" tactics, such as ALL CAPS in the title and anonymous links.
- Note that the suspicious-looking link is actually just a shortened Bit.ly link to Google.com.
- The Anti-Spam filters are using the same "starting point" settings above, but the Bayes filter has already trained on a large number of "Not Spam" emails from this same sender.
Bitdefender identified this as Spam due to the obvious scam tactics:
SpamAssassin identified this as Ham due to its past training:
Yet, the final result shows the message being blocked:
In this situation, as the Bayes Filter is actually fairly well trained, you might consider decreasing the contribution of the Kerio Anti-Spam filter to rely on SpamAssassin more: