This article describes measures that reduce the amount of image-based spam that NEP does not block with its default settings. These measures also reduce the amount of regular spam let through.
Note that there is no standard answer for how every configuration should be set up; this document is only a pointer. Consider each step against your particular environment. The safest approach is to perform one step at a time and monitor the effect before performing any additional steps, which makes troubleshooting and rollback easier should a step cause undesired results.
Table of contents in this article:
- Before you start
- SURBL
- Real-time Blacklist
- SPF
- Reverse DNS-lookup
- Sieve scripts
Before you start
- Make sure you have the latest version of NEP. Version 4.35 (build 480) was much improved at catching image-spam compared to previous versions. You can check which version you are running under Help -> About in the console.
The latest versions can be found by following this link.
If you are using the NetProtector 3000, use this link.
- Make sure that the spam let through is actually processed by NEP. One might forget to block direct access to the old mail-server via port 25, making it possible to circumvent NEP and send mail directly to your server. You can verify this by checking the headers in the mail: NEP will leave a Received: header.
- If any of the steps involving DNS are applied, it is recommended to enable the option “Use high performance DNS client” found under System -> Settings -> Advanced in the console.
SURBL (Spam URL Real-time Blocklist)
Advantages:
- Blocks mail by comparing all embedded URLs with a provided list.
- Causes large amounts of spam containing links to be blocked.
- Also blocks certain variants of image-spam.
Disadvantages:
- Legitimate mail containing spam-related URLs will be blocked.
Setup:
- Go to Anti-Spam -> Preferences -> SURBL (SpamLinks)
- Check “Enable SURBL”
- In the SURBL Server list, highlight each desired server and click Enable
(see www.surbl.org for more info)
NOTE: If you enable the multi.surbl.org server, it will include all the other predefined servers in the list. Enabling multiple lists may cause a delay in scanning, so consider using multi.surbl.org if you can.
- Click Apply
- Restart the MODUSCAN service under System -> Services for the changes to take effect.
Real-time Blacklist
Advantages:
- Will block many servers used by spammers.
Disadvantages:
- Can cause false positives if you add a bad or poorly maintained server to the list.
- Adding a slow RBL server may cause unnecessary delays.
Setup:
- Go to Security -> Real-time Blacklist
- Check “Perform a look up for the SMTP host in the Real Time Black List”
- Click RBL Servers
- Click Add and enter the server you wish to add to the list
- Click Apply
- If you wish to add multiple servers, repeat steps 4 and 5
- Restart the SMTPRS service under System -> Services for the changes to take effect.
Notes:
- If you want authenticated users to bypass the RBL check, you need to uncheck “Perform RBL check after mailbox authentication”
- If you have trouble with connection from certain servers, add them to the exclude list.
RBL Servers:
- Norman does not maintain or claim responsibility for any RBL servers, but in our experience, the following servers should be safe to add to your RBL:
- sbl-xbl.spamhaus.org (recommended)
- sbl.spamhaus.org (only if you do not use sbl-xbl.spamhaus.org)
- xbl.spamhaus.org (only if you do not use sbl-xbl.spamhaus.org)
- combined.njabl.org (This blocks dynamic IPs. It may cause issues with certain small, improperly configured servers.)
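To make the mechanism behind the RBL setting concrete, the following added example (not NEP code) shows what a lookup does: the connecting host's IPv4 address is reversed and queried as a name under each RBL zone, an answer in 127.0.0.0/8 means "listed", hosts on the exclude list are never queried, and a zone that times out (the delay the Disadvantages section warns about) is skipped rather than blocking mail flow. The DNS answers are a constructed table, and slow-rbl.example is a hypothetical zone used only to demonstrate the timeout path.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# A resolver takes a DNS name and returns its A record as a string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBLs answer listed hosts with a loopback address


def rbl_query_name(ip: str, zone: str) -> str:
    """Reverse the SMTP client's IPv4 octets and append the RBL zone,
    e.g. 192.0.2.5 against sbl-xbl.spamhaus.org -> 5.2.0.192.sbl-xbl.spamhaus.org"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # validates the address first
    return ".".join(reversed(octets)) + "." + zone


def check_rbl(ip: str, zones: Iterable[str], exclude: Iterable[str], resolve: Resolver) -> str:
    """Return 'excluded', 'listed:<zone>:<code>' or 'clean' for one connecting host."""
    if ip in set(exclude):
        return "excluded"          # the console's exclude list skips the lookup entirely
    for zone in zones:
        try:
            answer = resolve(rbl_query_name(ip, zone))
        except TimeoutError:
            continue               # a slow RBL only delays delivery; treat a timeout as 'not listed'
        if answer and ipaddress.IPv4Address(answer) in LISTED_RANGE:
            return f"listed:{zone}:{answer}"
    return "clean"


# Constructed answer table standing in for DNS: 192.0.2.5 is listed on sbl-xbl, 198.51.100.7 on nothing.
FAKE_DNS = {"5.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.2"}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for a DNS resolver; slow-rbl.example is a hypothetical zone that never answers."""
    if name.endswith(".slow-rbl.example"):
        raise TimeoutError(name)
    return FAKE_DNS.get(name)


ZONES = ["slow-rbl.example", "sbl-xbl.spamhaus.org"]

if __name__ == "__main__":
    for host in ("192.0.2.5", "198.51.100.7", "203.0.113.9"):
        print(host, check_rbl(host, ZONES, exclude=["203.0.113.9"], resolve=fake_resolve))
```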
SPF (Sender Policy Framework)
Advantages:
- Forged emails will be blocked if they claim to originate from a domain that publishes an SPF record.
Disadvantages:
- Mail from a legitimate server might be blocked if the IP-address of the server is changed without updating the SPF-record accordingly.
Setup:
- Go to Security -> Sender Validation & Accreditation
- Check “SPF Support”
- Click Apply
- Restart the SMTPRS service under System -> Services for the changes to take effect.
Reverse DNS
Advantages:
- Spam is normally sent from fake mail servers that do not have reverse DNS properly configured. Enabling this option will block these connections.
Disadvantages:
- Mail-servers that have no reverse DNS, or whose MX-record does not correspond to the IP-address, will be blocked.
Setup:
- Go to Security -> Sender Validation & Accreditation
- Check “Perform a look up for the SMTP host in the DNS”
- Check “Reject Connection Immediately On Lookup Failure”
Warning: This will cause IPs without reverse DNS to be blocked. (Uncheck this option if it causes problems.)
- Click Apply
- Restart the SMTPRS service under System -> Services for the changes to take effect.
Sieve script
The following script will stop a lot of image-based spam. Please note that this should be used with caution as it could cause quite a few false positives.
# Sieve extensions used: "body" for the body tests, "regex" for the :regex match type
require ["body", "regex"];
if allof
(
    # 1. small message: image-only spam is rarely larger than this
    size :under 30K,
    # 2. the raw body references an image (:contains is case-insensitive by default)
    body :raw :contains [ "<IMG", ".gif", ".jpg", ".jpeg", ".png" ],
    # 3. an inline image is referenced by a cid: URL whose Content-ID carries a domain name
    body :raw :regex [ "cid:[a-zA-Z0-9_\\-\\.]+@[a-zA-Z0-9_\\-]+\\.[a-zA-Z]{2,}" ]
)
{ discard; stop; }
The logic behind the script:
If the message is less than 30KB in size, has an image in the body of the message, and contains a cid: reference (the Content-ID URL used to embed an inline image) whose right-hand side looks like a domain name, then discard it.
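The same three tests re-implemented in Python, as an added example that is not part of the original article, so the rule can be tried against saved messages before it is enabled as a custom filter. The two messages are constructed: one image-only mail with a domain-style Content-ID that the rule discards, and one Outlook-style inline image whose Content-ID has no domain and is therefore kept.

```python
import re

# Constants mirror the Sieve rule on this page
SIZE_LIMIT = 30 * 1024                                     # size :under 30K
IMAGE_MARKERS = ["<IMG", ".gif", ".jpg", ".jpeg", ".png"]  # body :raw :contains
CID_DOMAIN_RE = re.compile(                                # body :raw :regex
    r"cid:[a-zA-Z0-9_\-\.]+@[a-zA-Z0-9_\-]+\.[a-zA-Z]{2,}")


def raw_body(raw_message: bytes) -> bytes:
    """body :raw works on the undecoded text after the header block."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in raw_message:
            return raw_message.split(sep, 1)[1]
    return b""


def matches_image_spam_rule(raw_message: bytes) -> bool:
    """True when all three Sieve tests hold, i.e. the rule would discard the mail."""
    if len(raw_message) >= SIZE_LIMIT:
        return False
    body = raw_body(raw_message).decode("latin-1")
    # :contains uses the i;ascii-casemap comparator by default, so compare case-insensitively
    has_image = any(m.lower() in body.lower() for m in IMAGE_MARKERS)
    has_cid_domain = CID_DOMAIN_RE.search(body) is not None
    return has_image and has_cid_domain


# Constructed sample 1: image-only spam whose inline image has a domain-style Content-ID
SPAM_SAMPLE = (
    b"From: promo@sender.example\r\nSubject: special offer\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html\r\n\r\n"
    b'<html><body><img src="cid:offer.gif@sender.example"></body></html>\r\n'
    b"--b1\r\nContent-Type: image/gif\r\nContent-ID: <offer.gif@sender.example>\r\n\r\n"
    b"GIF89a...\r\n--b1--\r\n"
)

# Constructed sample 2: an Outlook-style inline image; its Content-ID has no domain name
LEGIT_SAMPLE = (
    b"From: colleague@corp.example\r\nSubject: chart\r\n"
    b'Content-Type: multipart/related; boundary="b2"\r\n\r\n'
    b"--b2\r\nContent-Type: text/html\r\n\r\n"
    b'<p>See chart:</p><img src="cid:image001.png@01C70D4F.2A3B1C40">\r\n'
    b"--b2\r\nContent-Type: image/png\r\nContent-ID: <image001.png@01C70D4F.2A3B1C40>\r\n\r\n"
    b"\x89PNG...\r\n--b2--\r\n"
)

if __name__ == "__main__":
    for name, sample in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, "-> discard" if matches_image_spam_rule(sample) else "-> keep")
```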
Setup:
- Go to Anti-Spam -> Custom Filters
- Click Add
- Enter a name and a description
- Enter the above mentioned script in the main window
- Click Compile
- Click OK
- Select the script in the list and click Enable.
- Restart the MODUSCAN service under System -> Services for the changes to take effect.