With some large providers you can sign up for reporting to find out details about spam reports from their users related to you. Here's the one for outlook / Microsoft.

• https://postmaster.live.com/snds/JMRP.aspx

How to define an SPF record for my domain

Add this as a 'txt' record for you email domain, e.g. example.com  

In addition you should probably add a DMARC record to tell other servers to enforce spf for your domain:

So add the dns entry:  _dmarc.your.domain
A  'txt' record containing:     "v=DMARC1; p=reject; aspf=r; adkim=r"

Turn on DKIM

The post Sending Email to avoid Spam Filters - best practices. appeared first on SurgeMail.

Upgrade to our current release

• Download the latest release
• Use the config checker in the web admin tool and apply recommended settings.

Find the hacked account.

• tellmail send_top
• tellmail showq
• search rbl website http://multirbl.valli.org/

Use this command to list the top senders, usually the last 1-2 listed will be the hacked accounts.

tellmail send_top

Next examine msg*.rec log entries for these accounts, and find the 'Subject' of the sent messages, does it look like spam? If so disable the accounts in question (or change their passwords).

Next use:

tellmail showq

This will list message waiting to send, again this may help you identify problem messages/senders.

You may wish to use the command 'tellmail delete_contains SOMESPAMCONTENT' to delete queued messages that the spammer was trying to send.

Lastly search an RBL website to see if you have been blacklisted, if so, then for each blacklisting you need to contact the rbl and ask to be removed (at least for those that are not automatic).

http://multirbl.valli.org/

Check for accounts with weak passwords

Lastly you should run this command to find any accounts with trivially crackable passwords.

    tellmail test_weak

We've built a faster more extensive password checker into nwauth, if you have the latest version of it you can do this:
    nwauth -version
    +OK nwauth 4.3e capa=cluster2       
    nwauth -testweak
    +DATA Info: testing for 999 common passwords, pass 1
    +DATA Cracked: crack2@xyz.com
    +DATA Info: testing for variations on common passwords, pass 2

Settings to enforce better passwords:

Stop phishing!

Add this setting: Version 7.6 required.

setting g_phish_block "true"

This will replace url's in messages that are 'not' from friends, with a link that goes to your own mail server and warns the user not to proceed, the warning page then gives them the original link, and two links to websites to analyze the link. As well as a button to whitelist that domain in future.

Find forwarding accounts

Use this command to find all user accounts with a forwarding setting, these could result in your server being blacklisted and should be inspected or removed.

tellmail find_users "*" fwd "*"

Register for feedback.

Some systems like Google/Yahoo etc may allow you to register to get reports of spam coming from your server, registering with these services will give you a good heads up on details of the spam and make it much easier to resolve the origin account on your system.

Reading msg*.rec log entries.

Log entries for an incoming message look like this:

 9 21:35:30[130766127] Rcpt 208.117.50.44 <return@address.com> <myaccount@fake.co.nz> 0  ""  9 21:35:31[130766127] Received 208.117.50.44 return@address.com <myaccount@fake.co.nz> 120395 <XJkzvvWDQXeUsz7INbIxGQ@ismtpd0003p1lon1.sendgrid.net> "Relay=islocal, nrcpt=1, f="Booking.com" <email.campaign@sg.booking.com>, s=[Chris - Whakapapa Village and Adelaide! There's a deal with your name on it!]"  9 21:35:32[130766127] Aspam 208.117.50.44 return@address.com <myaccount@fake.co.nz> 120395 <XJkzvvWDQXeUsz7INbIxGQ@ismtpd0003p1lon1.sendgrid.net> "notrust *****: 5.8 sd=5.8 l=0.00 nok=2/0 m=2 nf=0 Close 0.05(X-SpamContent:clean) 0.95(X-myrbl:Color=brown) 0.91(isclickimage2) 0.82(isclickimage1) 0.20(X-Phrase:clean) 0.37(dkimok) 0.37(genuine) 0.60(spfpass) 0.46(X-NotAscii:utf) 0.53(X-LangGuess:English) 0.49(X-Verify-Helo:+OK) SanScore 0.0 5.8 Sval 5.8"  9 21:35:32.00 [130766127] Spam 208.117.50.44 <return@address.com> <myaccount@fake.co.nz> 120395 <XJkzvvWDQXeUsz7INbIxGQ@ismtpd0003p1lon1.sendgrid.net> "[o4.sg.booking.com] SpamDetect"  9 21:35:32.00 [130766127] Stored 208.117.50.44 <return@address.com> <myaccount@fake.co.nz> 120395 <XJkzvvWDQXeUsz7INbIxGQ@ismtpd0003p1lon1.sendgrid.net> "[o4.sg.booking.com] Stored locally /home/surgemail/netwin.co.nz/hc/gf/chrisp/mdir/new/1470796532.2114_15646.netwin.netwinsite.co" Cpu time used      0 cpu seconds

For an outgoing message it looks like this:

 9 21:39:48[130766226] Rcpt 115.188.8.177 <myaccount@fake.co.nz> <user@destination.com> 0  ""  9 21:39:49[130766226] Received 115.188.8.177 myaccount@fake.co.nz <user@destination.com> 566 <6a197213-738a-76f8-44d7-3e98ddb34224@netwin.co.nz> "Relay=smtpauth=myaccount@fake.co.nz, nrcpt=1, s=[test]"  9 21:39:49[130766226] NOSPAM 115.188.8.177 myaccount@fake.co.nz <user@destination.com> 566 <6a197213-738a-76f8-44d7-3e98ddb34224@netwin.co.nz> "trusted origin so skipping spam filtering g_smite_skip_relay"  9 21:39:53.00 [130766226] Sent 115.188.8.177 <myaccount@fake.co.nz> <user@destination.com> 566 <6a197213-738a-76f8-44d7-3e98ddb34224@netwin.co.nz> "[115-18-8-177.jetstream.xtra.co.nz] Delivered to remote host 12.9.234.50 used SSL - 250 message sent ok " 

In both cases the line you want when hunting a hacked account is the 'Received' entry, this shows you why the message was accepted by your server.

• smtpauth=user@xyz.com (The user gave valid smtp auth credentials, which are listed.)
• g_relay_allow_ip (The sender is from a trusted ip address you have listed)
• islocal (The message is to a local account/domain, or was being forwarded by one)
  

To find this look for the Relay=... text in the line, e.g. in this example the message is relayed because the sender authenticated correctly as myaccount@fake.co.nz

 9 21:39:49[130766226] Received 115.188.8.177 myaccount@fake.co.nz <user@destination.com> 566 
   <6a197213-738a-76f8-44d7-3e98ddb34224@netwin.co.nz> "Relay=smtpauth=myaccount@fake.co.nz, nrcpt=1, s=[test]"

The number in square brackets lets you find all related log entries, e.g. search on 130766226 in the above example

In some cases you will need to find events just before a log entry, to find what caused the message to be sent, to do this search on the date and time, e.g. "9 21:39:4" in the above example...

Settings to help auto detect spammers.

One or more of your users will have their account hacked and abused to send spam sooner or later, you can make it much harder, and you can detect it and stop it early using these settings and policies.

# Login guesses per IP before it is automatically and permenently locked out.   Use tellmail unlock ip.address to fix...
G_HACKER_MAX "10"   

# If hacker attempts to login to one of these then the ip is instantly locked out.  (Don't use accounts that exist)
G_HACKER_POISON "root@*,administrator@*"

# Only allow smtp logins if the user has previously logged in via imap/pop from the same address
G_SAFE_SMTP "true"

# Alert users when logins occur from unknown addresses that are not from australia or usa...
G_SAFE_WARNING "true"
g_safe_country "us,au"
 
# Max messages an authenticated user can send per 30 minutes, e.g. 5000
G_SPAM_USER_MAX "2000"

# Max outgoing messages per ipaddress/return path pair, 30 minutes, e.g. 5000
G_SPAM_FROM_MAX "2000"

# Detect local users sending 'spam like' email and send a report to the manager.
G_OUTGOING_N "5"

# White list for people you know send mail that looks a bit dodgy.
G_OUTGOING_WHITE "bob@here.com,1.2.3.4"

# send manager an  email if a local user sends more than 300 message in a day...
G_USER_SEND_WARNING "300"
g_user_send_ip "300"

# Apply some more strict password checking, and alert users with simple passwords...
G_CREATE_PASS_DIGIT "true"
G_CREATE_PASS_RECHECK "true"
G_HACK_TOUSER "true"

Settings to stop spoofing/forging of your domains.

1. Turn on SPF and DKIM and DMARC for all your domains.
2. Consider some of the below settings, some may cause false positives (blocking real email) so use with caution.
3. Use the config checker!

g_dmarc_use "true"
g_dmarc_enforce "true"
g_spf_nofriend "true"
g_friends_obey_spf "true" 
g_spf_enforce_local "true"
g_friends_obey_spf "true"
g_friends_local_match "true"
g_friends_spf "true"    # requires 7.3p-36 
g_from_stamp "true"    # stamp forgeries in the spam headers but don't actually stop them. 
                       # alternative is g_from_bounce setting (not recommended)

Optional settings depending on your tolerance for bouncing real messages.

g_from_exact "true"  # Bounce if the from doesn't match the authenticated sender
g_from_noforge "true" # Block some types of from forgery.
g_from_noforgeme "true" # checks for the special case of 'from=to' 
g_from_check "true"  # enables some checking of the from address.
g_from_nofriend "true"  # prevent friend matches for apparently forged return addresses.  

The post Find and stop spammers and hackers appeared first on SurgeMail.

How to configure rules:

• Simply create a file called mfilter.rul in the SurgeMail home area (as defined in SurgeMails config)
• Use the test command via the SurgeMail admin interface to check that your filter works as expected
• Please note that "local.rul" should be used for adding scoring for ASPAM not mfilter.rul.

Tracing problems

If you have problems getting mfilter to run you can use these two settings in surgemail.ini, they will provide logging to show exactly what is going on.

g_mfilter_trace "true"
g_mfilter_noisey "true"

then examine 'mail.log' after sending in a test message.

Syntax Of mfilter.rul File

There are 6 valid statements in a rule file:

Assignment
Action
if (Conditional_Expression) [and (Conditional_Expression)...] Action
else
end if
call built_in_function()

Assignment

$variable_name = "quoted string" [+ "quoted string" [+ $variable ...]]
$variable_name = function()

Action

accept "reason" | bounce "reason" | drop "reason" | forward "user@domain" | then | setflag("flagname") | clearflag("flagname")

Conditional Expression (if, else, end if)

Any pre-defined function, e.g. isbinary()
isin("subject","free pictures")
Numeric comparisons, e.g. lines()>100
Simple NOT operator, e.g. if (!isbinary()) reject "Only binaries allowed here mate!"
Calculations are NOT permitted, e.g. lines()+10 would fail

Recipients block for processing individual recipients

A single mail message may have many recipients, and in many cases the actions of your spam filter should vary depending on the recipients (you might, for example, want all messages to your account to get through even if the same message would be blocked if sent to any other user).

The recipient block (recipients...end recipients) is processed once for each recipient of the message.

Inside the 'recipients' block there is a dummy variable defined 'recipient' which is the specific recipient in question.

All the action's (except, bounce, drop) refer to the recipient only, not to the entire message, so when one of those actions that normally terminates message processing is encountered (accept, bounce, drop, etc) instead the action is applied only to that recipient and the recipient block is restarted with the next recipient defined.

(Example of mfilter rule to do processing 'per recipient')

recipients
       if (isin("recipient","manager@this.domain")) accept "Always accept for me        so spammers can talk to me"
       if (isin("recipient","sales@your.domain")) then
       	if (isin("subject","order")) then
       		# Make a Duplicate of sale order
       		call forward_cc("sales_copy@your.domain")
       	end if
       end if
end recipients 

Miscellaneous

Line Continuation

Lines can be continued by ending the line in a '\' character

Quoting Strings

All strings and header names should be within double quotes, sometimes you may get away without doing this, but we don't guarantee this will work in future. e.g. use: exists("Supersedes") not exists(Supersedes); quotes can be escaped in the usual way, e.g. "This \"Word\" has quotes around it"

Assignments

Assignments are processed at compile time, variables DO NOT exist at run time. Do not think of this as a programming language, but rather as a list of rules that are processed with each incoming message. Real run-time variables only exist in the form of the ifflag("xxx") function and the setflag("xxx") action.

For example, the following is NOT VALID, as the assignment is processed before the rules are run. The rejection would always read "big message"

$fred = "small message"
if (lines()>100) then
   $fred = "big message" (this will not work as expected)
end if
reject $fred

Odd stuff

The statement 'do_bounce_fast' should appear at the end of your mfilter.rul file, and it is used by the rexp_fast() rules. rexp_fast acts just like rexp() but it is much faster because it searches the message once for all of the rules in question, each rule must start with two simple non 'regular expression' characters. This enables mfilter to generate a hash table of all the regular expressions it's going to search for and then it can efficiently apply only the ones that appear to match as it runs through the message. Also rexp_fast includes the score to apply if the message matches the rule.

Actions & Commands

Actions

accept"reason" (Terminates processing)
bounce "reason" (Terminates processing)
reject "reason" (same as bounce)
forward "reason" (Terminates processing) (redirect is a synonym for this action)
print "reason" (Prints debugging line to log file mail.log)
setflag("flagname") "reason"
clearflag("flagname") "reason"

Functions that have actions but must be proceeded by the 'call' action as they are really functions and must be on a line of their own (not on the end of an if statement)

call forward_cc("new@email.address)
call replace("header_name","wildcard_match_pattern","replacement_pattern")
call report("manger@email.address","subject of message")

Builtin Functions

call add_header("Header: header information")
allmod()
exists("header")
head_len("header")
isbase64()
isbinary() )
isencodedhtml()
(isencodedtext()
isencodedurl()
isflag("flag-name")
ishtml()
isimage()
isin("header","string-not-case-sensitive")
lines()>3)
match("header","wildcard")
matchall("header","wildcardlist")
matchone("header","wildcardlist")
rexp("header","regular-expression")
size()
call spamdetect(n,"reason")
call spawn("d:/surge/filter.exe $FILE$")

New Functions

time_hour() - returns the 'hours' 0-23, useful for rules that apply at different times of day
time_min() - returns the minutes
isimage() - True if message contains an image
isjpg() - True if message contains a jpeg image
ispdf() - True if message contains a pdf file
image_size() - Approx size of image in bytes
nimage() - Approx number of images found in message
islocal() - Message is to a local user not an outgoing message
isloggedin() - Message is from a logged in local user
is_dayofweek("monday,tuesday") - True on those days of the week.

Notes

The "header" parameter can be any normal header, such as "Subject", "From" or "To". However, the are some additional pseudo-headers than can also be used as parameters in any function which takes a "header" parameter:

"head": refers to the entire message header.
"body": refers only to the message body (after any necessary decoding)
"urls": refers to any urls found in the body

Function Descriptions

call add_header("Header: header information")

Used to add a header to a message. eg

if (isin("x-spamdetect","****") then
call add_header("X-MailScanner-SpamCheck: LEVEL=****")
end if 

NOTE: This will cause bounces if used in local.rul or simple.rul, it can only be used in mftiler.rul

Requires Version 3.8 or later.

allmod("header")

This returns true if all the newsgroups in the specified header are moderated.

exists("header")

This is true if the header exists in the message and is non zero in length, eg: if (exists("supersedes")) then reject "We don't like supersedes headers"

head_len("header")

Returns the length of the named header, e.g.

if (head_len("date")>60) bounce "Naughty message"

isbase64()

This is true if the message appears to contain base64 binary encoded data.

isbinary()

This is true if the message has binary data either base64 encoding or uuencoded data.

isencodedhtml()

This is true if the message appears to contain MIME or uuencoded HTML instead of plain text data.

isencodedtext()

This is true if the message appears to contain MIME or uuencoded text data.  This will always be true if isencodedhtml() returns true.

isencodedurl()

This is true if the message appears to contain an uuencoded URL reference.

isflag("flag-name")

Used to check whether a flag variable has been defined as true. This can be done with the setflag("flag-name") action, e.g.

if (size()>100000) setflag("bigitem")
if (isimage()) setflag("bigitem")
if (isflag("bigitem")) reject "It was a big item or had a picture in it"

ishtml()

This is true if the message appears to contain HTML instead of plain text data.

isimage()

This is true if the message appears to contain a picture (either MIME or uuencoded)

isin("header","string-not-case-sensitive")

This is a simple 'content' searching function if the named header contains the string (a non case sensitive match is used) eg:

if (isin("Subject","Free"))
reject "Probably a spammer selling something"

This would reject a message containing a subject of "Get your Free pictures here" it would also reject a message containing a subject of "Is there any real freedom in the world?" so it's probably not a good rule

lines()

This returns the number of lines in the message.

match("header","wildcard")

This function applies a simple wild card matching algorithm as is typically used to match file names, eg:

match("From","*@netwin.co.nz*")

would match against a message from that domain.

matchall("header","wildcardlist")

Used for matching a single wild card against a header which contains a list of values, like Newsgroups:, Path: etc..., The match is TRUE only if all entries in the list match, eg:

if (matchall("Newsgroups","news.filters.*")) accept "It is only in the filters list so we will accept it"

matchone("header","wildcardlist")

Identical to the above function but returns 'TRUE' if any match occurs.

rexp("header","regular-expression") This function searches the named header for a regular expression, the matching is not case sensitive, use rexp_case() for a case sensitive version.

rexp_fast(spamdetect_score,"regular expression ","comment for spam header")

This is just like rexp, but it does the search more efficiently, the first 2 characters of regular expression must be plain ascii (not a regular expression) if it's found in the body of the message then the score is added to the spam_detect header

size()

Returns the size in bytes of the current message can be used with > and < operators.

call spamdetect(n,"reason")

This function can be used to mark a message as possible spam, the 'n' is a (floating-point) number and each time this function is called for a message the total is increased, then finally a header is added to the message;

X-SpamDetect: <stars>: <score> <reason1> [reason2 [reason3 ... ]]

<stars> is a string of n stars, where n is the total score (capped at 20)
<score> is the total spam score

The idea is that users can then set their mail clients to filter messages based on this pseudo header. For instance, filtering any message with "******" in its X-SpamDetect header will throw out any message with a score of 6 or more.

Please note that "local.rul" should be used for adding scoring for ASPAM not mfilter.rul.

call spawn("program.exe $FILE$")

This function runs a program on each message the $FILE$ macro is replaced by a temporary file name containing the actual mail message. The return value of the program (return n; in main() function) is returned by this 'spawn' function, so it can be used to filter the message or allow it to continue. eg:

if (spawn("d:/path/xfilter.exe $FILE$")) reject "That was spam according to xfilter" 

NOTE: The mfilter is only passed the first 14k of each message, and so the spawned program also only gets the first 14k not the entire message.

Actions

accept "reason"

Accepts the current article reporting the "reason" specified in the log files.

clearflag("flag-name")

Used to set the specified flag variable to the false state.

forward "remote@address.com"

Forwards the message to the specified address and terminates processing.

call forward_cc("new@email.address")

Sends the current message to this new Email address in addition to any existing destination users.

reject "reason" (or bounce "reason")

Rejects the current article reporting the "reason" specified in the log files and to the user

call replace("header_name","wildcard_match_pattern","replacement_pattern")

If the named header matches the 'wildcard_match_pattern' then the replacement pattern is applied, e.g.

replace("from","*@*.domain.name","BOB_%1@%2.other.name")Subject: "joe@this.domain.name"Would be translated to:Subject: "BOB_joe@this.other.name"

call report("manger@email.address","subject of message")

Sends an Email, including the top part of the offending message, to the specified person, with the specified subject. This is intended when you want to be alerted to something but don't want to simply forward the message itself which may be 'confusing' as it would look like the message had been sent to the manager directly.

setflag("flag-name")

Used to set the specified flag variable to the true state.

Regular Expression Syntax - In Brief

Please note you need to escape spaces in this implementation.
eg:

sweepstake lottery / international program
sweepstake lottery/ international program
sweepstake lottery /international program

So what you want is this. Just put slashes in front of the spaces.

sweepstake lottery( / | /|/ )international program

if (rexp("subject","sweepstake lottery(\ /\ |\ /|/\ )international program")) bounce "a"

\s = white space
\S = not white space
\d = digit
\D = not digit
\b = word boundary
\B = not word boundary
\x00 = Hex character

. (period) represents any one character.
[] (brackets) contain a set of characters from which a match can be made. It corresponds to one character in the search string.
\ (backslash) is an escape character which means that the next character will not have a special meaning.
* (asterisk) is a multiplier. It will match zero or more of the previous character. (Note: it is not a wildcard character as in file names.)
? (question mark) is a multiplier. It will match zero or one of the previous character. (Note: it is not a wildcard character as in file names.)
+ (plus) is a multiplier. It will match one or more of the previous character.
{} (squiggly brackets) contain a number which specifies an exact number of the previous character, or range {2,3}
[^] (brackets containing caret and other characters) means any characters except the character(s) after the caret symbol
in the brackets.
^ (caret) is the start of the line.
$ (dollar) is the end of the line.
(Note the following \< \> (begin and end word) are not implemented, use \b instead)

[:alpha:] represents any alphabetic letter.
[:digit:] represents any single-digit number.
[:blank:] represents a space or tab.

Lookahead operator
Free(?!dom|bsd) matches freesex but not freedom or FreeBSD

OR operator
| (pipe) is OR. It requires that the joined expressions have parentheses around them.

Examples:

e.a matches eta, eda, e1a, but not Eta
[eE].a matches eta and Eta
E.*a matches Eudora, Etcetera, Ea
ho+p matches hop, hoop, hoooop, but not hp
etc\. matches etc. but not etc

Example rule file:

$sex = "fuck|xxx|sex"
$free = "free(?!dom|bsd|nix|serve)"
$pics = "pi[cx]"
$free_pictures = $free + $pics
$bad_guys = + "|freepictures|jus.?.?\.doi.?.?\.to|great\.site|webbinaries" \
          + "|yad.?.?.?\.ion.?.?\.org|freehidden|joy.?.?\.to.?.?\.al|from.?behind" \
          + "|love(youhon|ergirl|chatting|stofuck)|forever\.yours|\@ju.?.?\.sex|town.\girl|beachbums" \i

# Do some processing which is specific to individual recipients
recipients
        if (isin("recipient","manager@this.domain")) accept "Always accept for me so spammers can talk to me"
        if (isin("recipient","sales@your.domain")) then
                if (isin("subject","order")) then
                        # Make a Duplicate of sale order
                        call forward_cc("sales_copy@your.domain")
                end if
        end if
end recipients

# Check for some known spammers and naughty subjects
if (rexp(subject,$free_pictures)) bounce "No emails about free pictures"
if (rexp(from,$bad_guys)) bounce "No emails from black listed people thanks"

# Strip local node names from from addresses:
call replace("From","*@*.parts.co.nz","%1@parts.co.nz")

accept "Great, we liked the message"

Example 2:

We want to block any message that has been found in SURBL database. We will use the exists function to check if that header exists.

if (exists("X-Surbl")) reject "Your SPAM is not wanted here."

You can easily change that to drop the message silently if you prefer

if (exists("X-Surbl")) drop "SURBL SPAM is not wanted here." 

(The reason will be logged so still important to put there)

Example 3:

We want to block any message with no subject header. SurgeMail adds a subject header if it is missing so we have to match on the text that SurgeMail adds.

if (isin("Subject","(No subject header)")) bounce "No Subject header"

Example 4:

We want to block any message with an empty subject header.

if (head_len("Subject")<1) bounce "Emtpy Subject header"

Example 5:

I have a user fred in one of my local domains localdomain.com I only want him to be able to send to other users at localdomain.com and not to any other domains.

recipients
if (isin("from","fred@localdomain.com")) then
     if (!isin("recipient", "localdomain.com")) bounce "Sorry you can only send to localdomain.com"
end if 

The post Mfilter rule syntax appeared first on SurgeMail.

How users can report/train spam

1. IMap users can drop spam messages into the 'Spam' folder
2. SurgeWeb users can click on 'Is Spam'

How it works

Spam is scored based on many things (source ip address, content, history of that sender etc). Once a score is arrived at the users preferences are consulted, if the score is above the users setting then the message goes into the Spam folder, and the sender is informed so they can request delivery (if they are a human).

We recommend a system default of 10 to give reasonable results for general purpose email systems.

The post Enable Spam handling appeared first on SurgeMail.

This is useful if senders are not using smtp auth but you still want friends to be added, typically used with surgewall...

Syntax: g_friends_add_trusted bool

g_friends_allow_spf - Allow all email through as if it was a friend during temporary allow

The user click on a button to disable friends for a few hours, during this time all messages will get treated as a friend and thus bypass SPF too.

Syntax: g_friends_allow_spf bool

g_friends_always - Always use friends list.

This enables the "Add all outgoing email addresses to list" feature and always checks incoming messages against the friends list so that SurgeMail can correctly tag or filter it.

Syntax: g_friends_always bool

g_friends_at_rcpt - Whether to check users friends list at rcpt stage

This setting is automatically added/removed by the web admin when global friends defaults are configured. It allows us to check friends at rcpt stage without paying a disk access cost for non-friends users.

Syntax: g_friends_at_rcpt bool

g_friends_autodom - Auto whitelist friends based on domain/ip

This means a friend or trained message will whitelist the entire domain/ip address combination until contradicted for all users

Syntax: g_friends_autodom bool

g_friends_bounce_friend - Allow exception rules to bounce a mesesage from a friend

This setting has no further documentation currently available

Syntax: g_friends_bounce_friend bool

g_friends_bounce_rej - Reject blank return path as friends failures

This setting has no further documentation currently available

Syntax: g_friends_bounce_rej bool

g_friends_bounce_second - Bounce the next time the user sends a message if waiting for confirm still

This can make it clearer that email is not getting through to the destination

Syntax: g_friends_bounce_second bool

g_friends_byemail - Use old email based friends rejections

This restores the old beahviour, you would normally only use this if your mail server was unaccessable via http as email based rejections are not as easy to use or as reliable as web based human confirmations

Syntax: g_friends_byemail bool

g_friends_check_spf - Disable friends bounces if SPF headers missing/failed to avoid backscatter.

If the incoming message may be forged it will bounce messages using an smtp error code to deny delivery but it will allow any real sender to bypass this. This settings is good if spamcop block your domain for sending friends challenges as it cuts down on the number of such messages. This avoids backscatter

Syntax: g_friends_check_spf bool

g_friends_cleanup - Cleanup/repair large friend.lst files

This setting has no further documentation currently available

Syntax: g_friends_cleanup bool

g_friends_confirm_debug - Log sucessful friends confirmation responses

This enables us to examine suspect replies to friends confirmations for indications that they were sent by spammers or mail robots.

Syntax: g_friends_confirm_debug bool

g_friends_confirm_subject - String to use as the subject of a friends confirmation email

String to use as the subject of a friends confirmation email. Defaults to: "Please reply to ||confirm|| message and allow delivery". This value must contain the text ||confirm||, this text is replaced by the unique message id that allows SurgeMail to find the message to release eg. confirm(1150419513.1880_1180.domain). It is also advisable to place the ||confirm|| near the start of the string as some clients will truncate long subjects and any truncation of the ||confirm|| value will result in failure to release the message.

Syntax: g_friends_confirm_subject string

g_friends_daemon_ok - Accept emails from any mailer deamon

This setting has no further documentation currently available

Syntax: g_friends_daemon_ok bool

g_friends_debug1 - NEVER USE, only for NetWin testing

This makes surgemail always send an email bounce rather than a safe reject, only intended for testing bounce messages

Syntax: g_friends_debug1 bool

g_friends_default_autoadd - Default auto addition when sending (recommended)

This setting has no further documentation currently available

Syntax: g_friends_default_autoadd bool

g_friends_default_mode - Default friends mode, smite (recommended) silent, or list

Valid settings are kids,disabled,smite,silent,list. Recommended silent or smite, in silent mode no challenge email is sent, in smite mode a challenge email is sent if the score is exceeded.

Syntax: g_friends_default_mode string

g_friends_global_add - Add to a global friends list if ip matches and sender doesn't match authenticated user

Used when you wish to whitelist outgoing addresses even though the sender/reply address does not match the authenticated user (e.g. messages sent via exchange)

Syntax: g_friends_global_add string

g_friends_global_exclude - Addresses not to auto add, e.g. *@paypal.com

This is good for avoiding meaningless entries or obvious entries that people might send email to by mistake

Syntax: g_friends_global_exclude string

g_friends_ignore - List of addresses considered friends for all users on the system

List of addresses considered friends for all users on the system eg: the system manager email address

Syntax: g_friends_ignore string

g_friends_ignore_trusted - If from trusted ip still apply friends

Useful when you have a gateway that is sending to surgemail

Syntax: g_friends_ignore_trusted bool

g_friends_lang_auto - Set users language settings automatically based on observed emails from friends

This setting improves spam handling

Syntax: g_friends_lang_auto bool

g_friends_latest_headers - Friends system re-read message headers

Causes friends to re-read message headers, allowing rules based on headers added during delivery

Syntax: g_friends_latest_headers bool

g_friends_local_match - If from!=returnpath and one is local, then block friends match

This setting has no further documentation currently available

Syntax: g_friends_local_match bool

g_friends_long - In friends web release addresses use a longer url

Uses an older style link

Syntax: g_friends_long bool

g_friends_msg - Message used for friends bounce.

e.g. Delivery pending, to deliver you must send an email to

Syntax: g_friends_msg string

g_friends_msg_link - Message used for friends link bounce.

e.g. Note: Delivery will ONLY occur if you click on this link

Syntax: g_friends_msg_link string

g_friends_name - What to call the friends system

This specifies what to call the friends system when referring to it on web pages and in email to our users, you can call it whatever you like

Syntax: g_friends_name string

g_friends_obey_spf - If SPF failed then no friends match allowed for local domains

If spf failed then don't allow a friends match

Syntax: g_friends_obey_spf bool

g_friends_old_status_email - Use older status email & processing

Use status.eml instead of status_html.eml

Syntax: g_friends_old_status_email bool

g_friends_only - Friends system

An anti-spam feature which screens incoming mail to ensure it comes from a human. For incoming mail from unknown addresses a message is sent to this person requesting them to reply to confirm they are human and the original message will be delivered. See this page for more details.

Syntax: g_friends_only bool

g_friends_pending_keep - Time to keep friend pending messages

How long to store users friends pending messages before deleting them (days)

Syntax: g_friends_pending_keep int

g_friends_pending_max - Max items in pending before deleting them

The default is 10000 Items

Syntax: g_friends_pending_max int

g_friends_pending_name - The imap name of the friends_pending (and spam store) quarantine folder - should match surgeweb imap_spam_folder - default is 'Friends Pending'

This shouldn't be changed unless this feature has not been used before as it will confuse your users. Any matching folder the user has of the same name will become invisible. So at least make it something other than simply Spam!!

Syntax: g_friends_pending_name string

g_friends_pending_vanish - Enable auto-vanish of pending messages on confirmation bounce

When a bounce for a confirmation message is received we vanish it, this setting will also delete the original message.

Syntax: g_friends_pending_vanish bool

g_friends_release_wash - Clean any subject marking (ie stars) when releasing/allowing

This setting has no further documentation currently available

Syntax: g_friends_release_wash bool

g_friends_rotate - Rotate user level log file, default 30k

Set log size, the log is also rotated when a friends report email is sent (if configured)

Syntax: g_friends_rotate int

g_friends_safer - Make friends always avoid back scatter.

By using a rejection during the incoming message instead of sending an email back scatter is completely avoided.

Syntax: g_friends_safer bool

g_friends_silent - Disable friends responses to users

This setting is to simply disable the confirm emails, not generally recommended as this makes friends a bit pointless.

Syntax: g_friends_silent bool

g_friends_silent_level - If spam score above this then don't send friends message

Not generally recommended.

Syntax: g_friends_silent_level int

g_friends_skip_ip - List of ip addresses considered friends for all users on the system

This setting has no further documentation currently available

Syntax: g_friends_skip_ip string

g_friends_spam_score - Default level to quaranteen message in spam folder (Recommended 8 or 10)

This sets the default when no friends.ini file exists, a level of 8 will give best all round results, a level of 10 will stop less spam but avoid false positives.

Syntax: g_friends_spam_score int

g_friends_spf - Refine friends matching using spf/dmarc when possible

This setting has no further documentation currently available

Syntax: g_friends_spf bool

g_friends_spf_fail_bounce - Bounce SPF failures, do not send friends confirmations (Not recommended)

The default behaviour is to only send confirmations if SPF checks pass, if they fail friends checking is skipped, no confirmation request is sent and the email is not blocked by friends.

Syntax: g_friends_spf_fail_bounce bool

g_friends_status_sort - Sort friends status messages with low scores at the top

This setting has no further documentation currently available

Syntax: g_friends_status_sort bool

g_friends_testurl - Test g_friends_url and status_url and url_host work externally

Reports to manager if any fail

Syntax: g_friends_testurl bool

g_friends_url - Specify default global url for friends release http://domain.name:port

Normally the default will work.

Syntax: g_friends_url string

g_friends_warnonce - Give bounce on only the first message

This used to be the default, but it meant people thought delivery was occurring!

Syntax: g_friends_warnonce bool

The post Global Settings g_friends appeared first on SurgeMail.

This setting has no further documentation currently available

Syntax: g_from_allow_ip string

g_from_allow_to - destination user to bypass local from check

This setting has no further documentation currently available

Syntax: g_from_allow_to string

g_from_bl - Domain Based Blacklist Zones, lookups FROM domain in dns

The 'from' domain is checked against the specified RBL which must be a special 'FROM' based rbl which lists spammers by from address. Most spammers fake from addresses so this is a fairly marginally useful method.

Syntax: g_from_bl name=string stamp=string

g_from_body_bounce - Reject if local from header address is probably faked

Checks if the sender is authenticated or from an address that can relay, if not then the message is bounced if it claims to be from a local domain. One of the settings to prevent forgery

Syntax: g_from_body_bounce bool

g_from_bounce - Bounce if from is probably faked

Bounce if from address is probably faked.

This check is activated for any mail with a local domain in the from address but not using SMTP authentcation, relay allow IP address or spam allow IP address.

Syntax: g_from_bounce bool

g_from_check - Check from matches valid local domain

Check from domains match valid local domains if user is authenticated, or g_from_allow.Should be used with g_from_bounce "true" which basically forces them to authenticate and then makes this setting work properly.

Syntax: g_from_check bool

g_from_domain - Default domain for from envelope

Fixes the 'from' envelope if the email client failed to specify a domain name, this doesn't fix the from header currently but we may change that in future!

Syntax: g_from_domain string

g_from_exact - Check from matches authenticated user

Check from matches authenticated user. If user is not authenticated the setting is skipped.

Should be used with g_from_bounce "true" which basically forces them to authenticate and then makes this setting work properly.

Syntax: g_from_exact bool

g_from_force - From address for all sent messages

Used when you want to make all messages use the same valid bounce address, reply-to header will contain original from if it doesn't exist

Syntax: g_from_force string

g_from_header - From header used in delivery bounces

From header used in delivery bounces.

Syntax: g_from_header string

g_from_list_too - Also enforce from rules from lists

Doesn't allow lists to bypass forge rules

Syntax: g_from_list_too bool

g_from_must_exist - Require local from addresses to exist or reject mail

Can be useful in blocking dumb spam robots

Syntax: g_from_must_exist bool

g_from_noforge - If envelope or from is local domain then the other must be too

This can prevent many common forms of forgery, this will bounce some real email, so probably better to use the noforgeme setting instead. One of the settings to prevent forgery

Syntax: g_from_noforge bool

g_from_noforge_some - If from matches this then from/envelope must match

Prevent forgeries of important local addresses, e.g. *support*

Syntax: g_from_noforge_some string

g_from_noforgeme - If to==from then from and env from must match

This can prevent many common forms of forgery, this is safer than the noforge setting above, and generally almost as effective. One of the settings to prevent forgery

Syntax: g_from_noforgeme bool

g_from_noforgename - If from contains two addresses the domains must match

Prevents forgery where the descriptive name is a fake email address that doesn't match the real address

Syntax: g_from_noforgename bool

g_from_nofriend - If forge setting would bounce message then allow message but don't allow friend match

This setting modifies the g_from_noforgeme behaviour so it doesn't block the message but does prevent a friend match occurring

Syntax: g_from_nofriend bool

g_from_ok - Whitelist for invalid from addresses we will permit

This setting has no further documentation currently available

Syntax: g_from_ok string

g_from_relay - If not authenticated and g_relay_allow_ip matched then block if not local domain or whitelisted

This one helps prevent a local virus sending out spam. It basically says non authenticated users who can relay due to a g_relay_allow_ip rule must send from one of your domains or use smtp authentication or be in a white list. Note this test is performed on the message envelope not the body. We recommend insisting on smtp authentication to reduce your risk of this type of problem.

Syntax: g_from_relay bool

g_from_relay_white - White list of domains for g_from_relay setting

This is domains that can be used as a 'from' address for non authenticated users, in addition to local domains

Syntax: g_from_relay_white string

g_from_rewrite - Rewrite from envelope for outgoing email, e.g. *@this.domain -> %1@another.domain

This lets you change the 'from' address from an internal domain name to a valid public domain name. The change is performed on the From envelope (return path), not the from header. And the chanage does not affect the return path written in local deliveries, only outgoing email. Mfilter rules can be used to rewrite the actual message headers.

Syntax: g_from_rewrite was=string to=string

g_from_rewrite_header - Rewrite the from header as well

Replaces the From: header in the mesage with the new address.

Syntax: g_from_rewrite_header bool

g_from_rewrite_sender - Rewrite the sender header as well

Replaces the Sender: header in the mesage with the new address.

Syntax: g_from_rewrite_sender bool

g_from_stamp - Stamp if from is probably faked

Stamp message with "X-Verify-Failed:" header if from address is probably faked.

eg: X-Verify-Failed: <user@mydomain.com> From mydomain.com is local but user not authenticated or from g_relay_allow_ip

This check is activated based on the same conditions as g_from_bounce.

Syntax: g_from_stamp bool

g_from_timeout - Timeout on g_badfrom_* checks

Timeout in seconds of g_badfrom_* checks. Default = 60 seconds. If this timeout is reached the g_badfrom check will be classed as having failed.

Syntax: g_from_timeout int

g_from_valid - Require an @ and dotted domain in all return addresses

This forces the sender to either give 'no' reply address or a valid one with an @ and a dotted domain

Syntax: g_from_valid bool

The post Global Settings g_from appeared first on SurgeMail.