PreciseMail Anti-Spam FAQ: Usage

 

Can PreciseMail Anti-Spam Gateway be used to detect viruses?

Yes, we recommend you use the add-on ClamAV or Sophos Anti-Virus modules. Without one of these modules, PreciseMail Anti-Spam Gateway can detect some email-borne viruses, but it does not perform all the checks that an anti-virus program will perform.


Is it possible for users to allow or block messages based on an email's subject line?

Yes, through either the email-based command interface or the web GUI.


What is the precedence of user-defined and system-wide allow and blocklists?

"allow" entries override "block" entries, but user lists override system lists, so a user "block" will override a system "allow" (and a user "allow" will override a system "block").


Should I still use Sieve in PMDF for Spam filtering if I am using PreciseMail Anti-Spam Gateway?

While Sieve doesn't provide the sophisticated regular-expression pattern matching that PreciseMail Anti-Spam Gateway provides, it can still be an effective tool in the battle against spam. The biggest advantage to using the Sieve files is performance. If there are certain types of messages that can be discarded via Sieve rules, those messages are discarded by PMDF instead of being handed to PreciseMail Anti-Spam Gateway, thereby saving the overhead of the PreciseMail Anti-Spam Gateway processing. However, because of the relatively limited matching capabilities of Sieve, care must be taken to ensure that the comparison strings are unique to the kinds of messages you wish to discard.


Is there an easy way to accurately whitelist specific destination addresses?

There are a few ways this can be accomplished, but the easiest is to create a user whitelist file for the desired addresses that contains this line:

Whitelist_EnvFrom *

That will cause all mail to be whitelisted for that particular address. User whitelist files are stored in the directory PMAS_USERS: on VMS and in /pmas/users on UNIX.


Is there a way to disable return receipts only for messages that have been classified as spam?

The return receipt requests are ignored completely for messages that are discarded or quarantined. Those that are forwarded are still handled by the normal receipt handling.


Can messages that have been discarded by PreciseMail Anti-Spam Gateway be retrieved?

When PreciseMail Anti-Spam Gateway discards a message, it actually writes it to a discard directory, just in case a discarded message needs to be retrieved. The web interface can be used by the administrator to retrieve discarded messages, and optionally can be enabled to let end users review and retrieve their discarded messages.


Why do I need PreciseMail Anti-Spam Gateway, if I use a blacklist to eliminate spam?

PMDF and many other mail servers support the use of third party blacklists, such as RBL (Real Time Blackhole List) which is part of the Mail Abuse Prevention System (MAPS) (http://mail-abuse.org/rbl/). These blacklists are commonly used to block spam because they verify the DNS address of a sender using a reverse DNS lookup. If the DNS address cannot be verified, the e-mail is presumed to be spam and will not be delivered.

There are three problems with using blacklists to eliminate spam:

  1. Spammers are clever and they can easily circumvent blacklists if they are not used in conjunction with other spam-fighting techniques. Spammers can circumvent reverse DNS lookup by using forged e-mail addresses from non-existent domains or the domains of legitimate senders.
  2. Reverse DNS that is not properly configured may result in the rejection of some valid messages. For instance, this could include mail from legitimate sites that simply have not yet registered their domain name, or during periods of bad information in DNS.
  3. If DNS or connections to the sites being used for DNS verification become unavailable then mail delivery will be impacted. Use of these spam blocking techniques can impact performance as well as result in unreliable mail reception due to the dependency on multiple DNS lookups for every incoming SMTP connection.

PreciseMail Anti-Spam Gateway is more effective at eliminating spam than blacklists because it uses a unique combination of heuristic and artificial intelligence technologies.


Writing Regular Expressions

When writing regular expressions, try to avoid using wildcards like * when searching the body. It's much better to use a range like {0,50} to limit the search to, in this example, 0 to 50 characters.

When * is used in certain cases, it can result in lots of single-character stepping and searching, and for large messages, this process can be very time-consuming.
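The advice above as an added example (not code from PreciseMail or Process Software): a small checker that flags unbounded quantifiers in a body pattern, plus a rough model of how much stepping an unbounded wildcard allows on a large message. It assumes Python's re syntax as a stand-in for the rule syntax; the function names and the sample body are hypothetical.

```python
import re

def unbounded_quantifiers(pattern):
    """Return [(offset, token)] for every unbounded *, + or {n,} in pattern,
    skipping escaped characters and [...] classes (a leading ']' inside a
    class is not handled by this simplified scanner)."""
    found, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":              # escaped character: skip it and its target
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c in "*+":
            found.append((i, c))
        elif c == "{":             # {n,} has no upper bound; {n,m} does
            m = re.match(r"\{\d*,\}", pattern[i:])
            if m:
                found.append((i, m.group()))
        i += 1
    return found

def stepping_cost(body, prefix, bound=None):
    """Model of the single-character stepping: after each occurrence of
    prefix, '.*' may step to the end of the body, '.{0,bound}' at most
    bound characters. Counts characters, not real engine steps."""
    total, pos = 0, body.find(prefix)
    while pos != -1:
        rest = len(body) - (pos + len(prefix))
        total += rest if bound is None else min(rest, bound)
        pos = body.find(prefix, pos + 1)
    return total

LOOSE = r"special offer.*unsubscribe"
BOUNDED = r"special offer.{0,50}unsubscribe"
# Constructed sample: a large single-line body that repeats the first phrase
# and never contains the second, so every match attempt fails after scanning.
BODY = "special offer " * 2000

if __name__ == "__main__":
    for pat in (LOOSE, BOUNDED):
        print(pat, unbounded_quantifiers(pat))
    print("unbounded:", stepping_cost(BODY, "special offer"))
    print("bounded:  ", stepping_cost(BODY, "special offer", 50))
```

On this 28,000-character sample the model gives roughly 280 times more stepping for the unbounded pattern, and the gap grows with message size.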


What ports need to be open for PreciseMail Anti-Spam Gateway to work?

Open TCP ports between 8050 and 8100 for outgoing access to updates.pmas.process.com.


Is it possible for an administrator to set a specific domain as opt-in rather than setting it up by specific users?

Yes, using the administrator's GUI, log in as $default$@whatever.com, click "Opt-in", and save. That will create a $default$ user database entry that will get loaded for everyone in that domain that doesn't have a user database record already.

23-AUG-2006 08:49:30.67: Looking up user database info for goaok@bogus.com
23-AUG-2006 08:49:30.68: User database info lookup status for goaok@bogus.com: 1
23-AUG-2006 08:49:30.68: From db: email: $default$@bogus.com, quar_thres = 0.000
23-AUG-2006 08:49:30.68: Address goaok@bogus.com has opted out of PMAS filtering

In this example, $default$ was opted out, but you can see that it looks for the $default$ record when there isn't one for the user.


Can I use full email address for authentication?

Yes, but usage of full email addresses for authentication is not-quite-standard. It's not part of the POP3 and IMAP4 RFCs, though several newer packages are using it to provide support for virtual domains.

When authenticating against POP3 and IMAP4 servers, /virtual can be specified after the server host name to indicate that the server provides virtual domain support and that the entire email address should be used for authentication instead of just the username portion of the address.

Here are two examples of the configuration variables in /pmas/data/pmas_config.dat:

auth_pop3_hosts pop3.example.com/virtual,backup.example.com
auth_pop3_hosts other.example.com/virtual

Is there a way to limit the authentication tests so that, for example, bob@pop.example.com is authenticated only against pop.example.com and bobexample@aol.com is authenticated only against imap.aol.com?

You can use the fourth parameter in the alias file to specify the authorization method for a particular address. The system checked is determined by the domain name of the authorization alias (the 3rd parameter), so if you specify these lines (or something like them), you should get what you want.

bob@pop.example.com bob@example.com bob@pop.example.com pop3
bobexample@aol.com bobexample@aol.com bobexample@imap.aol.com imap4

What is the best way to exempt all mail to the subdomain example2.example1.com from any PreciseMail processing?

There are three ways this could be done.

The best way would be to create a record in the PMAS user database for $default$@example2.example1.com and then opt it out:

$ pmasadmin :== $pmas_exe:pmasadmin.exe
$ pmasadmin user create "$default$@example2.example1.com"
$ pmasadmin user optout "$default$@example2.example1.com"

Assuming no user@example2.example1.com has their own opted-in record, all mail to such users will be passed through without scanning.

The second method is to add this rule to 00_ALLOWBLOCKLISTS.CF:

rule allow envelope_to matches_wild "*@example2.example1.com"

A third method would involve a wildcard alias that rewrites example2.example1.com addresses to some specific email address that is opted out. If you wanted to ensure that all messages for example2.example1.com were opted out, regardless of whether or not a user had opted in, you could add the $default$ record as shown above, then add this alias to ALIASES.TXT:

*@example2.example1.com $default$@example2.example1.com 

Does PreciseMail support "include files"?

Yes, it does. Both the .CF rule files and the ALIASES.TXT will include files using @filename:

@pmas_data:my-local-aliases.txt 

They're read in and applied wherever the include line appears, relative to the other lines in the files.

Also note that included files cannot include other files (i.e., only the master file can include files, but it can include as many files as you wish).


How do I disable the addressbook upload to the allowlist (a new feature in PreciseMail v3.0)?

You can edit PMAS_HTML:PMAS_ALLOWLIST.TEMPLATE and remove the section that offers that option (saving it as .HTML). PMAS V3.0-1 and higher includes a configuration variable that can be used to hide this feature.


Are DNSBL rejections logged?

Yes, they're logged in PMAS_LOG:PMAS.LOG, code L.

You can also turn on the logs for the PMAS PTSMTP worker processes by defining this logical:

$ define/system/exec pmas_ptsmtp_worker_log true 

and restarting PMAS. Those logs will include debugging information from the DNSBLplug.


Which has the higher precedence - quarantined or allowed?

Allowed. The order is this:

  1. User allow
  2. User block & reject
  3. User quarantine
  4. System allow
  5. System block & reject
  6. System quarantine
  7. normal PMAS rules and scoring

If a message matches an allow rule, the rest of the tests are ignored. If not, the block and reject tests are run; if one matches, the rest are ignored. Next the quarantine rules are run; if one matches, the message is quarantined, and the normal PMAS rules are never run. Only when a message does not match an allow, block, reject, or quarantine rule are the normal PMAS rules run.

And user rules always override system rules, so a user block will override a system allow (as, in fact, the system rules are never applied).
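The order above, worked through as an added example (not PreciseMail code): a first-match evaluator that reports which list decides a message's fate. The (action, wildcard) rule pairs, the matching on envelope sender and all addresses are assumptions made for illustration, not PMAS rule-file syntax.

```python
from fnmatch import fnmatchcase

# Evaluation order from the FAQ answer; the first stage with a match wins.
STAGES = [
    ("user", {"allow"}),
    ("user", {"block", "reject"}),
    ("user", {"quarantine"}),
    ("system", {"allow"}),
    ("system", {"block", "reject"}),
    ("system", {"quarantine"}),
]

def disposition(sender, user_rules, system_rules):
    """Return (scope, action, pattern) for the first matching stage, or
    ("none", "score", None) when normal rules and scoring would run.
    Rules are hypothetical (action, wildcard) pairs matched against the
    envelope sender."""
    lists = {"user": user_rules, "system": system_rules}
    addr = sender.lower()
    for scope, actions in STAGES:
        for action, pattern in lists[scope]:
            if action in actions and fnmatchcase(addr, pattern.lower()):
                return scope, action, pattern
    return "none", "score", None

# Constructed sample lists (all addresses are made up).
USER_RULES = [
    ("block", "*@partner.example"),
    ("allow", "alice@partner.example"),
]
SYSTEM_RULES = [
    ("allow", "*@partner.example"),
    ("quarantine", "*@bulk.example"),
    ("allow", "billing@bulk.example"),
    ("block", "*@spam.example"),
]

if __name__ == "__main__":
    for s in ("alice@partner.example", "bob@partner.example",
              "billing@bulk.example", "news@bulk.example", "x@other.example"):
        print(s, disposition(s, USER_RULES, SYSTEM_RULES))
```

Running a check like this over the real lists before adding a broad system allow shows which senders a user-level block or quarantine would still catch.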


If a message size exceeds the limit for processing, are the global block-list rules still applied? Are user block/allow rules applied?

There is no limit, unless you define the site limit. And even if you define a site limit, the allow/block/rule rules are all applied.

A new configuration variable, MAXIMUM_SCAN_SIZE, can be defined to specify the largest size a message can be and still be scanned by PMAS. Unlike the old limit, the user and system allow/block lists are applied to the messages before the size is checked, providing more control over a large message's disposition. If the variable is undefined or defined as 0, there are no message size limits enforced.


How do I report missed spam that got through PreciseMail Anti-Spam Gateway?

Please report it to the Report-Spam@lists.process.com mailing list. We do not usually reply to Report-Spam posts, but every one is reviewed. We encourage customers to report missed spam, because we may not yet have seen a particular type of message.

It's best if you can send the message in its original, unaltered form.

Please do not forward the messages from Outlook or other PC clients, as they change the format and strip out useful information.


What files would I have to move from PreciseMail PTSMTP on OpenVMS to Linux to make the new Linux server have the same configuration as the old OpenVMS server?

The following directories need to be copied:

PMAS_ROOT:[DATA] -> /pmas/data 
PMAS_ROOT:[USERS] -> /pmas/user_rules 
PMAS_ROOT:[GROUPS...] (if they have any) 

Install PreciseMail on Linux, then copy those directory contents over.


I use PreciseMail PTSMTP configuration. How can I verify the number of concurrent incoming connections (to check if the max number of worker processes is acceptable)?

$ define/system/exec ptsmtp_show_status true

That'll cause the logical PTSMTP_STATUS_INFO to be maintained:

"PTSMTP_STATUS_INFO" = "Workers: 4, Pending accepts: 0" 

If you also define this one:

$ define/system/exec ptsmtp_worker_status true 

your workers' process names will show their active or idle status:

$ sho system

 2020C3C7 PTSMTP 0001a LEF 4 959555 0 00:09:32.29 17375 4925 
 2020B7C9 PTSMTP 0002i LEF 6 113464 0 00:01:15.11 7055 820 
 2020C7CA PTSMTP 0003i LEF 6 17602 0 00:00:14.11 4450 559 
 2020C5CB PTSMTP 0004i LEF 6 7660 0 00:00:06.29 3047 553 

It is good if "pending accepts" is 0 or close to it. That means no connection is waiting for a worker.