There are individuals or sites that may try to deliver spam to your system on a consistent basis. Since this may pose a threat to you by clogging up your system with unwanted mail, FirstClass has tools that you can use to manage this problem.



Using filter documents and the Internet Services Filters folder
Filtering unwanted IP addresses and domain names is one of the most important steps you can take to fight spam. You do this by using and creating filter documents in the Filters folder, located inside the Internet Services folder on the administrator’s Desktop.
This folder holds filter documents (and rules documents) that can contain exact IP addresses, IP masks (groups of similar IP addresses), mail addresses, and domain names from individuals or sites you wish to trust or block. Coupled with enabling "Reject connections based on Filters" on the Connections tab on the Basic Internet Setup form's UCE/Spam tab, this is FirstClass's primary feature to help control unwanted spam on your system.
You can update your filter documents whenever necessary, but always remember to click Reload Config on the Control tab on the Internet Services Monitor form or restart Internet Services to activate the changes.
Note
If you wish to use filter documents to block addresses, you must enable "Reject connections based on Filters" on the Connections tab.
The Filters folder overrides any other site configuration. For example, if you have enabled RBL lookups on your site and your RBL service finds an IP address trying to connect to your system on their "bad" list, Internet Services will accept the connection if you've placed that address in your Filters folder as a trusted site.
Alternately, if you've blocked a site in your filter document, the connection is refused immediately, using the least possible processing power and system resources. This makes IP blocking especially useful for ridding yourself of troublemaker machines on the Internet, whether they are trying to hack into your system or deny service to your users.
Below are examples of the proper syntax to use in your filter documents.
Syntax for blocked IP addresses, domain names, email addresses
You can create filter documents in either FirstClass format or as simple text files and upload them to the folder. The format of a filter document conforms to that used in various Internet anti-spam sites, with one entry per line and domains optionally prefixed with an @. In all cases, begin your comments with #. Here are some examples of the proper filter syntax:
•       123.123.123.123
#This blocks mail from 123.123.123.123.
•       123.123.12.*
#This subrange blocks mail from every SMTP server whose IP address starts with 123.123.12.
•       111.*.*.*
#This mask blocks mail from every SMTP server whose IP address starts with 111.
•       123.123.12.123/130
#This range blocks IP addresses from 123.123.12.123, 123.123.12.124, ... 123.123.12.130.
•       123.123.12.123 - 123.123.12.130
#The same block as the previous example but in a different format.
•       @spamdomain.com 
#This domain block refuses mail from any server that declares itself part of the spamdomain.com domain or any user@spamdomain.com.
•       spamdomain2.com
#The same as above with slightly different syntax.
•       jill1717@hotmail.com
#This email block refuses any email from this address if it appears in either the SMTP MAIL FROM or RFC-822 From: header.
•       *.badplace.com
#This wildcard allows you to block any subdomain of badplace.com. This format is the same format used in the rules.SubjectBlock document.
•       regexp:[bB][pP][0-9]*\.badplace\.com
#This blocks any subdomain of badplace.com that starts with "bp" or "BP" and has zero or more digits (for example, bp.badplace.com, bp1.badplace.com, bp12345.badplace.com, and so on).
Syntax for trusted IP addresses, domain names, email addresses
You can make an IP address or domain name trusted by placing a "+" sign in front of it. If an address is trusted, Internet Services will not apply any mail rules to the message. Trusted IP addresses override blocked IP addresses. If you need to block a group of IP addresses but trust a single IP address within the range, make sure you trust that particular IP address or domain name.
Trusted IP entries take one of two forms: a single IP address per line or an IP mask:
•       +111.222.111.222
        # This trusts mail from 111.222.111.222.
•       +111.*.*.*
        # This mask trusts every IP address that starts with 111.
•       +.goodplace.com
        # This trusts any subdomain of goodplace.com or user@goodplace.com.
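The following is an added example, not FirstClass code: a small checker that parses the blocked and trusted entry forms listed above and reports how a given connection would be classified, so a filter document can be checked before it is uploaded. The function names, the "unlisted" result, and the matching of domains against the HELO name and sender domain are assumptions made for illustration.

```python
import ipaddress
import re

def ip_int(s):
    return int(ipaddress.IPv4Address(s.strip()))

def parse_entry(line):
    """Return (trusted, test) for one filter line, or None for blanks and comments."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    trusted, text = text.startswith("+"), text.lstrip("+").strip()
    if text.startswith("regexp:"):
        rx = re.compile(text[len("regexp:"):])
        return trusted, lambda a, s, hs: any(rx.search(h) for h in hs)
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.)(\d+)/(\d+)", text)
    if m:                                                  # last-octet range, not CIDR
        lo, hi = m[1] + m[2], m[1] + m[3]
    elif re.fullmatch(r"[\d.]+\s*-\s*[\d.]+", text):       # first - last
        lo, hi = text.split("-")
    elif re.fullmatch(r"(\d+|\*)(\.(\d+|\*)){3}", text):   # exact IP or * mask
        lo, hi = text.replace("*", "0"), text.replace("*", "255")
    elif "@" in text.lstrip("@"):                          # full mail address
        return trusted, lambda a, s, hs: s == text.lower()
    else:                                                  # @domain, domain, *.domain
        dom = text.lstrip("@*.").lower()
        return trusted, lambda a, s, hs: any(h == dom or h.endswith("." + dom) for h in hs)
    lo, hi = ip_int(lo), ip_int(hi)
    return trusted, lambda a, s, hs: lo <= a <= hi

def load(document):
    return [e for e in map(parse_entry, document.splitlines()) if e]

def verdict(entries, ip, helo="", sender=""):
    """A trusted match overrides a blocked one; no match at all is 'unlisted'."""
    addr, sender = ip_int(ip), sender.lower()
    hosts = [h for h in (helo.lower(), sender.rpartition("@")[2]) if h]
    hits = {trusted for trusted, test in entries if test(addr, sender, hosts)}
    return "trusted" if True in hits else "blocked" if False in hits else "unlisted"

SAMPLE = r"""# constructed sample built from the syntax examples on this page
123.123.12.*             # block a subrange
+123.123.12.125          # trust one host inside the blocked subrange
123.123.12.123 - 123.123.12.130
@spamdomain.com
jill1717@hotmail.com
regexp:[bB][pP][0-9]*\.badplace\.com
+.goodplace.com
"""
```

An address that parses as neither a valid IP nor a range raises an error from ipaddress, which is the desired behaviour for a pre-upload check.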



Customizing built-in mail rules
Along with the filter documents, the Filters folder contains these rules files: rules.MailRules, rules.AttachmentBlock, and rules.SubjectBlock. You can use these files to control and manage spam and junk mail, delete or block unwanted attachments, and stop messages containing illegal phrases or words. For an in-depth discussion about these files, see the Working with SMTP mail rules section of the Internet Services online help, starting with About SMTP mail rules.
Attention
The rules.MailRules file is a heavily coded document and may be confusing to understand at first. We highly recommend that you become familiar with this document and specifically read the included commented lines before you customize the Mail Rules subtab or change any values in the rules.MailRules file.
The rules.MailRules file examines the content of incoming SMTP message headers and performs specific actions to score and reject spam deliveries and mark suspicious messages (see Understanding spam scoring).
You can control how rules.MailRules scores spam by setting specific parameters on the Mail Rules subtab on the UCE/SPAM tab. By default, the rules.MailRules file contains code that picks up the values set on this tab and performs an appropriate action in response to the set values and how you've configured the rest of the tab.



Doing RBL lookups on suspicious SMTP servers
You can query the IP address of any SMTP server that connects to your site, using an RBL host, to see if the IP is a known source of spam mail.
Note
IP addresses listed as "trusted" in your Filters folder override the RBL lookup option.
If the IP address is found on an RBL list, Internet Services either refuses mail from that server or optionally tags it with an additional Internet header for later processing by SMTP mail rules. Although the reduction in incoming spam makes up for the additional load on your server of connecting to the RBL host in processing each connection, there may be a slight increase in the number of active SMTP inbound connections with this feature enabled.
To enable this feature:
1       Choose "Enable RBL lookups" on the RBL subtab on the Basic Internet Setup form.
2       Fill in the domain names of the RBL hosts you want to use.
3       Type NDN text at "Help text".
        This field should contain the text you want rejected senders to see in their NDNs (for example, "Your mail has been found on our RBL service list and will not be delivered. Please contact myRBLhost.com for further information.").

Note
If you enable this feature, the order in which you list the RBL hosts should be from least aggressive to most aggressive. Internet Services checks the RBL hosts in the order listed.
If you don't want to reject sites that fail the RBL lookup, you can optionally insert a warning header into the incoming SMTP message instead. To do this, select "X-RBL-Warning header instead of NDN" on the RBL subtab on the Basic Internet Setup form.
Note
If you use this header option, you need to select "Enable RBL lookups" on the RBL subtab on the Basic Internet Setup form.
If you choose this header option, the content of "Help text" is inserted as the data portion of the "X-RBL-Warning" header in the offending message.
In this case, you should replace the "Help text" with something that identifies to the recipients why the mail is being tagged and the name of the RBL site that triggered the header (enter "Help text" content that is easy to parse). By doing this, you will make it easier for your end users to write FirstClass user-created mail rules to process their messages.
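The following is an added example, not FirstClass code: a model of the flow described in this section (trusted addresses skip the lookup, RBL hosts are checked in the order listed, a listed sender is either rejected with the "Help text" or tagged with X-RBL-Warning), followed by the parsing an easy-to-parse "Help text" makes possible. The function names, the key=value "Help text" layout, and the reversed-octet DNS query (the usual DNSBL convention, which this page does not describe) are assumptions.

```python
import socket
from email import message_from_string

def rbl_query_name(ip, rbl_host):
    # DNSBL convention: reversed IPv4 octets under the list's zone.
    return ".".join(reversed(ip.split("."))) + "." + rbl_host

def dns_listed(name):
    # Live resolver: an answer in 127.0.0.0/8 means the IP is listed.
    try:
        return socket.gethostbyname(name).startswith("127.")
    except OSError:
        return False

def first_listing(ip, rbl_hosts, trusted=(), resolver=dns_listed):
    """Name of the first RBL host, in configured order, that lists ip; else None."""
    if ip in trusted:                      # trusted Filters entries override RBL
        return None
    return next((h for h in rbl_hosts if resolver(rbl_query_name(ip, h))), None)

def handle(raw_message, ip, rbl_hosts, help_text, tag_only, **lookup_args):
    """Return (action, payload): accept, reject with NDN text, or tag the message."""
    if first_listing(ip, rbl_hosts, **lookup_args) is None:
        return "accept", raw_message
    if not tag_only:
        return "reject", help_text
    return "tag", f"X-RBL-Warning: {help_text}\r\n" + raw_message

def parse_warning(raw_message):
    """Split a 'key=value; key=value' header value into a dict ({} if untagged)."""
    value = message_from_string(raw_message).get("X-RBL-Warning")
    if value is None:
        return {}
    return dict(p.strip().split("=", 1) for p in value.split(";") if "=" in p)

# Constructed sample data; the offline resolver stands in for real DNS.
HELP_TEXT = "rbl=myRBLhost.com; reason=listed-sender"
MSG = "From: a@example.org\r\nSubject: hi\r\n\r\nbody\r\n"
FAKE_ZONE = {"4.3.2.1.myRBLhost.com"}      # pretend 1.2.3.4 is listed
offline = FAKE_ZONE.__contains__
```

Passing resolver=offline keeps the example off the network; leaving it out uses a real DNS query.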



Querying incoming IP addresses of SMTP servers
You can query the IP address of any SMTP server that tries to connect to your site for an associated domain name. If no domain name is found, Internet Services refuses mail from that server. To select this feature, choose "Reject unknown domain names" on the Junk subtab on the Basic Internet Setup form.
Since this task relies on querying the DNS server on each inbound SMTP connection, you may find that it puts an extra load on your system. Make sure your DNS server (see The role of the Domain Name Server) is functioning well in order to maintain good performance.



Filter excessively crossposted traffic
You can filter excessively crossposted traffic from any NNTP feed coming into your site. Crossposting in NNTP newsgroups is often an indicator that a message is junk mail of some kind. We recommend setting your limit between 10 and 15 on the Junk subtab on the Basic Internet Setup form.