Maximizing Spam Smacker

Out of the box, SPAM Smacker comes with hundreds of common words and phrases that normally appear in spam messages. These words can and should be edited based on your organization's requirements. For example, there is a subject keyword block on "viagra" which may need to be removed if you organization sells Viagra.

Immediately after installing and starting SPAM Smacker, you should test mail flow from outside of your environment and view the logs to make sure SPAM Smacker is working correctly. During the first few days after install, make sure you review the logs of all messages blocked daily to ensure that valid messages are not being blocked. You can view the basic log information from the web console or you can read the log files in the directory where SPAM Smacker is installed on each server. After an acceptable duration of successful operation, you may want to reduce logging by setting the DetailLogging registry key to False.

The default SPAM blocking level is set to 4 (see Filtering Levels below), and the SPAM tag level is set to 5. To change these settings, edit the SPAMBlockLevel and SPAMTagLevel registry keys.

Managing Keywords

Warning on adding keywords
When adding keywords, keep in mind that ANY e-mail that contains the keyword or phrase you enter will be blocked unless the message meets one of the override criteria. This means, for example, if you put the word "the" in the body keyword field, many messages will be blocked. However, even less obvious words like "sex" could block legitimate e-mails. For example, a person outside your organization could send an otherwise valid e-mail to someone inside your organization asking, "What sex are your children?" Therefore, be careful when adding keywords, especially when adding them to the body filters, since the body normally contains a larger number of words than other fields in a message.

When adding keywords to the recipient field, make sure any common letters or single word you enter has a trailing or leading space to prevent the string of characters you enter from possibly matching a user's name or e-mail address. For example if you entered "sex," all users with these three characters in their name, like Sexton, would no longer receive incoming SMTP messages. Therefore, for words that might be part of someone's name or e-mail address, pad them with spaces, i.e. " sex " instead of "sex".

Adding multiple keywords
SPAM Smacker supports searching for multiple keywords as a single criterion. To enter multiple keywords, separate them by commas. For example, if you added "make up to, dollars" to the Body Keywords, SPAM Smacker would then block message that have both "make up to" and "dollars" in the body. When searching for multiple keywords, SPAM Smacker searches the entire field for the existence of all of the words; it does not check the order in which they are entered. For instance, "dollars, make up to" would find the same matches as "make up to, dollars".

Managing Domains

There are four (4) domain categories in SPAM Smacker. In general, you only need to enter the last two parts of a domain. For example, enter "microsoft.com" instead of "server1.seattle.wa.microsoft.com."

Bad Domains
Bad Domains are based on the claimed domain name from the delivering SMTP server or the real domain name of the IP address of the delivering SMTP server.

All messages from these domains are blocked unless they meet one of the override criteria.

Commonly Spoofed Domains
Commonly Spoofed Domains are based on the claimed and real domain names.

Any message that "claims" it is from one of these domains is blocked if the real domain name of the sending SMTP server does not match the claimed domain name. In addition, if dynamic SPAM blocking is enabled, any host that sends an e-mail that spoofs one of these domains will be dynamically blocked.

Valid Domains
Valid Domains are based on the real domain name only.

Messages from these domains are never added to the Dynamic Block List, never checked for black list membership, and never listed in the NewSPAMHost file.

Good Domains
Good Domains are based on the real or claimed domain name.

Messages from these domains override all filtering.

Managing Dynamic SPAM blocking

SPAM Smacker includes support to dynamically block future e-mails from a host. There are three (3) ways a host can be dynamically blocked:

1. A message is sent to a user on the "Dynamic Recipient Triggers" list,
2. The sending server spoofs the local server's domain name or IP address, or
3. The sending server spoofs one of the "Commonly Spoofed Domains."

When a host is detected, the last two parts of its domain name or the first three parts of its IP address is examined. If the domain name cannot be resolved, it is added to the "Dynamically Added SPAM Hosts" list. Any future e-mails from these hosts will be blocked. To disable adding new hosts to this list, change the registry key "AddDynamicHost" to False. To prevent any mail from a host on this list from being blocked, change "CheckDynamicHosts" to False. If both of these registry keys are set to False, dynamic SPAM blocking is disabled.

Filtering Levels

If any of the following criteria are met by a message, it will be blocked unless it either meets one of the override criteria or the filter is disabled.

Always on:

• SPAM Smacker always scans the Organizational Unit (OU) specified during setup for contacts whose DisplayName (CN) matches the sending SMTP server's IP or Class C IP address. If a match is found, the contact's telephone field is incremented by 1 and the office field is stamped with the current date and time. You can use this information to determine which contacts are being used to block spam.
• SPAM Smacker always checks the Bad Domain names list (the [DomainsBad] table) in the configuration database.
• SPAM Smacker always checks the SPAM Recipients list (the [SPAMRecipients] table) in the configuration database.
• SPAM Smacker always compares the sending host name to the local host name to determine whether or not the local host name has been spoofed.

SPAM Smacker can be configured for the following Filtering Levels:

0 =	Compares the message recipients to the Bad Recipients ([RecipientsBad]) table.
1 =	Compares the message recipients to the Recipient keywords ([WordsRecipient]) table.
2 =	Compares the message Subject to the [WordsSubject] table for keywords and common formatting by SPAM software, i.e. lots of spaces in subject.
3 =	Compares keywords in the message Body to the [WordsBody] and [WordsSubject] tables.
4 =	Compares sending domain name, real domain name, and reply-to e-mail domain to the Host keywords ([WordsHosts]) table.
5 =	Checks for a spoofed "free" domain name. If the sending domain name is in the "Commonly Spoofed Domains" ([DomainsFree]) table, SPAM Smacker does a reverse DNS lookup on the sending IP address and makes sure it matches the claimed domain name.
6 =	Checks for a mis-formatted header. If all three of the sending, claimed, and real domains are different, the message is flagged as spam. This is a very aggressive SPAM filter, and it is suggested that you use this SPAM level for tagging messages only.

Overriding SPAM filtering

There are several ways you can allow certain message to override the SPAM filters:

1. Add the real domain name of the system sending the message to the "Good Domains" list. Only the last two parts of the domain name are necessary.
2. Add the recipient e-mail address of the message to the "SPAM Filter Override Recipients" list.
3. Add the recipient user to the "SPAM-Override" AD group (or whatever group name you entered during setup). Currently, SPAM Smacker checks the membership of this group only, and not the membership of nested groups. Therefore, users that do not wish to have their mail filtered must be added explicitly to the override group.
4. List the first three (3) bits of the sending system's IP address in the LocalSubNet registry key.

Note: Messages sent to and from mailboxes on the same Exchange server are processed directly by the Information Store and are not passed through the SMTP virtual server. Therefore, these messages are never filtered.

Maximizing Filtering Performance

Because some spammers do not support reverse DNS lookups for the IP addresses of their mail servers, attempts to obtain the domain names of their IP addresses fail. The NSLookup command waits a maximum of two seconds for a DNS server to respond. Therefore, when performing a blacklist check, each blacklist server polled could cause a two second delay. If you keep the default of polling five (5) blacklist servers, you could experience up to a 10 second delay before the SPAM filter is ready to process the next message. If your SMTP queues backup as a result of receiving a large volume of incoming mail, you may wish to make the following changes:

• Add domains that send your organization a large volume of e-mail, but no spam, to the Good Domains list in the web console. You should not add any common domain names like "microsoft.com" or "msn.com" to the Good Domains list since spammers commonly spoof these domain names and since domains listed in the Good Domains list override all SPAM filters.
• Add the e-mail addresses of any public folders or mailboxes that receive a very large volume of e-mail to the SPAM Filter Override Recipients list. No messages are blocked if these recipients are listed in the To, Cc, or Bcc fields of the message.
• Block known spammers' IP addresses on all your incoming SMTP virtual server for which MX records exist. Otherwise, the sending server will connect to the first server that does not block it by IP address and deliver the message. You can automate adding these blocks by using the example code in Microsoft Q810913: http://support.microsoft.com/default.aspx?scid=kb;en-us;810913 or by using the AddHostBlocks.VBS file included in the Extras directory. See the Extra Unsupported Files section for more information.
• Reduce the number of blacklist servers being check by changing the BlackListServers registry key. Currently SPAM Smacker uses several free public blacklist servers. If you choose, to you could subscribe to one of the several pay blacklist servers (like maps.org) and use only one blacklist server.
• Change the registry key LogPossibleMatches to False. By default, this key is set to True which causes SPAM Smacker to test all SPAM filter levels, including checking all blacklists, even though your SPAM block or tag level may be set lower. If a match is found at a higher filter level the message is delivered, but an entry is added to the database stating that the message would have been blocked if the filter level were set higher. This information is used by the Possible Matches Quick Report.
• Disable blacklist checks by setting the DoBlackListCheck registry key to False.
• Set the SPAMOverrideGroup key to a blank value. When binding to the AD, there is sometimes 1-2 second delay.
• Reduce the SPAM Filtering Level.

SPAM Smacker creates an event log entry whenever a message takes longer to process than the value set in the MaxTimeThreshold registry key. All steps that take longer than one second to process are logged.