CanIt-Domain-PRO User's Guide
Contents
1. 9.3 Training the Bayesian Filter
   9.4 Bayesian Score Settings
   9.5 Custom Bayes Stopwords
   10 Email Archiving
   10.1 Introduction to Archiving
   10.2 Configuring Archiving
   10.3 Archiving Outbound Mail
   10.4 Archiving Internal Mail
   10.5 Searching the Archive
   10.5.4 Creating a Query Expression
   10.5.5 Creating a Query Group
   10.5.6 Performing a Search
   10.5.7 Query Cookbook
   10.6 Saved Searches
   10.7 Viewing Archived Messages
   10.7.1 Redelivering Archived Messages
   10.8 Searching for Related Messages
   10.9 Seeing Access History
   10.10 Seeing Search History
2. [CanIt-Domain-PRO, Roaring Penguin Software Inc.; 6.1 Preferences, page 69]
Show relay column in quarantine display: If you select No, then the Relay column is not shown in the quarantine display. This may improve the layout on small screens.
Show recipient column in quarantine display: If you select Yes, then an extra Recipient column is shown in the quarantine display. Only the first recipient is shown; if there is more than one, an ellipsis is displayed. Note that you cannot sort the quarantine display by recipient.
Preferred image format: CanIt-Domain-PRO normally uses PNG images for its GUI. If your browser has trouble displaying PNG images, you can use JPEG images instead.
Show the "Actions Taken" page: If you select Yes, then when you take actions against messages, senders and so on, CanIt-Domain-PRO displays a summary page describing the actions taken. If you select No, then CanIt-Domain-PRO skips this summary page, taking the specified actions and returning to the original page immediately.
Limit for COUNT queries: On large spam quarantines, the database queries that count items (such as the number of messages, number of sender rules, etc.) may take a long time. If you set this preference to a number from 500 to 10,000, then CanIt-Domain-PRO does not fully count items higher than the specified number. For example, if your quarantine contains 1877 messages but you set this limit to 1000, then CanIt Domain
3. [Figure 5.15: Export Rules. Checkboxes for Custom Rules, Mismatch Rules, MIME Types, Filename Extensions, SPF Rules, Bayesian Settings and Bayesian Database; buttons Export Objects as Text and Export Objects as Downloadable CSV.]
1. Select all of the rules you wish to export by enabling the appropriate checkboxes.
2. Click on Export Objects as Text to view the CSV file as a plain-text file in your browser. Click on Export Objects as Downloadable CSV if you want your browser to prompt you to save the text to a file.
The resulting CSV file can be imported into a spreadsheet program such as Open Office calc or other popular spreadsheet software.
5.17.2 Format of the Exported Rules
Each rule type in the CSV file has a specific layout. The fields are as follows:
• For sender blacklists and whitelists, the fields are:
  1. Sender: The literal text Sender.
  2. stream: The stream containing the rule.
  3. address: The sender's address.
  4. action: The action to associate with the address; one of allow always hold always hold if spam or reject.
  5. who: The user ID of the person who created the rule.
  6. comment: Any comment attached to the rule.
• For domain blacklists and whitelists, the fields are:
  1. Domain: The literal text Domain.
  2. stream: The stream containing the rule.
  3 4 action T
4. document cumulative or modicum
Never whitelist your own e-mail address or domain. Spammers often fake messages as if they come from their intended victim, precisely because they know that many people whitelist their own address or domain. In fact, as extra protection, CanIt-Domain-PRO now ignores whitelists of your own address or domain.
13.5 Group High-Scoring Messages Together
We recommend that you set the default sort order to sort by Score, Descending. This groups high-scoring messages at the beginning and low-scoring messages at the end of the pending list. This makes it easier for you to dispose of the messages.
Reduce your workload by sorting message summaries by Score, Descending. This lets you use the interface more effectively.
13.6 Roaring Penguin Best Practices
At Roaring Penguin Software Inc., we've spent quite a bit of time analyzing spam and spammers. You may wish to try out some of our anti-spam rules to see if they work well for you. Here is a quick summary of the rules we use; they may inspire you to develop your own anti-spam rules.
• We use custom rules to add 3 to any message whose Sender contains offer, noresponse, remove, marketing or promo. These rules may be a touch aggressive, but we have found them quite effective.
• Another custom rule ad
5. • At 16:55:45, admin edited the rule. She changed the always-hold setting to always-reject and updated the comment.
• At 16:55:51, admin deleted the rule.
Within a Change History page:
• To restrict the data displayed, enter some search text in the Entry Contains field and press Filter. Only entries that contain the search string in any column to the right of Details will be displayed.
• To restrict the date range, enter dates in the form YYYY-MM-DD in either or both of the From and To fields. CanIt-Domain-PRO will only display changes that fall within the specified date range.
You can combine date restrictions with search text to further restrict the display.
Chapter 6: Preferences
6.1 Preferences
CanIt-Domain-PRO allows each user to customize certain aspects of the Web-Based GUI. To change your preferences, click on the Preferences link.
[Figure: Preferences for admin. Columns: ID, Setting, Value. P-50 Home page: Dashboard; P-100 Number of entries to display per page: 30; P-300 Sort messages by: Date; P-400 Sort order: Descending; P-500 Method for choosing spam-trap actions: Drop-Down List; P-600 Show relay column in trap display: Yes/No]
6. explains CanIt-Domain-PRO's Bayesian filtering module. Bayesian filtering uses statistical analysis and training so that CanIt-Domain-PRO learns to recognize spam based on user feedback.
(Footnote: "SPAM" is a trademark of Hormel Foods Corporation, which graciously permits the term "spam" to be used to denote UCE.)
Chapter 10, Email Archiving, describes an optional add-on component to CanIt-Domain-PRO that archives your email and lets you search the archives using full-text searches.
Chapter 12, Locked Addresses, describes how CanIt-Domain-PRO permits users to generate addresses that they can give out to strangers, but that those strangers cannot in turn give or sell to third parties.
Chapter 13, Tips, contains guidelines for reducing your workload and for dealing with spam more effectively.
1.2 Definitions
We use many terms related to Internet e-mail in this manual. Here is a definition of some of the terms we use:
API: Application Programming Interface. In the context of CanIt-Domain-PRO, the API is a method for interacting with CanIt-Domain-PRO from a program or script.
Backscatter: Unwanted DSNs (see "DSN") caused when e-mail systems respond to faked sender addresses.
Bayesian Analysis is a method whereby an anti-spam system keeps track of how often words appear in spam and non-spam. Once enough statistics have been accumul
7. For each MIME type, you can Accept, Hold/Tag, Reject or Discard e-mail containing the type. Note that the default is Accept. This does not mean that mail will be specifically accepted regardless of other factors; it just means that it will not be rejected because of a MIME type. The Hold/Tag setting causes e-mail containing parts of the specified type to be held in the quarantine (or tagged in a tag-only stream), and Reject causes the e-mail to be rejected.
To add a new MIME type to the list, enter it in the Enter a specific MIME type input box and press Enter. You can then adjust its setting and click Submit Changes.
Note that with MIME types, you can specify a different action for whitelisted senders. If a sender address, network or domain is whitelisted, then the action in the Action for Whitelisted Senders column applies. Otherwise, the General Action applies. You might use this, for example, to hold images from most people, but permit them from anyone you have whitelisted.
MIME type rules may be set to expire by entering a date in the format YYYY-MM-DD in the Expiry box.
5.7 Filename Extensions
CanIt-Domain-PRO allows you to hold or reject e-mail with attachments whose filenames end in certain extensions. Some filename extensions may pose a risk to Windows machines. To see the filename extension list, click on Rules and then Filename Extensions.
8. [Figure 12.2: New Locked Address. The page shows the new locked address, Lock type: Domain, and Action if lock violated: Hold message.]
You can cut and paste the address from the Web page into the Web form or any other window.
12.4 Viewing Locked Addresses
To view locked addresses, click on Rules and then Locked Addresses. The Locked Address Listing page appears.
[Figure 12.3: Locked Address Listing. Columns: Public Address, Lock Type, Locked To, On Violation, Active, Comment, Delete. Filter conditions: Public address contains, Lock type, Locked to contains, Comment contains, Active.]
On the listing page:
• Enable Delete and click Delete Selected Addresses to delete one or more locked addresses. Deleting a locked address completely removes the address from the system. Note that there is a very small chance that CanIt-Domain-PRO will generate the same address randomly in the future, causing confusion. However, the probability of this happening is extremely low, so you don't really need to worry about it. You're far more likely to be hit by lightning than to suffer from a Locked Address collision.
9. wise set it to No.
2. Normally, CanIt-Domain-PRO archives all mail that it delivers, even if the mail was tagged as spam (for those users running in tag-only mode). If you do not wish to archive tagged mail, set Archive Mail Tagged as Spam to No. Please note that disabling archiving of tagged mail may cause some legitimate mail not to be archived. Sometimes legitimate mail is inappropriately tagged.
3. Normally, CanIt-Domain-PRO does not archive non-text attachments larger than 128kB. Instead, it replaces them with a note explaining that a large attachment was removed. The note details the original attachment name, MIME type and size. You can increase the size limit by adjusting Maximum Attachment Size to Archive (in kB). Setting this value to 0 causes CanIt-Domain-PRO to archive all attachments regardless of how big they are. If you enter a number larger than 0 but smaller than 128, CanIt-Domain-PRO automatically rounds it up to 128.
The next three configuration items may be set only by the realm administrator. They apply to the entire realm, not just to the current stream.
1. You can select how long to retain mail for. Enter an integer in the Retain archived messages for this many months box to specify how long to retain messages. A value of -1 means archived messages will never be deleted. Any non-negative number less tha
10. Here's how to build that query:
1. Follow steps 1 through 8 in the previous example.
2. Change the operator pulldown to AND.
3. Select Subject from the field pulldown and matches from the relation pulldown.
4. Enter Invoice in the text box.
5. Click Add as New Group.
6. Change the operator pulldown to OR.
7. Select Body from the field pulldown and matches from the relation pulldown.
8. Enter Invoice in the text box.
9. Click Add.
Your query now looks something like this:
• Header From contains example.org OR Envelope Recipient contains example.org
AND
• Subject matches Invoice OR Body matches Invoice
Because groups are treated as a unit, the query is evaluated as:
(Header From contains example.org OR Envelope Recipient contains example.org) AND (Subject matches Invoice OR Body matches Invoice)
Although the query builder does not support the most general form of query, all AND and OR combinations, no matter how complex, can be reduced to a form the query builder can understand: you can construct queries in disjunctive normal form and conjunctive normal form. See http://en.wikipedia.org/wiki/Disjunctive_normal_form for details.
10.6 Saved Searches
CanIt-Domain-PRO permits you to save a search for future use. This lets you create a complex search query once and reuse it many times. To save a search query
11. because this address is required to accept mail according to the SMTP standard.
5.15 Enumerating Valid Recipients
If you have a relatively small site, you can enter a list of valid recipients into CanIt-Domain-PRO, and CanIt-Domain-PRO will not accept mail for recipients unless they are in the table of valid recipients. Be sure to enter all your valid addresses, including aliases and role addresses, into the Valid Recipients Table.
To enter a list of valid recipients:
• Click on Rules and then Valid Recipients.
• Enter the full e-mail addresses, one per line, of valid recipients. Note that you can enter either a complete address like user@domain.com or just the local part user. If you just enter the local part, then any e-mail address whose local part is found in the table will be accepted.
• Click Add Recipient(s).
Normally, CanIt-Domain-PRO does not consult the table of Valid Recipients. If you want the table to be used for a particular stream, set the Only accept mail for accounts in the Valid Recipients table Stream Setting to Yes.
You should only enable Only accept mail for accounts in the Valid Recipients table in the default stream if you wish to enable Valid Recipients checking for all streams. Enabling it globally is not recommended in most cases.
The list of valid recipients is kept on a per-stream basis. When looking up a recipient, CanIt-Domain-PRO first determines which stream the address would map to
12. • If an HTML message references external images, CanIt-Domain-PRO normally blocks them, replacing them with a stock image that notifies you that external images are blocked. If you wish to load external images anyway, click on Show External Images. This link is found at the bottom of the message display.
• If a message has attachments, they are displayed in a list after the message body. Click on an attachment name to download the attachment.
10.7.1 Redelivering Archived Messages
To have CanIt-Domain-PRO redeliver a message out of the archive, click on Redeliver Message while viewing the message. The Archive Redelivery page appears.
[Figure 10.4: Archive Redelivery Page. A text box labelled "Please enter the list of recipients for the remailed message, one email address per line" and a Redeliver button.]
By default, CanIt-Domain-PRO offers to redeliver the archived messages to the original recipients of the message. However, you can edit the text in the text box to have CanIt-Domain-PRO deliver the message to any email addresses you choose. To queue the message for delivery, click Redeliver. Note that CanIt-Domain-PRO may take several minutes to actually deliver the message, since redelivery runs as a periodic background job.
10.8 Searching for Related Messages
Within the message display page, click on the link Related Messages to search for related messages. Given a target message, other messages are considered related
13. only administrators should adjust this setting.
S-1700 Permit use of auto-whitelisting: If this is set to No, then no senders will ever be auto-whitelisted for this stream, even if the system administrator has set up a known network with auto-whitelisting.
S-1750 Number of days before auto-whitelists expire: Auto-whitelists created by CanIt-Domain-PRO eventually expire; setting S-1750 controls how long the expiry time is.
S-2100 Plain-text boilerplate to append to messages: Any text you enter into this box will be appended to all plain-text e-mails for the stream.
S-2200 HTML boilerplate to append to messages: Any text you enter into this box (which should be valid HTML code) will be appended to all HTML e-mails for the stream. If you enter text in the plain-text box but leave the HTML box empty, then CanIt-Domain-PRO uses the plain-text data, surrounded by <pre> and </pre> tags, for HTML messages.
The remaining quarantine settings are related to Bayesian analysis and are described in Chapter 9.
8.3 Notification of Pending Messages
CanIt-Domain-PRO can send out e-mails periodically reminding you that you have pending messages in your quarantine. To turn on notifications, click on Preferences: Notification. The Notification Page appears.
Notification: Not receiving notifications? Make sure your mail server isn't
14. size 8000000 limit 1024000
This occurs when the message is larger than the administrator's threshold for scanning spam. The message size and the threshold value are indicated in the header.
• undef no license key found
This occurs when the product's license key has not been installed or is expired. In this case, the message was not scanned for spam.
• undef Database unavailable message NOT spam scanned
This occurs when the CanIt-Domain-PRO database is not accessible for some reason. This is generally indicative of a problem with the CanIt-Domain-PRO installation.
A.1.2 X-CanItPRO-Stream
This header contains the name of the stream and all streams it inherits from. The general format of this header is:
X-CanItPRO-Stream: mystream (inherits from otherstream,default)
where mystream is the current stream, and otherstream and default are streams that mystream is inheriting rules and settings from.
A.1.3 Subject
CanIt-Domain-PRO may tag the Subject: header with scoring information. This tag may be customized on a per-stream basis. See "String to put in tagged subjects" in Section 8.2 for details on what this tag may contain.
A.1.4 X-Spam-Flag
This header is added if CanIt-Domain-PRO is operating in tag-only mode and the message scores over the tag threshold. It always appears as:
X-Spam-Flag: YES
15. CONTENTS
   4.7 Searching the Quarantine
   4.9 Whois Queries
   4.9.1 Sending Abuse Complaints
   4.10 Quarantine Analysis
   5 Blacklists, Whitelists and Rules
   5.1 The Sender Action Table
   5.1.1 Holding Unlisted Senders
   5.2 The Domain Action Table
   5.2.1 Domain Matching Rules
   5.3 The Network Action Table
   5.4 Country Rules
   5.5 Bulk Blacklisting and Whitelisting
   5.6 MIME Types
   5.7 Filename Extensions
   5.7.1 Matching Entire File Names
   5.7.2 Matching Filename Extensions inside an Archive
   5.7.3 Matching All Attachments
   5.8 Custom Rules
   5.8.2 Relations
   5.8.6 Creating and Deleting Custom Rules
   5.8.7 Header Matching
16. Click on the name of a locked address to edit it.
• Enter appropriate values in the Filter Conditions fields and click Apply Filter to restrict which locked addresses are displayed. This lets you search for particular locked addresses. If you've entered meaningful comments when creating locked addresses, it can be very useful to search on the Comment field.
12.5 Editing a Locked Address
If you click on a Locked Address's name, the Locked Address Editor appears.
[Figure 12.4: Locked Address Editor. Parameters: Address, Private Address, Lock type, Action if lock violated, Locked to, Active, Comment; Submit Changes button. Below it, a Locked Address history table with columns Date, Message, Host and Queue ID, listing the creation of the address, the lock to a domain and a lock violation.]
In the Locked Address Editor, you can take the following actions:
• Change the lock type by selecting a new value for the Lock type field.
• Change the violation
17. Domain-PRO performs Bayesian Analysis, it does not permit you to train its Bayesian analyser. Enabling Bayesian analysis but disabling Bayesian training might make sense if you only want to inherit training from another stream.
S-2400 Inherit Bayes training history from these streams: This is a per-stream setting that allows one stream to share other streams' Bayesian history. For example, if there is a stream that has particularly good Bayes training, you can enter its name in this setting to inherit its training. In general, you can use a comma-separated list of stream names, and all of their training will be inherited.
If you enter base default in this box, your stream will inherit a site-wide, hand-voted Bayes database. If your administrator is using the Roaring Penguin Training Network (RPTN) to share Bayes data, you should enter RPTN in this box.
If you include the value PARENTS in the list of streams in this box, then the stream will inherit Bayes training from the default stream in its realm, as well as the default streams of ancestor realms, all the way up to the base realm.
You can also specify a value of PARENTSn in the list of streams from which to inherit Bayes training. The n is a decimal number indicating how far up the inheritance hierarchy to go. For example, consider the following realms: suppose sub inherits from parent, which in turn inherits from base. Consider the stream user in the realm sub.
• A value of PARENTS1
18. Minute, Hourly or Daily. If you select Daily, you may also select the number of days to show and the end date of the graph.
4. Select the graph type. Vector uses the HTML Canvas element to display the graphs. You can zoom in by drawing a rectangular zoom area with the left mouse button. Zoom out by clicking on Zoom Out. If the Vector format does not work (typically, if you are using Internet Explorer rather than Firefox), choose the PNG Images graph type, which produces non-zoomable PNG image output.
On Vector graphs that plot either a single host or the total across the cluster, up to three additional lines may be present:
• The Avg line shows the average value of the data.
• The 1 Stddev line shows the average plus one standard deviation.
• The 3 Stddev line shows the average plus three standard deviations.
Chapter 8: Streams
In CanIt-Domain-PRO, all of your mail goes into a particular stream, and that stream holds all of your rules, blacklists, whitelists and so on. You may have access to one stream, or to more than one stream. This chapter shows you how to change the settings on your mail stream and to access other streams.
8.1 Opting Out of Spam Scanning
Each stream can individually opt in or out of spam scanning. If a stream is opted out of spam scanning, then all mail for that stream is passed unchanged. In addition, blackli
19. PRO administrator, the alias entry will be created immediately. Otherwise, the system will send a confirmation email to the alias address; this email should arrive within 20-30 minutes. The email will contain a confirmation link. Once you receive the email and click on the confirmation link, the alias will be created.
The CanIt-Domain-PRO administrator can create a wildcard alias of the form example.com. This will alias every address within the example.com domain unless there exists a more specific alias.
6.4.2 Deleting Aliases
To delete aliases, check the appropriate boxes in the Delete column and click Submit Changes.
6.5 Quick Links
Because of the hierarchical arrangement of CanIt-Domain-PRO Web pages, it may take two clicks to get to a page. Some pages allow you to add them to a personal menu of Quick Links. For example, go to the Rules: Custom Rules page. At the bottom of the page is a button called Add to Quick Links. Click on that button, and the Custom Rules page will be added to your own personal menu of quick links. In this way, you can make pages you access frequently available from any other page with a single click.
To remove a page from the Quick Links menu, visit that page and click on Remove from Quick Links at the bottom of the page.
To clear out all your quick links, click on Clear Quick Links. Confirm the clearing by clickin
20. Rules table. Be sure to click Submit Changes to save your changes.
5.10.2 Creating a Compound Filter Rule
To create a new compound filter rule, click Add a New Rule. The Compound Filter Rule editor appears. Figure 5.10 shows a rule partway through the editing process.
[Figure 5.10: Compound Filter Rule Editor. The current rule has two groups joined by AND: "Subject Contains test OR Subject Contains foo" and "Header Sender is not bob@example.com AND Header Sender is not jane@example.com". Controls: Delete, Add, Add as New Group, Score, Expiry, Comment ("Reject test foo except from bob or jane"), Save.]
A compound rule consists of one or more groups. Each group is joined to the following group with a logical operator. The possible logical operators are:
• AND: the rule fires only if both groups are true.
• OR: the rule fires if either group is true.
• AND NOT: the rule fires if the first group is true and the second is false.
• OR NOT: the rule fires if the first group is true or the second is false.
A group consists of one or more conditions. Each condition is joined to the following condition with a logical operator, just as groups are joined together.
Normally, the AND and AND NOT operators take precedence over OR and OR NOT. However, groups act as parentheses. All conditions in one group are e
21. The SMTP envelope recipient addresses.
• To or From: a shortcut that matches if any of Envelope Sender, Header From or Envelope Recipient would match.
• Attachment Filename: The file names of any attachments.
• Stream: The stream name.
• Realm: The realm name.
The following additional fields are available, but are less generally useful than the basic fields outlined above:
• Incident ID: The CanIt-Domain-PRO Incident ID, if any.
• Client HELO: The HELO string submitted by the SMTP client.
• Connecting Relay Address: matches against the IP address of the relay that initiated the SMTP connection to the CanIt-Domain-PRO scanner.
• Connecting Relay Hostname: matches against the host name of the relay that initiated the SMTP connection to the CanIt-Domain-PRO scanner.
• Sending Relay Address: matches against the IP address of the sending relay. This may be the machine that actually connected via SMTP to the CanIt-Domain-PRO scanner, or it may be a machine parsed out of the Received: headers of the email.
• Sending Relay Hostname: matches against the host name of the sending relay. This may be the machine that actually connected via SMTP to the CanIt-Domain-PRO scanner, or it may be a machine parsed out of the Received: headers of the email.
• Message ID: The Message-Id: header value.
• References: The References: header
22. Token values separately, you can simply copy the entire X-Canit-Stats-ID header into the Paste X-Canit-Stats-ID header box to save time.
5. Click on Spam, Non-spam or Forget to train the Bayes engine appropriately.
9.4 Bayesian Score Settings
To configure the scoring mechanism for Bayesian filtering, click on Rules and then Bayes Settings. The Bayes Settings screen appears.
[Figure 9.2: Bayes Settings. A Bayes Training Table with columns Stream, Spam and Non-spam (default: 0, 0) and the message "Your training history is not big enough yet to perform Bayesian analysis. We require at least 100 spam and 100 non-spam messages."; a Clear Bayes Data button; a Bayes Scoring Thresholds table with columns Percentage, Score and Delete; a Submit Changes button.]
The training history table shows the current state of the Bayes database:
• Spam indicates the number of spam messages in the training database.
• Non-spam indicates the number of non-spam messages in the training database.
To configure Bayesian settings, enter a set of percentages and scores into the table. CanIt-Domain-PRO determines the score as follows:
• CanIt-Domain-PRO calculates the spam probability. This is a number from 0 to 1. It then multiplies by 100 to convert the probability to a percentage from 0 to 100.
• CanIt-Domain-PRO consults the Bayes Settings table to find the largest entry less th
23. • Sending Relay Address matches against the IP address of the sending relay. This may be the machine that actually connected via SMTP to the CanIt-Domain-PRO scanner, or it may be a machine parsed out of the Received: headers of the email.
• Sending Relay Hostname matches against the host name of the sending relay. This may be the machine that actually connected via SMTP to the CanIt-Domain-PRO scanner, or it may be a machine parsed out of the Received: headers of the email.
• Body matches the body of the message, line by line, after MIME decoding.
• Client HELO matches the argument of the sending relay's SMTP HELO or EHLO command.
• DKIM Result matches against the DKIM result.
• Header matches headers, line by line.
• Link Type of SMTP Client matches the link type of the connecting server, as determined by the Passive OS Fingerprinting system.
• Message ID matches the Message-ID header contents.
• OS Name and Version of SMTP Client allows you to match based on the operating system name and version determined by the Passive OS Fingerprinting system.
• OS Name of SMTP Client allows you to match based on the operating system name determined by the Passive OS Fingerprinting system.
• Connecting Relay Address matches against the IP address of the relay that initiated the SMTP connection to the CanIt-Domain-PRO scanner.
• Connecting Relay Hostname matches against the host na
24. (a) Click on Archived Mail and then Authorized Hosts.
(b) Enter the IP address of your internal mail server (as seen by CanIt-Domain-PRO) in the IP Address box.
(c) Select the realm for which mail may be archived. A given IP address may be authorized to archive internal mail for any number of realms. If a message originates from that IP address and the From: header does not map to any of the authorized realms, then that message will not be archived.
(d) Click Submit Changes.
(e) Configure your internal mail server to copy all internal mail to the address x archive robot host, where host is the fully qualified host name of your CanIt-Domain-PRO machine. If you have a cluster of machines, use the host name of the least-loaded scanner.
2. If your internal mail comes from a large set of IP addresses or an unpredictable set, you may wish to use the Authorized Secrets feature instead.
(a) Click on Archived Mail and then Authorized Secrets.
(b) Enable the checkbox to add a new secret.
(c) Select the realm for which mail may be archived. A given secret is tied to a specific realm.
(d) Click Submit Changes.
(e) Configure your internal mail server to copy all internal mail to the address x archive robot secret host, where host is the fully qualified host name of your CanIt-Domain-PRO machine and secret is the secret generated in Ste
25. a comment in the Comment box so you can describe why you made the rule the way you did. 5. Click Submit Changes to activate the rule. 5.12 SPF Rules. SPF (Sender Policy Framework) allows the owners of a domain to assert which hosts are allowed to originate e-mail claiming to be from that domain. For example, the domain aol.com has an SPF record that lists which hosts ordinarily send out AOL mail. If you receive mail from a host not in AOL's list of approved senders, it is probably faked. For more details on SPF, please see http://www.openspf.org. To add SPF rules to CanIt Domain PRO, click on Rules and then SPF Rules. [Figure 5.12: SPF Rules (table columns: Domain, pass, fail, softfail, neutral, none, error, unknown, Comment, Delete)] If you enter a string in the Filter box, CanIt Domain PRO will restrict the listing to those items that contain the string in the Domain or Comment column. 5.12.1 How SPF Queries Work. An SPF query is a DNS query looking for a specific record. The SPF query takes as input the sender address, the IP address of the sending host, and the argument to the SMTP HELO command. It can return one of seven values: pass means that the specified host is authorized to send mail for the domain; fail means that the specified host i
26. action by selecting a new value for the Action if lock violated field. Manually change what the address is locked to by editing the Locked to field. If you make the Locked to field blank, then the address reverts to its pristine, unlocked state. Activate or deactivate the address by setting the Active field to Yes or No. If you deactivate a locked address, then any mail sent to it is rejected with a User unknown error. Change the comment by editing the Comment field. To make your changes take effect, click on Submit Changes. The bottom part of the Locked Address Editor shows the history of the locked address. In this example, we see the following history: 1. The locked address was created at around 10:02am from the Web interface running on carbon.roaringpenguin.com. 2. At around 10:16am, mail from blat@canit.ca arrived for the locked address and caused it to lock to the domain canit.ca. The mail arrived on the scanning machine carbon.roaringpenguin.com and had Sendmail queue ID j7GEFg82019852. This last bit of information is useful only for system administrators who might want to correlate events with their mail logs. 3. A few seconds later, mail from bloot@roaringpenguin.com arrived and was rejected because of a lock violation. 12.6 Deciding on a Lock Type and Violation Action. Here are some guidelines for deciding on which lock type to use: If you wish to create an address for the purpose of subscribing to a maili
27. at system boot and continues running in the background until the system is shut down. Envelope: Mail messages often have headers specifying the sender (the From header) and recipients (typically the To header). However, SMTP has a completely separate set of commands for specifying the sender and recipients. The sender and recipients specified in the SMTP commands are referred to as the envelope sender and envelope recipients, and do not necessarily match the information in the message headers. CanIt Domain PRO uses both the Header From and Envelope Sender address in Sender and Domain rules. It always uses only Envelope Recipients in its recipient rules. Envelope Sender: The sender address used in the MAIL FROM SMTP command. This is not necessarily the same as the Header From address. Most email readers display the Header From address rather than the Envelope Sender address. Hash: An algorithm that computes a short signature given a chunk of data. Different inputs are very likely to yield different signatures, so that a signature can be considered as a shorthand identifier for the original data. Header From: The sender address used in the From header of an email message. This is the sender address displayed by most mail readers. See Envelope Sender for information about the SMTP sender address. Greylisting: A technique to block spam from certain spam-sending software. It works by issuing a Temporary Failure Code
28. click on the Quarantine link. The pending messages screen will appear. [Figure 4.1: Pending Messages (table columns: Date, Subject, Sender, Relay, Score)] 4.1.1 Message Summary Display. The fields in the display have the following meanings: Date is the date and time the message was first received. Subject is the message subject. Sender is the sender in the From header of the message. If the Header From address does not match the Envelope Sender address, CanIt Domain PRO displays a warning like this. If your mouse pointer hovers over the warning, CanIt Domain PRO displays the Envelope Sender address. Note that spammers can easily fake both the Header From and the Envelope Sender address. Relay is the SMTP relay host which transmitted the message. This is somewhat harder to fake than the sender address. Note that sometimes a message can be sent from more than one SMTP relay host. If that is the case, you need to look up the incident details (described later) to get a list of all the relay hosts. If CanIt Domain
29. comment: Any comment attached to the rule. For filename extension rules, the fields are: 1. Extension: The literal text Extension. 2. stream: The stream containing the rule. 3. extension: The filename extension. 4. action: The action to associate with the extension. 5. who: The user ID of the person who created the rule. 6. comment: Any comment attached to the rule. For Bayesian settings, the fields are: 1. Bayes: The literal text Bayes. 2. stream: The stream containing the rule. 3. percentage: The percentage probability associated with the rule. 4. score: The score associated with the rule. 5.17.3 Importing Rules. CanIt Domain PRO can import CSV files that are in the format described in Section 5.17.2 earlier. To import rules, click on Preferences and then Import Rules. The Import Rules page appears. [Figure 5.16: Import Rules] 1. Enter the name of a file to upload in the text box. Use the Browse button to browse your local file system to find a file. 2. Choose what to do in case of a conflict. The default, Preserve Original, means that if the CSV file contains a rule that conflicts with an existing rule, the existing rule is retained. Alternatively, you can choose Overwrite, which overwrites any conflicting rules with rules from the CSV file. 3. Click on Import Objects
30. domains for confirmed spam. Country Report: a list of the top 50 sender countries for confirmed spam. Note that all of these reports base their statistics on the current quarantine contents. Normally, these reports only take into account messages explicitly marked as spam. You can have them count pending messages too by clicking on Include Pending. If you wish only to see items that haven't already been blacklisted or whitelisted, click on Show Only Items with no Blacklist Whitelist. You can obtain reports in CSV format (suitable for importing into a spreadsheet) by clicking on CSV Format. Normally, reports are shown only for the current stream. You can get a report for all streams on the system by clicking on Show Results for All Streams. 7.3 Greylisting Report. The greylisting report (available only to administrators) is useful only if you have enabled Tempfail unknown senders on first transmission. It obtains its data from the table that records retransmission attempts. The main greylisting report shows you the worst domain names used by senders of greylisted messages. You can click on a domain name to see details about greylisted messages supposedly from that domain. 7.4 Load Report. This section describes features that only the CanIt Domain PRO System Administrator can use. The Load Report shows the load on your CanIt Doma
31. near the top of the display. This lets you set all the action boxes on the page with one click. Select the blue question mark to set all action boxes to Do Nothing. Select the red X to set all action boxes to Reject message. Select the green check mark to set all action boxes to Accept message. 4.3 Reporting Phishing URLs. If you select Reject and Report Phish Fraud for any incidents, then after you click Submit, CanIt Domain PRO will provide you an opportunity to report any URLs found in the phishing messages. If CanIt Domain PRO finds URLs in messages marked fraudulent, then the Phishing URL Reporting page appears. [Figure 4.3: Phishing URL Reporting Page. The page lists the actions taken against messages and asks you to indicate which links you believe are malicious by enabling the appropriate Malicious checkboxes.] To report links as fraudulent: 1. Enable the appropriate checkboxes in the Malicious column. 2. Click Submit Changes. Please do not report a link as fraudulent u
32. or senders in that specific domain can send mail to the locked address. Anyone else who tries to send mail to the locked address will receive a User unknown error. There are two settings that affect how a locked address works: 1. The lock type can be one of Domain, Address or Unlocked. In the case of Domain, anyone in the same domain as the initial sender can send to the locked address. If the lock type is Address, then only the initial sender (and no one else) can send to the locked address. If the lock type is Unlocked, then the address always allows anyone to send to it. This may not seem very useful, but in fact unlocked addresses are convenient for creating temporary e-mail addresses that are easy to rescind later. 2. The action if lock violated setting determines what happens if the lock is violated. A lock is said to be violated if e-mail for a locked address arrives from someone who is not allowed to send to that address. There are three options: a. Hold mail in quarantine causes the violating e-mail to be held in your quarantine, regardless of what its spam score would be. You should use this action if you use a locked address to post to a mailing list, because readers of the mailing list could legitimately try to e-mail you. b. Reject mail causes the violating e-mail to be rejected with a User unknown err
33. pound symbol, like this: item # item-specific comment. In the bulk entry text box, blank lines and lines starting with a pound sign are ignored. If you want a global comment to apply to all items that lack an item-specific comment, enter the comment in the Global Comment entry box. If you want the rules to expire on a certain date, set the expiry date in the Global Expiry entry box. Select the action. Depending on your access rights, you can bulk-enter senders, networks and domains. Choose the appropriate entry type and action from the menu. Click Submit Changes to submit the bulk data. 5.6 MIME Types. CanIt Domain PRO allows you to hold or reject e-mail with attachments of certain MIME types. Some MIME types pose a risk, and you might want to hold or reject e-mail messages containing them. In particular, the message/partial MIME type may pose a risk, and we recommend you reject or hold it. To see the MIME type list, click on Rules and then MIME Types. [Figure 5.6: MIME Types]
34. simply create the query under Archived Mail Search. Once you are happy with the query, enter a name in the Save Search As box and click Save Search As. To view your saved searches, click Archived Mail and then Saved Searches. The Saved Archive Searches page appears. [Figure 10.3: Saved Archive Searches] To use a saved search, click on the name of the search. You will be taken to the Archive Search Page with the query pre-created from the saved search. You may use the query as is or modify it as you wish. To add a comment to a saved search, fill in the Comment box and click Submit Changes. To delete a saved search, enable the appropriate checkbox and click Submit Changes. 10.7 Viewing Archived Messages. To view a message from the search results screen, click on the message subject. The message will be displayed in your browser. From within the message display page, you have a number of options: Click on All Headers to display all of the message headers. By default, CanIt Domain PRO displays only a subset of the headers. Click on Download Message to download the original mail message. The message is served up as a message/rfc822 MIME type
35. since midnight, 1 January 1970 UTC. This is a standard UNIX timestamp. attachment_filenames: An array of attachment filenames. envelope_recipients: An array of envelope recipient addresses. force_to_stream: A flag that is 0 for inbound messages and 1 for outbound or internal messages. header from: The contents of the From header. header sender: The contents of the Sender header, if any. helo: The SMTP client's HELO domain, if it could be determined. id: CanIt Domain PRO's internal ID. message_id: The contents of the Message-Id header. path: The internal file path used by CanIt Domain PRO to retrieve the message. queue id: The Sendmail Queue ID of the processed message. real_relay_address: The IP address of the sending relay, possibly parsed out of a Received header. real relay hostname: The host name corresponding to real_relay_address, if it could be determined. realm: The realm in which the message was received. refs: An array of Message-Ids parsed from the References header. relay_address: The IP address of the connecting SMTP client. relay_hostname: The host name corresponding to relay_address, if it could be determined. size: The size of the message in bytes. stream: The stream in which the message was received. subject: The message subject. 10.12 Archive Expiry Details. CanIt Domain PRO expires the archi
36. [Figure 5.1: Sender Action Table] The columns in the table are: Sender: The e-mail address of a sender. Who: The user who last modified the sender's disposition. Action: Shows the current action, which you can change. The possible actions are: No Change: keep the current action. Always allow: always allow mail from this sender without scanning for spam. Dangerous attachments are still scanned and stripped. Always hold for approval: mail from this sender is always held for approval, even if spam scanning does not flag it as spam. However, if spam scanning does flag it as spam, then the message may be rejected if the spam score is high enough. Hold Tag if looks like spam: this is the default; mail from this sender will be held if it scores high enough on the spam scale (or tagged in a tag-only stream). Always reject: messages from this sender are always rejected with a permanent failure code. The rejection happens early on in the SMTP dialog, before any message body is transmitted. Delete from Table: the sender is deleted from the table. Also Can
37. the @ sign in the sender's e-mail address. Sendmail: A UNIX-based program for sending and receiving e-mail. Sendmail is designed to route mail from one mail server to another. Spam Score: A numerical score computed by CanIt Domain PRO that rates the likelihood that a message is spam. Stream: A virtual CanIt machine offered by CanIt PRO. If an incoming e-mail arrives for more than one recipient, and the recipients each wish to have his or her own private spam quarantine, CanIt PRO re-mails the original message so each recipient has his or her own copy and can dispatch it as he or she sees fit. Syslog: A UNIX program that centralizes the logging of messages from various system daemons. System Administrator: A user with administrative privileges in the base realm. The System Administrator is responsible for overall administration of the CanIt Domain PRO installation. Tempfail: See Temporary Failure Code. Temporary Failure Code: Also called tempfail, this is a code sent to a relay host telling it that e-mail transmission has failed temporarily and it should retry in a little while. Typically, the relay host retains the e-mail message in a spool directory and retries transmission periodically. The host eventually gives up after a certain period (typically a few days) has elapsed without successful transmission. Ticker: A CanIt Domain PRO program that runs periodic maintenance tasks. Ticker Host: In a CanIt Domain PRO cluster
38. the RSS feed completely by clicking Disable RSS Feed. 2. You can create a different key by clicking Change RSS Key. This will create a new URL; the old one will no longer work. You will need to update your RSS feed readers with the new URL. Figure 8.4 shows how the pending messages feed might look in a typical RSS feed reader. Many feed readers allow you to accept or reject the incident directly from within the reader without logging in to CanIt Domain PRO. To see the incident details, however, you'll need to log in to CanIt Domain PRO. [Figure 8.4: Example Feed Reader] 8.5 Adding Addresses to your Stream. Normally, the CanIt Domain PRO administrator takes care of making sure all of your mail goes into the correct stream. However, if you have aliases or additional e-mail addresses, you can request those addresses to be added to your stream. In this
39. the string equals the integer part of the spam score and X is any character except is replaced with a reason if one exists. Possible reasons are HoldScore, sender whitelisted, etc. d is replaced with the spam score with one decimal place of precision. dp is replaced with the spam score with one decimal place of precision, left-padded with zeros so that four digits appear to the left of the decimal point. h is replaced with the integer part of the spam score, zero-padded to four digits. tests is replaced with a list of tests that fired. yesno is replaced with No if the message scored below the spam threshold, or Yes if it scored at or above the threshold. YESNO is the same as yesno, except it is replaced with NO or YES. hold is replaced with the spam threshold as a decimal number. tag is replaced with Tag in a tag-only stream and Hold in a stream with a quarantine. trained is replaced with spam, not spam or none, indicating how the message was auto-trained. scan_host is replaced with the host name of the CanIt Domain PRO filter. remote host is replaced with the host name of the SMTP client. remote_ip is replaced with the IP address of the SMTP client. country is replaced with the ISO country code in which the SMTP client is locate
40. to accept mail for recipients unless they are listed in the Valid Recipients Table (see Section 5.15 on page 60). S 710 Maximum number of entries in Valid Recipients table: If this is set to non-zero, then CanIt Domain PRO will limit how many entries can be created in the Valid Recipients Table. This is useful for providers who wish to impose such a limit; you can set this setting and then remove the permission for stream owners to modify it. S 750 Copy all mail in this stream to this e-mail address: If you enter an e-mail address for this setting, CanIt Domain PRO will Bcc all mail passing through the stream to the address you specify. Note: Some countries have laws regulating the copying or redirection of mail. For example, in Canada, Bill C-28 (2010) section 7 prohibits the altering of destination addresses without the express consent of the sender or recipient. Before you use this feature, make sure you are in compliance with the law. S 900 Hold Tag mail from any sender not listed in Senders Table: If this is set to Yes, then CanIt Domain PRO will hold messages from any sender that doesn't have a sender rule (such as Always allow or Always reject). For full details on this feature, please see Section 5.1.1 on page 37. S 910 Ignore domain whitelist on SPF fail: If this is set to Yes, then CanIt Domain PRO ignores a domain whitelist if the SP
41. to inform the CanIt Domain PRO administrator of fraudulent links in phishing messages. Please see Section for additional information. Blacklist sender: mark the message as spam and automatically reject any future messages from the sender. Blacklist domain: mark the message as spam and automatically reject any future messages from the domain. The domain is everything after the @ in the sender's address. Blacklist network: mark the message as spam and, in addition, ban connections from the SMTP relay host or hosts which transmitted the message. Reset to Pending: if the message has been disposed of but the incident has not yet been closed (Section 4.8), you can reset the disposition to Pending. This will give you more time to consider what to do with the incident. To set message dispositions, set the action boxes appropriately and then click on Submit Changes. A summary of the actions will appear. Note that if you set the Method for choosing quarantine actions preference to Checkbox (Section 6.1 on page 67), then instead of a drop-down list you get a series of buttons like this: [Figure 4.2: Checkboxes] Select the red X to reject a message. Select the green check mark to accept a message. Select the blue question mark to take no action. 4.2.1 Quick Spam Disposal. If your browser is JavaScript-enabled, then a line of buttons similar to Figure 4.2 appears after the word All
42. values for each preference and then click Update Preferences. 6.2 Changing Default Preferences. If you are the CanIt Domain PRO administrator, you can enter a user name in the Changing preferences for user box. This allows you to change preferences for other users. If you enter a single asterisk as the user name, then any preferences you set become the default preferences for everyone. Individual users can still override them. If you enter root as the user name, then any preferences you set become the default preferences for users with root privilege, such as Realm Administrators. 6.3 Changing your Password. To change your password, click on Preferences and then Change Password. Note: Only users in CanIt Domain PRO's user database can change their passwords. If a user was authenticated via an external authentication method, the Change Password link is not present. To change the password: 1. Enter your old password in the Enter your existing password box. 2. Enter the new password in the Enter new password box. 3. Enter the new password again in the Re-enter new password box. 4. Click Change Password. 6.4 Aliases. CanIt Domain PRO can maintain aliases that automatically get rewritten to a primary address prior to processing and delivery. If your CanIt Domain PRO administrator has granted you permission, you can maintain
43. way, all e-mail for the additional addresses also passes through your scanning rules and spam quarantine, as shown in Figure 8.5. [Figure 8.5: Multiple Addresses in One Stream] Obviously, you can only add e-mail addresses whose mail is normally delivered through the CanIt Domain PRO server. Although CanIt Domain PRO will let you add addresses such as hotmail.com or gmail.com addresses, mail for those streams won't be scanned by CanIt Domain PRO because they are outside CanIt Domain PRO's control. To add another address to your stream: 1. Click on Preferences and then My Addresses. Note that this menu item is normally disabled; consult your CanIt Domain PRO administrator if you would like to have access to it. 2. Enter the e-mail address you want added to your stream. Include only the actual e-mail address (for example, dfs@roaringpenguin.com) and not your full name or any comments. 3. Re-enter the address to verify it. 4. Click Add Address. CanIt Domain PRO will compose an e-mail and send it to the address you entered in steps 2 and 3. 5. When the e-mail arrives, click on the link it contains to confirm the addition of the address. Once you have confirmed the addition, CanIt Domain PRO will route all mail for the address through your stream. 8.6 Switching Streams. A normal use
44. [List of Figures] Chapter 1: Introduction. Unsolicited commercial e-mail (UCE), or spam, is a pervasive problem. More and more unwanted m
45. will make sub user inherit Bayes data from sub default. A value of PARENTS2 will make sub user inherit Bayes data from sub default and parent default. A value of PARENTS3 will make sub user inherit Bayes data from sub default, parent default and base default. In this case, PARENTS3 is the same as PARENTS, as is PARENTSn for any n greater than or equal to 3. S 2410 Prefer local Bayes training where sufficient data exists: If set to Yes, this setting causes CanIt Domain PRO to only use local Bayes data for tokens where sufficient local statistics exist, and to fall back on inherited Bayes training (including RPTN) only where there is insufficient local data. You may experiment with setting this to Yes; it will improve the responsiveness and potentially the accuracy of Bayes training. S 2500 Add links to messages to train Bayesian analyzer: This setting can be No, Inline, Separate Part or Plain Separate Part. If you select No, then CanIt Domain PRO does nothing special with messages that pass through it. If you select Inline, then CanIt Domain PRO adds hyperlinks to the end of the message. Clicking one of the hyperlinks trains CanIt Domain PRO's Bayesian analysis engine, allowing you to mark a message as spam even if it is not caught in the quarantine. Separate Part is similar, except the training l
46. you redistribute modified copies of CanIt Domain PRO or products derived from CanIt Domain PRO. 8. If you violate this license, your right to use CanIt Domain PRO terminates immediately and you agree to remove CanIt Domain PRO from all of your servers. 9. Restrictions on modification: a. Notwithstanding Paragraph 5, you may not make changes to CanIt Domain PRO or your software environment which would allow CanIt Domain PRO to run without a valid License Key as issued by Roaring Penguin. You also agree not to set back the time on your server to artificially extend the validity of a License Key, or do anything else which would artificially extend the validity of a License Key. b. You may modify the Web-based interface only providing you adhere to the following restrictions. c. At the bottom of every CanIt Domain PRO web page, the following text shall appear in a size, color and font which are clearly legible: Powered by CanIt Domain PRO Version x.y.z from Roaring Penguin Software Inc., where x.y.z is the product version. In addition, CanIt Domain PRO shall be a clearly marked hypertext link to http www roaringpenguin com powered by canit php d. You may not include elements on the CanIt Domain PRO Web interface that require plug-ins (such as, but not limited to, Macromedia Flash, RealPlayer, etc.) to function. e. You may not include Java applets on the CanIt Domain PRO Web interface. f. If you include JavaScript
47. [Figure 7.2: Virus Statistics] 7.2 Reports based on Quarantine Content. The Senders, Hosts, Domains and Countries reports are based on the current spam quarantine contents. To select a report, click on Senders, Hosts, Domains or Countries. The Sender Report is shown below. [Figure 7.3: Sender Report] The available reports are: Sender Report: a list of the top 50 senders of confirmed spam. Host Report: a list of the top 50 SMTP relays which transmitted confirmed spam. Domain Report: a list of the top 50 sender
48. Appendix A: Mail headers added by CanIt Domain PRO. CanIt Domain PRO adds several headers to an email message containing details of the filtering tests performed on the message. This chapter lists these headers and describes their contents. A.1 General Headers. A.1.1 X-Spam-Score. This header contains combined details of all tests performed by CanIt Domain PRO. It has two general forms. The first is for messages that get fully scanned and scored, and the second is for messages that bypass the standard scoring. The first form is the most common, and appears as: X Spam Score 5 2 xxxxx Tag at 5 0 HTMLMESSAGE 0 001 234 0 5 RBL spamrbl example com 1 0 In this form, the header contains the score as a number, followed by zero or more stars indicating the spamminess (in brackets), and what the nearest hold or tag threshold was (in brackets). At the end of the line is a list of tests that were triggered by this message. As of the current release, these are the possible contents of this test list: SpamAssassin rule hit (e.g. HTML_MESSAGE:0.001): This shows a SpamAssassin rule hit. These hits will appear first in the list of tests, and generally consist of all uppercase letters, digits and underscore (_). The rule name is followed by a colon and then the rule score. The list of possible rules is too long to describe in this document. Cust
49. Additionally, the ability to adjust Bayes stopwords is normally restricted to realm administrators. To edit the custom stopwords list, click on Rules and then Bayes Stopwords. The Custom Stopwords page appears.

[Figure 9.3: Custom Bayes Stopwords Page. The page notes that any word listed as a stopword will be completely ignored by Bayesian processing, that adding stopwords is not recommended if your non-spam is primarily in English, that custom stopwords are intended to prevent common non-English words from causing misclassification, and that if you are unsure you should not touch anything on the page.]

1. To add new stopwords, enter the new words in the text entry box at the top of the table, one per line. Then click Submit Changes.
2. To delete stopwords, enable the checkbox in the Delete column next to the appropriate stopword and click Submit Changes.
3. To restrict the display to stopwords containing a certain string, enter the string in the Filter box and click Filter.

Note that stopwords accumulate down the stream hierarchy. A given stream will use its li
50. Archive or Do Not Archive as appropriate. You may also add an explanatory comment to the rule. When finished, click Save to save the rule.

CanIt Domain PRO evaluates archive rules as follows:

1. In the current stream, it tests the archive rules in order until a rule matches. It then stops evaluating the rules and returns whatever the rule that was hit says to do (Archive or Do Not Archive).
2. If no rule was hit, CanIt Domain PRO looks in the default stream of the current realm, followed by the default stream in all ancestor realms, until it finds a hit.
3. If no rule at all was hit, then CanIt Domain PRO archives the message.

10.13.2 Adjusting Archive Rules

From within the Archive Rules page, you can adjust rules as follows:

• To move a rule up, enable the Move Up checkbox and click Submit Changes.
• To move a rule down, enable the Move Down checkbox and click Submit Changes.
• You may edit the explanatory comment and click Submit Changes.
• To delete a rule, enable the Delete checkbox and click Submit Changes.

Chapter 11
Secure Messaging

11.1 Introduction to Secure Messaging

CanIt Domain PRO has an optional add-on component that provides secure messaging by intercepting outbound email and encrypting it before it is delivered to the recipients. Rather than receiving
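The archive rule evaluation order described in this section (current stream first, then default streams up the realm hierarchy, then archive by default), as an added example that is not CanIt Domain PRO's own code. The substring match criterion, the `ArchiveRule` and `Realm` classes and the sample hierarchy are assumptions made for illustration; the example also flags rules that can never fire because an earlier rule in the same stream already catches everything they match.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ARCHIVE = "Archive"
DO_NOT_ARCHIVE = "Do Not Archive"


@dataclass
class ArchiveRule:
    # Hypothetical criterion: case-insensitive substring test on one message
    # field. The guide's real rule criteria are not shown on this page.
    field_name: str
    contains: str
    action: str

    def matches(self, message: Dict[str, str]) -> bool:
        return self.contains.lower() in message.get(self.field_name, "").lower()


@dataclass
class Realm:
    name: str
    parent: Optional["Realm"] = None
    # stream name -> ordered rule list; the order is significant
    streams: Dict[str, List[ArchiveRule]] = field(default_factory=dict)


def first_match(rules: List[ArchiveRule], message: Dict[str, str]):
    """Return (1-based position, rule) for the first rule that matches."""
    for position, rule in enumerate(rules, start=1):
        if rule.matches(message):
            return position, rule
    return None


def evaluate(realm: Realm, stream: str, message: Dict[str, str]) -> Tuple[str, str]:
    """Return (action, source) following the three steps in the guide."""
    # Step 1: rules of the current stream, in order; the first hit wins.
    hit = first_match(realm.streams.get(stream, []), message)
    if hit:
        return hit[1].action, f"{realm.name}/{stream} rule {hit[0]}"
    # Step 2: default stream of the current realm, then of each ancestor realm.
    current: Optional[Realm] = realm
    while current is not None:
        already_checked = current is realm and stream == "default"
        if not already_checked:
            hit = first_match(current.streams.get("default", []), message)
            if hit:
                return hit[1].action, f"{current.name}/default rule {hit[0]}"
        current = current.parent
    # Step 3: nothing matched anywhere, so the message is archived.
    return ARCHIVE, "no rule matched"


def shadowed_rules(rules: List[ArchiveRule]) -> List[Tuple[int, int]]:
    """Audit helper: (later, earlier) positions where the later rule can never
    fire, because every message it matches is caught by the earlier rule."""
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (earlier.field_name == later.field_name
                    and earlier.contains.lower() in later.contains.lower()):
                found.append((j + 1, i + 1))
                break
    return found


# Constructed sample hierarchy: realm "sales" is a child of realm "root".
ROOT = Realm("root", streams={
    "default": [ArchiveRule("recipient", "noreply@", DO_NOT_ARCHIVE)],
})
SALES = Realm("sales", parent=ROOT, streams={
    "default": [ArchiveRule("sender", "partner.test", ARCHIVE)],
    "alice": [
        ArchiveRule("sender", "lists.example.org", DO_NOT_ARCHIVE),
        ArchiveRule("sender", "example.org", ARCHIVE),
    ],
    # Same two rules in the opposite order: the narrow rule is now unreachable.
    "bob": [
        ArchiveRule("sender", "example.org", ARCHIVE),
        ArchiveRule("sender", "lists.example.org", DO_NOT_ARCHIVE),
    ],
})

if __name__ == "__main__":
    msg = {"sender": "digest@lists.example.org", "recipient": "alice@corp.test"}
    print(evaluate(SALES, "alice", msg))
    print(evaluate(SALES, "bob", msg))
    print(shadowed_rules(SALES.streams["bob"]))
```

Because evaluation stops at the first hit, the same pair of rules gives opposite results in the two sample streams, which is why the Move Up and Move Down controls matter.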
51. It is used to trigger filtering rules, and for compatibility with various email clients and other software that expect this header to be set on suspected spam. See Subsection 8.2 on page 82 for details regarding tag-only mode.

A.1.5 X-Canit-ID

This header is added if a message is accepted after being held within the CanIt Domain PRO database. It takes the form of:

X CanIt ID incident id

where incident id is the ID of the incident in the current stream that was accepted to pass this message. This header may be removed in a future release of the product.

A.2 Bayesian Filtering Headers

If your site administrator has enabled Bayesian filtering, you will see several extra headers.

A.2.1 X-Bayes-Prob

This header contains the probability of the message being spam, as per your Bayesian training. It takes the form of:

X Bayes Prob 0 0001 Score 0 tokens from somestream RPTN

The probability is expressed as a value between 0 (not spam) and 1 (certainly spam). The score is the score applied for that probability value. Following the score is a list of the streams whose tokens were used for Bayesian analysis of the message. See Chapter 9 for full details on Bayesian filtering.

A.2.2 X-Canit-Stats-ID

This header contains the ID of this message's Bayesian signature. The ID values can be used to vote this message as spam or non-spam by entering them into the appropriate page on the web interface, though general
52. CanIt Domain PRO User's Guide for Version 9.2.4
Roaring Penguin Software Inc.
24 April 2015

Contents

1 Introduction
1.1 Organization of this Manual
1.2 Definitions
2 The Simplified Interface
3 The My Filter Page
3.1 A AE
3.2 The Quarantine IEA
3.3 Online Documentation
4 The CanIt Domain PRO Quarantine
4.1 Viewing the Quarantine
4.1.1 Message Summary Display
4.1.2 AAA EDU
4.1.3 Message Body Display
4.1.4 Summary of Links
4.2 Message Disposition
4.2.1 Quick Spam Disposal
4.3 Reporting Phishing URLs
4.4 Viewing Incident Details
4.4.1 Basic Details
4.4.2 Address Information
4.4.3 History
4.4.4 Spam Analysis Report
4.5 Viewing Other Messages
4.6 Viewing Specific Incidents
53. F lookup returns fail. We strongly encourage you to leave this setting at Yes.

S-915 Ignore domain whitelist on SPF softfail: If this is set to Yes, then CanIt Domain PRO ignores a domain whitelist if the SPF lookup returns softfail. We encourage you to leave this setting at Yes.

S-920 Ignore sender whitelist on SPF fail: If this is set to Yes, then CanIt Domain PRO ignores a sender whitelist if the SPF lookup returns fail. We strongly encourage you to leave this setting at Yes.

S-925 Ignore sender whitelist on SPF softfail: If this is set to Yes, then CanIt Domain PRO ignores a sender whitelist if the SPF lookup returns softfail. We encourage you to leave this setting at Yes.

Rather than changing settings S-910 through S-925, you can override CanIt Domain PRO's ignoring of whitelists on SPF failures on a per-domain basis with a specific SPF rule. See Section 5.12.4 for details.

S-930 Enable SRS (Sender Rewriting Scheme): If this setting is set to Yes and the CanIt Domain PRO site administrator has enabled SRS, then CanIt Domain PRO will rewrite envelope senders that pass SPF before forwarding them to the back-end server. You should not touch this setting unless you are a mail administrator and understand SRS. For an explanation of SRS, please see http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

S-1200 Only tag spam; do not hold any messages: If you set this to Yes, then no messages are held in the quarantine becau
54. Importing Rules
5.18 Reviewing the Change History
6 Preferences
6.1 Preferences
6.2 Changing Default Preferences
6.3 Changing your Password
6.4 AIGOS
6.4.1 Creatingan AAS
Gata Deleune AHIS
Go MORI
7 Reports
FA StS
LLI Gassintaton Reports
7.2 Reports based on Quarantine Content
Te Grylstime Report
7A Lpad Repair
8 Streams
8.1 Opting Out of Spam Scanning
due QUIranide SOMES
8.3 Notification of Pending Messages
SA BSS Feeds
8.5 Adding Addresses to your Stream
8.6 Switching Streams
8.6.1 Viewing All Streams at Once
9 Bayesian Filtering
9.1 Introduction to Bayesian Filtering
9.2 Quarantine Settings Associated with Bayesian Filtering
55. It Domain PRO treats the sender as if the setting Hold/Tag if looks like spam had been used.

Expiry: Allows you to set an expiry date after which the rule is automatically deleted. If you leave the expiry date blank, the rule will never be automatically deleted. Enter the date in the format YYYY-MM-DD. If you have a modern browser, then clicking on the expiry field will pop up a handy JavaScript date selector to ease entry.

Comment: Allows you to enter a comment, if you like. This can help you remember why you whitelisted or blacklisted a sender.

To set new actions, adjust the Action entries appropriately and click Submit Changes.

If you want to set an action for an e-mail address that is not in the sender list, enter the address in the text box and press Enter or click Add Rule. You will then be given an opportunity to set the action for that address.

For convenience, if you click on a sender address in the message summary (Section 4.1) or incident display (Section 4.6), CanIt Domain PRO will take you to the sender entry for that address.

You can filter the list of senders by typing part of a sender address in the Filter box and optionally selecting an action from the Action menu. Then click Filter.

CanIt Domain PRO uses both the Envelope Sender and the From header to determine the sender of an e-mail. In most e-mail clients, the envelope sender will appear in the Return-Path header. You cannot use wildcards in the Sender Action Tab
56. [Figure 5.11: RBL Rules. Table columns: RBL Domain, Description, Action, Score, Greylist Delay (Minutes), Comment.]

The RBL Rules page lists all of the RBLs in the Master List, along with how CanIt Domain PRO will use them. To create an RBL rule for a specific RBL domain:

1. Select an action to take if the sending relay is blacklisted by the RBL. The possible actions are:
   • Ignore: the RBL is not used at all.
   • Hold/Tag: mail from a host in the RBL will be held in the quarantine, or tagged in a tag-only stream.
   • Reject: mail from a host in the RBL will be rejected.
   • Score: points will be added to the score for any mail from a host in the RBL.
2. If you selected an action of Score, enter the number of points to add in the Score box.
3. If you selected an action of Score or Hold/Tag, you can optionally extend the amount of time a machine is greylisted if it is in the RBL. If you don't know what value to use, enter a value of zero. Otherwise, enter a value from 1 to 2880; this will force an RBL-listed machine to remain in greylisting for that many minutes before being allowed to pass greylisting.
4. If you like, enter
57. ND, OR, AND NOT or OR NOT, as selected in the operator pulldown.

10.5.6 Performing a Search

When your query is complete, click Add and Search to actually perform the query. If you have entered data into the text entry box, that data's expression is added to the query before the search is performed. If the text entry box is blank, the query is used without any additional expression.

10.5.7 Query Cookbook

This section shows some examples of how to build queries.

All Mail to or from a Domain

Suppose you wish to see all mail to or from the domain example.org. You would want to search for messages where the sender or the recipient contains example.org. Here's how to build the query:

1. Click on Archived Mail: Search to start a new query.
2. Select Header From from the field pulldown and contains from the relation pulldown.
3. Enter example.org in the text box.
4. Click Add.
5. Change the operator pulldown from AND to OR.
6. Select Envelope Recipient from the field pulldown and contains from the relation pulldown.
7. Enter example.org in the text box.
8. Click Add.

The query is now complete. Click Add and Search to search.

All Mail to or from a Domain that Contains a Given Word

Now suppose you want to see all mail to or from the domain example.org that also contains the word Invoice in the subject or body
58. PRO IS NOT DESIGNED FOR TIME-CRITICAL EMERGENCY MASS MAILINGS. AN EMERGENCY MASS MAILING MAY OVERLOAD CANIT DOMAIN PRO AND CAUSE DELAYS. ROARING PENGUIN HEREBY DISCLAIMS ALL WARRANTY ON THE ABILITY OF CANIT DOMAIN PRO TO DELIVER MASS MAILINGS IN A TIMELY FASHION. IF YOU REQUIRE EMERGENCY MASS MAILINGS, YOU MUST CONFIGURE THEM TO BYPASS THE CANIT DOMAIN PRO FILTER.

THE CANIT DATA LICENSE

Roaring Penguin makes available certain data that are used by CanIt. This license covers the RPTN Bayes data and the Roaring Penguin RBLs. The data are owned by Roaring Penguin and their use is licensed under the following terms:

You may update the RPTN data once per day per Roaring Penguin download username. Roaring Penguin reserves the right to cut off downloads if more than one download per day per username is attempted.

You may use the RPTN data only in conjunction with your properly-licensed CanIt installation. You may not redistribute the RPTN data. If your support term expires, you lose the right to use RPTN data for any purpose whatsoever.

You may make use of the Roaring Penguin RBLs from within CanIt. You may not query them with any other software. You may use the Roaring Penguin RBLs only in conjunction with your properly-licensed CanIt installation. You may not redistribute the Roaring Penguin RBL data. If your support term expires, you lose the right to use the Roaring Penguin RBLs.
59. PRO can determine the country in which the sending relay is located, it displays a small country flag to indicate the country of origin.

Score is the spam score assigned by the spam-scanning rules. The higher the score, the more spam-like the message appears. Any message scoring 5 or higher is held in the pending quarantine. A message may be held even if it scores lower than 5. If this is the case, a Hold Reason will appear below the score. Possible hold reasons are:

HoldRelay: You have asked CanIt Domain PRO to always hold messages from the sending relay.
HoldSender: You have asked CanIt Domain PRO to always hold messages from the sender.
HoldDomain: You have asked CanIt Domain PRO to always hold messages from the sender's domain.
HoldRBL: The sending host is in a real-time blacklist, and you have asked CanIt Domain PRO to hold mail from hosts in the blacklist.
HoldVirus: A virus was detected in the message, and you have asked CanIt Domain PRO to hold messages containing viruses.
HoldMIME: The message was held because of a MIME type rule.
HoldEXT: The message was held because of a filename extension rule.

Several icons may appear in the Score column:

• A paperclip icon indicates that the message has attachments. Hovering over the icon displays the file names of the attachments.
• An SPF icon indicates an SPF softfail result (yellow icon) or fail result (red icon).
• An Info icon indicates important no
60. PRO simply displays More than 1000 for the number of messages. If you set this limit to the magic value 10,001, then CanIt Domain PRO does not limit how high it will count. If you set the limit to the other magic value of 1, then CanIt Domain PRO eliminates most COUNT queries. While this makes the interface somewhat less friendly, it can speed things up tremendously on busy installations.

Show statistics table on login screen: If you set this to Yes, then CanIt Domain PRO displays a summary of the contents of the quarantine. By default, this is turned off because the query to generate the summary can take a considerable amount of time on a large quarantine.

Help Level: Some CanIt Domain PRO pages have built-in help text. You can set the level of help to one of:

• Beginner: the most verbose form of help text.
• Intermediate: somewhat less verbose help text.
• Expert: very terse help text.
• None: no help text at all.

Hide help text by default: By default, the help text for each page is hidden and there is a Show Help link that reveals the help text. This is to minimize the screen area taken up by help text and to keep it as unobtrusive as possible. However, if you prefer to see the help by default, set this setting to No.

Use simplified GUI: If you select Yes, then you are given only a very simple interface to CanIt Domain PRO. See Chapter 2 for details.

To change your preferences, fill in the correct
61. [Figure 4.7: Spam Complaint. The form warns that the complaint e-mail addresses have been harvested from a WHOIS lookup and asks you not to send complaints indiscriminately, but to choose the appropriate e-mail addresses from the list of choices.]

CanIt Domain PRO harvests e-mail addresses from the WHOIS query and fills them in. It also composes an abuse complaint, which includes all the information required to process the complaint and includes the first 8kB of the spam message.

To send an abuse message, follow these steps:

1. Edit the To fields appropriately. CanIt Domain PRO may harvest inappropriate e-mail addresses; please verify that they are the correct addresses for abuse complaints. You can add multiple addresses in a single
62. [Figure 5.7: Filename Extensions. Table columns: Filename Extension, Who, General Action, Action for Whitelisted Senders, Expiry, Comment.]

For each extension, you can Accept, Hold/Tag, Discard or Reject e-mail containing the extension. Note that the default is Accept. This does not mean that mail will be specifically accepted regardless of other factors; it just means that it will not be rejected because of an extension.

Do not include the period in the extension. For example, if you want to block files ending in .exe, enter exe, not .exe. Filename extension matching is case-insensitive.

To enter a new extension in the list, enter it in the Enter a specific filename extension input box and press Enter.

Filename extension rules may be set to expire by entering a date in the format YYYY-MM-DD in the Expiry box.

With filename extensions, as with MIME types, you can specify a different action for whitelisted senders. If a sender address, network or domain is whitelisted, then the action in the Action for Whitelisted Senders column applies. Otherwise, the General Action applies. You might use this, for example, to hold ZIP files for most people, but al
63. To field by separating them with commas.
2. Enable the Send checkbox beside each To address you want to complain to.
3. Edit the complaint text, if you wish.
4. Click Send Complaint to e-mail the spam complaint.

4.10 Quarantine Analysis

CanIt Domain PRO's quarantine analysis feature lets you analyze the scores of messages held in the quarantine. To view the analysis, click Quarantine and then Analysis.

If you are a realm administrator, you will be prompted to choose the analysis scope. Pick one of Current Stream Only, All Streams in Current Realm, or All Streams in Current Realm and Subrealms. The last choice is available only if your realm has subrealms.

The system will draw a chart similar to the one in Figure 4.8.

[Figure 4.8: Quarantine Analysis. Two lines are plotted against score: ham (total 4721) and spam (total 805397).]

Up to two lines will be plotted. The ham line shows the percentage of non-spam messages scoring less than the score on the X axis. The spam line shows the percentage of spam messages scoring more than the score on the X axis.

These plots can be useful for picking appropriate thresholds. For example, in Figure 4.8, we see data plotted for 4721 non-spam and 805,397 spam messages. We see that 95% of non-spam (ie, false positives) scored less than 12.5, and that about 75% of spam messages scored
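The two curves defined above, computed from raw message scores, as an added example that is not part of the guide or the product. The score lists are constructed sample data and the function names are hypothetical; the sample is shaped so that it reproduces the kind of reading the guide takes from Figure 4.8.

```python
from bisect import bisect_left, bisect_right
from typing import Iterable, Optional, Sequence, Tuple


def pct_ham_below(ham_scores: Sequence[float], x: float) -> float:
    """Ham line: percentage of non-spam messages scoring less than x."""
    if not ham_scores:
        raise ValueError("no non-spam scores to analyze")
    ordered = sorted(ham_scores)
    return 100.0 * bisect_left(ordered, x) / len(ordered)


def pct_spam_above(spam_scores: Sequence[float], x: float) -> float:
    """Spam line: percentage of spam messages scoring more than x."""
    if not spam_scores:
        raise ValueError("no spam scores to analyze")
    ordered = sorted(spam_scores)
    return 100.0 * (len(ordered) - bisect_right(ordered, x)) / len(ordered)


def lowest_threshold(
    ham_scores: Sequence[float],
    spam_scores: Sequence[float],
    min_ham_below_pct: float,
    candidates: Iterable[float],
) -> Optional[Tuple[float, float, float]]:
    """Lowest candidate score that keeps at least min_ham_below_pct of
    non-spam under it. Returns (score, ham % below, spam % above), or None
    if no candidate satisfies the requirement."""
    for x in sorted(candidates):
        ham_pct = pct_ham_below(ham_scores, x)
        if ham_pct >= min_ham_below_pct:
            return x, ham_pct, pct_spam_above(spam_scores, x)
    return None


# Constructed sample scores (20 non-spam, 12 spam); not real quarantine data.
HAM = [0.0, 0.5, 1.0, 1.2, 2.0, 2.5, 3.0, 3.1, 4.0, 4.5,
       5.0, 5.5, 6.0, 7.0, 8.0, 9.0, 10.0, 11.0, 12.0, 20.0]
SPAM = [6.0, 9.0, 12.0, 13.0, 15.0, 18.0, 21.0, 25.0, 30.0, 36.0, 45.0, 60.0]

# Candidate thresholds 0.0, 0.5, ..., 40.0
CANDIDATES = [i * 0.5 for i in range(81)]

if __name__ == "__main__":
    for x in (5.0, 12.5, 20.0):
        print(x, pct_ham_below(HAM, x), round(pct_spam_above(SPAM, x), 1))
    print(lowest_threshold(HAM, SPAM, 95.0, CANDIDATES))
```

Raising the required ham percentage moves the threshold up and lowers the share of spam that scores above it, which is the trade-off the chart is meant to expose.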
64. To add a new score override:

• Enter the test name in the Test Name box. Note that CanIt Domain PRO does not validate the test name; if you make a mistake and enter a nonexistent test name, CanIt Domain PRO will accept it, but it will have no effect on filtering.
• Enter the score (which can be a floating-point number) in the Score box.
• If you wish, enter an expiry date for the override in the Expiry box and a comment in the Comment box.
• Click Submit Changes.

To modify an existing score override:

• Enter new values in the Score, Expiry and Comment boxes as appropriate.
• Click Submit Changes.

To delete score overrides, check the appropriate Delete checkboxes and click Submit Changes.

Score overrides obey stream inheritance, just like any other rules and settings.

5.17 Importing and Exporting Rules

CanIt Domain PRO can export your rules in comma-separated value (CSV) format. This format can be manipulated by a variety of software, such as spreadsheets and database programs. CanIt Domain PRO can also import rules in CSV format, allowing for efficient bulk creation of rules.

5.17.1 Exporting Rules

To export rules, click on Preferences and then Export Rules. The Export Rules screen appears.

[Export Rules screen. Objects to Export, with checkboxes for Sender blacklists and whitelists, Domain blacklists and whitelists, Host blacklists and whitelists]
65. ain PRO administrator can enter a special stream: * (a single asterisk) in the Switch Stream box. This is not a real stream; rather, it makes it possible to view all quarantined messages, rules, blacklists, whitelists, etc. in every stream. The displays are adjusted to include an extra Stream column so you can see which stream contains a particular message, rule or blacklist entry. The entries in the Stream column are links which switch to the appropriate stream when clicked.

Chapter 9
Bayesian Filtering

9.1 Introduction to Bayesian Filtering

Bayesian filtering is a statistical technique whereby CanIt Domain PRO assigns a spam probability based on training from users. Bayesian filtering can greatly improve the accuracy of CanIt Domain PRO and makes it harder for spammers to evade filtering.

In CanIt Domain PRO, Bayesian filtering works as follows:

1. Each incoming e-mail message is broken up into tokens. Roughly speaking, a token corresponds to a word. In addition to single-word tokens, CanIt Domain PRO keeps track of token pairs, which can greatly increase the accuracy of Bayesian filtering.
2. End users train CanIt Domain PRO by marking a message as spam or non-spam. Each time a message is marked, CanIt Domain PRO updates counters for each token and token pair in the message. The training stati
66. ain the system simply by clicking on the appropriate training link. If you click on a training link, you'll be taken to the Voting screen.

[Figure 9.1: Bayes Voting Screen]

The screen will reflect the results of your vote by saying that the message was marked as spam or non-spam.

9.3.1 Manual Voting

If you do not have Bayesian training links, you can manually train the Bayes engine as follows:

1. In your mail reader, view all of the message headers. The way you do this depends on the software you use to read mail.
2. Look for a header that looks like this:

   X Canit Stats ID number hex_string

   The number is a decimal number and the hex_string is a string of numbers and letters. The number is the Stats ID and the hex_string is the Magic value. If the header has three parts, like this:

   X Canit Stats ID number1 hex_string number2

   then number1 is the Stats ID, hex_string is the Magic value and number2 is the Token. The token is a date in the form YYYYMMDD.
3. Click on Rules and then Vote.
4. Enter the Stats ID and the Magic value in the appropriate entry boxes. If there is a token, enter it in the Token box. Otherwise, leave the token box empty.

NOTE: Instead of entering the Stats ID, Magic and
67. an or equal to the actual percentage. It then uses the score associated with that entry. In the example, the table has entries for percentages 0, 70, 90 and 95. Incidents with a spam probability of 0 to just less than 70 percent do not adjust the score. Probabilities from 70 to just less than 90 percent add 2 to the score. Probabilities from 90 to just less than 95 percent add 4 to the score, and probabilities of 95 percent or more add 5 points to the score.

In our experience, it is dangerous to subtract points for e-mail with a low Bayesian score. Some spam is caught by the heuristics, but would be missed by Bayesian scoring. If you do choose to use negative scores for low probabilities, we recommend a small negative score, around -0.5.

If you wish to clear your training set, click on Clear Bayes Data. This deletes all of your training corpus. CanIt Domain PRO will no longer use Bayesian filtering until your training corpus reaches a sufficient size once again.

9.5 Custom Bayes Stopwords

CanIt Domain PRO's Bayesian analysis engine has a built-in list of so-called stopwords. These are common words that are ignored for Bayesian analysis. If your non-spam is primarily written in English, the built-in stopwords work well. However, if you receive legitimate mail in a language other than English, you may wish to add your language's common words as stopwords.

We do not recommend adjusting stopwords unless you are sure you know what you are doing.
68. and then looks the address up in that stream's list of valid recipients. The CanIt Domain PRO administrator can globally enter valid recipients by placing the addresses in the default stream.

Note that if your CanIt Domain PRO machine processes outgoing mail, you should ensure that outgoing mail is streamed to a stream that does not check the Valid Recipients Table.

CanIt Domain PRO always treats the special address postmaster as valid, because this address is required to accept mail according to the SMTP standard.

5.16 Overriding Built-In Test Scores

CanIt Domain PRO has many built-in tests based on SpamAssassin. You can, on a per-stream basis, override the scores assigned to built-in tests.

Do not override built-in test scores unless you thoroughly understand what you are doing. To reduce the likelihood of problems, by default only realm administrators can override built-in test scores, though normal users can be granted permission to do so.

To override test scores, click on Rules and then Score Overrides. The Score Overrides page appears.

[Figure 5.14: Score Overrides. Table columns: Test Name, Who, Score, Expiry, Comment, Delete.]
69. ated, the system can calculate the likelihood that a new message is spam.

Blacklist: A list of domains, senders or hosts that are blocked from sending e-mail.

CIDR: Classless Inter-Domain Routing. A method for specifying an entire set of contiguous IP addresses.

CanIt Domain PRO is an enhanced version of CanIt PRO that allows two levels of delegation of responsibility. See the next three definitions for more details.

CanIt PRO is an enhanced version of CanIt that allows flexible delegation of spam-control responsibilities, rather than requiring a single spam-control officer.

CanIt is extra software built on top of MIMEDefang that provides sophisticated spam-management functions.

Cron: A UNIX program that runs tasks periodically.

DKIM: DomainKeys Identified Mail. A mechanism for proving that a particular organization's servers have relayed an email message. DKIM uses cryptographic techniques to assert that a particular domain name is responsible for relaying the message.

DNS: Domain Name System. The mechanism used on the Internet to translate host names to IP addresses, and more generally to associate various sorts of information with domain names.

DSN: Delivery Status Notification. A message generated automatically to notify senders of problems or failure to deliver an e-mail.

Daemon: A long-running UNIX program that typically starts
70. attack in which someone forges e-mail pretending to be from a security organization, a bank, etc. and convinces naive users to reveal sensitive information like user names and passwords.

PostgreSQL: A free and open-source SQL database heavily used by CanIt Domain PRO.

Ransomware is a specific type of malware. It typically makes changes on your computer that are almost impossible to undo, such as encrypting all your files, and then demands payment within a short period of time to undo the damage.

Ratware is software dedicated to sending out large volumes of spam.

RBL: Real-time Blocklist. A DNS-based system for checking in real time whether or not hosts or domains should be blocked.

RPTN is the Roaring Penguin Training Network. This is a system whereby multiple CanIt Domain PRO installations can share Bayes training data.

RSS stands for Really Simple Syndication and is a format for publishing news feeds on the Web. CanIt Domain PRO can produce an RSS feed showing pending incidents.

Realm Administrator is a user with administrative privileges in a realm. Unlike the System Administrator, a Realm Administrator can only administer his or her own realm.

Realm is a virtual CanIt PRO. Within a realm, realm administrators can create streams for end users, and streams in one realm are independent of streams in another realm.

Relay Host: When a mail server wishes to transmit e-mail to your server using SMTP, it establishes a c
71. bdomains of the specified domain, while a rule that does not start with applies only to the specified domain. CanIt Domain PRO uses the domain specified in the DKIM signature, since that is the domain taking responsibility for signing the message. This domain may or may not be the same as the domain of the sender's email address.
2. Enter the scores for each return code in the appropriate columns. If you leave a score entry box blank, zero is used.
3. If you wish, enter a comment in the Comment box.
4. Click on Submit Changes to add the rule.

To delete a DKIM rule, simply enable the appropriate Delete checkbox and click Submit Changes.

5.13.1 Vouch by Reference

DKIM rules can use Vouch by Reference in a manner similar to SPF rules. See Section 5.12.3 for details.

5.14 Blacklisting Recipients

Often, a large volume of spam is destined for nonexistent users at your site. This is usually because users leave the company, but spammers still have their old e-mail addresses.

Ideally, the CanIt Domain PRO machine will check the validity of recipient addresses by checking against your real SMTP server, or by validating against LDAP, Active Directory or some other backend system with full knowledge of your valid addresses. Unfortunately, in some cases it may not be possible to validate against another system. As a workaround for this, CanIt Domain PRO lets the administrator blacklist recipients.

If you notice a lot of spam quarantined
72. 4.5 Viewing Other Messages
In addition to pending messages, you can view other messages in the quarantine by following these links: Pending shows messages whose status is pending. Spam shows messages whose status is spam. Non-Spam shows messages whose status is not spam. All shows all messages.
4.6 Viewing Specific Incidents
To view an incident given its incident ID, click on Quarantine and then Specific Incident. Type the incident ID and press Enter. You can view another incident by typing its ID in the box and pressing Enter. If you enter an incident ID that you know exists, but CanIt Domain PRO cannot find it, the incident may not be in the current stream. If you are the CanIt Domain PRO administrator, switch to the stream * (a single asterisk) and re-enter the incident ID. This will search for the incident in all streams in the current realm.
4.7 Searching the Quarantine
CanIt Domain PRO supports advanced queries on the quarantine. To open the Search page, click on Quarantine and then Search. The Quarantine Search page appears.
[Figure: Quarantine Search form, with the fields Status, Subject, Sender, Recipient, Report, Hold Reason and Relay Address]
73. certain part of the mail message, called a field. The available fields are:
Subject: The subject of the message.
Sender: The SMTP envelope sender (what appears in the MAIL FROM command), not necessarily what appears in the From header.
Recipient: The SMTP envelope recipient (what appears in the RCPT TO command), not necessarily what appears in the To or Cc headers. If you create a rule based on Recipient, the rule fires if any recipient matches.
HELO: The argument the server gave to the SMTP HELO or EHLO command. Many spammers misguidedly think that if they provide your own server name in the HELO command, your machine is more likely to accept the mail. You can detect those spammers with a HELO rule.
Relay: The canonical name of the sending relay, as determined by a reverse DNS lookup. If the lookup fails, the relay name is set to its IP address in square brackets, like this: [127.0.0.1]
RelayAddress: The IP address of the sending relay.
Header: Applies to all the header lines of the message. If any header matches the rule, then the rule matches. Please see Section 5.8.7 for more details.
Body: Applies to the message body. Note that Body matches apply to decoded message parts, after any MIME encoding has been decoded. See Section 5.8.8 for more details.
RawBody: Applies to the raw, undecoded message, including all headers and the undecoded MIME body. In most cases you should not use RawBody matching; instead, use Body matchi
74. colons. For example, it might look like this: X-CanIt-Geo ip 64.26.171.99 country CA region ON city Ottawa
The possible key/value pairs are summarized below. Not all are always present; sometimes the location of a server cannot be determined precisely.
• ip ipaddr: this indicates the IP address of the sending server.
• country CC: this indicates the two-letter country code of the sending server.
• region reg: the region (state, province, etc.) in which the sending server is located.
• city city_name: this indicates the city in which the sending server is located. Not all IP addresses can be resolved to a city, so this key may be absent.
• latitude lat, longitude long: the approximate latitude and longitude of the sending server. If no city could be determined, these simply represent the geographical centre of the country and may have no relation to the actual location of the server.
• postalcode post code: the postal code in which the sending server is located.
• areacode code: the North American area code in which the sending server is located.
If no geolocation information is available, the header looks something like this: X-CanIt-Geo No geolocation information available for 127.0.0.1
Appendix B The CanIt Domain PRO Lic
75. consisting of more than one machine, exactly one host is designated to run the Ticker tasks. That host is called the Ticker Host.
Whitelist: A list of domains, senders or hosts whose e-mail is permitted through without spam scanning.
Chapter 2 The Simplified Interface
CanIt Domain PRO is extremely versatile, allowing you to set many parameters such as blacklists, whitelists, custom rules and so on. If you find this too confusing and time-consuming, you can make use of the Simplified Interface. Note that your system administrator must have configured CanIt Domain PRO to support this; if the simple interface is not available, it could be that your system administrator decided not to turn it on. If you enable the Simplified Interface by clicking on Simplified Interface in the main menu, the CanIt Domain PRO interface looks something like this:
[Figure 2.1: Simplified Interface, offering the Spam Scanning Level choices "Opt out of spam scanning", "Only tag spam", "Leave decision to IT staff" and "Delete mail scoring more than 8 points"]
Note that the specific choices might be different, depending on how your system administrator configured CanIt Domain PRO. To set a spam scanning level, simply enable the appropr
76. core The dkim result is the result of DKIM evaluation, and dkim score is the score applied for that result.
Bayesian analysis score: This shows the score applied due to Bayesian analysis. This item will only be present if the Bayes engine results in a non-zero score. It takes the form of Bayes bayes probability bayes score. This is the same as the content of the X-Bayes-Prob header, where bayes probability is the probability between 0 and 1, and bayes score the score applied for that probability.
The second form of this header occurs when no scoring is performed. This can occur because of a whitelist entry, a quarantined and released message, or because of an error in CanIt. In this form, the X-Spam-Score header will contain one of the following:
• undef user@example.com is whitelisted
• undef example.com is whitelisted
• undef 192.168.1.1 is whitelisted
The above three cases occur when a sender, domain, or host are whitelisted, respectively.
• 5.2 message approved incident 12345
This occurs when a message was manually approved from the spam quarantine and passed through. The first number is the original score of this message before approval.
• undef spam scanning disabled
This occurs when spam scanning has been disabled for this stream. In this case, the message was not scanned for spam.
• undef message too big
77. ctly, the receiver can be very confident that the domain purporting to originate the email message is in fact responsible for it. If the DKIM signature fails, then the message either didn't originate with the domain or has been altered in transit. For more information on DKIM, see http://www.dkim.org
To add DKIM rules to CanIt Domain PRO, click on Rules and then DKIM Rules.
[Figure 5.13: DKIM Rules, a table with the columns Domain, pass, fail, invalid, temperror, none, Comment and Delete]
If you enter a string in the Filter box, CanIt Domain PRO will restrict the listing to those items that contain the string in the Domain or Comment column.
CanIt Domain PRO lets you add or subtract points based on the results of DKIM signature verification. The possible results are:
pass: The message had a DKIM signature and it was correctly verified.
fail: The message had a DKIM signature, but the signature was incorrect.
invalid: The message had a DKIM signature, but it was invalid (i.e. malformed or corrupt). No verification could be attempted.
temperror: There was a temporary failure in DKIM signature verification. This could happen if the public key cannot be retri
78. d. If this cannot be determined, this tag is replaced with city is replaced with the name of the city in which the SMTP client is located. If this cannot be determined, this tag is replaced with
S 1510 Create incidents for tagged messages: Normally, CanIt Domain PRO does not create quarantine entries for tagged messages. If you set this setting to Yes, then CanIt Domain PRO creates quarantine entries even in tag-only mode. This permits you to view the full spam analysis report for tagged messages.
S 1600 Tempfail unknown senders on first transmission: If you set this to Yes, then CanIt Domain PRO will turn on greylisting. This is an effective and cheap way to detect many kinds of spam-sending software, but it may introduce delivery delays the very first time a previously unknown sender tries to send you e-mail.
S 1620 Minimum delay in minutes before accepting retry from unknown senders: If you set S 1600 to Yes, we recommend setting S 1620 to between 0 and 2.
S 1640 Time in hours to delay messages containing Phish-voted URLs: If a message contains URLs with a certain minimum number of votes from other CanIt Domain PRO users that the URLs are fraudulent, the message will be delayed. Normally, only administrators should adjust this setting.
S 1630 Minimum number of URL Phish votes required to delay a message (0 = never delay): The minimum number of votes required before a message is delayed because of suspect URLs. Normally
79. d then Custom Rules.
[Figure 5.8: Custom Rules, a table with the columns ID, Field, Relation, Data, Score, Expiry, Comment and Delete]
CanIt Domain PRO's custom rules allow you to adjust the spam score based on certain fields in each e-mail message. For each e-mail message, all of your custom rules are checked, and any which match have their score added to the spam score. Note that you can lower the spam score by specifying a negative number for a custom rule's score.
CanIt Domain PRO custom rules are less efficient than built-in SpamAssassin rules. You should not create more than one or two hundred custom rules in a given stream or in the default stream, or CanIt Domain PRO will be very slow. If you require that many rules, you should investigate coding them up as SpamAssassin rulesets.
If you enter a string in the Filter box, CanIt Domain PRO will restrict the listing to those items that contain the string in the Field, Relation, Data or Comment column.
5.8.1 Fields
Each custom rule can examine a
80. deleting them or putting them in your Spam folder.
[Figure 8.2: Notification Page, with Basic Settings (e-mail address for notification of pending messages, notification type, maximum number of entries per notification message, score threshold above which messages are not included in notifications), Notification Times and Notification Days]
To enable notifications:
• Enter the e-mail address to which notifications should be sent. Note that CanIt Domain PRO attempts to guess the notification e-mail address, but it might guess incorrectly. If CanIt Domain PRO displays an incorrect notification address, simply erase it and enter the correct address.
• Select the type of notification message:
1. Brief Notification will send short messages that simply inform you that you have pending me
81. dent: If a message scores higher than this setting, CanIt Domain PRO rejects it and does not create an incident. There is therefore no way to search the quarantine for such messages. Be sure to set this score high enough that the chances of a false positive are extremely remote. On very busy mail servers, rejecting obvious spam without creating an incident can reduce the load on the database server. We do not recommend setting this below 20.
S 300 Spam threshold: CanIt Domain PRO will hold any messages scoring higher than this amount. The default value of 5 has been carefully tuned to minimize errors. Note that small changes to this setting can have large and nonlinear effects. If you do change the spam threshold, change it by a small amount, such as 0.2 points, at a time. Wait for a day or so after any change to observe the effects before making any further changes.
S 400 Maximum allowable message size (kB; 0 means unlimited): If non-zero, specifies the maximum message size that will be accepted for the stream. Note that any global setting of MaxMessageSize in the Sendmail configuration file will still apply. As a safety measure, CanIt Domain PRO will not reject messages smaller than 100kB, regardless of the value of this setting.
S 800 Reject mail from domains with bogus MX records: This setting can take one of three values:
• No: do not test sender domains
82. ds 1.2 to any Relay containing left square bracket. This indicates a reverse DNS failure on the sending host, which is mildly correlated with spamming.
• We use a discard threshold of 20; this seems quite safe.
13.7 General Anti-Spam Tips
13.7.1 Use Receive-Only Addresses on your Web Site
Spammers love to extract e-mail addresses from Web sites, and not only do they use them for the obvious purpose of spam targeting, but also they use them as fake sender addresses. Therefore, we recommend a general policy of publishing only generic e-mail addresses on your Web site, like info@roaringpenguin.com and sales@roaringpenguin.com. When you reply to inquiries, always use a real personal e-mail address like dfs@roaringpenguin.com. This has two benefits:
1. If someone sends e-mail purporting to come from info@roaringpenguin.com, you know immediately that it is spam and you can reject it. You can blacklist all your generic addresses inside CanIt Domain PRO.
2. If someone complains about receiving e-mail from one of the generic addresses, you can point to your policy and assure the recipient that the sender address was faked.
13.7.2 Do Not Reply to Spam
Do not ever reply to spam e-mail; such replies simply serve to validate your e-mail address. Similarly, do not visit Web sites purporting to offer opt-out services; they also serve to validate your address for further spamming.
83. e @ sign to add a rule pertaining to that sender. Click on the sender domain (the part after the @ sign) to add a rule for that domain.
3.3 Online Documentation
This User's Guide (and, depending on your privileges, other manuals) is available online in HTML format from the CanIt Domain PRO Web interface. The manuals may be accessed in a number of ways:
• Most pages have an Online Documentation link near the top right corner. This is a link to the section of the manual that describes that page.
• The bottom of each page includes a link to the User's Guide. If you have sufficient privileges, you will be given links to the API Guide, Administration Guide and Installation Guide as well.
• The bottom of each page includes a search box. To search the manuals, type a search phrase in the box and press Enter. All manuals to which you have access will be searched and the search results presented. Note that the search is fairly simplistic. It just searches for a substring anywhere in the manual. When you click on a search hit, you may need to use the search function in your browser (typically Control-F) to find the exact location of your search terms.
Chapter 4 The CanIt Domain PRO Quarantine
The CanIt Domain PRO Quarantine is an area in which CanIt Domain PRO holds messages that it thinks might be spam.
4.1 Viewing the Quarantine
To view pending messages in the quarantine
84. e down, enable the Move Down checkbox and click Submit Changes. You may edit the explanatory comment and click Submit Changes. To delete a rule, enable the Delete checkbox and click Submit Changes.
Chapter 12 Locked Addresses
12.1 Introduction to Locked Addresses
Locked Addresses are designed to solve the following problem: You want to give out your e-mail address to someone, but you don't trust that person or organization not to turn around and give or sell it to others. You want an address that can only be used by the person or organization you give it to, and not by anyone else. CanIt Domain PRO has a complete solution to this problem. However, it does require some administrative overhead before users can take advantage of the feature. If your administrator has not done the setup, then Locked Addresses will not be available for you.
12.2 How Locked Addresses Work
When you create a locked address, CanIt Domain PRO generates a new random e-mail address and associates it with your real e-mail address. The newly generated address is in an unlocked state. Any e-mail arriving for that address will be delivered to your real e-mail address. The very first time e-mail arrives for the new address, it locks on to either the sender address or the domain. From now on, only that specific sender
85. Body Matching
5.9 Passive OS Fingerprinting
5.10 Compound Filter Rules
5.10.1 Viewing Compound Filter Rules
5.10.2 Creating a Compound Filter Rule
5.10.3 Special Relations
5.10.4 Macro Values in Data Boxes
5.10.5 Editing an Existing Compound Filter Rule
5.10.6 Deleting a Compound Filter Rule
5.11 RBL Rules
5.12 SPF Rules
5.12.1 How SPF Queries Work
5.12.2 Entering SPF Rules
5.12.3
5.12.4 SPF and Effects on Whitelisting
5.13 DKIM Rules
5.13.1 Vouch by Reference
5.14 Blacklisting Recipients
5.15 Enumerating Valid Recipients
5.16 Overriding Built-In Test Scores
5.17 Importing and Exporting Rules
5.17.1 Exporting Rules
5.17.2 Format of the Exported Rules
5.17.3
86. elay address is replaced with the IP address of the connecting relay. connecting_relay hostname is replaced with the hostname of the sending relay.
For convenience, if you type as the first two characters in a compound rule text box, an auto-complete menu will pop up, allowing you to select a macro name.
5.10.5 Editing an Existing Compound Filter Rule
To edit a compound filter rule, click on the ID in the Compound Filter Rules table. The compound rule editor will open and permit you to edit the rule. Click Save to save your changes.
5.10.6 Deleting a Compound Filter Rule
To delete a compound filter rule, enable the Delete checkbox and click Submit Changes.
5.11 RBL Rules
The term RBL as used in CanIt Domain PRO stands for real-time blacklist or real-time blocklist. An RBL is a DNS-based list of known bad IP addresses. Whenever CanIt Domain PRO is processing an SMTP session, it can look up the originating host in a number of RBLs and take action if the host is on the RBL. This list is a list of all possible RBLs that are available to you. The CanIt Domain PRO administrator may add new RBLs to the list under Administration and then Master RBLs. You then can make rules for the various RBLs on the list from here. To create RBL rules, click on Rules and then RBL Rules. The RBL Rules page appears. RB
87. elope sender if an SPF lookup on the message returns fail or softfail.
5.2.1 Domain Matching Rules
CanIt Domain PRO can use the same approach to match domains as Sendmail's access table does. Suppose you receive e-mail from user@mail.sub.domain.net. CanIt Domain PRO performs the following domain lookups:
1. mail.sub.domain.net
2. .sub.domain.net
3. .domain.net
4. .net
and the first entry in the database is selected. Note that all but the first lookup have a period prepended to the domain name. This means that a domain rule of example.com applies only to example.com itself, and a domain rule of .example.com will be applied to any subdomain of example.com, unless there is a more specific rule for that subdomain. Thus, if you disallow e-mail from .baddomain.com, you also automatically block bouncer.baddomain.com and spambox.baddomain.com. However, you can explicitly allow goodbox.baddomain.com by adding another entry, because a domain with more components is more specific than (and takes preference over) one with fewer components.
5.3 The Network Action Table
CanIt Domain PRO can apply actions automatically based on the IP address of the SMTP relay host. To see the network list, click on Rules and then Networks.
[Figure: Networks table, with a Filter box and the columns Network and Action]
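The lookup order from Section 5.2.1, worked through as an added example (this is not CanIt Domain PRO's own code). The rule table, the action names "reject" and "allow", and the function names are assumptions made for the illustration.

```python
# Added illustration of the Sendmail-access-table style lookup described above.

def lookup_keys(domain):
    """Return the lookup keys for a domain, most specific first.

    The first key is the domain itself; every later key drops one leading
    label and has a period prepended.
    """
    domain = domain.strip().rstrip(".").lower()
    if not domain:
        return []
    labels = domain.split(".")
    keys = [domain]
    for i in range(1, len(labels)):
        keys.append("." + ".".join(labels[i:]))
    return keys


def sender_domain(envelope_sender):
    """Extract the domain part of an SMTP envelope sender ('' if none)."""
    addr = envelope_sender.strip().strip("<>")
    _local, at, domain = addr.rpartition("@")
    return domain if at else ""


def match_domain_rule(rules, envelope_sender):
    """Return (key, action) for the first rule that matches, or None."""
    for key in lookup_keys(sender_domain(envelope_sender)):
        if key in rules:
            return key, rules[key]
    return None


# Constructed rule table: block every subdomain of baddomain.com,
# but explicitly allow one host with a more specific entry.
RULES = {
    ".baddomain.com": "reject",
    "goodbox.baddomain.com": "allow",
}

if __name__ == "__main__":
    for sender in (
        "user@mail.sub.domain.net",
        "spam@bouncer.baddomain.com",
        "news@goodbox.baddomain.com",
        "x@sub.goodbox.baddomain.com",
        "ceo@baddomain.com",
        "<>",
    ):
        print(sender, lookup_keys(sender_domain(sender)),
              match_domain_rule(RULES, sender))
```

Note the two edge cases the lookup order implies: a rule without a leading period does not cover subdomains of that host, and a rule with a leading period does not cover the bare domain itself.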
88. ely, providing you do not violate this license. If you have purchased yearly usage, you may exceed your purchased limit by up to 10 until the yearly renewal date, at which time you must purchase a sufficient limit for the increased number of domains or mailboxes. If you have purchased a perpetual license, or wish to increase your usage more than 10 above your paid-up limit, you must purchase the additional usage within 60 days of the increase.
4. You may examine the CanIt Domain PRO source code for education purposes and to conduct security audits. You may hire third parties to audit the code, providing you first obtain permission from Roaring Penguin. Such permission will generally be granted, providing the third party signs a non-disclosure agreement with Roaring Penguin.
5. You may modify the CanIt Domain PRO source code for your own internal use, subject to the restrictions in Paragraph 9 below. However, if you do so, you agree that Roaring Penguin is released from any obligation to provide technical support for the modified software. If you wish your modifications to be incorporated into the mainstream CanIt Domain PRO release, you agree to transfer ownership of your changes to Roaring Penguin.
6. You may make backups of CanIt Domain PRO as required for the prudent operation of your enterprise.
7. You may not redistribute CanIt Domain PRO in source or object form, nor may
89. ense
READ THIS LICENSE CAREFULLY. IT SPECIFIES THE TERMS AND CONDITIONS UNDER WHICH YOU CAN USE CANIT DOMAIN PRO.
This license may be revised from time to time; any given release of CanIt Domain PRO is licensed under the license version which accompanied that release. CanIt Domain PRO is distributed in source code form, but it is not Free Software or Open Source Software. Some CanIt Domain PRO components are Free Software or Open Source, and we detail them below. The following files may be redistributed according to the licenses listed here. An asterisk in a file name signifies a version number; the actual file will have a number in place of the asterisk.
File: License
src Archive Tar x tar: Perl License
src Config Tiny x tar: Perl License
src DBD Pg x tar: Perl License
src DBI x tar: Perl License
src Data ResultSet x tar: Perl License
src Data UUID x tar: Perl License
src Digest MD5 x tar: Perl License
src Digest SHA1 x tar: Perl License
src File Spec x tar: Perl License
src File Temp x tar: Perl License
src HTML Parser x tar: Perl License
src HTML Tagset x tar: Perl License
src IO Zlib x tar: Perl License
src IO stringy x tar: Perl License
src Log Syslog Abstract x tar: Perl License
src MIME Base64 x tar: Perl License
src MIME tools x tar: Perl License
src Mail SPF Query x tar: Perl License
src Mail SpamAssassin x tar: Apache License Version 2.0
src MailTools x tar: Perl License
90. ent spam addresses from the same address. Therefore: Blacklisting individual addresses is usually not effective. Whitelisting known good addresses (for example, mailing list sending addresses) can be very effective. The sender report may, however, highlight a persistent spam sender address which is worth blacklisting.
13.2 Don't Trust Sender Domains
Just as sender addresses are often fake, sender domains are too. However, some domains are known spammers, and these can be profitably blacklisted. The tip: Blacklisting entire domains can be effective under limited circumstances. Whitelisting known good addresses (for example, mailing list sending addresses) can be very effective. Holding all mail from free e-mail services like Hotmail and Yahoo can be effective if you use it in conjunction with whitelisting of known good senders from those services. Use the domain report to help make these decisions.
13.3 You May Trust Relay Hosts
It is rather difficult to fake the IP address of the SMTP relay host, so this attribute can usually be trusted. We recommend using a DNS-based blacklist service in your Sendmail configuration file to reject the most obvious offenders. However, if you receive multiple spam messages from a given relay host, it can be effective to block the host. Blacklisting a repeat offender relay host is effective. Whitelisting known good ho
91. ers
5.10.1 Viewing Compound Filter Rules
To view compound filter rules, click on Rules and then Compound Rules. The Compound Filter Rules page appears (Figure 5.9).
[Figure 5.9: Compound Filter Rules, a table with the columns ID, Comment, Rule, Score, Expiry and Delete, showing two sample rules: "Codeword for friendly company" and "People faking my bank"]
The Compound Filter Rules table has the following columns:
1. ID: An integer that uniquely identifies the compound filter rule.
2. Comment: A comment explaining what the rule does or why it was created.
3. Rule: The rule itself. Rules will be described in the next section.
4. Score: The score to add or subtract if a rule fires.
5. Expiry: An optional expiry date. If supplied, CanIt Domain PRO will automatically delete the rule after that date.
6. Hits: If you are running a CanIt Domain PRO appliance and have the Log Indexer add-on component installed, this column shows the number of times a given rule has fired in the last 30 days. Note that the statistics may be a few hours behind real time, so newly added rules may not immediately show any hits.
7. Delete: A checkbox allowing manual deletion of a compound filtering rule.
You can edit the comment, score and expiry directly within the Compound Filter
92. es the rule. Click Save to save the compound rule. Compound Rules offer the following fields:
Attachment Filename matches against any attachment filenames.
Country Code matches against the two-letter ISO 3166 country code of the sending SMTP relay.
Envelope Recipient matches against any envelope recipient (the email addresses in SMTP RCPT To commands).
Envelope Sender matches against the envelope sender (the email address in the SMTP MAIL From command).
Header From matches against the email address in the From header.
Header Sender matches against the email address in the Sender header. Since most email messages lack a Sender header, this field is not usually useful.
Domain of Envelope Sender matches against the domain part of the envelope sender (the email address in the SMTP MAIL From command). The domain part is everything after the @ sign in an email address.
Domain of Header From matches against the domain part of the email address in the From header.
Domain of Header Sender matches against the domain part of the email address in the Sender header. Since most email messages lack a Sender header, this field is not usually useful.
Subject matches against the message subject.
To or From matches against both Envelope Sender and Envelope Recipient.
93. essages are clogging mail servers and wasting employees' time. CanIt Domain PRO is a piece of software that runs on your mail server, scanning e-mail messages and picking out those which it considers to be spam. Messages identified as spam are held until a human examines them and marks them as definite spam (in which case they are discarded) or as legitimate messages (in which case delivery is permitted).
1.1 Organization of this Manual
This manual is divided as follows:
Chapter 1, Introduction, is this chapter. You should familiarize yourself with the terms in Section 1.2 before proceeding.
Chapter 2, The Simplified Interface, describes the CanIt Domain PRO simplified interface for beginning users.
Chapter 3, The My Filter Page, describes the CanIt Domain PRO home page that lets you see the status of your filter at a glance.
Chapter 4, The CanIt Domain PRO Quarantine, describes CanIt Domain PRO's quarantine area and how to use it.
Chapter 5, Blacklists, Whitelists and Rules, explains how you can create additional rules for blocking or accepting e-mail.
Chapter 6, Preferences, explains how to set your personal CanIt Domain PRO preferences.
Chapter 7, Reports, explains the types of reports CanIt Domain PRO can produce.
Chapter 8, Streams, describes the concepts behind a stream. CanIt Domain PRO puts all of your e-mail rules and settings into a stream.
Chapter 9, Bayesian Filtering
94. eved.
none: The message did not have a DKIM signature at all.
You can use different scores for different domains. In the examples in Figure 5.13, you can see that we trust intl.paypal.com quite a bit, so subtract 4 points for a DKIM-verified message. Since we always expect Paypal messages to have a valid DKIM signature, we add 5 points for bad, invalid or nonexistent DKIM signatures. We trust yahoo.com quite a bit less, so we only subtract 0.5 points for a validly-signed message. We add 5 points for bad or invalid signatures, but only two points for missing signatures. Some people use their Yahoo email addresses without relaying through Yahoo's servers, so it is reasonably common for their messages to lack a signature.
To enter a DKIM rule:
1. Enter the domain the rule should apply to in the Domain entry box. If you enter in the Domain entry box, then the rule applies to all domains unless there is a more specific entry for the domain. As with SPF rules, DKIM rules are searched by stripping domain components until a match is found. For example, for the domain x.example.com, CanIt Domain PRO searches for DKIM rules in the following order and stops when the first rule is found: a x example com b x example com c example com d com e x
To reiterate: a rule starting with applies to the specified domain as well as to all su
95. for a nonexistent recipient, simply blacklist that recipient. To blacklist a recipient:
• Click on Rules and then Blacklisted Recipients.
• Enter the full e-mail addresses of the recipient you wish to blacklist. You can enter more than one address; just put each address by itself on a line.
• Click Blacklist Recipient(s).
If mail comes in for a blacklisted recipient, CanIt Domain PRO fails the RCPT TO command for that recipient. To remove a recipient from the blacklist, click on the Delete link near the recipient's e-mail address in the blacklisted recipients table.
The list of blacklisted recipients is kept on a per-stream basis. When testing if an address is blacklisted, CanIt Domain PRO first determines which stream the address would map to, and it then looks up that stream's list of blacklisted recipients. Although a stream administrator can blacklist any address, CanIt Domain PRO will ignore addresses that don't map to that stream. For example, if the stream administrator for user1 blacklists the address user2@domain.net (which presumably maps to a different stream), CanIt Domain PRO will ignore the entry. The CanIt Domain PRO administrator can globally blacklist recipients by placing the blacklisted addresses in the default stream. CanIt Domain PRO refuses to obey a blacklist on the special address postmaster
96. for bogus MX records.
- Loopback (the default): reject mail from any domain that has an MX record in the 127.0.0.0/8 network.
- All Bogus: reject mail from any domain that has an MX record in any of the following networks: 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 224.0.0.0/4, 240.0.0.0/5, 0.0.0.0/32 and 255.255.255.255/32.
In all cases, if a domain lacks an MX record, the Bogus MX test uses the A record, if any.
S-950 Automatically populate pending notification addresses: Stream owners can ask to be notified of pending mail. One piece of information CanIt-Domain-PRO requires is the e-mail address to be notified. If you set S-950 to Yes, then CanIt-Domain-PRO will automatically set a stream's notification address the first time an e-mail passes through the stream.
S-1000 Handling for messages containing viruses: If you have a supported virus scanner, you can set this to Accept to accept messages containing recognized viruses, Hold to hold them for approval (or tag in a tag-only stream), or Reject to automatically reject them. The default setting is Hold/Tag; we do not recommend using Accept.
S-1050 Enable DKIM Signing for outbound messages originating from senders in this stream: This setting should be adjusted only by realm administrators and is described in the Administration Guide.
S-700 Only accept mail for accounts in the Valid Recipients table: If this is set to Yes, then CanIt-Domain-PRO refuses
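The Bogus MX test described in item 96, as an added example that is not CanIt-Domain-PRO's own code: it applies the Loopback and All Bogus network lists quoted above to addresses that have already been resolved, including the fall-back to the A record when a domain has no MX. The function names and the sample DNS answers are constructed for illustration.

```python
import ipaddress

# Networks quoted in the guide's description of the two Bogus MX modes.
LOOPBACK = ("127.0.0.0/8",)
ALL_BOGUS = (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/5",
    "0.0.0.0/32", "255.255.255.255/32",
)
MODES = {
    "Loopback": [ipaddress.ip_network(n) for n in LOOPBACK],
    "All Bogus": [ipaddress.ip_network(n) for n in ALL_BOGUS],
}


def bogus_mx_hits(mode, mx_ips, a_ips=()):
    """Return (address, network) pairs that make a sender domain bogus.

    mx_ips: addresses the domain's MX hosts resolve to.
    a_ips:  addresses of the domain's own A record, consulted only when
            the domain has no MX record at all.
    """
    networks = MODES[mode]
    candidates = list(mx_ips) or list(a_ips)
    hits = []
    for text in candidates:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # unparsable answer: nothing to compare
        for net in networks:
            if ip in net:  # False for IPv6; the listed networks are IPv4
                hits.append((text, str(net)))
                break
    return hits


def audit(dns_answers, mode):
    """Return the sorted sender domains that the given mode would reject."""
    return sorted(
        domain
        for domain, (mx_ips, a_ips) in dns_answers.items()
        if bogus_mx_hits(mode, mx_ips, a_ips)
    )


# Constructed sample answers: domain -> (MX addresses, A addresses).
SAMPLE_ANSWERS = {
    "loop.example": (["127.0.0.1"], []),
    "rfc1918.example": (["10.1.2.3", "203.0.113.10"], []),
    "nomx.example": ([], ["192.168.1.5"]),          # no MX, A record used
    "fine.example": (["203.0.113.10"], ["127.0.0.1"]),  # MX exists, A ignored
    "mcast.example": (["239.1.1.1"], []),
}

if __name__ == "__main__":
    for mode in MODES:
        print(mode, audit(SAMPLE_ANSWERS, mode))
```

Running the same sender domains through both modes before switching from Loopback to All Bogus shows which legitimate correspondents publish private-range MX records and would start being rejected.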
97. g on Really Clear Quick Links.
Note that not all pages are quick-linkable: any page that is immediately reachable from the top-level menu is not quick-linkable, and neither is a page that depends on user input or form data. Quick Links are maintained on a per-user basis, so different users can have their own sets of quick links according to how they use CanIt-Domain-PRO most effectively.
Chapter 7 Reports
CanIt-Domain-PRO provides various reports which help you determine the major sources of spam. To view the reports, click on the Reports link. The Statistics Page appears.
Note: If the system administrator has disabled real-time reports, then the statistics page will not appear. Instead, you will be able to select from various types of reports based on spam-quarantine data.
7.1 Statistics
CanIt-Domain-PRO keeps statistics about the disposition of e-mail messages. To view the statistics, click on Reports and then Statistics. The Statistics Page appears.
[Figure: the Statistics Page, listing the available reports]
98. gs in the current stream and they all revert to their inherited value.
The ID column is a unique identifier for each setting; it is not used except as a convenient way for Roaring Penguin support personnel to indicate a particular setting over the phone.
[Figure 8.1: Quarantine Settings (the Stream Settings page for stream default)]
The available settings are:
S-100 Automatically reject messages scoring more than this amount: If a message scores higher than this on the spam scale, it will be automatically rejected. We do not recommend setting this below about 8. Lower values are dangerous and may cause legitimate mail to be rejected.
S-200 Auto-reject messages scoring more than this amount without creating an inci
99.
3. domain: The domain.
4. action: The action to associate with the domain; one of allow always, hold always, hold if spam or reject.
5. who: The user ID of the person who created the rule.
6. comment: Any comment attached to the rule.
For network blacklists and whitelists, the fields are:
1. Network: The literal text Host.
2. stream: The stream containing the rule.
3. network: The network address in CIDR notation.
4. action: The action to associate with the network; one of allow always, hold always, hold if spam, no rbl or reject.
5. who: The user ID of the person who created the rule.
6. comment: Any comment attached to the rule.
For custom rules, the fields are:
1. Custom: The literal text Custom.
2. stream: The stream containing the rule.
3. field: The field associated with the rule.
4. relation: The relation associated with the rule.
5. data: The string data associated with the rule.
6. score: The score to assign to the rule.
7. comment: Any comment attached to the rule.
For MIME type rules, the fields are:
1. MIME: The literal text MIME.
2. stream: The stream containing the rule.
3. mimetype: The MIME type.
4. action: The action to associate with the MIME type.
5. who: The user ID of the person who created the rule.
6.
101. iate button and click Set Spam-Scanning Level. To log out, click on Log Out. To turn on the normal interface, click Enable Expert Interface. The expert interface will be described in subsequent chapters.
Chapter 3 The My Filter Page
The home page in the Expert Interface is the My Filter page.
[Figure 3.1: My Filter]
The My Filter page is an overview of your filter settings and pending messages. Most of your interaction with CanIt-Domain-PRO can be done right on this page.
3.1 Sender Rules
From the My Filter page, you can quickly add a sender address or domain and tell CanIt-Domain-PRO always to accept mail from that address or domain. Simply set the pulldown menu t
102. in PRO only notifies you of new pending messages. That is, if no new messages have been quarantined since the last notification, CanIt-Domain-PRO will not send out another notification. However, if you explicitly request a notification message from the Web interface, then CanIt-Domain-PRO will send one if there are any pending quarantined messages, even if they have previously appeared in a notification email.
8.4 RSS Feeds
CanIt-Domain-PRO permits you to set up an RSS feed to view your pending messages. To enable an RSS feed, click on Preferences and then RSS Feed. The RSS Feed Page appears.
[Figure 8.3: RSS Feed Page]
To enable the RSS feed, click on Enable RSS Feed. An RSS feed URL will be generated; this is the feed location that you put into your RSS reader. The random-looking rsskey parameter is what authenticates you to CanIt-Domain-PRO.
The RSS feed URL is sensitive. Anyone who obtains the URL can read your Pending Messages RSS feed. You should therefore keep the URL confidential. If you think your RSS feed has been compromised, you can take one of two actions:
1. You can disable
103. in PRO system. To access the report, click on Reports and then Load. Select which hosts you wish to monitor, which measurements you wish to see, and the timeframe to display. Click Show Load to display the load. A typical display is shown in Figure 7.4.
[Figure 7.4: Cluster Load]
To display a load report:
1. Select the host whose statistics you wish to display. Select Total to display totals (or averages for scan and RCPT times) for all hosts in the cluster. Select All to display graphs for all hosts in each chart.
2. Select the measurement to display. Possibilities are:
- Average Busy Scanners: The average number of busy scanning processes at any given instant.
- Scan Time: The time in milliseconds to scan an e-mail.
- Scans per Second: The number of messages scanned per second.
- RCPT Time: The time in milliseconds to process each SMTP RCPT command.
- RCPTs per Second: The number of RCPT commands per second.
- All: Display all measurements.
3. Select the time frame of the report. You can select Minute by
104. inks are stored in a separate HTML part rather than placed in the original message text. Finally, Plain Separate Part adds a separate plain-text part with the voting links. Some mail readers misbehave if there is a plain-text message followed by an HTML part; they render the HTML part as the message. Microsoft Outlook in particular seems to suffer from this deficiency, so Outlook users may want to choose Plain Separate Part.
S-2600 Add training links to messages even if whitelisted: Normally, CanIt-Domain-PRO adds Bayesian training links to all scanned messages. If you do not want to add training links to messages from whitelisted senders, domains or networks, set this setting to No.
S-2610 Log Bayes training links to the mail log: If you set this setting to Yes, then CanIt-Domain-PRO logs two lines to the mail log allowing an administrator to train a message as spam or non-spam. Usually, you should leave this setting at No because on most installations, Sendmail itself logs the training links. However, if you have lowered Sendmail's Milter log level, you may wish to set this setting to Yes to have the training links logged.
S-2700 Add training links in message headers: If you set this to Yes, then CanIt-Domain-PRO will add three special headers containing training links to the message. These headers will be named X-Antispam-Training-Spam, X-Antispam-Training-Nonspam and X-Antispam-Training-Forget. These permit the training of a message as spam
106. lassifies a piece of mail. The default setting of 1000 means CanIt-Domain-PRO will practically never auto-learn. We do not recommend setting the auto-learn threshold above zero.
S-3100 Score above which to auto-learn as spam: If an incoming mail scores above this threshold, CanIt-Domain-PRO automatically trains it as spam. The default setting of 10000 means CanIt-Domain-PRO will practically never auto-learn mail as spam. We do not recommend setting this threshold below 10.
S-3200 Permit unauthenticated voting: If you set this to Yes, then when you click on a training link to vote an e-mail as spam or non-spam, CanIt-Domain-PRO will register the vote even if you are not logged in, and without prompting you to log in. Use this setting with care: if S-3200 is Yes, then anyone who receives a copy of your voting link can vote on the message.
9.3 Training the Bayesian Filter
Each time you accept or reject a message, CanIt-Domain-PRO's Bayesian filter is trained on that message. It is therefore easy to build up a body of trained spam messages. Because many more messages in the quarantine are rejected rather than accepted, it takes longer to build up a body of trained non-spam messages. For that reason, you should enable Add links to messages to train Bayesian analyzer and train the system on non-spam messages until a suitable body has been built up. You tr
107. le. For example, rejecting f domain com will not work. Instead, reject domain.com in the Domain Action Table.
CanIt-Domain-PRO will ignore a sender whitelist entry if the sender address matches the recipient address. This is to prevent problems if you whitelist your own address; spammers often fake spam so it appears to come from its victims. Additionally, by default CanIt-Domain-PRO will ignore a sender whitelist on the envelope sender if an SPF lookup on the message returns fail or softfail.
5.1.1 Holding Unlisted Senders
CanIt-Domain-PRO can allow you to decide to only accept mail from a specific list of sender addresses, and to hold mail from all others. This essentially gives you the benefits of a challenge-response or sender opt-in system without requiring that senders perform any additional actions before sending you a message. To use this feature:
1. Go to Rules : Senders and add the addresses of people you wish to receive mail from as Always allow.
2. Enable the Hold/Tag mail from any sender not listed in Senders Table setting under Preferences : Quarantine Settings.
Messages from the addresses you whitelisted will be allowed, and all messages from senders not specifically listed in the Sender Action Table will be held in your Pending quarantine, even if they score below your spam threshold.
5.2 The Domain Ac
109. low them for anyone you have whitelisted.
5.7.1 Matching Entire File Names
In the Filename Extension list, you can match an entire file name by prefixing the name with . For example, the entry message.zip will match if the entire filename is message.zip (using a case-insensitive comparison, of course).
5.7.2 Matching Filename Extensions inside an Archive
If you prefix the extension with a greater-than sign (>), then CanIt-Domain-PRO matches the filename extension only if it occurs inside an archive file such as a zip file. So for example, if you wished to make a rule that triggered on zip, but only if it is inside another zip file or some other archive, use an extension >zip.
If you include both ext and >ext rules, then the ext rule is used for top-level files and the >ext rule is used for files inside archives. If you do not include the >ext variant, then the ext rule is used both for top-level files and for those inside archives.
5.7.3 Matching All Attachments
In the Filename Extension list, you can match all attachments by using the extension * (a single asterisk). You can make specific entries to override the actions.
5.8 Custom Rules
In addition to the built-in spam-detection rules, you can create your own custom rules which affect the spam score. To create your own rules, click on Rules an
110. ly it is simpler and easier to enable training links and vote directly from the body of the message. The general format of this header is:
X-Canit-Stats-ID: 314300 31097dbb7b37
If the message has already been trained, this information is available in the header as one of:
X-Canit-Stats-ID: 314300 31097dbb7b37 trained as spam
X-Canit-Stats-ID: 314300 31097dbb7b37 trained as not spam
If Bayesian filtering is enabled, but for some reason a signature is not available in the database, this header will appear as:
X-Canit-Stats-ID: Bayes signature not available
A.2.3 X-Antispam-Training-Spam/Nonspam/Forget
If Bayesian filtering is enabled and a signature is available for the message, CanIt-Domain-PRO may add three training headers containing a link allowing the message to be voted as spam, voted as non-spam, or to have any existing votes forgotten. These headers will appear similar to:
X-Antispam-Training-Spam: http://example.com/canit/b.php?i=12&m=31097dbb7b37&c=s
X-Antispam-Training-Nonspam: http://example.com/canit/b.php?i=12&m=31097dbb7b37&c=n
X-Antispam-Training-Forget: http://example.com/canit/b.php?i=12&m=31097dbb7b37&c=f
A.3 Geolocation Header
The X-CanIt-Geo header contains geolocation information on the sending relay. It consists of a set of key-value pairs separated by semi
111. ly mode without actually tagging the subject. Downstream mail servers can trigger on other headers such as the X-Spam-Flag header. In addition to the tagged subject, an X-Spam-Flag header is added to the message in tag-only mode if it is spam. See section A.1.3 on page 129 for details.
S-1500 String to put in subjects of approved messages: If you enter something for this setting, CanIt-Domain-PRO will add it to the start of the message subject for every message that was quarantined and subsequently released by a person.
S-1505 Custom header to add to messages: If you enter something for this setting, CanIt-Domain-PRO will add a custom header to every message that is delivered. If the value of this setting starts with X and looks like a valid X header, then it is used as the header after template substitution. If the beginning of the setting does not look like a valid X header, then CanIt-Domain-PRO adds a header X-CanIt-Custom-Header with the value of this setting (after template substitution) as its value. Within this setting, you can use the following substitution sequences:
- x is replaced with a series of asterisks, one asterisk for each point in the message's score. If the message scored over 20, however, only 20 asterisks are used. If the message scored 0 or below, no asterisks are output.
- x is the same as except that upper-case X is used instead of asterisk.
- X is replaced with a string of X's where the length of
112. mail, set Do not include messages scoring above this threshold in notifications to a lower value. We recommend setting this value at between 10 and 20.
Normally, CanIt-Domain-PRO sorts items in the notification message by date, descending (newest messages first). If you prefer to sort by score, ascending (lowest-scoring messages first), set Sort items in the notification email by to Score Ascending. This makes non-spam messages more likely to appear near the top of the notification email.
Select the times at which you would like notifications to be sent. You can choose to be reminded as often as hourly. A more practical choice might be three times daily: once at 8:00am, once at noon and once at 4:00pm. If you do not wish to receive notifications, simply turn off all of the time checkboxes.
Be aware that the notification times are approximate. Mail can be delayed for many reasons; you should not expect to receive notifications promptly on the hour.
Select the days on which you would like notifications. In Figure 8.2, for example, notifications are disabled on Saturday and Sunday.
Click Submit Changes to make your settings take effect.
If you would like CanIt-Domain-PRO to send a notification message right away, click Send Pending Notification Now.
Note: It may take several minutes before you actually receive the notification; requesting a notification merely queues the request for later processing.
Normally, CanIt Doma
113. me of the relay that initiated the SMTP connection to the CanIt-Domain-PRO scanner.
Raw Body matches the raw body of the message line by line, without any MIME decoding.
SPF Result matches the SPF result.
Size matches the size of the raw message in bytes.
For fields that can match multiple items, such as Header, Envelope Recipient, Attachment Filename, etc., CanIt-Domain-PRO uses the following rules:
- If the relation is a positive relation such as Contains, Is, Ends with, etc., then the condition matches if any of the items matches.
- If the relation is a negative relation such as Is not, Does not match RegExp or Does not contain, then the condition does not match if any of the items violates the relation.
5.10.3 Special Relations
CanIt-Domain-PRO has some special relations built in. The special relations are:
- Contains Credit Card Number: this relation is true if the field contains a 13- to 16-digit number, optionally with spaces or dashes after each group of four digits, that yields a correct check digit using the Luhn algorithm (the algorithm used to detect transcription errors in credit card numbers).
- Contains Canadian Social Insurance Number: this relation is true if the field contains a nine-digit number, optionally with spaces or dashes after each group of three digits, with a valid Luh
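The Contains Credit Card Number relation described in item 113, sketched as an added example that is not CanIt-Domain-PRO's own code: a 13- to 16-digit candidate with an optional space or dash after each group of four digits, kept only if the Luhn check digit is correct. The regular expression, the function names, the masking of reported hits and the sample message body (standard test card numbers) are assumptions made for illustration.

```python
import re

# 13 to 16 digits: three groups of four, each optionally followed by a
# space or dash, then one to four more digits. The look-arounds stop the
# pattern from matching inside a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{1,4}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string has a correct Luhn check digit."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9        # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so reports hold no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text):
    """Return masked forms of every Luhn-valid candidate found in text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits


# Constructed sample body: one 16-digit number that fails the check, two
# valid 16-digit test numbers, one valid 13-digit test number, and a
# 17-digit tracking number that is too long to be a candidate.
SAMPLE_BODY = (
    "Order ref 1234 5678 9012 3456 shipped.\n"
    "Please charge 4111 1111 1111 1111 or 5500-0000-0000-0004.\n"
    "Old card 4222222222222, tracking 12345678901234567.\n"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
```

The Luhn check only removes random digit strings: about one in ten arbitrary 16-digit numbers still passes, so a rule built on this relation is better given a moderate score than an outright reject action.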
114. more than 12.5. We also see that not a single non-spam scored above 28, so 28 is a good choice for the auto-reject threshold. Looking at the spam line, we see that an auto-reject threshold of 28 would automatically reject about 20% of spam.
Please note the limitations in the data: the ham data points are only for non-spam that was trapped. Non-spam that was correctly allowed through will not appear in the graph. Conversely, the graph does not reflect false negatives (spam that scored very low). Therefore, it tends to slightly over-report the percentage of spam scoring above a given score, and significantly under-report the percentage of non-spam scoring below a given score.
Chapter 5 Blacklists, Whitelists and Rules
CanIt-Domain-PRO allows you to make your own lists of senders, domains and hosts that are always allowed to send you mail, or never allowed to send you mail. It also lets you create custom rules and other types of rules. The following sections describe how to create these lists and rules.
5.1 The Sender Action Table
CanIt-Domain-PRO can take specific actions based on the sender's e-mail address. To see the sender list, click on Rules and then Senders. The sender page appears.
[Figure: the Senders page]
115. n 1 is automatically rounded up to 1, and any number higher than 1 is accepted as is.
2. You can limit the maximum number of messages to place in a zip file. (Zip file creation is described in Section 10.11.)
3. Similarly, you can limit the maximum uncompressed total size of a zip file.
The remaining items may be set only by the site administrator. They apply globally to the entire realm, not just to the current stream.
1. Maximum Possible Archive Retention Time in Months limits the value to which realm administrators may set Archive Retention Time in Months.
2. Maximum Possible Attachment Size in kB limits how high users may set Maximum Attachment Size to Archive in kB.
3. Maximum Possible Number of Messages to Place in a Zip File limits how high realm administrators may set Maximum Number of Messages to Place in a Zip File.
4. Maximum Possible Total Size in Megabytes to Place in a Zip File limits how high realm administrators may set Maximum Total Size in Megabytes to Place in a Zip File.
5. Permit Realm Administrators to Request Zip File of Mail Before it Expires controls whether or not realm administrators are allowed to request automatic creation of zip files before mail expires. CanIt-Domain-PRO can automatically generate a zip file of the oldest month's worth of mail when that mail is about to expire. This lets you take a copy of the mail from the CanIt server so you d
116. n check digit.
- Contains US Social Security Number: this relation is true if the field contains a nine-digit number with a space or dash required after the first three digits and the next two digits. Unfortunately, US Social Security Numbers do not use a check digit. CanIt-Domain-PRO will discard some obviously invalid possibilities, but there may be the occasional false positive.
5.10.4 Macro Values in Data Boxes
In addition to literal strings in the data text boxes, you can enter macros. A macro begins with and ends with . Macros can be intermixed with regular text. CanIt-Domain-PRO substitutes the macro at run-time. The following macros are available:
- envelope_sender is replaced with the envelope sender email address (the address in the SMTP MAIL FROM command).
- header_from is replaced with the email address found in the From header.
- header_sender is replaced with the email address found in the Sender header. Most messages lack such a header, so this macro is not generally useful.
- domain_of_envelope_sender is replaced with the domain of the envelope sender email address.
- domain_of_header_from is replaced with the domain of the From email address.
- domain_of_header_sender is replaced with the domain of the Sender email address.
- sending_relay_address is replaced with the IP address of the sending relay.
- sending_relay_hostname is replaced with the hostname of the sending relay.
- connecting r
117. n mark, you will see mail that goes to domains not in the list. For example, entering example.com example.net shows mail that goes to domains other than example.com and example.net.
All of the reports can be viewed as HTML tables or exported as CSV or YAML. If your PHP version includes the GD extension, all of the reports include charts (either pie charts or bar charts).
7.1.1 Classification Reports
The available classification reports are:
1. Classification of Recent Mail: a breakdown of recently received e-mail by type.
2. Top Mail Relays: a breakdown of the top sending SMTP relays. You can elect to see all relays, only relays that have sent accepted e-mail, or only relays that have sent rejected e-mail.
3. Top Spam Recipients: a breakdown of the top recipients of spam.
4. Top Viruses: the most popular viruses received. You can organize the reports by the top virus names, or by the top SMTP relays that have sent viruses.
Figure 7.2 is a sample Top Viruses report.
[Figure 7.2: sample Top Viruses report]
118. new condition.
Enter data in the text box to finish creating a new condition.
Click Add to add the new condition to the current group.
Click Add as New Group to add the new condition as the start of a new group, as opposed to joining the new condition to the conditions in the current group.
For example, if the current rule looks like this:
Subject Contains test OR Subject contains foo
and you are adding the condition Subject contains quux with an AND operator, then clicking Add results in:
Subject Contains test OR Subject contains foo AND Subject contains quux
which is interpreted as:
Subject Contains test OR Subject contains foo AND Subject contains quux
However, clicking Add as New Group results in:
Subject Contains test OR Subject contains foo AND Subject contains quux
which is interpreted as:
Subject Contains test OR Subject contains foo AND Subject contains quux
Click Delete to delete the most recently added condition.
Set the score, expiry or comment by entering data in the corresponding field.
Note: Compound rules with a zero score are not evaluated by CanIt-Domain-PRO during mail scanning. They are completely ignored. If you wish to make a test compound rule that does not alter the final score much, give it a score of 0.01 to ensure that CanIt-Domain-PRO actually evaluat
119. ng
5.8.2 Relations
Fields can be compared in several ways:
- Contains activates a rule if the field contains the string you specify. The string-matching test is not case-sensitive, and word boundaries are ignored. Thus, the string "Roaring Penguin" is considered to contain "oAr".
- Starts with activates a rule if the field starts with the specified string. Matching is not case-sensitive.
- Ends with activates a rule if the field ends with the specified string. Matching is not case-sensitive.
- Regexp matches considers the string you specify to be a Perl regular expression. If the field matches the regular expression (in a case-insensitive match), then the rule is fired.
Note: Please note that it is possible to write invalid regular expressions; these never match anything, but produce error messages in your mail log. You can also write regular expressions which take a long time to evaluate, so be careful.
- Does not contain activates a rule if the field does not contain the specified string.
- Is activates a rule if the field exactly equals the specified string (in a case-insensitive way).
Note that the last two comparisons (Does not contain and Is) are not likely to be useful for the Header, Body or RawBody fields.
5.8.3 Score
The score associated with a rule is added to the spam score if the rule matches. Negative scores may be u
120. ng list and you want to allow list members to e-mail you off-list, then select a lock type of Unlocked. If you find the address is abused, you can simply deactivate it manually.

If you wish to create an address for the purpose of subscribing to a mailing list, but you prefer not to be e-mailed off-list, select a lock type of Sender or Domain and a violation action of Hold mail in quarantine. This causes off-list replies to be held in your quarantine for review.

If you wish to create an address for the purpose of obtaining information from one organization (for example, by filling in a Web form), select a lock type of Domain and a violation action of Reject mail or Deactivate address.

If you wish to create an address that only one person can use (for example, you give out your business card to someone at a conference), select a lock type of Address and a violation action of Reject mail or Deactivate address.

Chapter 13 Tips

Managing spam requires constant attention, but there are many things you can do to reduce your workload. This chapter offers advice for setting your CanIt Domain PRO settings.

13.1 Don't Trust Sender Addresses

Many spammers use one-time, disposable sender addresses. Many addresses are not even valid. So we do not recommend blacklisting addresses unless you receive many differ
121. ng rules, click on Secure Messaging and then Secure Messaging Rules. This feature is only available to users who have Can Edit Secure Messaging Rules permission.

To create a Secure Messaging rule, click on Add a New Rule. The Secure Message Rule editor appears. This presents an interface very similar to the Archive Rules (Section 10.13). You create expressions and groups just as you would for creating compound rules. Once the query has been created, set the rule's action to Secure Delivery or Normal Delivery as appropriate. You may also add an explanatory comment to the rule. When finished, click Save to save the rule.

CanIt Domain PRO evaluates Secure Messaging rules as follows:

  - In the current stream, it tests the Secure Messaging rules in order until a rule matches. It then stops evaluating the rules and returns whatever the rule that was hit says to do: Secure Delivery or Normal Delivery.
  - If no rule was hit, CanIt Domain PRO looks in the default stream of the current realm, followed by the default stream in all ancestor realms, until it finds a hit.
  - If no rule at all was hit, CanIt Domain PRO does not encrypt the message.

11.3.1 Adjusting Secure Messaging Rules

From within the Secure Messaging Rules page, you can adjust rules as follows:

To move a rule up, enable the Move Up checkbox and click Submit Changes. To move a rul
122. nless you are reasonably sure that it really is. If you are unsure, err on the side of caution and do not report it. When you report links as fraudulent, they are kept for review by the CanIt Domain PRO administrator, who can make the final decision as to whether or not messages containing the link should be blocked.

4.4 Viewing Incident Details

To view the details about a pending message incident, click on the date of the particular message while you are viewing the quarantine. The incident page appears.

[Figure 4.4: Incident Page]

The Incident page contains the following information:

4.4.1 Basic Details

  - Incident ID is an integer assigned to each incident. This ID is sent in the SMTP failure messages so you can trace down a spam incident.
  - Date is the date the message was first received.
  - From is the Header From, the address in the From header of the message. If this is different from the Envelope Sender, a warning indicator appears. Hover over
123. ny subdomain. For example, for the domain x example com, CanIt Domain PRO searches for SPF rules in the following order and stops when the first rule is found: a x example com b x example com c example com d com e x

To reiterate: a rule starting with applies to the specified domain as well as to all subdomains of the specified domain, while a rule that does not start with applies only to the specified domain.

  2. Enter the scores for each return code in the appropriate columns. If you leave a score entry box blank, zero is used.
  3. If you wish, enter a comment in the Comment box.
  4. Click on Submit Changes to add the rule.

To delete an SPF rule, simply enable the appropriate Delete checkbox and click Submit Changes.

5.12.3 Vouch by Reference

RFC 5518 (http://tools.ietf.org/html/rfc5518) specifies a protocol called Vouch By Reference, or VBR. This allows a trusted domain to list a set of domains whose SPF records should be trusted. Rather than entering dozens of domains in the SPF rule form, you can ask CanIt Domain PRO to use a trusted vouch-by-reference domain.

To enter a VBR rule, use the following in the Domain field: vbr domain example com

When CanIt Domain PRO sees a vbr domain example com rule, it applies the following process:

  1. Given a domain example org, it looks up a DNS TXT record for example org vouch domain e
124. o Always accept mail from, enter the address or domain in the text box and click Add. Conversely, you can tell CanIt Domain PRO to always reject mail from a sender or domain by changing the pulldown menu to Always reject mail from, entering the address or domain and clicking Add. Sender rules are more fully explained in Sections 5.1 and 5.2.

3.2 The Quarantine

Under the settings and sender rule areas, the My Filter page displays pending messages. These are messages that CanIt Domain PRO thinks might be spam. To release a message, click on the corresponding green checkmark. To reject a message, click on the red X.

After you have chosen what to do with quarantined messages, click Submit Changes. Messages you have chosen to reject will be discarded, while those you have chosen to accept will shortly be delivered to your mailbox. This may take anywhere from a few minutes to a couple of hours, depending on how your administrator has configured CanIt Domain PRO.

If you are not sure if a message is spam or not, click on the subject to see the first part of the message body. This usually provides sufficient context for you to make the decision. If you click on the message date, CanIt Domain PRO will display a detailed analysis of why the message was held in the pending quarantine. Click on the sender address the part before th
125. [Figure 6.1: Preferences]

The preferences you can change are:

  - Home page controls the page you see when you visit the base CanIt Domain PRO URL.
  - Expire Remember Me information after controls how long CanIt Domain PRO remembers you if you enable the Remember Me checkbox on the login page. Note that you should never use the Remember Me feature on a public computer; use it only on a workstation to which you alone have access.
  - Number of entries to display per page controls the number of messages per page in the message summary. Allowable values are 10, 30, 50, 100 or 200.
  - Sort messages by lets you sort messages either by date or by spam-scanning score.
  - Sort order controls the sort order: ascending or descending.
  - Method for choosing quarantine actions controls the type of graphical object you use to accept or reject messages. The Drop Down List style offers a drop-down list of choices, while the Checkbox style offers two or three buttons to accept or reject messages or leave them as is
126. o not lose it when CanIt expires the data. If you would like an automatically generated zip file, enter your email address in the notification address box.

Automatically generated zip files will be owned by the first user (sorted alphabetically) with administrative privileges in the realm. You will need to log on as that user to retrieve the zip file. Also, your archive expiry time must be at least two months to use automatic zip file creation.

Click Submit Changes to update the settings.

10.3 Archiving Outbound Mail

If mail is forced into a stream by a Known Networks entry, it is assumed to be outbound mail. In this case, CanIt Domain PRO archives the mail in the sender's stream rather than the forced-to stream. In this case, the sender's stream settings are used to determine whether or not to archive the message and for how long to retain it.

10.4 Archiving Internal Mail

Normally, CanIt Domain PRO does not even see internal mail because it stays on your internal mail server without passing through CanIt Domain PRO. However, CanIt Domain PRO has a mechanism for archiving internal mail.

To archive internal mail, perform the following steps. Only the CanIt Domain PRO administrator has permission to perform them.

  1. If your internal mail always comes from one or a few IP addresses, use the Authorized Hosts feature to archive it
127. om Rule hit (e.g. 234 0 5). This shows a Custom Rule hit and takes the form of rule number rule score. The rule number number is unique within a CanIt Domain PRO installation across all streams, and may identify a custom rule in the current stream or any of its parents.

Compound Rule hit (e.g. C123 1 0). This shows a Compound Rule hit and takes the form of Crule number rule score. The rule number number is unique within a CanIt Domain PRO installation across all streams, and may identify a compound rule in the current stream or any of its parents.

Country Code rule hit (e.g. CC RO 1 2). This shows a Country Code rule hit and takes the form of CC country score. The country is the ISO 3166 two-letter country code and score is the number of points added.

RBL Scoring hit. This shows an RBL hit with score applied. It takes the form of RBL rbl name rbl score. The rbl name is the name of the RBL triggered, and rbl score is the score assigned to that RBL by the RBL Rules.

SPF Rule hit. This shows an SPF scoring action. It takes the form of SPF spf result spf score. The spf result is the result of the SPF query (pass, fail, etc.; see Section 5.12 for details) and spf score is the score applied for that result.

DKIM Rule hit. This shows a DKIM scoring action. It takes the form of DKIM dkim result dkim s
128. on the Web interface, you shall ensure that the interface functions substantially unimpaired in a browser with JavaScript disabled.

(g) You shall not include browser-specific elements on the Web interface. You shall ensure that the Web interface functions substantially unimpaired on the latest versions of the following browsers:

  - Internet Explorer for Windows
  - Mozilla for Windows
  - Mozilla for Linux
  - Konqueror for Linux

(h) You may not include banner ads on the CanIt Domain PRO Web interface.

10. Restrictions on reselling services. Unless you purchased CanIt Domain PRO as a service provider on the ISP rate plan, you may not use CanIt Domain PRO to provide spam-scanning services to third parties. You may use CanIt Domain PRO only for your employees' and contractors' accounts on your own corporate servers.

11. Disclaimer of Warranty: Virus Scanning. NOTE: ALTHOUGH CANIT DOMAIN PRO IS DISTRIBUTED WITH CLAM ANTIVIRUS, WE DO NOT MAKE ANY REPRESENTATIONS AS TO ITS EFFECTIVENESS AT STOPPING VIRUSES. ROARING PENGUIN HEREBY DISCLAIMS ALL WARRANTY ON THE ANTI-VIRUS CODE INCLUDED WITH CANIT DOMAIN PRO OR WHICH INTERFACES TO CANIT DOMAIN PRO. WE ARE NOT RESPONSIBLE FOR ANY VIRUSES THAT MIGHT EVADE A VIRUS SCANNER INTEGRATED WITH CANIT DOMAIN PRO.

12. Disclaimer of Warranty: Time-Critical Mass Mailings. CANIT DOMAIN
129. onnection with your mail server. The machine attempting to transmit mail to your server is called a relay host.

REST: Representational State Transfer. An architectural style for interacting with an API over HTTP or HTTPS. CanIt Domain PRO's API is REST-based.

Root Privileges: A CanIt Domain PRO user with root privileges can create other users and configure basic operating parameters. Also, he or she can edit other users' preferences and stream settings.

SMTP Dialog: During the course of e-mail transmission, the two ends of an SMTP connection transmit commands and results back and forth. This conversation is called the SMTP dialog.

SMTP: Simple Mail Transfer Protocol, as described in Internet RFC 2821. This is the protocol used to transmit e-mail over the Internet.

SPF stands for Sender Policy Framework. It is a mechanism that allows a domain's administrator to list which hosts are allowed to originate e-mail claiming to come from that domain. For more details, please see http://www.openspf.org

SRS stands for Sender Rewriting Scheme. It is used in conjunction with SPF to avoid spurious SPF failures when a CanIt Domain PRO machine forwards mail to a back-end server that performs SPF checks. For a description of SRS, please see http://en.wikipedia.org/wiki/Sender_Rewriting_Scheme

Sender's Domain: This is the domain part everything after
130. [Figure 4.5: Quarantine Search]

To perform a search:

  - Set the Status field to one of Any, Pending, Spam or Non-Spam, depending on how you want to restrict the query.
  - Enter text in the Subject field to restrict the display to messages whose subjects contain that text. You can choose from contains, is or starts with to control how CanIt Domain PRO performs the search.
  - Enter text in the Sender field to restrict the display to messages whose senders contain that text. Once again, you can choose from contains, is or starts with.
  - Enter text in the Recipient field to restrict the display to messages whose recipients contain that text. You have the same three choices of match type as for Sender.
  - Enter text in the Report field to restrict the display to messages whose spam reports contain that text. For example, you could enter Custom rule to match only messages that triggered a custom rule.
  - Enter text in the Hold Reason field to match by hold reason. For example, you could enter HoldMIME to find messages that were held because of MIME-type matching rules.
  - Enter minimum and/or maximum scores or Bayes percentages in the appropriate field to limit the search to incidents within the specified bounds.
131. or This is the best setting to use if you're giving out an e-mail address to someone you don't quite trust.

Deactivate address is just like Reject mail, except it also deactivates the locked address so no one at all can use it. You can use this setting if you really want to punish someone for giving out your e-mail address: if they give it out, then even they can't use it any more.

12.3 Creating a Locked Address

To create a Locked Address:

  1. Click on Rules and then Locked Addresses.
  2. Click Create a New Locked Address. The Locked Address Creation page appears.

     [Figure 12.1: Locked Address Creation]

  3. Select a lock type: one of Domain, Address or Unlocked.
  4. Select the action to take if the lock is violated: one of Hold mail in quarantine, Reject mail or Deactivate address.
  5. If you like, enter a comment into the Comment field to help you remember why you are creating the locked address. For example, if you're creating an address to paste into a Web form, you could put a little note about the Web site in the Comment field.
  6. Click Create Locked Address. Your new address is displayed.

Your New Locked Address A new locked address has been created Parameter Value
132. or each relay host which attempted to deliver the message. The table contains the time the host first attempted delivery, the envelope sender, the relay host IP address and host name, and the number of delivery attempts from that host. Note that CanIt Domain PRO stops tracking delivery attempts after 11 have been tracked; the number of delivery attempts may be shown as >10. Click on the relay IP to open the Network Action page for that relay, or on the relay name to perform a WHOIS query.

The recipients table lists all of the recipients of the message.

4.4.3 History

The history table is a log of actions taken for this incident. This logs when the incident was opened and when it was closed, and who closed it. The columns in the history table are as follows:

  - Who: The user who performed the action. Actions performed by CanIt Domain PRO itself are marked with a user of
  - When: The date and time an action took place.
  - What: A description of the action.
  - CanIt Host: The host on which the action was performed. This column is likely of interest only to CanIt Domain PRO administrators.
  - Queue ID: The Sendmail Queue ID associated with the action. Again, this column is likely of interest only to CanIt Domain PRO administrators.

4.4.4 Spam Analysis Report

Finally, the spam analysis report is a list of spam-scanning rules which triggered, along with the weight assigned to each rule.
133. or non-spam, or to forget training, as indicated in the header name. This can be a less obtrusive way to add training links to messages, and it won't break PGP MIME messages. However, users need to know how to view full message headers to use the training headers.

S 2800 Remove pre-existing Bayesian training links from incoming mail: If an incoming piece of mail has CanIt Domain PRO training links in it, they should probably be removed, because they are likely to either originate from a different CanIt Domain PRO installation or have been forwarded inadvertently. If you relay all your mail through CanIt Domain PRO, you should set this to Yes so links are removed from forwarded or incoming messages.

S 2900 Only train on error when spam corpus reaches this size: Once your spam history reaches a certain size, it may be worthwhile only to train CanIt Domain PRO if it misclassifies non-spam as spam. If you change this setting to 200, for example, then once you have 200 items trained as spam, CanIt Domain PRO only trains on items you accept out of the quarantine display page. You can still explicitly train spam messages from the Incident Details page.

S 3000 Score below which to auto-learn as non-spam: If an incoming mail scores below this threshold, CanIt Domain PRO automatically trains it as non-spam. If you use this setting, you should enable Add links to messages to train Bayesian analyzer. This allows you to correct errors if CanIt Domain PRO misc
134. or the Regexp matches relation, be sure to enter a valid Perl regular expression.

  4. Enter the score adjustment value in the score box.
  5. If you wish, enter explanatory notes in the Comment column.
  6. Click Submit Changes to add the rule.

To delete a rule, simply enable the appropriate Delete checkbox and click Submit Changes.

If you supply a rule with a very large positive score, you can configure CanIt Domain PRO to automatically reject e-mail. The default setting rejects mail scoring over 2000, which never actually happens without custom rules. You can create a custom rule with a score of 2000 or more to auto-reject mail. Similarly, a custom rule with a negative score of around 2000 will always allow mail it matches to come through without being quarantined.

5.8.7 Header Matching

A custom rule matching on the Header tests each header line, and if one matches, the rule is considered to match. It is most useful to use Regexp match with headers, because you need to match both the header name and value. For example, suppose you want to match bad spammer net in the From header. (This is not the same as a Sender rule, because the Sender rule uses the envelope sender too.) You could create a rule like this:

  If Header Regexp matches From xbad spammer net then score 10

5.8.8 Body Matching

A custom rule matching Body or RawBody
135. orks

  - 192.168.2.1/32 specifies the single IP address 192.168.2.1
  - 10.2.128.0/20 specifies the range from 10.2.128.0 through 10.2.143.255
  - 10.2.3.4/24 is illegal, because the last 8 bits are not all zero

For more information on CIDR notation, see http://tools.ietf.org/html/rfc4632#section-3.1

5.4 Country Rules

CanIt Domain PRO can add scores to messages based on the country in which the sending relay is located. The CanIt Domain PRO administrator must have configured CanIt Domain PRO to download country code data from Roaring Penguin for this feature to work. Consult the Administration Guide section Ruleset and Geolocation Data Updates for details.

To create country scoring rules, click on Rules and then Countries. The country code rule page appears.

[Figure 5.4: Country Code Rules. The page notes that these rules refer to the country in which the SMTP relay is located, not the country of the sending domain.]

To create a country code rule:

  1. Enter the two-letter ISO 3166 country code in the Country box. These country codes are listed at http www iso o
136. orm a WHOIS query on the domain (Section 4.9 on page 30).

  - The Relay entry is split over two lines. Click on the first line (the relay's IP address) to open the Network Action page (Section 5.3). Click on the second line (the relay's host name, if resolvable) to open a WHOIS query on the relay's IP address.

4.2 Message Disposition

In the message summary display, any pending message has an entry box for controlling the disposition of the message. The possible values for the action are described below. Note that depending on how your CanIt Domain PRO administrator has assigned permissions, some of these actions may not be available.

  - Do Nothing: leave the status of the message as pending for now.
  - Accept Message: mark the message as not spam, so it will be accepted the next time it is received.
  - Whitelist sender: mark the message as not spam, and automatically accept any future messages from the sender.
  - Whitelist domain: mark the message as not spam, and automatically accept any future messages from the domain.
  - Whitelist network: mark the message as not spam, and in addition, do not hold any messages from the SMTP relay host or hosts.
  - Reject Message: mark the message as spam, so it will be rejected.
  - Reject and Report Phish Fraud: This is similar to Reject Message, but additionally provides the opportunity for you
137. p 2d above. If you have a cluster of machines, use the host name of the least-loaded scanner.

Details for configuring your mail server to copy internal mail to an external address are beyond the scope of this document. Consult your mail server vendor for assistance.

Make sure to configure your mail server to copy only internal mail to the x archive robot address. You can also copy mail from internal users to external users, providing your external mail does not go out via CanIt Domain PRO. If CanIt Domain PRO is copied on messages that it has already seen, it will ignore the copies.

When CanIt Domain PRO archives internal mail, it relies on the From, To, Cc and Bcc headers to determine where to archive mail. CanIt Domain PRO always archives mail in the stream corresponding to the From email address. It also archives mail in streams corresponding to all To, Cc and Bcc addresses, providing the domains of those addresses have an explicit entry in the Realm Mapping table.

10.5 Searching the Archives

To search the archives, click on Archived Mail and then Search. The Archive Search Page appears.

[Figure: Search Archived Mail]
138. r has a selection box of streams she is allowed to switch to, whereas the CanIt Domain PRO administrator has a text box into which he can type the name of any stream. To switch streams, pick the name of the stream and click View This Stream.

To make the current stream your default stream every time you log in, click Preferences and then Set Default Stream. The following page appears:

[Figure 8.6: Set Default Stream]

A normal user has a selection box of streams she is allowed to switch to.

If you click Make current stream your default stream, then the current stream (the one printed near the top of the page) will become your default stream. Each time you log on to CanIt Domain PRO, you will be logged in to that stream. This option is only available to users in CanIt Domain PRO's user table. It is not available to users who authenticate using an external authentication method.

The second option, Inherit from This Stream, lets you select a stream from which to inherit rules and settings. Normally, a stream inherits from the default stream, but the administrator may have set up additional streams from which you can inherit. Alternatively, you can choose not to inherit from any other stream.

8.6.1 Viewing All Streams at Once

66 9 The CanIt Dom
139. r this stream

[Figure 11.1: Configuring Secure Messaging]

  - If you wish to enable mail Secure Messaging for the stream, set Enable Secure Messaging to Yes. Otherwise, set it to No.
  - Enter an integer in the Encrypted mail retention time period in days box to specify how long to retain encrypted messages. Any messages older than the specified number of days will be expired by the nightly cron job. A value of -1 means messages will never be deleted. Any non-negative number less than 1 is automatically rounded up to 1, and any number higher than 1 is accepted as is.

Click Submit Changes to update the settings.

11.2.1 Determining the Stream for Secure Messaging

CanIt Domain PRO only applies Secure Messaging rules to outbound mail, that is, to mail that has been forced into a stream because it originates from an IP address in the Known Networks table. The stream used to control the application of Secure Messaging is the stream of the sender rather than the recipient's. If CanIt Domain PRO is unable to determine the stream, it uses the default stream in the sender's realm. Therefore, all critical rules should be created in the default stream in the sender's realm.

11.3 Creating a Secure Messaging Rule

CanIt Domain PRO allows you to create rules to selectively encrypt outgoing mail. To manipulate Secure Messagi
140. reate Zip File to create a zip file. If the file size and number of messages falls within the allowable limits set by the administrator, CanIt Domain PRO will prompt you to enter an email address for notification.

CanIt Domain PRO generates zip files in the background; when the zip file has been generated, it sends an email to the notification address with a link for retrieving the zip file. This can take anywhere from a few minutes to several hours.

To see all of your created zip files, click Archived Mail and then Zip Files. CanIt Domain PRO shows details about each zip file, including the query used to generate it and the number of messages it contains. Click on the File link to download a zip file.

Zip files you create expire after five days. Be sure to download your zip file before it expires.

10.11.1 Zip File Contents

Each zip file contains two files per message. The actual message itself is stored in a file called msg nnnnnn eml. This is a plain-text file in RFC 822 message format. Additionally, each message has a file called msg nnnnnn meta. This is a file in JSON format (see http://json.org for the JSON specification) containing metadata about the message. The metadata consists of key/value pairs:

  - archive_host: The name of the host on which the message was received.
  - archive_timestamp: The time at which the message was archived in seconds
141. rg iso country_codes. If you do not know the two-letter code for a country, select the country name from the pull-down list and the correct two-letter code will automatically be entered.

  2. Enter the numerical score to add for messages originating from the country you chose. You can subtract points for a country by entering a negative score.
  3. Optionally, enter a comment explaining why you created the rule.
  4. Click on Submit Changes to add the rule.

Note that the Filter box on the country code rule page filters only by two-letter country code, not by country name.

5.5 Bulk Blacklisting and Whitelisting

Entering a large number of networks, domains or senders into the blacklist/whitelist tables can be time-consuming. CanIt Domain PRO provides an alternative interface for bulk entry. To see the bulk entry page, click on Rules and then Bulk Entry.

[Figure 5.5: Bulk Entry]

  - Enter the items you want to blacklist or whitelist, one per line. If you wish to enter item-specific comments, enter them following a
143. s not authorized to send mail for the domain, and that the domain administrators would prefer you to reject the mail.
softfail means that the specified host is not authorized to send mail for the domain, but that the domain administrators want you to accept the mail anyway, because it may be legitimate for some senders to relay through other machines.
neutral means that the domain administrator has no opinion about the legitimacy of the sending host.
none means that there is no SPF record for the domain.
error means that the DNS lookup encountered a temporary error.
unknown means that the SPF record has a syntax error.
CanIt Domain PRO allows you to add different scores for the various query results. We recommend adding 5 points for fail and 2 points for softfail, and leaving all other scores at zero. You may cautiously subtract points for pass, but we recommend doing this only for selected domains.
5.12.2 Entering SPF Rules
To enter an SPF rule:
  1. Enter the domain the rule should apply to in the Domain entry box. If you enter in the Domain entry box then the rule applies to all domains unless there is a more specific entry for the domain. As with domain rules, SPF rules are searched by stripping domain components until a match is found. Unlike domain rules, an entry of example.com will also match example.com as well as a
144. se of high spam scores, CanIt Domain PRO simply tags the subject line of each message which would have been held with the string SPAM xxx and delivers it normally. The number of stars after the SPAM tag is the integer part of the spam score. In a tag-only stream, CanIt Domain PRO will not hold messages because of sender, network or domain Hold rules, but any Reject rules will still apply.
S 1400 String to put in tagged subjects: This is the string that gets prepended to the subject line in tag-only mode if the message is spam. The default setting is Spam. The following special sequences of characters may be used:
  • x is replaced with a string of asterisks, where the length of the string equals the integer part of the spam score.
  • X is replaced with a string of X's, where the length of the string equals the integer part of the spam score and X is any character except
  • is replaced with the reason a message was tagged, such as SpamScore, HoldSender, etc.
  • d is replaced with the actual spam score as a decimal number, e.g. 13.6
  • h is replaced with the actual spam score as a four-digit integer with leading zeros, e.g. 0013
  • p is replaced with the Bayes probability, a real number from 0 to 1.
  • is replaced with a percent sign.
  • empty is replaced with an empty string. You can use a tag of empty to run in tag on
145. seful, for example, if you want sensitive e-mail not to be quarantined: you can inform people you trust to put a magic string like Confidential 394753486 in the subject of the message. You could then create a rule "If Subject contains Confidential 394753486 then score -200", which artificially lowers the message score, ensuring it will not be quarantined.
Custom rules with a zero score are not evaluated by CanIt Domain PRO during mail scanning. They are completely ignored. If you wish to make a test custom rule that does not alter the final score much, give it a score of 0.01 to ensure that CanIt Domain PRO actually evaluates the rule.
5.8.4 Expiry
Custom rules may be set to expire by filling in a date in the format YYYY-MM-DD in the Expiry box. If you leave the Expiry box blank, the custom rule will never expire automatically.
5.8.5 Hits
If you are running a CanIt Domain PRO appliance and have the Log Indexer add-on component installed, the Custom Rules page includes a Hits column. This column shows the number of times a given rule has fired in the last 30 days. Note that the statistics may be a few hours behind real time, so newly added rules may not immediately show any hits.
5.8.6 Creating and Deleting Custom Rules
To create a custom rule:
  1. Set the field to one of Subject, Sender, Recipient, etc.
  2. Set the relation appropriately (Contains, Starts with, etc.)
  3. Enter the string you want to match in the text box. F
146. ssages in the quarantine.
  2. Detailed Notification will send longer messages that include sender and subject details for pending messages.
  3. HTML with Links will send HTML email messages that let you accept or reject incidents directly from within your email reader, without having to log into CanIt Domain PRO. If you select HTML with Links, then anyone who receives the notification will be able to accept or reject the incidents mentioned in the notification email. You should therefore only select HTML with Links if your mail is not automatically forwarded outside of your control.
  4. Clickable Webform is similar to HTML with Links, but includes additional form elements for accepting or rejecting large groups of messages at once. Note that email reader support for HTML forms is spotty. Therefore, Clickable Webform may not work with your email program and you may have to fall back to HTML with Links.
Normally, CanIt Domain PRO notifies you only about the 40 newest pending messages. You can increase or decrease this limit by changing the Maximum number of entries per notification message to an integer from 1 to 1000.
Normally, CanIt Domain PRO notifies you about all pending messages scoring up to 2000 points, which is usually all pending messages. If you do not wish to be notified of obvious spam, but merely want notifications for questionable
147. st of stop words in addition to the stopwords in the default stream in its realm and the default stream in all parent realms.
Chapter 10 Email Archiving
10.1 Introduction to Archiving
CanIt Domain PRO has an optional add-on component that archives all email that actually gets delivered. That is, CanIt Domain PRO does not archive rejected mail or messages that expire out of the pending quarantine, but it does archive everything else.
Archiving is an extra-cost add-on and may not be available in your installation of CanIt Domain PRO. If you would like to purchase archiving, please contact your sales representative. See the CanIt Domain PRO Installation Guide for details about installing the archiver.
10.2 Configuring Archiving
Archiving may be enabled or disabled on a per-stream basis. To enable or disable archiving, click on Archived Mail and then Configure. The Archive Configuration Screen appears.
[Figure 10.1: Archive Configuration Screen, with the settings Enable Mail Archiving (Yes/No), Archive Mail Tagged as Spam (Yes/No), and Maximum Attachment Size to Archive in kB (0 means unlimited), shown set to 128.]
  1. If you wish to enable mail archiving for the stream, set Enable mail archiving to Yes. Other
148. st rules are ignored. However, virus scanning is not skipped; messages can still be held or rejected if they contain viruses.
To opt in or out of spam scanning, click on Preferences and then Opt In/Out. Then click on the button to toggle between opting in and opting out. Remember that opting in or out is done on a per-stream basis, not on a per-user basis.
8.2 Quarantine Settings
Each stream can have its own settings, called Quarantine Settings, relating to certain spam-handling options. To edit quarantine settings, click on Preferences and then Quarantine Settings. The Quarantine Settings page (Figure 8.1) appears. Remember, every setting on this page applies to only one particular stream; each stream can have its own settings.
Quarantine settings can be inherited. If you click on Show Setting Inheritance, CanIt Domain PRO will put a little tag near the setting ID showing where the setting comes from. This tag will either be Global, meaning the setting is inherited from global settings, or the name of a stream. If the setting is defined in the current stream, the tag will additionally have a link that reads Revert to Inherited Value. If you click on this link, then the setting will be removed from the current stream; the stream will once again inherit the setting from its parent stream or the global settings.
You can clear all quarantine settings by clicking Forget My Settings (Revert to Inherited Settings). This removes all settin
149. stics are unique for each stream; each stream therefore has its own training set and own notion of what is and isn't spam. The set of messages on which CanIt Domain PRO is trained is called the training corpus.
  3. When the size of the training corpus is large enough (see the Global Settings list below), CanIt Domain PRO applies statistical analysis to incoming messages. Each token in the message is looked up to see how many times it appeared in a spam message and how many times in a non-spam message. The 15 most interesting tokens are collected, and a combined probability is computed based on the individual token probability. A token is considered interesting if it is either very likely to appear in a spam message or very likely to appear in a non-spam message. Tokens that can appear in both spam and non-spam messages are not considered interesting.
  4. After CanIt Domain PRO computes the combined probability, it consults a table to add points to or subtract points from the spam score.
9.2 Quarantine Settings Associated with Bayesian Filtering
The following quarantine settings (under Preferences: Quarantine Settings) affect the Bayesian filter:
S 2300 Enable Bayesian analysis: If you set this to Yes, then CanIt Domain PRO's Bayesian Analysis module is enabled.
S 2310 Enable Bayesian training: If you set this to No, then although CanIt
150. sts such as internal hosts is effective and recommended. Use the host report to determine which hosts are persistent spam relays.
13.4 Custom Rules
13.4.1 General Recommendations
There are a couple of custom rules that are sometimes quite effective:
  1. Custom rules which specify Sender contains offer, bounce, return and noresponse can often detect spam. You should use only moderate scores on these rules, because some legitimate mail comes from such senders. However, adding a rule which scores 3 or so for these patterns can help catch a lot of spam which might otherwise sneak under the scoring threshold.
  2. Subject-matching rules for the most obnoxious spams are very effective. For example, Subject regexp-match rules against v Sagra and increase enlarge penis are very effective.
13.4.2 Things to avoid
Be very careful when writing custom rules, especially rules that can match on the message body. For example, a straightforward rule that contains cum in the body will match mail containing document, cumulative, modicum and at least 64 other common English words. Similarly, sex will match sexton, Essex and others. If you want to match words in a message body, we recommend that you use a regular expression match and use Perl's word-boundary operators. For example, the Perl regular expression \bcum\b matches the word cum but not
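The difference between a Contains rule and a word-boundary regular expression, shown over sample body lines. This is an added example, not code from the manual or from CanIt Domain PRO; it uses Python's `re` module, whose `\b` behaves like Perl's, and the sample lines, the function names and the case-insensitive matching are assumptions made for the illustration.

```python
import re


def contains_rule(needle):
    """Substring test, standing in for a 'Contains' relation.

    Case-insensitive matching is an assumption of this sketch.
    """
    needle = needle.lower()
    return lambda line: needle in line.lower()


def word_rule(word):
    """Whole-word test: the word wrapped in word-boundary operators."""
    # \b matches between a word character (letter, digit, underscore)
    # and a non-word character, or at the start/end of the line.
    pattern = re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)
    return lambda line: pattern.search(line) is not None


def audit(rule, labelled_lines):
    """Run a rule over (line, should_match) pairs, one body line at a time.

    Returns (false_positives, misses) so a rule can be checked against
    known-good mail before it is given a score.
    """
    false_positives = [line for line, want in labelled_lines
                       if rule(line) and not want]
    misses = [line for line, want in labelled_lines
              if want and not rule(line)]
    return false_positives, misses


# Constructed sample body lines, labelled with whether the rule author
# wants them to match.
SAMPLES = {
    "cum": [
        ("Please sign the attached document.", False),
        ("The cumulative total is on page 3.", False),
        ("There is only a modicum of risk.", False),
        # Legitimate use of the whole word: a word boundary cannot help here,
        # which is one reason to keep the score on such rules moderate.
        ("She graduated magna cum laude.", False),
    ],
    "sex": [
        ("Essex County council minutes attached.", False),
        ("The sexton will open the hall at nine.", False),
        ("Live SEX chat, click now!", True),
    ],
}

if __name__ == "__main__":
    for word, lines in SAMPLES.items():
        for label, rule in (("Contains", contains_rule(word)),
                            ("regexp with word boundaries", word_rule(word))):
            fps, misses = audit(rule, lines)
            print(f"{word!r} {label}: {len(fps)} false positive(s), "
                  f"{len(misses)} miss(es)")
            for line in fps:
                print("    wrongly matched:", line)
```

Running a candidate rule through a check like this against a sample of delivered mail shows how many legitimate messages it would have scored before it goes live.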
151. File / License: src Module Pluggable Tiny s tar: Perl License; src Net CIDR Lite x tar: Perl License; src Net DNS x tar: Perl License; src Net 1P x tar: Perl License; src Time HiRes x tar: Perl License; src TimeDate x tar: Perl License; src URI x tar: Perl License; src YAML Syck x tar: Perl License; src clamav tar: GPLv2; src p0f x tar: GPLv2; src libwww perl x tar: Perl License; src mimedefang tar: GPLv2.
ALL REMAINING FILES IN THIS ARCHIVE (referred to as CanIt Domain PRO) ARE DISTRIBUTED UNDER THE TERMS OF THE CANIT LICENSE, WHICH FOLLOWS.
THE CANIT LICENSE
  1. CanIt Domain PRO is the property of Roaring Penguin Software Inc. (Roaring Penguin). This license gives you the right to use CanIt Domain PRO, but does not transfer ownership of the intellectual property to you.
  2. CanIt Domain PRO is licensed with a limit on the number of allowable protected domains or mailboxes. This limit is called the Usage Limit. CanIt Domain PRO usage may be purchased on a yearly basis, or you may purchase a perpetual license.
  3. You may use CanIt Domain PRO up to the Usage Limit you have purchased. If you have purchased yearly usage, you may continue to use CanIt Domain PRO until your purchased usage time expires, unless you purchase additional time. If you have purchased a perpetual license, you may continue to use CanIt Domain PRO indefinit
152. t is retransmitted, during which you can change your mind.
Sometimes it is desirable to reopen an incident. If you mistakenly rejected a message and would like the sender to re-send it, you must first mark the message as acceptable before asking the sender to re-send it. Otherwise, if it comes in again, CanIt Domain PRO will automatically reject it because it has been marked as spam.
Normally, only the system administrator has the ability to reopen incidents. If you require an incident to be reopened, you may need to ask your administrator to do it for you or to grant you permission to reopen incidents.
To reopen an incident, open the incident page (Section 4.4) and click on Click to Re-Open. This will reopen the incident and let you change its disposition.
4.9 Whois Queries
Clicking on the W or a host name in the Message Summary Display or Incident Details pages fires off a WHOIS query. These queries may help you discover who is responsible for spam relays and may let you direct complaints appropriately. Figure 4.6 illustrates a WHOIS query.
WHOIS Lookup for 66.18.69.6. Domain Name or IP Address: 66.18.69.6. WHOIS Server to Use (Blank: Auto): whois.arin.net. Do WHOIS Lookup. Send Abuse Complaint. OrgName: African Network Information Center. OrgID: AFRINIC. Address: CSIR icomtek. Address: 43A. Address: PO Box 395. City: Pretoria. S
153. tateProv: Gauteng. PostalCode: 0001. Country: ZA.
Figure 4.6: Whois Query
CanIt Domain PRO can handle WHOIS queries on domain names and IP addresses. In most cases, it can figure out the correct WHOIS server to use and can handle referrals for the com, net and org domains. However, you may have to help it out sometimes by supplying a WHOIS server name and clicking Do Whois Lookup.
CanIt Domain PRO performs simple-minded parsing of the WHOIS output:
  • Any string beginning with http is converted into a hyperlink.
  • Any string with an @ sign is converted to a mailto hyperlink. You should be able to click on e-mail addresses to fire up your mail client.
  • Any string in parentheses is assumed to be a NIC Handle. Click on it to perform a WHOIS search on the handle. In the example, we see that NETBLK CAIS CIDR7 and CAIS NOC ARIN are correctly identified as NIC handles. Unfortunately, the 703 area code is incorrectly identified; you'll have to use your judgement.
4.9.1 Sending Abuse Complaints
If you opened a WHOIS search based on the IP address of an SMTP relay, there may be a button at the bottom of the WHOIS page that reads Send abuse complaint. This link is present only if:
  • You clicked on the IP address of an SMTP relay.
  • The IP address you clicked on is part of a CanIt Domain PRO incident.
If you click on the Send Abuse Complaint button, the Spam Complaint page appears (Figure 4.7). CanIt Domain PRO Roaring
154. tes about the incident. Hover over the icon to display the notes.
Status and Action shows the current status of the message and lets you determine the fate of pending messages. This will be described more fully in Section 4.2.
4.1.2 Sort Order
Normally, CanIt Domain PRO sorts messages in order of date received, with most recent messages first. You can click on the arrow near the Score column, for example, to sort by score. Click on the little up-arrow in a column to sort by that column in ascending order. Click on the down-arrow to sort in descending order. CanIt Domain PRO colors the little arrow corresponding to the current sort order red. You can change the default sort order on your preferences page, described in Section 6.1.
4.1.3 Message Body Display
To view the body of a particular message, click on the message subject. The first 8kB of the message body will be displayed.
4.1.4 Summary of Links
The Message Summary Display contains many hyperlinks. These links are as follows:
  • Click on the Date to display incident details (see Section 4.4).
  • Click on the Subject to display the message body.
  • The Sender entry is split over two lines. Click on the first line (user) to open the Sender Action page (Section 5.1). Click on the second line (domain.com) to open the Domain Action page (Section 5.2). Finally, click on the W to perf
155. tests each body line, and if one matches, the rule matches. Note, therefore, that you cannot match phrases that span multiple lines. A Body rule reads the decoded MIME body parts, while a RawBody rule uses the complete undecoded MIME message, including headers. For example, if you want to add 20 to all messages containing horny in the body, create a rule like this: If Body Contains horny then score 20.
5.9 Passive OS Fingerprinting
On some platforms, CanIt Domain PRO attempts to fingerprint the connecting SMTP server and determine what operating system is running. CanIt Domain PRO does this using the p0f fingerprinting tool by Michal Zalewski. Passive OS Fingerprinting is available on our Hosted CanIt service, on our Debian-based appliances, and on RPM CanIt Domain PRO distributions.
The results of Passive OS Fingerprinting are tokenized as Bayes tokens. Additionally, they can be used in Compound Filter Rules, described next.
5.10 Compound Filter Rules
While Custom Rules are quite powerful, sometimes you need to combine conditions with logical operators like AND or OR to achieve a desired result. CanIt Domain PRO lets you create compound filter rules to achieve this.
Normally, only a realm administrator can create compound rules. However, administrators can grant the ability to create compound rules to normal us
156. the original email, the recipients receive a notification that a secure message awaits. The recipients can then read the secure message via the CanIt Domain PRO web interface.
Secure Messaging is configured by creating secure messaging rules, which are similar to Compound Rules, to intercept messages that match the criteria, encrypt them, and keep them until the recipients log in to view the message. The recipients of these messages will receive a notification letting them know that they have a message waiting for them on CanIt Domain PRO. If they don't have an account, they can create one upon receiving the first notification email.
Secure Messaging is an extra-cost add-on and may not be available in your installation of CanIt Domain PRO. If you would like to purchase Secure Messaging, please contact your sales representative. See the CanIt Domain PRO Installation Guide for details about installing Secure Messaging.
11.2 Configuring Secure Messaging
Only users who have the user permission Configure Secure Messaging can access the Secure Messaging configuration pages.
Secure Messaging may be enabled or disabled on a per-stream basis. To enable or disable Secure Messaging, click on Secure Messaging and then Configure. The Secure Messaging Configuration Screen appears.
Configure Secure Messaging: Secure Messaging is currently enabled fo
157. the first time an e-mail arrives from an unknown sender and IP address. Legitimate SMTP servers will retry, allowing the message to be delivered. Some spam-sending software does not retry, and messages sent by such software will be blocked without any content scanning if greylisting is enabled.
Joe-Job: A technique in which spammers fake the sending address to be that of an innocent victim, who often receives DSNs (see DSN) and complaints.
Malware is software designed with a malicious purpose in mind. Examples of malware are viruses, trojans and keyloggers.
MIMEDefang is a free (GPL'd) e-mail scanning program that integrates with Sendmail's Milter API. It forms the basis for CanIt.
MIME: Multipurpose Internet Mail Extensions. A set of rules for encoding different types of attachments as plain-text messages for transmission over SMTP.
Milter is a Sendmail interface that allows external programs to listen in on the SMTP dialog and potentially modify Sendmail's actions and SMTP responses.
Permanent Failure Code: Also called reject, this is a code sent to a relay host telling it that e-mail transmission has failed and will not succeed. For example, this code is sent if someone tries to send e-mail to a nonexistent user. The relay host typically e-mails a failure notification to the original sender and discards the message.
Phishing: An
158. the indicator to see the Envelope Sender.
Subject is the message subject. Click on the subject to see the message body.
Decoded Subject is a decoded version of the message subject. Sometimes, e-mail programs encode the subject, making it unreadable. If this is the case, CanIt Domain PRO will decode the subject and display it.
Score is the spam-scanning score.
Status and Action is the incident status. It is one of the following:
  • New incident; only one transmission so far
  • This incident is still open
  • Message was not spam
  • Message was spam
Bayes Training tells you how the incident was trained in the Bayes database and gives you an option to change the training. Note that this line will not appear if the Bayes signature has expired from the database. CanIt Domain PRO retains Bayes training information for only a short time, typically three days.
Open Status tells you whether or not the incident is open. See Section 4.8 on page 30 for details.
Resolution is the action that was taken to dispose of the incident. If the incident is still pending, you will have an opportunity to dispose of it here.
Resolved By is the user who resolved the incident. The special system user x is used for unresolved incidents, expired messages and automatically rejected messages.
4.4.2 Address Information
The host information table is a table with a row f
159. tion Table
Just as it can make decisions based on the sender's address, CanIt Domain PRO can make decisions based just on the domain part of the address. The domain part is everything after the @ sign. For example, the domain part of info@roaringpenguin.com is roaringpenguin.com.
To see the domain list, click on Rules and then Domains. The domain list appears.
[Figure 5.2: Domain Action Table, showing two example rules entered by admin: good-customer.net, Always Allow, comment "We like this domain"; and spammer.net, Always Reject, comment "We don't like this one".]
The columns and actions in the table have similar meanings to those in the Sender Action Table (Section 5.1). You can filter the list of domains by typing part of a domain in the Filter box and optionally selecting an action from the Action menu. Then click Filter.
CanIt Domain PRO will ignore a domain whitelist rule if the domain of the sender is the same as, or a subdomain of, the domain of the recipient. This is to prevent problems if you whitelist your own domain: spammers often fake spam so it appears to come from the domain of its victims. Additionally, by default, CanIt Domain PRO will ignore a domain whitelist on the env
160. to import the rules.
Note: CanIt Domain PRO expects the CSV file to follow precisely the format described in Section 5.17.2. Any lines in the file that deviate from the format are silently ignored. During rule importing, CanIt Domain PRO ignores the stream field in the CSV file. All rules are imported into the current stream.
5.18 Reviewing the Change History
Many rule pages feature a Show Changes link near the top of the page. Click on the link to see the Change History for the page.
[Figure 5.17: Change History (for Domains, entries 1 to 3 of 3), with columns Date, Details, Domain, Action, Expiry and Comment:
  2010-11-22 16:55:51, admin deleted example.com: Action reject, Expiry NULL, Comment "Turns out to be really bad"
  2010-11-22 16:55:45, admin changed example.com: Old: hold always, "Received some spam from this domain"; New: reject, "Turns out to be really bad"
  2010-11-22 16:55:34, admin created example.com: Action hold always, Expiry NULL, Comment "Received some spam from this domain"]
Figure 5.17 shows a sample change history for the Rules: Domains page. By default, the change history is sorted from newest change to oldest change, so it should be read from bottom to top. Here's how to read the example in Figure 5.17:
  • At 16:55:34, the user admin created a domain rule for example.com. The rule was to always hold mail for that domain
161. to the target if one of these conditions holds:
  • The other message's Message ID appears in the target message's References header.
  • The target message's Message ID appears in the other message's References header.
In most cases, the Related Messages link will pull up all the messages in a given thread, allowing you to follow the history of a conversation.
10.9 Seeing Access History
CanIt Domain PRO records all accesses to archived mail. If you are viewing an archived message, click on Access History to see all accesses for that message. You can also search the entire access history by clicking Archived Mail and then See Access History. Enter query parameters to narrow down which accesses you are interested in and then click Submit.
10.10 Seeing Search History
CanIt Domain PRO records all archive searches. To see the search history, click Archived Mail and then See Search History. Enter query parameters to narrow down which searches you are interested in and then click Submit.
10.11 Creating Zip Files
CanIt Domain PRO can take any archive query and generate a zip file containing all messages that match the query. Your administrator may have placed limits on the number of messages per zip file and total size of a zip file.
To create a zip file, create a query using the query builder described in Section 10.5. Then click Add and C
162. [Figure 5.3: Network Action Table, showing two example rules entered by admin: 127.0.0.1, Always Allow, comment "Always allow localhost"; and 192.168.10.0/24, Always Reject, comment "Very bad network".]
The columns and actions in the network table have similar meanings to those in the sender and domain tables, except that they are keyed on the IP address of the sending host. In addition, the network blacklist has an additional option: Skip RBL Checks. This option is almost the same as Hold/Tag if looks like spam, except that DNS-based blacklist lookups are disabled. This is useful, for example, if you receive legitimate mail from a host that ended up in a blacklist. You might not want to whitelist the host entirely, but you need a way to turn off the real-time blacklist lookup.
If you choose to hold mail from a network (whether you hold it always or only if it looks like spam), then domain and sender checks are performed and may override the host check. For example, if you tell CanIt Domain PRO to always hold mail from 172.20.201.32, but always accept mail from friend@mycompany.com, then mail from friend@mycompany.com relayed through 172.20.201.32 is accepted.
A network is specified in CIDR notation as a.b.c.d/bits. The bits component can range from 8 to 32, and specifies how many left-most bits are significant. All of the right-most bits that are not significant must be zero. Here are some examples of CIDR netw
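The two CIDR constraints stated above (a prefix length from 8 to 32, and all non-significant right-most bits zero) can be checked before a network rule is entered. This is an added example, not code from the manual or from CanIt Domain PRO; it uses Python's standard `ipaddress` module, and the function names, as well as treating a bare address as a /32, are assumptions of the sketch.

```python
import ipaddress


def parse_network_rule(text):
    """Validate a network written as a.b.c.d/bits.

    Raises ValueError when the prefix is outside 8..32 or when bits to the
    right of the prefix are set. A bare address (no /bits) is treated as a
    single host, /32; that reading is an assumption of this sketch.
    """
    addr, slash, bits = text.strip().partition("/")
    if slash and not bits.isdigit():
        raise ValueError(f"{text!r}: prefix length must be a number")
    prefix = int(bits) if slash else 32
    if not 8 <= prefix <= 32:
        raise ValueError(f"{text!r}: prefix length must be from 8 to 32")

    # strict=False masks the host bits, giving the canonical network.
    # An unparsable address raises ValueError here.
    canonical = ipaddress.IPv4Network((addr, prefix), strict=False)
    if ipaddress.IPv4Address(addr) != canonical.network_address:
        # e.g. 192.168.10.5/24: the rule would still cover all of
        # 192.168.10.0-255, which is probably not what the author of a
        # whitelist entry for one host intended.
        raise ValueError(
            f"{text!r}: right-most bits are not zero; "
            f"write {canonical} for the whole network or {addr}/32 for one host"
        )
    return canonical


def is_valid_rule(text):
    """True when the text passes parse_network_rule."""
    try:
        parse_network_rule(text)
        return True
    except ValueError:
        return False


def relay_matches(relay_ip, rule_text):
    """True when the sending relay's address falls inside the rule's network."""
    return ipaddress.IPv4Address(relay_ip) in parse_network_rule(rule_text)


if __name__ == "__main__":
    # Constructed inputs; the first two are the entries shown in Figure 5.3.
    for candidate in ("127.0.0.1", "192.168.10.0/24", "192.168.10.5/24",
                      "10.0.0.0/7", "172.20.201.32/32", "192.168.10/24"):
        try:
            print(f"{candidate:18} ok -> {parse_network_rule(candidate)}")
        except ValueError as exc:
            print(f"{candidate:18} rejected: {exc}")
    print(relay_matches("192.168.10.77", "192.168.10.0/24"))  # inside the /24
```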
163. ueries; wildcard; saved searches; score; zip files; score override; search quarantine; searching archived email; secure messaging (configuring); secure messaging rules; selective archiving; sender action; Sender Policy Framework, see SPF; Sender Rewriting Scheme, see SRS; show changes; Simple Mail Transfer Protocol, see SMTP; skip RBL checks; SMTP; spam analysis report; spam disposal, quick; spam scanning, opting out; specific incident; SPF; SRS; statistics; status; stopwords; stream (settings, switching, viewing all streams); tag-only mode (configuring, X-Spam-Flag header); tempfail; temporary failure, see tempfail; valid recipients; VBR; viewing all streams; voting; Vouch by Reference; whitelist domain; whitelist network; whitelist sender
164. Index: abuse complaints; accept message; action lock violation; Addresses Locked; advanced query; aliases; archive rules; archiving (configuring, internal mail, outbound, related messages, saved searches, searching, selective, zip files); Bayesian filtering (quarantine settings, score settings, stopwords, training, voting); best practices; blacklist domain; blacklist network; blacklist sender; blacklisting recipients; bulk entry; change history; changing password; closed; complaints, abuse; configuring archiving; configuring secure messaging; custom rule (fields, relations); custom stopwords; data license; details, incident; DKIM; documentation, online; domain action; domain matching rules; email archiving; exporting rules; extension; file name; filename extension; greylisting; greylisting report; headers; history, incident; hold unlisted senders; HoldDomain; HoldExt; HoldMIME; HoldRBL; HoldRelay; HoldSender; HoldVirus; host action, see network action; importing rules; incident (closed, details, history, hosts, ID, open status, recipients, reopen, resolut
165.   • Select appropriate dates in the Not Before and Not After fields to restrict the search to a date range.
  • Press Submit Query to run the query.
If you do not wish to restrict a query by a particular field, merely leave the corresponding entry box blank.
Note that sender queries use both the Header From and Envelope Sender address. However, recipient queries use the SMTP recipients only, not the contents of the To or Cc e-mail headers. Also, sender and recipient queries may be slower than subject queries.
4.8 Closed Incidents
When an incident is first created as a pending incident, you can change the disposition of the incident. For example, you can accept it, mark it as spam, whitelist the sender, etc. Some time after you dispose of an incident, it becomes closed. A closed incident is one whose disposition cannot be changed because the message has already been handled by CanIt Domain PRO. The rules for closing an incident are as follows:
  • If the message was stored locally, then it is closed as soon as you either accept or reject the message. No further changes are possible.
  • If the message was kept on the sending relay using temporary failure codes, then the incident is closed on the first retransmission after you have marked the message for acceptance or rejection. Thus, there is a small and unpredictable window after you mark the message but before i
166. ure 10.2: Archive Search Page
Figure 10.2 shows the page with a search query built. Initially, the search query will be empty. The Archive Search Page permits you to build up a complex search query and then execute it. Here's how search queries work:
  • A query is a list of zero or more groups. Each group is evaluated as a unit before evaluating the next group.
  • Each group consists of one or more expressions. Each expression is evaluated as a unit.
  • An expression consists of a field, a relation and some data. These will all be explained soon.
  • Within a group, expressions are joined with AND, OR, AND NOT or OR NOT. The AND operator is evaluated with higher precedence than OR. If you include NOT, the NOT negates the next expression. Thus, for example, a query like X 1 AND Y 2 OR A 3 AND NOT B 4 is evaluated as (X 1 AND Y 2) OR (A 3 AND NOT B 4).
  • Within a query, groups are joined with AND, OR, AND NOT or OR NOT. Again, the AND operators have higher precedence than OR.
10.5.1 Fields
The possible fields for searching the message archive are:
Subject: The message subject.
Body: The full text of the message body (plain-text and HTML parts only).
Envelope Sender: The SMTP envelope sender email address.
Header From: the email address in the From header.
Envelope Recipient
167. ure 7.1: Statistics

There are five basic types of statistical reports:

1. Classification of Recent Mail reports. These reports classify recently received e-mail and present the classifications as HTML tables and pie charts.
2. Hourly reports. These reports show a breakdown of recently received e-mail by hour.
3. Classification of Long Term Mail reports. These reports are similar to the Classification of Recent Mail reports, but operate over longer time spans. There are also fewer reports available because some of the data in the recent mail tables is summarized in the long term mail tables, causing some details to be lost.
4. Daily reports. These reports break down e-mail by day. Daily reports cover a longer period of time than hourly reports.
5. Usage reports. These reports track the number of valid e-mail addresses seen in the last 30 days, broken down by domain (or realm, if you are the system administrator).

Most of the reports can take parameters, which allow you to select which mail to report on. Some parameters are particular to a given report, but one that is common to most reports is the Domain parameter. To restrict queries by domain:

- Enter a comma-separated list to only see mail to the given domains. For example, entering example.com,example.net will only show mail for those two domains.
- If you precede the list with an exclamatio
168. valuated as a unit with respect to other groups.

Example 1:

- Subject Contains test OR Subject Contains foo AND
- Header Sender is not bob@example.com AND Header sender is not jane@example.com

Is interpreted as: Subject contains test OR Subject contains foo AND Header Sender is not bob@example.com AND Header sender is not jane@example.com

Example 1:

- Subject Contains test OR Subject Contains foo AND Size 1024

Is interpreted as: Subject Contains test OR Subject Contains foo AND Size 1024, because AND takes precedence over OR.

Conditions

Within a compound rule, a condition consists of a field, a relation and data. Note that some relations, such as Contains Credit Card Number, Contains Canadian Social Insurance Number and Contains US Social Security Number, do not require a data field; selecting such a relation clears and disables the data box. These are similar to the corresponding items in Custom Rules; see Section 5.8 for details.

Within the Compound Filter Rule editor you can take the following actions:

- If the rule already contains a condition, select a logical operator to combine a new condition with the previous one.
- Select a field (Subject, Sender, etc.) to begin creating a new condition.
- Select a relation (Contains, Matches, etc.) to continue creating a
169. values

- Queue ID: The Sendmail Queue ID.
- Archive Host: The hostname of the CanIt Domain PRO machine that archived the message.
- Size: The size of the message in bytes.

10.5.2 Relations

The following relations are available for comparing fields to data. All relations that compare strings are case-insensitive. That is, EXAMPLE and example are considered the same. Note that not all fields permit all relations; CanIt Domain PRO automatically restricts the relation pulldown based on the field name. The relations are:

- matches: Perform a full-text match. Note that only complete words are matched. A subject of "Invoice" would not match the word "voice".
- is: The field must exactly match the data.
- contains: The field must contain the data as a substring. The substring does not have to be a complete word. For example, a subject of "Invoice" would contain the substring "voice".
- >: The field must be lexically or numerically greater than the data.
- <: The field must be lexically or numerically less than the data.
- >=: The field must be lexically or numerically greater than or equal to the data.
- <=: The field must be lexically or numerically less than or equal to the data.

The relations permitted by the various fields are:

- Subject and Body: Only matches.
- Envelope Recipient, Attachment Filename and References: Only is and contains.
- All other fields permit all possible relations e
170. ve on a monthly basis. It may keep data in the archive for almost a month longer than the expiry date. For example, if you specify an expiry time of 12 months, then on July 1st 2012, CanIt Domain PRO will expire all archived mail up to and including June 30th 2011. The July 2011 mail will remain in the archive until August 1st 2012.

If you have requested automatic zip file creation for about-to-expire mail, then the zip file contains the mail that would be expired next month. Continuing the example, if your expiry time is 12 months, then on July 1st 2012, CanIt Domain PRO would generate a zip file containing mail from July 1st through July 31st 2011.

10.13 Selective Archiving

CanIt Domain PRO allows you to create rules to selectively archive mail. This allows you, for example, to avoid archiving automated messages or other routine messages that have no archiving value. Before you create any archiving rules, consult with your organization's legal department to ensure that any rules you create comply with your archiving policy.

To manipulate archive rules, click on Archived Mail and then Archive Rules.

10.13.1 Creating an Archiving Rule

To create an archive rule, click on Add a New Rule. The Archive Rule editor appears. This presents an interface very similar to the Archive Search page (Section 10.5). You create expressions and groups just as you would for querying the archive. Once the query has been created, set the rule's action to
171. xample.com

2. If such a record is found and matches the specification in RFC 5518, then CanIt Domain PRO applies the scores associated with the VBR entry.

Note that an exact match overrides a VBR lookup. Also note that VBR lookups are relatively expensive and should be used sparingly.

5.12.4 SPF and Effects on Whitelisting

Note that even if you don't make any SPF rules, by default CanIt Domain PRO will ignore a domain or sender whitelist for any message that returns an SPF fail or softfail code. This policy can be changed for all domains by modifying settings under Preferences Quarantine Settings. Alternatively, if you make an SPF rule for a specific domain such as example.com and set the fail and softfail scores to zero, then CanIt Domain PRO will respect domain and sender whitelists for that domain.

5.13 DKIM Rules

DKIM stands for DomainKeys Identified Mail. DKIM has a similar goal to SPF: it allows organizations to declare in a secure way that they are responsible for a particular email message, but uses a very different mechanism.

A sender using DKIM signs outgoing messages with a private key. The signature covers certain message headers and (usually) the message body. The sender also publishes the public key corresponding to the private key using a special DNS record. A recipient verifies the DKIM signature and takes action based on the verification result. If a DKIM signature verifies corre
172. xcept for matches.

10.5.3 Hits

If you have the Log Indexer add-on component installed, the Archive Rules page includes a Hits column. This column shows the number of times a given rule has fired in the last 30 days. Note that the statistics may be a few hours behind real time, so newly added rules may not immediately show any hits.

10.5.4 Creating a Query Expression

To create a query expression, follow these steps:

1. Select a field from the pull-down list of fields.
2. Select a relation from the pull-down list of relations.
3. Enter the data to match against in the entry box.
4. If you already have a partial query built, select one of AND, OR, AND NOT or OR NOT from the pulldown. That operator will be used to join the new expression onto the end of the current expression. The NOT variants negate the sense of the new expression. That is, NOT converts "is" to "is not", "contains" to "does not contain", etc.
5. Click Add to add the expression to the current query.

If you make a mistake, you can delete the most recently created expression by clicking Delete.

10.5.5 Creating a Query Group

To create a new query group, follow the same steps as for creating an expression, but click on Add as New Group instead of Add. This makes the new expression the start of a new group; the new group is joined to the previous group with A
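The archive search rules excerpted above (groups evaluated as units, AND binding tighter than OR, NOT negating only the next expression, and the is / contains / matches relations) can be checked with a small evaluator before a rule is relied on for selective archiving. This is an added example, not CanIt Domain PRO code; the tuple layout, the function names, the `is` relation used for the guide's X/Y/A/B example and the whole-word model of `matches` are assumptions, and per-field relation restrictions are not modelled.

```python
import re

# Relations from the guide; string comparisons are case-insensitive.
RELATIONS = {
    "is": lambda field, data: field.lower() == data.lower(),
    "contains": lambda field, data: data.lower() in field.lower(),
    # Assumption: "matches" is modelled as a whole-word match.
    "matches": lambda field, data: data.lower() in re.findall(r"\w+", field.lower()),
}

def eval_expr(expr, msg):
    """expr is (field, relation, data); msg maps field names to strings."""
    field, relation, data = expr
    return RELATIONS[relation](msg.get(field, ""), data)

def _terms(items, evaluate):
    """Yield (starts_with_or, value) per item, applying NOT to that item only."""
    for joiner, operand in items:
        joiner = joiner or ""          # the first item has no joiner
        value = evaluate(operand)
        yield joiner.startswith("OR"), (not value if "NOT" in joiner else value)

def eval_chain(items, evaluate):
    """AND binds tighter than OR: each OR opens a new AND-run; any true run wins."""
    runs = []
    for is_or, value in _terms(items, evaluate):
        if is_or or not runs:
            runs.append(value)
        else:
            runs[-1] = runs[-1] and value
    return any(runs)

def eval_left_to_right(items, evaluate):
    """Incorrect no-precedence reading, kept only to show where it diverges."""
    result = None
    for is_or, value in _terms(items, evaluate):
        if result is None:
            result = value
        else:
            result = (result or value) if is_or else (result and value)
    return bool(result)

def eval_query(query, msg):
    """query = [(joiner, group)]; group = [(joiner, expr)]. Groups are units."""
    return eval_chain(query, lambda g: eval_chain(g, lambda e: eval_expr(e, msg)))

# Constructed sample: the guide's four-term example with an assumed "is" relation.
GROUP = [(None, ("X", "is", "1")), ("AND", ("Y", "is", "2")),
         ("OR", ("A", "is", "3")), ("AND NOT", ("B", "is", "4"))]
MSG = {"X": "1", "Y": "2", "A": "0", "B": "4"}   # constructed message
print(eval_query([(None, GROUP)], MSG))                        # precedence applied
print(eval_left_to_right(GROUP, lambda e: eval_expr(e, MSG)))  # naive reading
```

For the constructed message the two readings disagree, which is the case to test for when an archive rule mixes AND and OR inside one group.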
173. your aliases by clicking on Preferences and then Aliases. The Alias Page appears.

[Figure 6.2: Aliases Page (columns: Alias, Primary Email, Owner, Delete)]

If you are a CanIt Domain PRO administrator, you can also access this page under Setup Aliases.

Note that when you create an alias, CanIt Domain PRO completely replaces the alias with the primary address before doing any other processing and before delivery. This is illustrated in Figure 6.3.

[Figure 6.3: Alias Processing]

6.4.1 Creating an Alias

To create a new alias:

1. Enter the alias in the Alias box. If you are not a CanIt Domain PRO administrator, the value you enter here must be a valid email address that you control and that can receive email.
2. Enter the primary email (that is, the address that the alias should be changed to during processing) in the Primary Email box.
3. Click Submit Changes.

If you are a CanIt Domain