Header checking
The header checking module analyses the individual fields in a message header. The module distinguishes SMTP (envelope) fields from MIME header fields: SMTP fields (MAIL FROM: and RCPT TO:) are supplied by the sending mail server during the SMTP transaction, whereas MIME fields (From:, To:, Subject: and so on) are written into the message by the email client, which encodes the mail as MIME.
The configuration of anti spam identification based on e-mail headers is done from the Anti Spam > Header Checking node. Right-click on this node to bring up the Header checking properties.
Screenshot 36 - Header checking properties (1)
General anti spam header checking options
The General tab in the Header Checking Properties dialog contains the following options:
1. 'Checks if the email header contains an empty MIME From: field': This check tests whether the sender has identified themselves in the From: header. An empty From: field is an almost sure sign that the mail was sent by a spammer.
2. 'Checks if the email header contains a malformed MIME From: field': This check tests whether the From: field is correctly formed, i.e. whether it matches the Internet Message Format RFC (RFC 822, now RFC 5322). Spammers often include a wrong or wrongly specified From: address.
3. 'Marks emails with recipient lists of more than X recipients as spam': This check marks mails with large recipient lists as spam. Mails with large recipient lists tend to be joke lists, chain e-mails, or the work of 'junior' or inadvertent spammers.
4. 'Marks email with different SMTP To: and MIME To: fields in the email addresses as spam': Checks whether the SMTP To: (the envelope RCPT TO: address) and the MIME To: header name the same recipient. A spammer's mail server always has to supply an SMTP To: address, otherwise the mail could not be delivered; the MIME To: header, however, is often omitted or contains a different address. This check catches a lot of spam, but some list servers do not fill in the MIME To: either (mail you received as a Bcc recipient looks the same way). To use this feature you must therefore whitelist any newsletter sender address that it marks as spam. This can be done from the whitelist node or by dragging the newsletter into the 'I want this newsletter' node in the GFI AntiSpam public folders.
5. 'Check if email contains remote images only': To circumvent keyword filters, spammers now send 'image-only mails'. GFI MailEssentials can flag mails that consist only of images with a minimal amount of text as spam.
Screenshot 37 - Header checking continued
6. 'Verify if sender domain is valid': This check does a DNS lookup on the domain part of the MIME From: address and verifies that the domain exists. If the domain does not resolve, the mail is almost certainly spam.
Note: This feature requires a properly configured DNS server. If the DNS server is not properly configured (and we have seen this many times), the lookups will time out: mail will be processed slowly and, in addition, a lot of valid mail will be tagged as spam.
7. 'Check if emails contain more than X numbers in the MIME From:': More than 3 digits in the MIME From: address is frequently a sign that the sender is a spammer. The reason is that spammers often use tools to automatically create reply-to addresses on Hotmail and other free email services, and they typically put 3 or more digits in the name to make sure each address is unique.
8. 'Checks if email subject contains first part of recipient email address': To 'personalize' a spam mail, spammers frequently include the first part (the local part) of the recipient email address in the subject. Be careful using this feature with generic email addresses such as sales@company.com: a customer replying to an auto-reply with the subject 'Your mail to sales' would be marked as spam. To avoid this, you can specify email addresses for which this check should not be done, using the Except button.
Screenshot 38 - Excluding an email address
9. 'Check if email contains encoded IP addresses': This check looks for a URL whose host is an IP address written in an obfuscated form (a single decimal, hex or octal number instead of dotted decimal, e.g. http://0072389472/hello.com) or which contains a username/password combination in front of the host (e.g. www.citibank.com@scammer.com: the browser treats www.citibank.com as a user name and actually connects to scammer.com).
These tricks are used by spammers and phishers alike. Examples which will be flagged as spam:
http://12312
www.microsoft.com:hello%01@123123
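As an added illustration of checks 1 to 4, 7 and 8 on the General tab (this is example code written for this page, not GFI MailEssentials' own implementation), the following Python script applies those tests to a message using the standard library email parser. The sample messages, the envelope recipient list, the thresholds (50 recipients, 3 digits) and the 'Except' list are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample messages (not from the page).  ENVELOPE_RCPTS stands in
# for what the server saw in the SMTP RCPT TO: command.
ENVELOPE_RCPTS = ["alice@example.com"]

SPAM_SAMPLE = """\
From: "Promo Team" <promo12345@freemail.example>
To: undisclosed-recipients:;
Subject: alice, your account needs attention
Content-Type: text/plain

Click here
"""

LEGIT_SAMPLE = """\
From: Bob <bob@example.org>
To: Alice <alice@example.com>
Subject: Lunch on Friday?
Content-Type: text/plain

See you then.
"""

# Minimal addr-spec shape: one local part, an @, and a dotted domain.
ADDR_RE = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def header_addresses(msg, *fields):
    """Lower-cased addresses from the named header fields.  Empty entries that
    getaddresses() yields for group syntax ('undisclosed-recipients:;') are dropped."""
    values = [v for f in fields for v in msg.get_all(f, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def check_headers(raw_message, envelope_rcpts, max_rcpts=50, max_digits=3,
                  subject_exceptions=()):
    """Return a dict of check name -> True when the check fires.  Thresholds
    are assumptions for this example, not product defaults."""
    msg = message_from_string(raw_message)
    from_header = (msg.get("From") or "").strip()
    _, from_addr = parseaddr(from_header)
    rcpts = [r.lower() for r in envelope_rcpts]
    header_rcpts = header_addresses(msg, "To", "Cc")
    subject = (msg.get("Subject") or "").lower()
    exempt = {e.lower() for e in subject_exceptions}

    flags = {}
    # 1. empty MIME From:
    flags["empty_from"] = from_header == ""
    # 2. malformed MIME From: (only judged when something is there)
    flags["malformed_from"] = from_header != "" and not ADDR_RE.match(from_addr)
    # 3. oversized recipient list in To:/Cc:
    flags["too_many_rcpts"] = len(header_rcpts) > max_rcpts
    # 4. envelope recipient missing from MIME To:/Cc: (Bcc and list mail trip this too)
    flags["to_mismatch"] = any(r not in header_rcpts for r in rcpts)
    # 7. too many digits in the From: local part (auto-generated free-mail accounts)
    flags["digits_in_from"] = (
        sum(c.isdigit() for c in from_addr.split("@")[0]) > max_digits)
    # 8. subject contains the recipient's local part, unless the address is exempt
    flags["subject_has_local_part"] = any(
        r not in exempt and r.split("@")[0] in subject for r in rcpts)
    return flags


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        fired = [k for k, v in check_headers(raw, ENVELOPE_RCPTS).items() if v]
        print(name, "->", fired or "clean")
```

Check 8 is a plain substring test, so very short local parts (two or three letters) will match many innocent subjects; in practice that is exactly why the Except list exists, and the `subject_exceptions` argument reproduces it.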
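As an added example for check 9 (written for this page; not GFI's code), the Python script below extracts URLs from message text and flags the two tricks described above: a userinfo part before the real host, and a host that is an IP address spelled as a single number or in hex/octal, which it decodes to dotted-decimal the way a browser or inet_aton() would. The sample text is constructed: it repeats the page's two examples and adds hex, octal and harmless URLs. Note that http://0072389472/hello.com from the text has a leading zero, so a strict octal parser rejects it (it contains 8 and 9); the script still reports it as a numeric-looking host that does not decode.

```python
import re
from urllib.parse import urlsplit

# Constructed sample text, not from the page: the page's two examples plus
# other IP spellings that browsers and inet_aton() accept.
SAMPLE_TEXT = """
Verify now at http://12312 or www.microsoft.com:hello%01@123123 and
https://www.citibank.com@scammer.example/login . Also http://0x7f000001/
and http://0177.0.0.1/ . Harmless: http://www.example.com/ and http://93.184.216.34/x
"""

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def _component(s):
    """One dotted component as inet_aton() reads it: 0x hex, leading-0 octal,
    otherwise decimal.  None if it is not a number in any of those forms."""
    if re.fullmatch(r"0x[0-9a-f]+", s):
        return int(s[2:], 16)
    if re.fullmatch(r"0[0-7]*", s):
        return int(s, 8)
    if re.fullmatch(r"[1-9][0-9]*", s):
        return int(s)
    return None


def decode_numeric_host(host):
    """Dotted-quad string for a host written as a dword, hex, octal or
    short-form address; None if the host is not a numeric address at all."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    nums = [_component(p) for p in parts]
    if any(n is None for n in nums):
        return None
    *lead, last = nums
    tail_bytes = 4 - len(lead)            # the last component fills the rest
    if any(n > 255 for n in lead) or last >= 256 ** tail_bytes:
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def _is_plain_dotted(host):
    """True for an ordinary a.b.c.d address, which is not obfuscated."""
    parts = host.split(".")
    return len(parts) == 4 and all(
        re.fullmatch(r"0|[1-9][0-9]{0,2}", p) and int(p) <= 255 for p in parts)


def classify_url(url):
    """Reasons a URL looks deceptive: userinfo before the host, or a host that
    is an IP address in a non-dotted-decimal spelling."""
    target = url if "://" in url else "http://" + url   # bare 'www.' form
    parts = urlsplit(target)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        reasons.append(f"userinfo '{parts.username}' before real host '{host}'")
    decoded = decode_numeric_host(host)
    if decoded and not _is_plain_dotted(host):
        reasons.append(f"obfuscated IP {host} -> {decoded}")
    elif decoded is None and re.fullmatch(r"[0-9][0-9a-fx.]*", host):
        reasons.append(f"numeric-looking host {host} does not decode to an address")
    return {"url": url, "host": host, "decoded": decoded, "reasons": reasons}


def scan_text(text):
    """All URLs in text that trip at least one check."""
    return [r for r in (classify_url(m.group(0)) for m in URL_RE.finditer(text))
            if r["reasons"]]


if __name__ == "__main__":
    for hit in scan_text(SAMPLE_TEXT):
        print(hit["url"], "->", "; ".join(hit["reasons"]))
```

The decoder reproduces the inet_aton() rule that the last component fills all remaining bytes, which is what makes http://12312 (0.0.48.24) and http://0x7f000001/ (127.0.0.1) resolve in a browser; a plain dotted-decimal host decodes to itself and is left alone.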
Language detection
Screenshot 39 - Language detection
The Languages tab in the Header Checking Properties dialog contains the language detection options. Many spam mails are not even in your language, so you can greatly reduce spam simply by blocking mail written in, say, Chinese or Vietnamese. Using the Languages tab you can block mail that uses certain character sets. Note that detection works on the character set, not on the language itself: GFI MailEssentials cannot distinguish between Italian and French, for example, because they use the same character set; it can only detect languages written in different character sets.
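As an added example of character-set based blocking (example code for this page, not GFI's implementation), the Python script below collects every character set a message declares, both in the Content-Type of its body parts and in RFC 2047 encoded words in the Subject:, From: and To: headers, and intersects that with a block list. The sample messages and the block list are assumptions; the first sample declares GB2312 (a Chinese encoding), the second plain US-ASCII. As the page notes, this cannot separate languages that share a character set, and it also says nothing about a Chinese mail that is declared as UTF-8.

```python
from email import message_from_string
from email.header import decode_header

# Constructed samples (not from the page).  The first declares its subject and
# body in GB2312, the second is plain US-ASCII.
CJK_SAMPLE = """\
From: sender@example.net
To: alice@example.com
Subject: =?gb2312?q?Hello?=
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"

Hello
"""

ASCII_SAMPLE = """\
From: bob@example.org
To: alice@example.com
Subject: Lunch
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Hi
"""

# Character sets to block; an assumption for this example, standing in for
# the boxes you would tick on the Languages tab (Chinese and Vietnamese encodings).
BLOCKED_CHARSETS = {"gb2312", "gbk", "gb18030", "big5", "windows-1258"}


def declared_charsets(raw_message):
    """Every charset the message declares: Content-Type parameters of all body
    parts plus RFC 2047 encoded words in the main address and subject headers."""
    msg = message_from_string(raw_message)
    found = set()
    for part in msg.walk():                     # multipart containers return None here
        cs = part.get_content_charset()
        if cs:
            found.add(cs.lower())
    for field in ("Subject", "From", "To"):
        for value in msg.get_all(field, []):
            for _, cs in decode_header(value):  # cs is None for plain text chunks
                if cs:
                    found.add(cs.lower())
    return found


def blocked_charsets(raw_message, blocked=BLOCKED_CHARSETS):
    """Character sets from the block list that the message declares."""
    return declared_charsets(raw_message) & blocked


if __name__ == "__main__":
    for name, raw in (("cjk", CJK_SAMPLE), ("ascii", ASCII_SAMPLE)):
        print(name, "->", sorted(blocked_charsets(raw)) or "allowed")
```

Harvesting the header encoded words matters because a spammer can declare an innocuous body charset while the subject line, the part the recipient actually sees in the mail client, is encoded in the blocked one.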
Actions
After you have configured the header checking filter, you can configure what to do with mail marked as spam. See the Actions section for more information on the Actions tab.