4 Customizing GFI MailEssentials : 4.2 Anti-spam filters
NOTE: For detailed information on anti-spam actions refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual.
4.2.2
NOTE: SpamRazer is also the anti-spam engine that blocks NDR spam. For more information on GFI MailEssentials and NDR spam refer to:
NOTE 1: Disabling SpamRazer is NOT recommended.
NOTE 2: GFI MailEssentials downloads SpamRazer updates from: http://sn92.mailshell.net
1. Select Anti-Spam ► Anti-Spam Filters ► SpamRazer ► Properties.
2. From the SpamRazer tab perform any of the following actions:
Select/unselect Enable SpamRazer engine checkbox to enable or disable SpamRazer.
3. From the Updates tab perform any of the following actions:
Select/unselect Automatically check for updates checkbox to configure GFI MailEssentials to automatically check for and download any SpamRazer updates. Specify the time interval in minutes when to check for updates.
NOTE: It is recommended to leave this option enabled for SpamRazer to be more effective in detecting the latest spam trends.
Select/unselect Send a notification email when an update succeeds checkbox to be informed via email when new updates are downloaded.
Select/unselect Send a notification email when an update fails to be informed when a download or installation fails.
Click Download updates now… to download updates.
NOTE: To download updates using a proxy server, refer to Configuring automatic updates in page 86 of this manual.
4. Click Actions or Other tab to select the actions to perform on messages identified as spam. For more information refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual. Click OK to finalize your configuration.
4.2.3
NOTE 1: Disabling Phishing is NOT recommended.
1. Select Anti-Spam ► Anti-Spam Filters ► Phishing ► Properties.
2. From the Phishing tab perform the following actions:
Select/unselect Check mail messages for URIs to known phishing sites option to enable/disable Phishing.
3. From the Keywords tab perform the following actions:
Select/unselect the Check URIs in mail messages for typical phishing keywords option to enable/disable checks for typical phishing keywords.
Click Keyword button and enter keywords in the Enter a keyword dialog to add keywords to the Phishing filter.
Select a keyword and click Edit or Remove to edit or remove a keyword previously keyed in the Phishing filter.
Click Export to export current list of keywords in XML format.
Click Import button to import a keyword list previously exported to XML.
4. From the Updates tab perform any of the following actions:
Select/unselect Automatically check for updates checkbox to enable or disable the automatic check for and download of any anti-phishing updates.
NOTE: It is highly recommended to enable this option so that frequent updates enable Phishing to be more effective in detecting the latest phishing emails.
Select/unselect Send a notification email when an update succeeds checkbox to be informed via email when new updates are downloaded.
Select/unselect Send a notification email when an update fails to be informed when a download or installation fails.
NOTE: To download updates using a proxy server, refer to Configuring automatic updates in page 86 of this manual.
5. Click Actions or Other tab to select the actions to perform on messages identified as phishing emails. For more information refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual. Click OK to finalize your configuration.
Example: If an email is sent from xyz@CompanyABC.com then companyABC.com must publish an SPF record in order for SPF to be able to determine if the email was really sent from the companyABC.com network or whether it was forged. If an SPF record is not published by CompanyABC.com, the SPF result will be ‘unknown’.
The SPF filter is NOT enabled by default and should only be enabled in cases where you think that the threat of forged senders is high.
1. Right click Anti-Spam ► Anti-Spam Settings ► Properties and select Perimeter SMTP Servers tab.
2. Click Auto Discovery button in the Perimeter SMTP setup option to perform a DNS MX lookup and automatically define the IP address of your perimeter SMTP server.
1. Select Anti-Spam ► Anti-Spam Filters ► Sender Policy Framework ► Properties.
Never: Do not block any messages. SPF tests are omitted.
Low: Only block messages that are determined to have a forged sender. This option treats any message with forged senders as spam.
Medium: Block messages which appear to have a forged sender. This option treats all messages that appear to have a forged sender as spam.
NOTE: This is the default and recommended setting.
High: Block all messages that are not proven to be from a sender. This option treats all email as spam, unless it could be proven that the sender is not forged.
NOTE: Since the majority of mail servers do not yet have an SPF record, this option is not recommended.
3. If this computer is NOT your perimeter SMTP server, a dialog showing the perimeter SMTP server settings previously configured is displayed. (I.e. the IPs specified for your perimeter SMTP server).
4. If GFI MailEssentials is installed on your perimeter SMTP server, or if you have not yet specified that the mail server running GFI MailEssentials is NOT a perimeter SMTP server, then a dialog box is displayed. Configure the Perimeter SMTP Servers option in the Anti-spam node properties (right click on the Anti-Spam ► Anti-Spam Settings ► Properties Perimeter SMTP Servers tab).
6. Select the Exceptions tab to configure IP addresses and recipients to exclude from SPF checks:
IP exception list: Entries in this list automatically pass SPF checks.
Select Add to add a new IP address or select entries from the list and click Remove button to remove entries. To disable the IP exception list unselect the IP exception list checkbox.
Recipient exception list: This option ensures that certain recipients always receive emails, even if the messages are rejected. A recipient exception can be entered in any of three ways:
Trusted Forwarder SPF Global Whitelist: This whitelist (www.trusted-forwarder.org) provides a global whitelist for SPF users. It is a way of allowing legitimate email that is sent through known, trusted email forwarders.
NOTE: By default, this setting is enabled. It is highly recommended to leave this option always enabled.
7. Click Actions or Other tab to select the actions to perform on messages identified as phishing emails. For more information refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual. Click OK to finalize your configuration.
4.2.5
1. Select Anti-Spam ► Whitelist ► Properties.
2. From the Whitelist tab add a whitelisted domain or email address by clicking Add.
3. In the Enter Email Address/Domain dialog specify:
NOTE: When configuring entire domain suffixes, ensure that, for example, emails sent from military or educational domains are never marked as spam.
Example: To whitelist all inbound email sent by a specific user, select the Check MIME FROM: option.
NOTE 1: Some newsletters use mailers that do not address the sender in the MIME TO field causing the GFI MailEssentials header checking feature to mark it as spam. These should be whitelisted with the Check MIME TO: option.
NOTE 2: To exclude a local user from spam filtering, simply enter the email address of the user, and select the Check MIME TO: option.
Click OK to finalize email/domain entry.
4. To search in the list of whitelisted email addresses and domains, type any search criteria in the Search text box. Matching entries are automatically displayed underneath.
5. Select the Auto Whitelist tab to configure the following auto whitelist options:
Populate Auto Whitelist automatically: If this option is selected, the destination email addresses of outbound emails are automatically added to the whitelist.
Maximum entries allowed in Auto Whitelist: Specify the number of entries allowed in Auto Whitelist. When the limit specified is exceeded, the oldest entries are automatically replaced by the new entries.
Enable Email Auto Whitelist: If this option is selected, incoming emails are scanned and the senders are matched against the auto whitelist. If the sender is present in the list, the email is forwarded directly to the recipient’s Inbox.
NOTE: Auto whitelist entries can be viewed in the Whitelist tab by selecting the Show automatically entered option from the Filter whitelist entries dropdown.
6. Select the Keyword Whitelist (Subject) or Keyword Whitelist (Body) tabs to specify keywords that flag emails as ham (valid email) and automatically allow the email to skip all the anti-spam filters. Specify new keywords by clicking Add button or use the Remove, Edit, Import and Export buttons to modify existing keywords.
7. Select the IP Whitelist tab to automatically allow emails received from specific IP addresses. Enable this feature by selecting the Enable IP Whitelist option and click Add button to key in a single IP address or subnet/mask to bypass SPAM checks.
8. Click Actions tab to enable / disable logging of whitelist occurrence to a file. Click Browse to specify a folder where to save logs.
9. Click OK to finalize your configuration.
This filter is NOT enabled by default on installing GFI MailEssentials.
1. Select Anti-Spam ► Anti-Spam Filters ► Directory Harvesting ► Properties and click on Enable directory harvesting protection option.
Use native Active Directory lookups option if GFI MailEssentials is installed in Active Directory user mode.
NOTE 1: Where GFI MailEssentials is installed in Active Directory user mode on a DMZ, the AD of a DMZ usually will not include all the network users (email recipients). In this case perform directory harvesting using LDAP lookups.
NOTE 2: When GFI MailEssentials is behind a firewall, the Directory Harvesting feature might not be able to connect directly to the internal Active Directory because of firewall settings. Use LDAP lookups to connect to the internal Active Directory of your network and ensure that default port 389 is enabled on your firewall.
Use LDAP lookups to configure your LDAP settings if GFI MailEssentials is installed in SMTP mode. If your LDAP server requires authentication, unmark the Anonymous bind option and enter the authentication details that will be used by this feature. Click on Test button to test your LDAP configuration settings.
NOTE 1: Specify authentication credentials using Domain\User format (for example master-domain\administrator).
NOTE 2: In an Active Directory, the LDAP server is typically the Domain Controller.
3. In the Block if non-existent recipients equal or exceed option specify the amount of non-existent recipients that will qualify the email as SPAM. If the total amount of recipients is less than the number specified, the action configured is triggered only if ALL the recipients do not exist, otherwise the email is not marked as SPAM.
NOTE: Avoid false positives by configuring a reasonable amount in the Block if non-existent recipients equal or exceed edit box. This value should account for users who send legitimate emails with mistyped email addresses or to users no longer employed with the company.
4. Click Actions or Other tab to select the actions to perform on messages identified as spam. For information on the actions to perform refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual.
NOTE: If Directory Harvesting is set at SMTP protocol sink level, only the Log Occurrence option will be available in the Actions tab.
1. Navigate to Anti-Spam ► Filter Priority ► Properties, and click the SMTP Transmission Filtering node.
Switch to full email filtering – Filtering is done when the whole email is received.
Switch to SMTP transmission filtering – Filtering is done during SMTP transmission by checking if the email recipients exist before the email body and attachment are received.
NOTE: If this option is chosen, Directory Harvesting will always run before the other spam filters.
3. Click OK to finalize your configuration.
Select Anti-Spam ► Anti-Spam Filters ► Email Blacklist ► Properties.
2. Click Add to add a blacklisted domain or email address.
3. In the Enter Email Address/Domain dialog specify a full email address; or an entire domain (for example: *@spammer.com); or an entire domain suffix (for example: *@*.tv). Also, specify which email header field is to be matched for the emails to blacklist by clicking Check MIME TO: or Check MIME FROM:
4. To search in the list of blacklisted email addresses and domains, type any search criteria in the Search text box. Matching entries are automatically displayed underneath.
5. Select Actions or Other tab to select the actions to perform on spam. For more information refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual.
6. Click OK to finalize your configuration.
NOTE: The Bayesian anti-spam filter is disabled by default.
Copying between 500-1000 mails from your sent items to the This is legitimate email sub folder in the GFI AntiSpam Folders public folders trains the Bayesian filter in the same way as live outbound email sending.
1. From the GFI MailEssentials configuration console, select Anti-Spam ► Anti-Spam Filters ► Bayesian Analysis ► Properties. From the General tab select Enable Bayesian Analysis checkbox.
2. Ensure that Automatically learn from outbound emails option is enabled. This continuously updates the legitimate email database with data from outbound emails.
3. In the Updates tab, configure the frequency of updates to the spam database by enabling Automatically check for updates and configuring an hourly interval.
NOTE 1: Click the Download updates now button to immediately download any updates.
NOTE 2: For more information on how to select preferred servers, and how to download updates using a proxy server, refer to Configuring automatic updates in page 86 of this manual.
4. Click Actions or Other tab to select the actions to perform on messages identified as spam. For information on the actions to perform refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual.
5. Click OK to finalize your configuration.
1. Select Anti-Spam ► Anti-Spam Filters ► DNS Blacklists ► Properties.
2. Check the Check whether the sending mail server is on one of the following DNS Blacklists: checkbox.
3. Select the appropriate DNS blacklists to check incoming email against and click the Test button to check if the selected blacklists are available.
4. If required, add more DNS Blacklists to the ones already listed by clicking Add button and keying in the domain containing the DNSBL.
NOTE: The order of reference for an enabled DNS blacklist can be changed by selecting a blacklist and clicking on the Up or Down buttons.
5. Select the Block emails sent from dynamic IP addresses listed on SORBS.net option to enable GFI MailEssentials to detect spam sent from botnet/zombies by looking up the incoming connection IP with known Botnet/Zombie IP addresses in the Sorbs.net database.
6. Click Apply to save the configuration.
7. If this computer is NOT your SMTP server a dialog box showing the perimeter SMTP server settings that you have configured in GFI MailEssentials (i.e. the IPs specified for your perimeter SMTP server) is displayed.
8. Click Actions or Other tab to select the actions to perform on messages identified as spam. For information on the actions to perform refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual.
9. Click OK to finalize your configuration.
1. Select Anti-Spam ► Anti-Spam Filters ► Spam URI Realtime Blocklists ► Properties.
Check/Uncheck the Check if mail message contains URIs with domains that are in these blacklists: option to enable/disable this feature.
Click Add button to add more SURBLs.
Test the connection by clicking Test button and click Apply to save settings.
NOTE 1: Specify the full name of the domain (for example URIBL.com) containing the blacklist.
NOTE 2: Multi.surbl.org combines the following lists in a unique list:
5. Click Actions or Other tab to select the actions to perform on messages identified as spam. For information on the actions to perform refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual.
6. Click OK to finalize your configuration.
1. Select Anti-Spam ► Anti-Spam Filters ► Header Checking ► Properties.
2. In the General and General Contd. tabs, enable, disable or configure the following parameters:
Checks if the email header contains an empty MIME FROM field: Checks if the sender has identified himself in the From: field. If this field is empty, the message is marked as spam.
Checks if the email header contains a malformed MIME FROM: field: Checks if the MIME from field is a correct notation (if the header matches the RFC).
Maximum number of recipients allowed in email: Identifies emails with large amounts of recipients and flags them as SPAM.
Marks email with different SMTP TO: and MIME TO: fields in the email addresses as spam: Checks whether the SMTP to: and MIME to: fields are the same. The spammer’s email server always has to include an SMTP to: address. However, the MIME to: email address is often not included or is different.
NOTE: This feature identifies a lot of spam, however some list servers do not include the MIME to: either. It is therefore recommended to whitelist newsletter sender address to use this feature.
Check if email contains remote images only: Flag emails that only have remote images and a minimal amount of text as spam. Assists in identifying ‘image only email’ spam.
Verify if sender domain is valid: Performs a DNS lookup on the domain in the MIME from field and verifies the domain validity.
NOTE: Ensure that the DNS server is properly configured to avoid timeouts and slow email flow. In addition, a lot of valid email can be tagged as spam. Test your DNS server/services by clicking Test button.
Maximum numbers allowed in MIME FROM: Identifies the presence of more than 3 numbers in the MIME from as a spam message. Spammers often use tools that automatically create reply-to: addresses. Frequently they use 3 or more numbers in the name to make sure the reply-to: is unique.
Checks if the email subject contains the first part of the recipient email address: Identifies the personalized spam email, where spammers frequently include the first part of the recipient email address in the subject.
NOTE: Ensure that email addresses for which this check should not be done are configured by clicking on the Except… button. This allows emails involving generic addresses that customers reply to, for example emails from sales@company.com with a subject ‘Your email to sales’, not to be marked as spam.
Check if email contains encoded IP addresses: Checks the message header and body for URLs which have a hex/octal encoded IP (http://0072389472/hello.com) or which have a username/password combination (for example www.citibank.com@scammer.com).
Check if email contains embedded GIF images: Checks if the email contains one or more embedded GIF images. Embedded GIF images are often used to circumvent spam filters.
Check if email contains attachment spam: Checks email attachments for properties that are common to attachments sent in spam email. This helps in keeping up with the latest techniques used by spammers in using attachments to send spam.
3. In the Languages tab, select the Block mails that use these languages (character sets) option to block emails sent using character sets which are not typical of the emails received (for example Chinese or Vietnamese).
NOTE: This feature does not distinguish between languages with the same character set (for example Italian and French).
4. Click Actions or Other tab to select the actions to perform on messages identified as spam. For information on the actions to perform refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual.
5. Click OK to finalize your configuration.
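Several of the header checks listed in step 2 can be reproduced offline when tuning or testing a rule set. The Python below is an added example, not GFI MailEssentials code; it approximates the empty MIME FROM, numbers in MIME FROM, SMTP TO versus MIME TO, recipient name in subject and encoded IP address checks. The function names, sample message and addresses are constructed, the two URLs are the ones quoted in the manual text, and counting digits in the local part of the From address is an assumption about how 'numbers' are counted.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"\b(?:https?://|www\.)[^\s<>\"']+", re.I)
NUM_LABEL = re.compile(r"0x[0-9a-f]+|\d+", re.I)

# Constructed sample; the two URLs are the manual's own examples.
SAMPLE = """\
From: promo88412 <promo88412@mailer.example>
To: undisclosed@lists.example
Subject: alice, your account needs attention

Confirm at http://0072389472/hello.com or www.citibank.com@scammer.com today.
"""


def suspicious_urls(text):
    """Return (url, reason) for encoded-IP hosts and user@host style URLs."""
    hits = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")
        try:
            parts = urlsplit(url if "://" in url else "http://" + url)
            host, userinfo = parts.hostname or "", parts.username is not None
        except ValueError:
            continue
        labels = host.split(".")
        numeric = all(NUM_LABEL.fullmatch(label) for label in labels)
        # A plain dotted quad is not "encoded"; a single integer host, or
        # any hex (0x..) or octal (leading 0) part, is.
        encoded = numeric and (len(labels) == 1 or any(
            label.startswith("0x") or (len(label) > 1 and label[0] == "0")
            for label in labels))
        if encoded:
            hits.append((url, "encoded-ip"))
        elif userinfo:
            hits.append((url, "userinfo"))
    return hits


def header_checks(raw_message, smtp_to, max_digits=3, subject_exceptions=()):
    """Return the list of checks a message trips for envelope recipient smtp_to."""
    msg = message_from_string(raw_message)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    if not from_addr:
        findings.append("empty MIME FROM")
    elif sum(c.isdigit() for c in from_addr.split("@")[0]) > max_digits:
        findings.append("too many numbers in MIME FROM")
    mime_to = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if smtp_to.lower() not in mime_to:
        findings.append("SMTP TO differs from MIME TO")
    # subject_exceptions plays the role of the Except... list
    local_part = smtp_to.split("@")[0].lower()
    if (smtp_to.lower() not in subject_exceptions
            and local_part in msg.get("Subject", "").lower()):
        findings.append("subject contains recipient name")
    # The manual says header and body are both scanned for such URLs.
    for url, reason in suspicious_urls(raw_message):
        findings.append(f"{reason} URL: {url}")
    return findings


if __name__ == "__main__":
    for finding in header_checks(SAMPLE, "alice@corp.example"):
        print(finding)
```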
This filter is NOT enabled by default.
1. Select Anti-Spam ► Anti-Spam Filters ► Keyword Checking ► Properties.
2. Choose Scan e-mail body for the following keywords or combinations of keywords: checkbox to enable this feature.
3. Click Keyword button to enter keywords. If multiple words are keyed in, then GFI MailEssentials will search for that phrase.
Example: For ‘Basketball sports’, GFI MailEssentials will check for the phrase 'Basketball sports'. Only this phrase would activate the rule, not the word basketball OR sports separated by some other words.
NOTE: Conditions are combinations of keywords using the operands IF, AND, AND NOT, OR, OR NOT. Using conditions specify combinations of words that must appear in the email.
Example: A condition ‘If Word1 AND Word2’ will check for Word1 and Word2. Both words would have to be present in the email to activate the rule.
To add a condition, click the Condition… button.
5. Choose the Subject tab and check the Scan e-mail subject for the following keywords or combinations of keywords checkbox. Configure the words to check for in the subject of the message.
6. Click Actions or Other tab to select the actions to perform on messages identified as spam. For information on the actions to perform refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual.
7. Click OK to finalize your configuration.
Only emails in which no spam was detected and whose senders are not present in any Whitelist are delivered in the New Senders folder.
1. Select Anti-Spam ► New Senders ► Properties.
2. In the New Senders Properties tab, check the Enable New Senders checkbox to enable the check for new senders on all inbound messages and click on Apply button.
3. Select Exceptions tab and check the MIME TO exception list: checkbox to configure local recipients whose emails are excluded from the New Senders check.
4. Click on Add… button and key in the email address of the sender.
Example: administrator@master-domain.com.
NOTE: To temporarily disable your exception list, do not delete all address entries made, but uncheck the MIME TO exception list: checkbox.
5. Click Actions tab to select the actions to perform on messages identified as spam. For information on the actions to perform refer to the Spam Actions – What to do with spam email section in this manual.
6. Click OK to finalize setup.
The Actions tab in the Anti-Spam filter dialogs defines what should be done with emails marked as spam. Different actions can be defined for each of the spam filters. This feature conveniently enables the use of separate folders for storing spam detected by each filter. This enables you to immediately identify why email was marked as spam and makes it easier to perform operations on emails blocked by a particular filter.
Example: Delete emails marked by the blacklist spam filter, but do not delete emails marked as spam by the keyword checking filter.
NOTE: The options in the actions tab are identical for each spam filter except for Whitelist (spam filters bypass) and New Senders (cannot move spam to Junk E-mail folder).
1. In the Actions tab, select an option that defines which action to take on emails marked as spam:
Delete the email – Delete an email which is blocked by that particular spam filter. Other spam actions are disabled if the email is deleted.
Deliver email to mailbox – choose the folder where to deliver the email:
o In Inbox - Use this option to route spam to the user’s Inbox.
o In Exchange junk email folder – Use this option to route all spam to the user’s default Junk E-mail folder.
o In Exchange mailbox sub-folder – Use this option to route all spam to a specific folder in the user’s mailbox. Click Configure to launch the Move to Exchange folder dialog and type the folder where to move spam email.
Example 1: Type Suspected Spam for a custom folder to be created in the same level of the Inbox folder.
Example 2: Type Inbox\Suspected Spam for a custom folder to be created in the Inbox folder.
NOTE: This option requires that:
Send to email address – Send email tagged as spam to a specific email address.
o Example: An email address of a public folder. This way someone can be assigned to periodically check email marked as spam, and identify email that might have been wrongly marked as spam. This feature can also be used to manually fine tune spam filtering.
The subject of the email will be in the [recipient] [subject] format.
Save to specified folder on disk – Saves email detected as spam to the path specified.
o Example: ‘C:\Spam’.
Tag the email with specific text – Select this option to add a tag to the email subject. Click Configure to modify tagging options. In the Tag Email dialog, key in the text to use for tagging and specify where to place the tag:
o Prepend to subject – to insert the specified tag at the start (i.e. as a prefix) of the email subject text.
Example: ‘[SPAM]Free Web Mail’.
o Append to subject – to insert the specified tag at the end (i.e. as a suffix) of the email subject text.
Example: ‘Free Web Mail[SPAM]’.
o Add tag in an X-header… - to add the specified tag as a new X-header to the email. In this case, the X-Header will have the following format:
Append block reason to email subject – If this option is enabled, the name of the filter which blocked the email and the reason for blocking are appended to the subject of the blocked email.
Select the Other tab, to specify a number of optional actions:
Log occurrence to this file - Log the spam email occurrence to a log file of your choice.
Generate Non-Delivery Report (NDR) - Create and send a fake Non Delivery Report (NDR). This causes most bulk mailing software to remove your address from their database. This option can also be used to notify sender that email has been considered as spam.
NOTE: To customize the fake NDR edit “ndr.xml” located in MailEssentials\templates directory using notepad or any XML editor.
NOTE: This section applies only for installations on Microsoft Exchange Server 2000/2003/2007 that have the Move to subfolder of user’s mailbox enabled. Refer to the Spam Actions – What to do with spam email section starting on page 70 in this manual for more information on how to enable this feature.
1. Right click Anti-Spam ► Anti-Spam Settings node and select Properties.
2. Select Global Actions tab and choose whether to:
3. Select the Log occurrence to this file to log spam to a log file.
NOTE: The order of all available filters can be customized except for the New Senders filter, which is always automatically set to the lowest priority. This is due to its dependency on the results of the Whitelist checks and the other anti-spam filters.
1. Right click Anti-Spam ► Filter Priority node and select Properties.
NOTE: Click on the Default Settings button to restore the filter order to the default order.
3. Click OK button to finalize your configuration. Changes take effect immediately.