
Email Spam Protection using Blacklists and Caller ID

Overview

When the Kerio Connect server receives a large number of emails, it may indicate traffic coming from blacklisted IP addresses or sender domains. As a result, user mailboxes fill up with dozens of spam messages. As a side effect, the Kerio Connect public IP address may itself become blacklisted, affecting business productivity.

In order to detect and block spam emails, Kerio Connect uses different built-in methods like Blacklists, Whitelists, and Caller-ID protection.

Solution 

IP Black/White Lists

This method uses IP address groups to automatically block, increase the spam score of, or allow all messages originating from an IP address on the list. It is configured under Spam Filter > Blacklists.


The predefined Internet Blacklists include SpamCop, SpamHaus, SORBS, and WPBL.


New custom blacklists can be added, and the existing ones can be modified. Each blacklist can also be assigned its own action: Block or Increase score by.

When a suspicious IP address is detected, Kerio Connect writes an entry to the Security log.

[01/Jun/2020 11:11:39] IP address 193.142.59.27 found in DNS blacklist SpamHaus SBL-XBL, mail from <spameri@spamer.com> to <spameri@spamer.com> rejected
[01/Jun/2020 11:18:42] IP address 209.85.167.42 found in DNS blacklist SORBS DNSBL, mail from <username@external_domain.com> to <username@connect_domain.com> rejected

To double-check whether an IP address was correctly detected as a spam source, many blacklist providers offer online lookup services.

If the detection is incorrect, it's advisable to contact the Blacklist authority to confirm the possible false-positive alert.

IP Address Groups make it easy to define who has access to, for example, remote administration or services, and they are also used in other Kerio Connect settings such as Blacklist/Whitelist.


Caller ID

"Caller ID for e-mails: The Next Step to Deterring Spam" is Microsoft's draft specification to address the widespread problem of domain spoofing. Domain spoofing refers specifically to the use of someone else's domain name when sending a message, and it is part of the larger spoofing problem: the practice of forging the sender's address on e-mail messages.

Caller ID for e-mails verifies that each email message originates from the internet domain it claims to come from. Eliminating domain spoofing helps legitimate senders protect their domain names and reputations, and helps recipients identify and filter junk email more effectively. Caller ID requires the authorized IP address to be published in the domain's DNS configuration as a TXT record.

Below is a Caller ID record for the teamaviola.com domain as our example:

<ep xmlns='http://ms.net/1'><out><m> <r>45.76.50.17</r> </m></out></ep>

This means that only the IP 45.76.50.17 is authorized for the domain. If a Kerio Connect server, with Caller ID enabled, receives an email from this domain, Kerio Connect will verify if the originating IP is authorized by checking the DNS records of teamaviola.com. Depending on the settings, it can block the message, increase the Spam score, or just log it in the Security log.

Note: IP Address Groups can also be excluded from the Caller ID check.
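
The check described above can be sketched as follows. This is an added example, not Kerio Connect's own code: the function names, the verdict strings, the 10.0.0.0/8 excluded group and the handling of a CIDR range inside <r> are assumptions. It takes the TXT record text as input rather than querying DNS, so it runs offline.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"ep": "http://ms.net/1"}  # namespace used by the record shown above

# Record copied from the article's teamaviola.com example.
SAMPLE_RECORD = "<ep xmlns='http://ms.net/1'><out><m> <r>45.76.50.17</r> </m></out></ep>"


def authorized_networks(record_xml):
    """Return the networks listed in <out><m><r> elements of a Caller ID record."""
    # TXT data is controlled by the sending domain: refuse DTDs, entity
    # declarations (and comments) before handing the text to the XML parser.
    if "<!" in record_xml:
        raise ValueError("DTD or entity declaration in record")
    root = ET.fromstring(record_xml)
    nets = []
    for r in root.findall("./ep:out/ep:m/ep:r", NS):
        # Assumption: a value is one address or a CIDR range.
        nets.append(ipaddress.ip_network((r.text or "").strip(), strict=False))
    return nets


def check_sender(record_xml, sender_ip, excluded=()):
    """Classify a connecting IP: excluded, authorized, unauthorized or invalid-record."""
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in ipaddress.ip_network(n) for n in excluded):
        return "excluded"          # IP address group exempt from the check
    try:
        nets = authorized_networks(record_xml)
    except (ET.ParseError, ValueError):
        return "invalid-record"    # malformed record is never treated as a pass
    if not nets:
        return "invalid-record"    # no <r> entries, nothing to authorize against
    return "authorized" if any(ip in n for n in nets) else "unauthorized"


if __name__ == "__main__":
    # 203.0.113.9 is a constructed documentation address, not from the article.
    for ip in ("45.76.50.17", "203.0.113.9", "10.1.2.3"):
        print(ip, check_sender(SAMPLE_RECORD, ip, excluded=["10.0.0.0/8"]))
```

An "unauthorized" verdict is the point at which the configured action (block, increase the spam score, or log only) would apply.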


You can check which IP is authorized for a certain domain by going to Caller ID.

  1. Priyanka Bhotika
