Introduction
Block with an Action
XWall accepts the message, performs all the selected checks on the message and then triggers the action that is associated with the method that has a positive result.
An example is the Attachment method. If you block all .exe files and the incoming message has a .exe attached, then the selected action is triggered.
You can select one of the following actions:
- Discard message
The message is discarded. This means the message goes into a virtual wastebasket and no notification is sent to the sender or the recipient.
- Encapsulate and forward to Postmaster
A new message is sent to Postmaster with information about which method caused the blocking. The original message is added as an attachment.
- Forward to Postmaster
The original message is forwarded unchanged to Postmaster.
- Forward to recipient
The original message is sent unchanged to the recipient.
Basically this action does nothing and can be used in the ISP Edition to prevent blocking for a recipient.
- Encapsulate and send to recipient
A new message is sent to the recipient with information about which method caused the blocking. The original message is added as an attachment.
- Encapsulate and send to recipient without attachments
A new message is sent to the recipient with information about which method caused the blocking. The original message is added as an attachment, but the attachments of the original message are removed.
- Send a non-delivery report to the sender
A non-delivery report is sent to the sender with information about which method caused the blocking.
- Mark subject
The subject is tagged with a short string identifying the method that caused the blocking.
Here is a sample of the new subject line:
Drive yourself wild with a motor home... [surbl][heur][sls][bayes]
In this example [surbl] means SURBL, [heur] the heuristic method, [sls] means SLS/RBL and [bayes] means Bayes.
- Mark subject and move to Junk-E-Mail folder
The same as Mark subject, but additionally the line
X-XWALL-Spam:
is added to the header of the message and can be used to trigger a rule in Outlook that moves the message to the Junk-E-Mail folder.
If you have Exchange 2003 then you need to install XWALLFilter, which is an add-on to XWall, to automatically move the messages into the Junk-E-Mail folder of the recipient. See http://www.lakecomm.com/xwallfilter.html for more information on XWALLFilter.
Reject the message during the SMTP session
XWall performs the selected checks based on the information that is available during the SMTP session. Basically this is the IP address and host name of the sending server and the envelope of the message.
If one of the checks fails, then the message is rejected during the SMTP session. This means that XWall does not accept the message. As a result the sending server is responsible for sending a non-delivery report back to the sender.
Because the message itself is not accepted, not every method can be used to reject during the SMTP session. For example, there is no reject because of a blocked subject, simply because the message with the subject never reaches XWall. For the same reason it is not possible to exclude messages by methods that require the message itself.
If the sender's IP address is an internal IP address (127.0.0.1, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 224.0.0.0/8), or the sender is allowed to relay, or the sender is the Exchange server, or the sender is authenticated, then XWall does not perform the selected checks.
Exclusions
XWall consists of a global exclude section, which applies to all methods, a white list for known senders and a local exclusion for each method.
To let a message from michael@dataenter.co.at bypass all spam blocking, add
michael@dataenter.co.at
to the list at Options->Exclude->E-Mail Address->Inbound MAIL FROM
To exclude someuser@aol.com from SLS/RBL only, add
someuser@aol.com
to the list at Options->Spam->SLS->Exclude->MAIL FROM
General syntax
XWall uses the following syntax when blocking or excluding elements:
- E-mail address
XWall compares an e-mail address case insensitive from right to left until a match is found.
This allows you to block a whole domain by typing @domain.com and, as a result, the entry bit@domain.com also blocks rabbit@domain.com.
If you add a space at the beginning, XWall interprets this as a full address, and so " bit@domain.com" does not block rabbit@domain.com.
- File Name
XWall compares a file name case insensitive from right to left until a match is found.
This allows you to block all .exe files by typing .exe, and this will also block notepad.exe.
If you add a space at the beginning, XWall interprets this as a full name, and so " pad.exe" does not block notepad.exe.
- Host Name
The host name is the name of the sending machine, or more technically the name of the sending IP address (the DNS PTR record). The host name has nothing to do with the sender's domain.
For example, if the sender is a customer of EarthLink, then the sending server may be something like asmtp-a063f35.pas.sa.earthlink.net, regardless of the domain of the sender.
XWall compares a host name case insensitive from right to left until a match is found.
To block all messages originating from one of the many SMTP servers of EarthLink you type
.earthlink.net
To block only this specific EarthLink server you type
asmtp-a063f35.pas.sa.earthlink.net and add a space in front to make it an absolute name.
- IP Address
XWall expects IP addresses in CIDR notation.
A single address is then either 10.0.0.1 or 10.0.0.1/32
For a range from 10.10.10.0 to 10.10.10.255 you need to use
10.10.10.0/24
- Word/String
XWall scans for strings and not words.
To scan for words you need to add a space in front and at the end of the string.
If the string is cum (without the spaces that make it a word), then it would find the author's name, which is Michael Kocum. Or if the string is sex then this would also find MSExchange.
However " sex " (with a space in front and at the end) finds only sex and not MSExchange.
- Wildcards
XWall supports the following wildcards:
- ? matches one character
- * matches one or more characters
- # matches one or more digits
Note: Make sure the star * wildcard does not match more than you want. For example, s*x would match sex, but would also match the phrase
See how exciting this is
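The right-to-left matching rules for e-mail addresses, file names and host names, the leading-space rule for absolute names, and CIDR matching for IP addresses, written out as an added example (this is not XWall's own code). The function names are assumptions; the sample lists reproduce the entries used in the text above, and the reserved ranges are the ones listed under "Reject the message during the SMTP session". Returning the matching entry instead of a bare yes/no is deliberate: it is what you want to log when a rule fires.

```python
"""Right-to-left list matching as described under "General syntax" above.
Added example, not XWall's own code; the function names are assumptions."""
import ipaddress

# Reserved ranges quoted on this page (XWall skips SMTP-session checks for them).
INTERNAL_NETWORKS = [
    "127.0.0.1", "10.0.0.0/8", "192.168.0.0/16",
    "172.16.0.0/12", "169.254.0.0/16", "224.0.0.0/8",
]


def entry_matches(entry, value):
    """One list entry against one e-mail address, file name or host name.

    Comparison is case insensitive and runs from right to left, so an entry
    matches any value that ends with it.  A leading space turns the entry into
    an absolute name that has to match the whole value.
    """
    if entry.startswith(" "):
        return entry[1:].lower() == value.lower()
    return value.lower().endswith(entry.lower())


def matching_entry(entries, value):
    """Return the first entry that matches value, or None."""
    for entry in entries:
        if entry_matches(entry, value):
            return entry
    return None


def matching_network(cidrs, ip):
    """Return the first CIDR entry containing ip, or None.  A bare address such
    as 10.0.0.1 is treated as 10.0.0.1/32, as the page describes."""
    addr = ipaddress.ip_address(ip)
    for cidr in cidrs:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return cidr
    return None


def is_internal(ip):
    """True for the reserved ranges XWall treats as internal."""
    return matching_network(INTERNAL_NETWORKS, ip) is not None


if __name__ == "__main__":
    # Constructed sample lists mirroring the page's examples.
    blocked_senders = ["@domain.com", " bit@domain.com"]
    blocked_files = [".exe", " pad.exe"]
    blocked_hosts = [".earthlink.net"]
    blocked_nets = ["10.10.10.0/24", "10.0.0.1"]
    print(matching_entry(blocked_senders, "rabbit@domain.com"))  # @domain.com
    print(matching_entry(blocked_files, "NOTEPAD.EXE"))          # .exe
    print(matching_entry(blocked_hosts, "asmtp-a063f35.pas.sa.earthlink.net"))  # .earthlink.net
    print(matching_network(blocked_nets, "10.10.10.200"))        # 10.10.10.0/24
    print(is_internal("192.168.1.5"), is_internal("62.116.14.14"))  # True False
```

Note that a suffix match on bit@domain.com is broader than it looks (it also covers rabbit@domain.com), which is exactly why the leading-space form exists for exclusions you want to keep narrow.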
How to get the e-mail address, IP address and host name
The sender's e-mail address (the MAIL FROM e-mail address) may or may not be the same as the e-mail address that Outlook shows you. So if your blocking or exclusion does not work, then the sender uses a different address than the one Outlook shows you.
The only way to find it out is to open the logfile of XWall (mb.log), search for the subject of the message, and there you will find the e-mail address that you need to exclude or block.
Here is a sample from the logfile:
Processing inbound message from server.isp.com [62.116.14.14]
From: user@sender.com To: user@recipient.com
Subj: Some subject Prio: 3 / 2 Size: 3 K
Explanation:
server.isp.com = host name of the sending host
62.116.14.14 = IP address of the sending host
user@sender.com = the MAIL FROM: address (the sender's address)
user@recipient.com = the RCPT TO: address (the recipient's address)
If you have Exchange 2000/2003 then you can get most of the information from the Internet header lines in Outlook. Open the message in Outlook and then select View->Options, where you find the Internet header lines. Locate the line called Return-Path: and this is the e-mail address that you need to block or exclude.
A sample looks like:
Microsoft Mail Internet Headers Version 2.0
Received: from server.isp.com ([62.116.14.14]) by yourserver.yourdomain.com;
Tue, 4 Mar 2003 18:59:37 +0100
From: "Some Unknown" <user@sender.com>
To: user@recipient.com
Subject: Some subject
Date: Tue, 4 Mar 2003 18:54:17 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-Path: user@sender.com
Explanation:
server.isp.com = host name of the sending host
62.116.14.14 = IP address of the sending host
user@sender.com = the MAIL FROM: address (the sender's address)
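The lookup described above, search mb.log by subject and read the MAIL FROM address, host name and IP address from the matching record, plus reading the Return-Path header from Outlook's header listing, written out as an added example (not XWall's own code). The log excerpt and the header block are constructed from the samples shown on this page, with a second log record added so the subject search actually has to pick the right one; the function names are assumptions.

```python
"""Pulling the envelope sender, host name and IP address out of XWall's mb.log
and out of Outlook's Internet header lines.  Added example, not XWall's own
code; the log lines are constructed and the function names are assumptions."""
import re

# Constructed mb.log excerpt: two records, one of which has the subject we search for.
LOG_SAMPLE = """\
Processing inbound message from server.isp.com [62.116.14.14]
From: user@sender.com To: user@recipient.com
Subj: Some subject Prio: 3 / 2 Size: 3 K
Processing inbound message from mx.example.net [198.51.100.7]
From: other@example.net To: user@recipient.com
Subj: Another subject Prio: 3 / 2 Size: 12 K
"""

# Constructed header block in the form Outlook shows under View->Options.
HEADER_SAMPLE = """\
Microsoft Mail Internet Headers Version 2.0
Received: from server.isp.com ([62.116.14.14]) by yourserver.yourdomain.com;
Tue, 4 Mar 2003 18:59:37 +0100
From: "Some Unknown" <user@sender.com>
To: user@recipient.com
Subject: Some subject
Return-Path: user@sender.com
"""

ENTRY_RE = re.compile(r"^Processing (inbound|outbound) message from (\S+) \[([0-9.]+)\]")
ENVELOPE_RE = re.compile(r"^From: (\S+) To: (\S+)")
SUBJECT_RE = re.compile(r"^Subj: (.*?) Prio: ")


def parse_log(text):
    """Group the three-line records of mb.log into dicts."""
    entries, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"direction": m.group(1), "host": m.group(2), "ip": m.group(3)}
            entries.append(current)
            continue
        if current is None:
            continue
        m = ENVELOPE_RE.match(line)
        if m:
            current["mail_from"], current["rcpt_to"] = m.group(1), m.group(2)
            continue
        m = SUBJECT_RE.match(line)
        if m:
            current["subject"] = m.group(1)
    return entries


def find_by_subject(text, subject):
    """All log records whose subject matches exactly."""
    return [e for e in parse_log(text) if e.get("subject") == subject]


def envelope_sender(raw_headers):
    """Return-Path carries the MAIL FROM address, which may differ from the
    display From: line.  Angle brackets are stripped when present."""
    for line in raw_headers.splitlines():
        if line.lower().startswith("return-path:"):
            return line.split(":", 1)[1].strip().strip("<>")
    return None


if __name__ == "__main__":
    for hit in find_by_subject(LOG_SAMPLE, "Some subject"):
        print(hit["host"], hit["ip"], hit["mail_from"], hit["rcpt_to"])
    print(envelope_sender(HEADER_SAMPLE))
```

The address to put on a block or exclude list is the one returned by find_by_subject or envelope_sender, not the display name in the From: line.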
Exchange
- Postmaster's e-mail address
E-mail address of the person who is responsible for maintaining XWall.
XWall will send error messages to this address.
- Notify postmaster when a new program version is available
XWall will periodically perform an online check for a program update and will send a notification to the postmaster in case a new program version is available.
- Name or IP address of the Exchange server
Host name or IP address of the Exchange server. The default is localhost, which means that the Exchange server is on the same machine as XWall.
- Exchange listens on port
This is the port that XWall uses when connecting to the Exchange server. If XWall and the Exchange server are running on the same machine you may need to adjust the port that you have selected for the IMC. For Exchange 5.x you do this by changing the services file.
- Refuse inbound connections on problems with outbound connections
If checked and XWall is unable to establish a connection with the Exchange server, XWall will not accept incoming messages until it can communicate with the Exchange server.
- Exchange needs authentication
Allows you to enter the user and password if your Exchange server needs authentication before accepting input.
Logfiles
- Write Logfile
If checked, XWall will write a logfile called MBYYMMDD.LOG, where YY is the year, MM is the month and DD is the day.
- Directory
The directory where XWall will write the logfile.
If the Directory is empty, XWall writes the logfile into the directory where MBServer.EXE resides.
Note: This is a directory and not a filename. The filename will always be MBYYMMDD.LOG
Diagnostic Logging
- Verbose Logging
If checked, XWall displays and logs everything, whereas if unchecked only a minimal amount of information is logged.
- Log Message Transfer
If checked, XWall displays and logs the communication of the message transfer.
- Log Message Header
If checked, XWall displays the SMTP header of the message.
History
- Keep a copy of every message
If checked, XWall keeps a copy of every message in the HIST-IN and HIST-OUT folders.
Make sure you have enough free disk space if you enable this option.
The message files are plain text files and contain exactly what was sent over the wire.
This means you can read the message files in Notepad. If you want to extract an attachment from a message then you can either rename the file to .eml and use Outlook Express, or rename the file to .uue and use WinZip to extract the attachment.
If you want to resend a message then you can use SMTPSend with the -g option, or you open it in Outlook Express and resend it from there.
If you want to resend more than one message, then use either CSVToEnv or ESATInformer.
- Directory
The directory where XWall will create the HIST-IN and HIST-OUT folders.
If the Directory is empty, XWall creates them in the directory where MBServer.EXE resides.
Statistic
Note: If you are looking for a program to analyze your traffic, then check one of the following:
General
- Write Statistics File
If checked, XWall will write a statistics file called SRYYMMDD.CSV, where YY is the year, MM is the month and DD is the day.
The file lists all inbound and outbound messages that XWall handled.
You can use Excel or any other program which imports delimited text files to run your statistics.
- Directory
The directory where XWall will write the statistics file.
If the directory is empty, XWall writes the statistics file into the directory where MBServer.EXE resides.
- Purge logfiles file after x days
Purges the statistics files after the set number of days.
- Write SMTP blocking statistics file
If checked, XWall will write a statistics file called SPYYMMDD.CSV, where YY is the year, MM is the month and DD is the day.
The file lists all messages that XWall rejected at the SMTP level.
Note: Because the messages are rejected before the sending server tells XWall to whom the message is addressed, the CSV file does not show the e-mail address of the final recipient.
- Write send statistics file
If checked, XWall will write a send file called SSYYMMDD.CSV, where YY is the year, MM is the month and DD is the day.
The file lists all messages that are sent by XWall.
- Write virus statistics file
If checked, XWall will write a statistics file called SVYYMMDD.CSV, where YY is the year, MM is the month and DD is the day.
The file lists all messages that had a virus.
Options
- Use long date in statistic file (yyyy-mm-dd vs. yy-mm-dd)
If checked, XWall will use a long date format in the statistic file.
If Excel has trouble showing the correct date, then enable this option.
Connections
Outbound Message Routing
- Use DNS to send all messages direct to the recipient's mail server
In this mode XWall queries the DNS server for the MX record of the recipient, connects to the recipient's mail server and sends the message.
- Relay all messages through the smart host
In this mode XWall relays all messages to the smart host.
Usually the smart host is the SMTP server of your ISP or some relay server in your DMZ.
- Use smart host only if direct connection fails
This is a combination of the two modes above.
If XWall can not send direct, it relays to the smart host.
- Smart host:
The name or IP address of the smart host where XWall should relay to.
- DNS server
The IP address of the name server (DNS) which XWall should use to get the MX record(s) for the recipient domain.
Do not use a host name, because XWall can not resolve it to an IP address without a name server (chicken-and-egg problem).
Note: If you use the word AutoDetect rather than an IP address, then the name server is read from the registry.
- Refuse inbound connections on problems with outbound connections
If checked and XWall is unable to establish a connection with the Exchange server, XWall will not accept incoming messages until it can communicate with the Exchange server.
- Specify by e-mail domain
Allows you to define e-mail domains that need special routing, for example when a target server is behind a firewall or in a private LAN.
Connection Limits
- Max concurrent inbound
Defines how many concurrent inbound connections XWall accepts. Setting this to zero allows unlimited connections.
- Max concurrent outbound
Defines how many concurrent outbound connections XWall opens. Setting it to zero allows unlimited connections.
- Concurrent outbound connections to a single host
Defines how many concurrent connections to a single host XWall opens.
As a general rule you should not allow more than 8 connections for a 64kBit bandwidth or else you may have timeouts. If you have a 64K ISDN line, set inbound and outbound to 4.
- Max recipients for an inbound message
Defines the maximum number of recipients in a single inbound message.
If the sending server sends more recipients, then the remaining recipients are blocked using a
452 4.5.3 Too many recipients
error.
Dial-up
- Enable Dial Up network
Check this if you want to use the dial-up network which comes with Win95/98/NT to connect to your ISP. Do not check it if you have a dial-up router, because a dial-up router is (nearly) the same as a leased line from XWall's viewpoint.
- Dial-up entry to dial
Select the entry which XWall should dial.
This is the user name and password that is needed to connect to your ISP. The domain is a Windows NT® domain and, because most ISPs are UNIX based or don't use Windows NT® domains, you should leave this field blank unless your ISP requires it.
- Allow dial-up for SMTP Messages
- From
- Until
- Every
- On Sunday, Monday,...
Allows you to define the schedule when XWall will dial out to send SMTP messages.
Note: A high priority message will override the schedule.
SOCKS
- Enable outbound connections via SOCKS server
Check this if you want to make outbound connections via a SOCKS server. Inbound connections are not supported using SOCKS, and so you can't receive your messages using Inbound SMTP and SOCKS.
- Server type
- SOCKS server v4
- SOCKS server v5
Type of your SOCKS server. In general, if your server supports both types, v5 is better, because there is no DNS support in v4. When using v4 you must either have a local DNS or only IP addresses may be used.
Optional SOCKS v5 Authentication (RFC 1929)
ETRN
- Enable Remote Message Queue Processing (ETRN - RFC 1985)
Enables Remote Message Queue Processing (ETRN) based on RFC 1985.
Note: You need ETRN only if you have a dial-up connection to your ISP and if you receive your messages using Inbound SMTP.
ETRN signals your ISP's SMTP host that it can send its queued messages now. Some ISPs automatically detect if XWall is online and so ETRN is not needed.
- From
- Until
- Every
- On Sunday, Monday,...
Allows you to define the schedule when XWall will send an ETRN.
Relay
- Allow Relay of SMTP Messages
If checked, XWall relays messages for recipients not defined on your Exchange server to the next SMTP host. This is either the relay host of your ISP or the final host, depending on your settings in Connections.
Relaying is only needed if you have POP3 clients in your LAN and you want to use XWall as the relay host for them.
- Allow relay of SMTP messages from reserved IP addresses
(127.0.0.1, 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 169.254.0.0/16, 224.0.0.0/8)
If checked, XWall allows relaying for clients from your local LAN.
Relaying is only needed if you have POP3 clients in your LAN and you want to use XWall as the relay host for them.
- Allow relay only from host
- Allow relay only from IP address
If you disable general relaying, then you can define from which hosts (machines) or IP addresses relaying is allowed.
XWall compares host names from right to left. IP addresses are in CIDR notation.
If you want all the machines in the domain dataenter.com to be allowed, you need to add dataenter.com to the list. To allow all IP addresses from 10.10.10.0 to 10.10.10.255, you need to add 10.10.10.0/24 to the list of IP addresses.
- Allow relay for authenticated users
If checked, XWall allows relaying for authenticated users, regardless of their IP address.
Note: You need to define which authentication method XWall should use in Authentication.
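The relay decision the options above describe, written out as an added example (not XWall's own code): who may use the gateway to send to recipients that are not on the local Exchange server. The configuration dictionary, its keys, the function names and the sample client addresses are assumptions; the reserved ranges and the dataenter.com / 10.10.10.0/24 entries are the ones given in the text. The audit function is an added check for two settings worth catching before going live: general relaying switched on, and relay for authenticated users switched on without an authentication method defined.

```python
"""Relay decision as described under "Relay" above.  Added example, not XWall's
own code: the config dictionary, its keys, the function names and the sample
client addresses are assumptions."""
import ipaddress

# Reserved ranges quoted on this page for "Allow relay ... from reserved IP addresses".
RESERVED_NETWORKS = [
    "127.0.0.1", "10.0.0.0/8", "192.168.0.0/16",
    "172.16.0.0/12", "169.254.0.0/16", "224.0.0.0/8",
]

# Constructed configuration: general relaying off, LAN and one domain allowed,
# authenticated users allowed with an authentication method defined.
LAN_CONFIG = {
    "allow_relay_all": False,             # "Allow Relay of SMTP Messages"
    "allow_reserved_ips": True,           # "Allow relay ... from reserved IP addresses"
    "relay_hosts": ["dataenter.com"],     # "Allow relay only from host" (right-to-left match)
    "relay_networks": ["10.10.10.0/24"],  # "Allow relay only from IP address" (CIDR)
    "allow_authenticated": True,          # "Allow relay for authenticated users"
    "auth_method": "ntlm",                # chosen under Authentication
}


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def relay_allowed(config, client_ip, client_host=None, authenticated=False):
    """Return (allowed, reason) for a client that wants to send to a recipient
    not hosted on the local Exchange server."""
    if config.get("allow_relay_all"):
        return True, "general relaying enabled"
    if config.get("allow_reserved_ips") and _in_any(client_ip, RESERVED_NETWORKS):
        return True, "reserved (LAN) address"
    if _in_any(client_ip, config.get("relay_networks", [])):
        return True, "listed IP address"
    if client_host:
        # Host entries match from right to left, as the page describes; note that
        # "dataenter.com" therefore also covers any name that merely ends with it.
        for entry in config.get("relay_hosts", []):
            if client_host.lower().endswith(entry.lower()):
                return True, "listed host " + entry
    if authenticated and config.get("allow_authenticated"):
        return True, "authenticated user"
    return False, "relaying denied"


def audit_config(config):
    """Warnings for settings that hand relaying to more clients than intended."""
    warnings = []
    if config.get("allow_relay_all"):
        warnings.append("general relaying enabled: the gateway relays for anyone (open relay)")
    if config.get("allow_authenticated") and not config.get("auth_method"):
        warnings.append("relay for authenticated users enabled but no authentication method defined")
    return warnings


if __name__ == "__main__":
    print(relay_allowed(LAN_CONFIG, "203.0.113.9"))                      # (False, 'relaying denied')
    print(relay_allowed(LAN_CONFIG, "192.168.1.20"))                     # (True, 'reserved (LAN) address')
    print(relay_allowed(LAN_CONFIG, "203.0.113.9", authenticated=True))  # (True, 'authenticated user')
    print(audit_config({"allow_relay_all": True}))
```

A denied decision is the one that should show up in the log with its reason; the allowed paths tell you which list entry an unexpected relay came through.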
Authentication
- Enable inbound SMTP authentication using pass-through NTLM logon
(Windows NT® and Windows® 2000/2003 only)
If checked, XWall performs a network logon using the user and password that the SMTP client provided.
The user needs to be in the format Domain\User or User. If User is selected, then the validation goes against the local machine. If the local machine is a domain controller, Domain\User and User are equal.
Note: If XWall is running as a service using the LocalSystem account (this is the default), then Domain\User needs to be used, even when running on a domain controller. Using User alone will result in a logon error. As a workaround use either Domain\User or start the service using the Administrator account.
Note: Make sure the Guest account is locked, or the logon of every user with every password will succeed. See KB 251149 Guest Account Allows Relaying Regardless of Routing Restrictions
- Enable inbound SMTP Authentication using
If checked, validates the SMTP client's user and password against the given user and password.
- Enable outbound SMTP authentication using
If your ISP's SMTP server needs authentication before accepting an SMTP message, then you can define the user and password here.
Note: Do not use this unless your ISP requires it!
Advanced
Outbound SMTP options
- Retry failed connection every xx Seconds
Defines how long XWall should wait until it retries a failed outbound SMTP connection.
The default is 1800 seconds, which is 30 minutes.
- Retry for xx Seconds
Defines how long XWall should continue trying a failed outbound SMTP connection.
The default is 432000 seconds, which is 5 days.
Note: Set this to something between 4 - 24 hours, which makes more sense than the default of 5 days.
- Retry non-delivery reports for xx Seconds
Defines how long XWall should continue trying a failed non-delivery report.
The default is 14400 seconds, which is 4 hours.
Outbound Exchange options
- Retry failed connection every xx Seconds
Defines how long XWall should wait until it retries a failed outbound Exchange connection. The default is 300 seconds, which is 5 minutes.
- Retry for xx Seconds
Defines how long XWall should try a failed outbound Exchange connection.
The default is 604800 seconds, which is 7 days.
Check
- Check for an Exchange server before sending a message
If checked, XWall checks if the SMTP server announces the XEXCH50 ESMTP verb.
This will prevent XWall from accidentally sending a message to the wrong server.
In Exchange 5.5 / 2000 / 2003 the virtual SMTP server always announces the XEXCH50 ESMTP verb.
In Exchange 2007 the Hub connector announces the XEXCH50 ESMTP verb only if Exchange Server authentication is enabled.
Notes, GroupWise or any other SMTP server do not announce the XEXCH50 ESMTP verb.
- Check for on-access virus scanner at startup
If checked, XWall checks for an on-access virus scanner at startup.
XWall does this by writing out the Eicar antivirus test file (http://www.eicar.org), which is a harmless text file, and watches whether some other program deletes or locks the file. If so, then an on-access scanner is running and the XWall directory is not excluded from scanning.
XWall then shows a warning and continues working, but the XWall directory should be excluded from scanning.
When you don't exclude the XWall directory, the scanner will prevent XWall from accessing its own files. Even worse, when you have enabled some kind of "cleaning", then you get absolutely unpredictable results, but not what you might expect.
More technically speaking, the scanner can not clean a message, because it is a file scanner and has no idea how to handle an SMTP message.
Even if it could clean the message, it locks the file to do so, and XWall does not fight with the scanner for the file.
When a message comes in, XWall saves the message in the MSG-IN directory and gives it a unique file name with a .tmp extension (MSG0117x.TMP for example).
Once the message download is finished, XWall renames the file from MSG0117x.TMP to MSG0117x.TXT. If a scanner is scanning this file at that moment, the operating system does not allow the renaming, and XWall considers this a failure and tells the sending SMTP server about it.
If the renaming succeeds, the message is placed in the decoding queue and waits until the decoder handles it. If the scanner now scans the file, the decoder can not open it and so the message is lost. Worse still, when the scanner deletes the file, then XWall is really happy about that, because it always likes it when someone deletes files behind its back.
This all does not mean that you should not use a virus scanner at all. It only means that you should use the right way to scan your messages: either enable the virus scanner in XWall, because then XWall has full control over the scanner, or use an SMTP based virus scanner.
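The two mechanisms described above, the EICAR probe that detects an on-access scanner in the spool directory and the .TMP to .TXT rename that commits a fully received message, as an added example (not XWall's own code). File names, the return values, the use of the system temporary directory and the spool_roundtrip helper are assumptions; the EICAR string is the public test string from eicar.org that the text refers to. The same probe is a quick way to confirm that a scanner exclusion for a gateway's spool directory is actually in effect.

```python
"""On-access scanner probe and spool commit, modelled on the description of
"Check for on-access virus scanner at startup".  Added example, not XWall's
own code; paths, names and return values are assumptions."""
import os
import tempfile
import time

# The EICAR test string (http://www.eicar.org): a harmless text file that every
# virus scanner is expected to detect, which is what makes it usable as a probe.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def probe_on_access_scanner(directory=None, settle_seconds=2.0):
    """Write the probe file, wait, then try to read it back.

    Returns "excluded" when the directory looks untouched by a scanner and
    "scanner-active" when the file vanished, was altered or could not be
    reopened (a locked or quarantined file fails the open on Windows).
    """
    directory = directory or tempfile.gettempdir()   # assumption: temp dir stands in for the XWall directory
    path = os.path.join(directory, "eicar_probe.com")
    try:
        with open(path, "w") as fh:
            fh.write(EICAR)
    except OSError:
        return "scanner-active"
    try:
        time.sleep(settle_seconds)
        if not os.path.exists(path):
            return "scanner-active"
        with open(path, "r+") as fh:
            return "excluded" if fh.read() == EICAR else "scanner-active"
    except OSError:
        return "scanner-active"
    finally:
        try:
            os.remove(path)
        except OSError:
            pass


def commit_message(spool_dir, msg_id, data):
    """Spool a received message the way the page describes: write MSG<id>.TMP
    while the download runs, then rename it to .TXT once it is complete.

    Returns the final path, or None when the rename failed, which is the point
    at which the gateway must report a temporary failure to the sending
    server rather than pretend the message was accepted."""
    tmp_path = os.path.join(spool_dir, "MSG%s.TMP" % msg_id)
    txt_path = os.path.join(spool_dir, "MSG%s.TXT" % msg_id)
    with open(tmp_path, "wb") as fh:
        fh.write(data)
    try:
        os.replace(tmp_path, txt_path)
    except OSError:
        return None
    return txt_path


def spool_roundtrip(data, msg_id="0117x"):
    """Commit data into a fresh temporary spool and return (file name, stored
    bytes), or None if the commit failed."""
    with tempfile.TemporaryDirectory() as spool:
        path = commit_message(spool, msg_id, data)
        if path is None:
            return None
        with open(path, "rb") as fh:
            return os.path.basename(path), fh.read()


if __name__ == "__main__":
    print(probe_on_access_scanner(settle_seconds=0.5))
    print(spool_roundtrip(b"Subject: test\r\n\r\nhello\r\n"))
```

On Windows the rename is what fails while another process holds the file, so a None from commit_message is the signal to return a temporary error on the SMTP session instead of losing the message silently.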
Size Limit
Attachment
Inbound
For inbound messages, XWall compares the list case insensitive with the name of the attachment from right to left, which means that .gif will block all gif files whereas picture.gif will only block a single file.
You can select one of the following for what should happen with an inbound message once an attachment is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Outbound
Adds the name of the attachment to the list.
For outbound messages XWall compares the list case insensitive with the name of the attachment from right to left, which means that .gif will block all gif files whereas picture.gif will only block a single file.
You can select one of the following for what should happen with an outbound message once an attachment is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Send a non-delivery report to the sender
Note: Microsoft defines the following file extensions as unsafe because they may have script or code associated with them.
Extension   File type
.ade        Microsoft Access project extension
.adp        Microsoft Access project
.bas        Microsoft Visual Basic class module
.bat        Batch file
.chm        Compiled HTML Help file
.cmd        Microsoft Windows NT Command script
.com        Microsoft MS-DOS program
.cpl        Control Panel extension
.crt        Security certificate
.exe        Program
.hlp        Help file
.hta        HTML program
.inf        Setup Information
.ins        Internet Naming Service
.isp        Internet Communication settings
.js         JScript file
.jse        JScript Encoded Script file
.lnk        Shortcut
.mdb        Microsoft Access program
.mde        Microsoft Access MDE database
.msc        Microsoft Common Console document
.msi        Microsoft Windows Installer package
.msp        Microsoft Windows Installer patch
.mst        Microsoft Visual Test source files
.pcd        Photo CD image, Microsoft Visual compiled script
.pif        Shortcut to MS-DOS program
.reg        Registration entries
.scr        Screen saver
.sct        Windows Script Component
.shb        Shell Scrap object
.shs        Shell Scrap object
.url        Internet shortcut
.vb         VBScript file
.vbe        VBScript Encoded script file
.vbs        VBScript file
.wsc        Windows Script Component
.wsf        Windows Script file
.wsh        Windows Script Host Settings file
Exploit
Inbound, Outbound
XWall checks inbound and/or outbound attachments for common exploits that may harm the recipient.
- Block all exploits
If enabled, XWall checks for all exploits.
- Block attachments with a dot at the end (file.jpg.)
If checked, XWall will block files with a dot at the end, like file.jpg.
- Block attachments with a double extension (file.exe.jpg)
If checked, XWall will block files with a double extension, like file.exe.jpg
- Block attachments with a CLSID extension
If checked, XWall will block files with an extension of
.{????????-????-????-????-????????????}
- Block password protected zip files
If checked, XWall will block password protected zip files.
- Block partial attachment (message/partial)
If checked, XWall will block partial MIME attachments.
- Block external attachment (message/external-body)
If checked, XWall will block attachments where the attachment itself is not in the message.
- Block Windows® and DOS executables
If checked, XWall blocks files that are DOS or Windows® executables.
XWall detects such files by checking for the signature and does not care about the extension.
This means that even when the file sample.scr is renamed to sample.txt it will be blocked.
- Block Windows® and DOS executables in zip files
If checked, XWall blocks DOS and Windows® executable files even when they are in a zip file. XWall detects the zip file and the executable by their signatures, and this means that renaming a zip or exe file doesn't help to bypass this check.
- Action
You can select one of the following for what should happen with an inbound message once an exploit is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
You can select one of the following for what should happen with an outbound message once an exploit is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Send a non-delivery report to the sender
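The attachment checks listed above, written out as an added example (not XWall's own code): the name-based checks (trailing dot, double extension, CLSID extension) and the signature-based checks (DOS/Windows executables by their MZ header regardless of the file name, executables inside zip files, and password protected zip files by the encryption flag in the zip headers). The finding names, the regular expressions and the sample attachments are constructed; the double-extension check flags any name with two extensions, which is as broad as the option's description. The mark_encrypted helper only flips the flag bit on an archive built in memory so that the detection can be exercised without a real encrypted zip.

```python
"""Attachment checks modelled on the Exploit options above.  Added example,
not XWall's own code; finding names, regexes and samples are constructed."""
import io
import re
import zipfile

CLSID_EXT_RE = re.compile(r"\.\{.{8}-.{4}-.{4}-.{4}-.{12}\}$")
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,4}\.[A-Za-z0-9]{1,4}$")


def name_findings(filename):
    """Checks that only need the attachment's name."""
    findings = set()
    if filename.endswith("."):
        findings.add("trailing-dot")
    if DOUBLE_EXT_RE.search(filename):
        findings.add("double-extension")
    if CLSID_EXT_RE.search(filename):
        findings.add("clsid-extension")
    return findings


def content_findings(data):
    """Checks that look at the bytes, so renaming the file does not help."""
    findings = set()
    if data[:2] == b"MZ":                         # DOS/Windows executable header
        findings.add("dos-windows-executable")
    if data[:4] == b"PK\x03\x04":                 # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:      # bit 0: entry is encrypted
                        findings.add("password-protected-zip")
                        continue
                    with zf.open(info) as member:
                        if member.read(2) == b"MZ":
                            findings.add("executable-in-zip")
        except zipfile.BadZipFile:
            findings.add("unreadable-zip")       # assumption: treat as suspicious
    return findings


def check_attachment(filename, data):
    """Sorted list of the exploit checks that fire for one attachment."""
    return sorted(name_findings(filename) | content_findings(data))


# Constructed samples: only the leading signature bytes matter for these checks.
MZ_SAMPLE = b"MZ" + b"\x90" * 62
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 60


def build_zip(members):
    """Build an uncompressed zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag bit in the first local header and in the
    central directory so the archive reads as password protected."""
    data = bytearray(zip_bytes)
    data[6] |= 0x1                                # local file header: flags at offset 6
    cd = data.find(b"PK\x01\x02")
    data[cd + 8] |= 0x1                           # central directory header: flags at offset 8
    return bytes(data)


if __name__ == "__main__":
    print(check_attachment("holiday.jpg.", JPEG_SAMPLE))                          # ['trailing-dot']
    print(check_attachment("sample.txt", MZ_SAMPLE))                              # ['dos-windows-executable']
    print(check_attachment("report.txt", build_zip({"setup.exe": MZ_SAMPLE})))    # ['executable-in-zip']
    print(check_attachment("archive.zip", mark_encrypted(build_zip({"a.txt": b"hi"}))))  # ['password-protected-zip']
```

The sample.txt case is the one the text calls out: the content check fires on the MZ signature even though nothing in the name suggests an executable.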
Subject
Inbound, Outbound
XWall scans the normalized subject case sensitive for the specified string.
In a normalized subject:
- all tabs are replaced with a single space
- multiple spaces are replaced with a single space
- a space is added at the beginning and at the end, which allows you to scan for words by adding a leading and/or trailing space to the string
Keep in mind that XWall scans for strings and not words.
To scan for words you need to add a space in front and at the end of the string.
If the string is cum (without the spaces that make it a word), then you block the author's name, which is Michael Kocum.
Or if the string is sex then this would also block MSExchange.
Allowed wildcards are:
- ? for one character
- * for one or more characters
- # for one or more digits
If checked, XWall scans the subject case sensitive
- Add Common
Adds strings and words to the list that are commonly used in spam messages
You can select one of the following for what should happen with an inbound message once a subject is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
For an outbound message you can select one of the following:
- Discard message
- Encapsulate and forward to Postmaster
- Send a non-delivery report to the sender
Text
Inbound, Outbound
XWall scans the normalized text and html parts of the message case sensitive for the specified string; HTML tags are removed from the html part of the message before the scan.
In a normalized text part of the message:
- all tabs are replaced with a single space
- multiple spaces are replaced with a single space
- a space is added at the beginning and at the end, which allows you to scan for words by adding a leading and/or trailing space to the string
Note: Wildcards like ? and * are allowed.
If checked, XWall scans the text part of the message case sensitive
You can select one of the following for what should happen with an inbound message once a string is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
For an outbound message you can select one of the following:
- Discard message
- Encapsulate and forward to Postmaster
- Send a non-delivery report to the sender
HTML
Inbound, Outbound
XWall scans the normalized html part of the message case sensitive for the specified string; HTML tags are not removed before the scan.
In a normalized html part of the message:
- all tabs are replaced with a single space
- multiple spaces are replaced with a single space
- a space is added at the beginning and at the end, which allows you to scan for words by adding a leading and/or trailing space to the string
To block messages with embedded scripts you can scan for the string "script".
Note: Wildcards like ? and * are allowed.
If checked, XWall scans the html part of the message case sensitive
You can select one of the following for what should happen with an inbound message once a string is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
For an outbound message you can select one of the following:
- Discard message
- Encapsulate and forward to Postmaster
- Send a non-delivery report to the sender
Header Inbound
XWall scans the header of the message for the header line and then checks whether the data value matches.
XWall compares the data value ignoring case, and wildcards are allowed.
Note: In the header line itself no wildcards are allowed.
Example: Assume you want to block all messages sent by FoxMail, which is a very common spam mailer in China.
The header line in the message looks something like:
X-Mailer: FoxMail 3.11 Release [cn]
To block this mailer, you would add the following:
x-mailer:foxmail
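The following Python is an added illustration of the two matching rules described above (the HTML normalization with leading/trailing-space word matching, and the header-line rule with a case-insensitive wildcard data value); it is not XWall's code. The sample header and HTML fragment are constructed, and the assumption that the data value may match anywhere inside the header value (so that x-mailer:foxmail hits "FoxMail 3.11 Release [cn]") is this example's, taken from the text's own example.

```python
import re
from typing import List, Optional, Tuple


def wildcard_to_regex(pattern: str, case_sensitive: bool) -> "re.Pattern[str]":
    """Turn an XWall-style pattern (only ? and * are wildcards) into a regex.
    Everything else is matched literally, so '[', '.' and '$' in a pattern are safe."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, 0 if case_sensitive else re.IGNORECASE)


def normalize_html(html: str) -> str:
    """The normalization the text describes: tabs -> space, runs of spaces -> one space,
    one space added at each end so ' word ' patterns match whole words. Tags are kept."""
    text = html.replace("\t", " ")
    text = re.sub(r" {2,}", " ", text)
    return " " + text + " "


def scan_part(html: str, blocked: List[str], case_sensitive: bool) -> Optional[str]:
    """Return the first blocked string found in the normalized part, or None."""
    text = normalize_html(html)
    for pattern in blocked:
        if wildcard_to_regex(pattern, case_sensitive).search(text):
            return pattern
    return None


def parse_headers(raw_header: str) -> List[Tuple[str, str]]:
    """Unfold RFC 5322 continuation lines and split 'Name: value' pairs (names lower-cased)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_header)
    headers = []
    for line in unfolded.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def match_header_rule(raw_header: str, rule: str) -> bool:
    """Rule syntax from the text: 'header-line:data-value'. The header name is literal,
    the data value is compared ignoring case and may contain ? and *. Assumption: the
    data value matches anywhere in the header value, so 'x-mailer:foxmail' hits
    'FoxMail 3.11 Release [cn]' without needing a trailing *."""
    name, pattern = rule.split(":", 1)
    name = name.strip().lower()
    regex = wildcard_to_regex(pattern.strip(), case_sensitive=False)
    return any(h == name and regex.search(v) for h, v in parse_headers(raw_header))


# Constructed sample input (not a real message).
SAMPLE_HEADER = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby xwall.example.com; Mon, 1 Jan 2024 10:00:00 +0000\n"
    "From: someone@example.net\n"
    "X-Mailer: FoxMail 3.11 Release [cn]\n"
    "Subject: hello\n"
)
SAMPLE_HTML = "<html><body>\tBuy\t\tnow  <script>alert(1)</script></body></html>"

if __name__ == "__main__":
    print(scan_part(SAMPLE_HTML, ["script"], True))              # script
    print(scan_part(SAMPLE_HTML, [" buy now "], True))           # None (case-sensitive)
    print(scan_part(SAMPLE_HTML, [" buy now "], False))          # ' buy now '
    print(match_header_rule(SAMPLE_HEADER, "x-mailer:foxmail"))  # True
```

The whole-word trick only works because normalization guarantees a space at both ends of the part: " viagra " matches the part "viagra" but not "xviagra". Because the header name is compared literally, a folded Received: line must be unfolded before the data value is matched, which parse_headers does.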
- Add Common
Adds strings and words to the list that are commonly used in spam messages
- Exclude
Allows you to exclude a message from this test by e-mail address, IP address or host
- Action
You can select one of the following actions to take once a matching data value is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Country
Block messages from the following countries
XWall determines the country from the IP address of the sending host and compares it with the list of blocked countries.
- Examine the IP addresses in the message header
If this is checked, XWall will scan the Received: lines of the message header for the IP address.
- Reject the message during the SMTP session
If checked, XWall will reject the message during the SMTP session and the message will not be accepted.
You can select one of the following actions to take once a matching country is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Charset
Block messages with the following charset
XWall compares the charset of the subject, the body text and the HTML text against the list.
You can select one of the following actions to take once a matching charset is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
IP/Host Inbound
Messages directly sent by a specific IP address or hostname
- Examine the IP addresses in the message header
If this is checked, XWall will scan the Received: lines of the message header for the IP address (but not the host name).
- Reject the message during the SMTP session
If checked, XWall will reject the message during the SMTP session and the message will not be accepted.
- Reject the connection attempt (reset TCP)
If checked, XWall rejects the connection before any data is exchanged. XWall also does not perform a reverse lookup of the IP address (PTR), so no host information is available.
Note: The sending server usually reschedules the message and retries after some time until the message timeout has expired. In general it takes less CPU to accept the connection and send back a 5xx error than to drop the connection without any notice.
You can select one of the following actions to take once a matching IP address or hostname is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
E-Mail
Inbound MAIL FROM:
Outbound MAIL FROM:
Inbound RCPT TO:
Allows you to block a message by e-mail address.
The e-mail address is compared case-insensitively from right to left until a match is found.
This allows you to block a whole domain by typing @domain.com; as a consequence, the entry bit@domain.com also blocks rabbit@domain.com.
If you add a space at the beginning, XWall interprets the entry as a full address, so " bit@domain.com" does not block rabbit@domain.com.
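The right-to-left comparison and the leading-space rule, written out as an added Python example (not XWall's own code). The addresses are the placeholders from the text; the last case in the block is a caveat the example adds: an entry without the @ sign is also just a suffix and therefore matches more than its author may expect.

```python
from typing import List, Optional


def address_blocked(address: str, entries: List[str]) -> Optional[str]:
    """Return the list entry that blocks `address`, or None.

    Entries are compared case-insensitively from the right, i.e. as a suffix, which is
    why '@domain.com' covers a whole domain and 'bit@domain.com' also hits rabbit@domain.com.
    An entry with a leading space is a full address and must match exactly."""
    addr = address.strip().lower()
    for entry in entries:
        if entry.startswith(" "):
            if addr == entry.strip().lower():
                return entry
        elif addr.endswith(entry.lower()):
            return entry
    return None


if __name__ == "__main__":
    # Constructed examples; domain.com is only the placeholder the text uses.
    print(address_blocked("rabbit@domain.com", ["bit@domain.com"]))    # bit@domain.com
    print(address_blocked("rabbit@domain.com", [" bit@domain.com"]))   # None
    # Caveat: an entry without '@' is also just a suffix, so 'domain.com' hits notdomain.com too.
    print(address_blocked("user@notdomain.com", ["domain.com"]))       # domain.com
```

When the intent is to block a domain, keep the @ in the entry; "@domain.com" does not match user@notdomain.com, while "domain.com" does.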
- Reject the message during the SMTP session
If checked, XWall will reject the message during the SMTP session and the message will not be accepted.
You can select one of the following actions to take once a matching e-mail address is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
DSN
Block system messages (Delivery Status Notifications / Non-Delivery Reports)
A system message is a message with either a null return-path (MAIL FROM: <>) or a MIME multipart/report body.
This includes Non-Delivery Reports (NDR), Delivery Status Notifications (DSN), Message Disposition Notifications (MDN) and read receipts.
- Block only for the following e-mail address
You can define for which recipient e-mail addresses the system messages should be blocked.
If no e-mail address is defined, then all system messages are blocked.
- Reject the message during the SMTP session
If checked, XWall will reject the message during the SMTP session and the message will not be accepted.
Note: The RFC requires that a mail server accepts system messages, and rejecting them during the SMTP session is not allowed. Some mail servers check for this and refuse to accept messages from a server that rejects system messages.
You can select one of the following actions to take once a system message is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Auto IP
Automatically block IP addresses that send spam messages
XWall counts the messages from the same IP address that have triggered an action by any other method or were rejected during the SMTP session. Once the count reaches the threshold, the action is triggered for the sending IP address for the given number of seconds.
- Message threshold
Defines after how many spam messages an IP address will be blocked. The default is 3 messages.
- Trigger action for all messages from the sending IP within the next xx seconds
Defines for how many seconds XWall should block the IP address. The default is 8 hours.
- Max IP addresses to gather
Defines how many IP addresses XWall should keep
- Reject the message during the SMTP session
If checked, XWall will reject the message during the SMTP session and the message will not be accepted.
- Reject the connection attempt (reset TCP)
If checked, XWall rejects the connection before any data is exchanged. XWall also does not perform a reverse lookup of the IP address (PTR), so no host information is available.
Note: The sending server usually reschedules the message and retries after some time until the message timeout has expired. In general it takes less CPU to accept the connection and send back a 5xx error than to drop the connection without any notice.
You can select one of the following actions to take once a blocked IP address or hostname is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Verify
Verify the sender and reject the message during the SMTP session
If checked, XWall verifies the sender's domain and does not accept the message when an invalid domain is detected. To pass this test an MX or A record for the domain must exist.
Note: If there is no name server defined in XWall, XWall will not validate the domain.
Also make sure that your firewall does not block port 53 tcp and udp, or else XWall will not be able to connect to the authoritative name server for the domain that should be checked.
- Verify the sender's reverse lookup of the IP address
If checked, XWall verifies the reverse lookup of the IP address.
To pass this test a PTR record for the IP address must exist.
- Verify the sender's FQDN (fully qualified domain name) in the HELO/EHLO command (must resolve to an A record to pass the test)
If checked, XWall verifies the FQDN (fully qualified domain name) given in the HELO/EHLO command.
To pass this test the FQDN needs to resolve to an A record.
Recipient
Verify the recipient and reject the message during the SMTP session
If checked, XWall verifies that the recipient of the message is in the address list.
You must either manually add the e-mail addresses to the address list or use ExchImp or LDAPImp to import the e-mail addresses from the Global Address List (GAL) or AD into the address list.
Note: You need to update the address list in XWall every time you add or delete an e-mail address on your Exchange server.
- Verify the recipient's e-mail address dynamically using an external program
XWall calls the external program to verify the e-mail address. If the program returns an errorlevel of 0 (zero), then XWall assumes the e-mail address is valid. If the errorlevel is 2, XWall assumes the e-mail address is not valid. For every other errorlevel XWall assumes the program had a problem getting the information.
- Program
The default program, LDAPQuery.vbs, queries the Active Directory for the e-mail address.
For communication with Active Directory, the script uses LDAP on port 3268 tcp.
- Parameters
The default parameter for the program is <EMAIL>.
<EMAIL> acts as a placeholder and XWall will replace it with the real e-mail address at runtime.
- Log detailed description how the program is executed
If checked, XWall shows how the program is executed and what return code (errorlevel) the process returns.
- Cache the result of the program
If checked, XWall caches the result of the program for 8 hours.
- Verify the program by querying an existing e-mail address
If an e-mail address is given, XWall will call the program with that e-mail address at startup. If this should-exist e-mail address does not exist, then XWall will disable the whole recipient check and will accept mail for any recipient in the domain.
This is a safeguard against a program that does not work, which would otherwise block all your incoming messages.
Using LDAPQuery.vbs
LDAPQuery.vbs queries the AD/GC server for a given e-mail address and shows the CN and all the proxy addresses for that CN. When you run LDAPQuery.vbs on a machine that is not part of your domain (DMZ), you need to specify the GC server (Global Catalog server) as the second parameter.
Usage is:
cscript LDAPQuery.vbs e-mail [GCserver|defaultNamingContext] [-uUser] [-pPassword] [-notesdomino]
To test LDAPQuery.vbs, open a DOS box on the XWall machine and run it with a known e-mail address and optionally a GC server.
Here is a sample:
cscript LDAPQuery.vbs administrator@yourdomain.com gc.yourdomain.com -uadmin -ppassword
Microsoft (R) Windows Script Host, Version 5.6
Copyright (C) Microsoft Corporation 1996-2001.
E-Mail: administrator@yourdomain.com
DNC: DC=yourdomain,DC=com
SQL: Select cn,adspath,ProxyAddresses from
'GC://DC=yourdomain,DC=com'
where ProxyAddresses='SMTP:administrator@yourdomain.com'
Result: E-mail exist
CN: Administrator
Path: LDAP://CN=Administrator,OU=Mitarbeiter,DC=yourdomain,DC=com
Proxy: X400:c=AT;a= ;p=yourdomain;o=Exchange;s=Kocum;g=administrator;
Proxy: SMTP:administrator@yourdomain.com
Note: In case you have Lotus Notes Domino, you can use the -notesdomino switch so that the script uses the correct query for Notes.
Absolute
Allows you to block all messages that are not excluded
You can select one of the following actions to take once a message arrives:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
SLS/RBL
Lookup the IP address of the connecting host or the message header in the Spam Lookup Service (SLS/MAPS/RBL)
- IP address based Spam Lookup Services
XWall checks whether the IP address of the sending host and/or all IP addresses in the header of the message are on one of the real-time spammer lists.
You can create a group of services by separating the services with a comma.
In a group the IP address must be on each list to trigger the action.
The following IP addresses are excluded from the check:
- 127.0.0.1
- 10.x.x.x
- 192.168.x.x
- 172.16.x.x
- 224.x.x.x
- the same subnet as the machine where MBServer is currently running
Adds some common free-of-charge services.
A complete list of free services can be found at http://www.declude.com/junkmail/support/ip4r.htm
- Add MAPS
Since 2001-07-31 MAPS is a pay service and you need to subscribe when you use it. XWall itself does not include the fee or license to use MAPS; it only includes the technical capability to access MAPS.
More information on MAPS can be found at http://mail-abuse.org
- Domain based Spam Lookup Services
XWall checks whether the e-mail domain of the sender (the MAIL FROM: e-mail domain) is on one of the real-time spammer lists.
A sample is whois.rfc-ignorant.org at www.rfc-ignorant.org
- Examine the IP addresses in the message header
If this is checked, XWall will scan the Received: lines of the message header for the IP address (but not the host name).
- Reject the message during the SMTP session
If checked, XWall will reject the message during the SMTP session and the message will not be accepted.
Note: This option does not check the IP addresses in the header of the message
- Action
You can select one of the following actions to take with an inbound message once a spam message is detected:
- Block message transfer at the SMTP level (the message is not accepted)
Note: This option is not possible when checking the IP addresses of the header
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
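How an IP-based lookup of the kind described in the SLS/RBL section is put together, as an added Python example (not XWall's code): the reversed-octet query name, the excluded ranges taken literally from the list above, the comma-separated group rule, and the header-IP variant. DNS is replaced by a constructed set of "listed" names and all zone names end in .example; real code would send an A query and treat a 127.0.0.x answer as listed.

```python
import ipaddress
from typing import Callable, List, Optional, Tuple

# Ranges the text says are excluded, taken literally as written (172.16.x.x, 224.x.x.x).
EXCLUDED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/16", "224.0.0.0/8")]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL convention: reverse the octets and append the list zone (192.0.2.10 -> 10.2.0.192.zone)."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_excluded(ip: str, local_net: Optional[str] = None) -> bool:
    """local_net is the subnet of the machine running MBServer, e.g. '192.0.2.0/24'."""
    addr = ipaddress.ip_address(ip)
    nets = list(EXCLUDED_NETS)
    if local_net:
        nets.append(ipaddress.ip_network(local_net, strict=False))
    return any(addr in net for net in nets)


# Constructed stand-in for DNS: a name "resolves" when the IP is listed on that zone.
LISTED = {
    "10.2.0.192.bl-one.example", "10.2.0.192.bl-two.example",
    "20.2.0.192.bl-one.example", "3.2.1.10.bl-one.example",
}


def fake_resolve(name: str) -> bool:
    return name in LISTED


def ip_listed(ip: str, services: List[str], resolve: Callable[[str], bool] = fake_resolve,
              local_net: Optional[str] = None) -> Optional[str]:
    """Return the service entry that lists the IP, or None. An entry 'a.example,b.example'
    is a group: the IP must be on every list in the group to count."""
    if is_excluded(ip, local_net):
        return None
    for entry in services:
        zones = [z.strip() for z in entry.split(",") if z.strip()]
        if zones and all(resolve(dnsbl_query_name(ip, z)) for z in zones):
            return entry
    return None


def header_ip_listed(header_ips: List[str], services: List[str],
                     resolve: Callable[[str], bool] = fake_resolve,
                     local_net: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """'Examine the IP addresses in the message header': check each Received: IP in turn
    and report the first one that is listed together with the entry that listed it."""
    for ip in header_ips:
        hit = ip_listed(ip, services, resolve, local_net)
        if hit:
            return (ip, hit)
    return None


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "bl-one.example"))        # 10.2.0.192.bl-one.example
    print(ip_listed("192.0.2.10", ["bl-one.example,bl-two.example"]))  # on both lists: group hit
    print(ip_listed("192.0.2.20", ["bl-one.example,bl-two.example"]))  # on one list only: None
    print(ip_listed("10.1.2.3", ["bl-one.example"]))                # listed, but excluded: None
```

The exclusion check runs before any lookup, which is why private addresses from internal Received: lines never generate queries even when a list would answer for them.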
Greylisting
Greylisting spam filter, based on http://www.greylisting.org
The Greylisting method looks at three pieces of information about any particular mail delivery attempt:
- The IP address of the host attempting the delivery
- The envelope sender address
- The envelope recipient address
From this a unique triplet identifying the message is created. If this triplet has never been seen before, and the sender is neither excluded nor on the white list, then the message delivery is refused with a temporary failure.
Any normal SMTP server will reschedule the message and resend it after some time (usually 10 - 15 minutes).
Spammers, however, use sending applications designed specifically for spamming. These applications usually adopt the fire-and-forget methodology: they attempt to send the spam to one or several MX hosts for a domain, but then never attempt a true retry as a real SMTP server would.
If a sending host is found to actually resubmit a mail after a temporary rejection, there is no point in ever using Greylisting with that host again. XWall excludes the host, because the host queues mail properly and is not a fire-and-forget spammer. It may be a spammer or an open relay, but Greylisting is not going to help you deal with it.
There are some misbehaving mail servers that have a problem with Greylisting, and XWall automatically excludes them. You will find the list at Greylisting Exclusions.
Note: Make sure your backup MX SMTP server also runs XWall or any other SMTP server that supports Greylisting, or else the spammer will bypass XWall by sending to XWall first and then to the backup MX. If your backup MX does not support Greylisting, then you can use our MTA Backup Service.
- Max triplets to gather
Defines how many triplets XWall should remember
- Initial delay of a previously unknown triplet
- Lifetime of triplets that have allowed mail to pass
- Lifetime of triplets that have not yet allowed a mail to pass
Define the time intervals for the triplets
- Accept all IP addresses from a Class C net
If checked, XWall ignores the rightmost part of the IP address (10.0.0.x) when creating the triplet. This treats all servers in a Class C net the same and prevents infinite blocking when the sender uses a server farm where each connection comes from a different IP address.
- Log detailed triplet description (last seen, time elapsed)
If this is enabled, XWall shows a detailed description of the status of the triplet, including the last seen and elapsed time.
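The triplet logic above, including the three time intervals, the Class C option and the triplet limit, as an added Python example that is not XWall's implementation. The interval defaults and the SMTP reply texts are this example's assumptions (the text gives no numbers); the clock is passed in explicitly so the behaviour is reproducible, where a real server would use the current time.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Triplet:
    first_seen: float
    last_seen: float
    passed: bool = False   # has this triplet ever let a message through?


class Greylister:
    """Triplet store keyed by (IP, envelope sender, envelope recipient)."""

    # Defaults are assumptions of this example; the product exposes them as settings.
    def __init__(self, initial_delay: float = 300.0, passed_lifetime: float = 36 * 24 * 3600.0,
                 unpassed_lifetime: float = 4 * 3600.0, class_c: bool = False,
                 max_triplets: int = 10000) -> None:
        self.initial_delay = initial_delay
        self.passed_lifetime = passed_lifetime
        self.unpassed_lifetime = unpassed_lifetime
        self.class_c = class_c
        self.max_triplets = max_triplets
        self.triplets: Dict[Tuple[str, str, str], Triplet] = {}

    def _key(self, ip: str, sender: str, rcpt: str) -> Tuple[str, str, str]:
        if self.class_c:
            # "Accept all IP addresses from a Class C net": drop the rightmost octet (10.0.0.x -> 10.0.0.0).
            ip = str(ipaddress.ip_network(ip + "/24", strict=False).network_address)
        return (ip, sender.lower(), rcpt.lower())

    def _expire(self, now: float) -> None:
        # Passed triplets live for passed_lifetime after their last use; unpassed ones get
        # unpassed_lifetime from first sight to complete the retry (an assumption of this example).
        for key, t in list(self.triplets.items()):
            age = now - (t.last_seen if t.passed else t.first_seen)
            if age > (self.passed_lifetime if t.passed else self.unpassed_lifetime):
                del self.triplets[key]

    def check(self, ip: str, sender: str, rcpt: str, now: float,
              whitelisted: bool = False) -> Tuple[str, str]:
        """Return the SMTP reply code and text for this delivery attempt."""
        self._expire(now)
        if whitelisted:
            return ("250", "OK, sender excluded or white-listed; greylisting skipped")
        key = self._key(ip, sender, rcpt)
        t = self.triplets.get(key)
        if t is None:
            if len(self.triplets) >= self.max_triplets:   # "Max triplets to gather"
                oldest = min(self.triplets, key=lambda k: self.triplets[k].last_seen)
                del self.triplets[oldest]
            self.triplets[key] = Triplet(first_seen=now, last_seen=now)
            return ("451", "4.7.1 Greylisted, please try again later")
        t.last_seen = now
        if t.passed or now - t.first_seen >= self.initial_delay:
            t.passed = True
            return ("250", "OK, triplet known")
        return ("451", "4.7.1 Greylisted, please try again later")   # retried too early


if __name__ == "__main__":
    g = Greylister()
    args = ("192.0.2.10", "alice@sender.example", "bob@ourdomain.example")   # constructed
    print(g.check(*args, now=0))     # first sight: 451
    print(g.check(*args, now=60))    # retried within the initial delay: still 451
    print(g.check(*args, now=600))   # real MTA retry after the delay: 250
```

A fire-and-forget sender only ever sees the first 451; a conforming MTA retries after its queue interval, passes the initial delay, and from then on the triplet is known for passed_lifetime. Whether a whole /24 shares one triplet is the trade-off the Class C option decides.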
CCS
Enable Central Checksum Service (CCS) to detect bulk e-mail
The Central Checksum Service (CCS) is designed to detect bulk e-mail on a worldwide level.
To do this, XWall calculates a checksum of every incoming message and reports it to the CCS server. The CCS server accumulates the incoming reports and responds with how many messages with the same checksum were circulating in the past few hours.
Depending on the threshold you selected, XWall decides whether to classify an e-mail as bulk e-mail or not.
XWall communicates with the CCS server using port 53 udp or port 12178 udp.
If you have a Cisco PIX, then you need to make sure port 12178 is open.
For a live statistic of the CCS server click here.
- Threshold
Defines above which level XWall should trigger the action
- Log detailed triplet description (last seen, time elapsed)
If this is enabled, XWall shows a detailed description of how the CCS valued a checksum.
You can select one of the following actions to take with a message that is considered to be spam:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Note: The Central Checksum Service (CCS) is an add-on to XWall and requires a yearly subscription.
Click here to request a free 6 month subscription.
Bayes
Bayesian spam filter, based on Paul Graham's paper A Plan For Spam
Enable gathering of statistical data for the Bayesian filter (Learn Mode)
In Learn Mode XWall gathers statistical data about the frequency of the words that appear in the subject, the body text and the HTML text of the message.
Based on the other spam checking functions (SLS/RBL/MAPS, blocked strings, blocked or excluded addresses) the words are stored in a good-word list and a bad-word list.
Defines how large the good-word list and the bad-word list should become.
Note: More words take up more memory and CPU.
- Limit gathering to the first KB
Defines how many KB of the subject, the text and the HTML part of the message should be scanned.
Note: More KB take up more CPU. If you do not have that many messages (below 500 per hour), then you can set this value higher.
- Ignore common words when gathering
If enabled, XWall ignores common words when calculating the Bayes value.
This results in a more aggressive calculation.
- Classify spam by sending mail to this e-mail address
- Classify good messages by sending mail to this e-mail address
Defines an e-mail address that is NOT in your domain and that is used for manual classification of spam messages.
If you are not sure what e-mail address you should use, then use spam@bayes.spam and nospam@bayes.spam.
To manually classify a spam message, forward it to spam@bayes.spam.
To manually classify a good message, forward it to nospam@bayes.spam.
Exchange will forward the message to XWall (because the address is not local), and XWall will then capture the message, feed Bayes with it and discard the message.
Note: Make sure that your outgoing mail goes through XWall, or XWall will not be able to get the message and you will get back a non-delivery report from Exchange.
Also make sure you remove your own signature and header lines when you forward a message using Outlook, or else your own signature goes into the bad-word list.
Enable a statistical approach with the Bayesian filter to filter out spam mails using
- Paul Graham's original method
- Gary Robinson's alternative method
The classification algorithm is based on Bayes' formula: it compares the frequencies of the words in the message with those found in the good-word list and the bad-word list and calculates the spam value of the message.
- Assume spam when the value is more than xx
If the spam value is more than 90 (Paul Graham's method) or more than 60 (Gary Robinson's method), the selected action will be triggered.
The main difference between the two methods is that Paul Graham's method tends to generate values that are either very low (somewhere around zero) or very high (90 and above), but nothing in the middle. So it is hard to adjust the value at which a message should be considered spam.
Gary Robinson's alternative method generates more evenly spread numbers from zero to 100, and you will see a lot of messages with a spam value of 37 or 54 or something like that.
Note: It takes at least 1000 learned e-mails before the classification algorithm starts working.
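The two scoring methods named above, implemented side by side as an added Python example (not XWall's code) so the difference the text describes can be seen on real numbers. The training corpus is a constructed handful of messages, far below the 1000 the note recommends; the per-word probability follows Graham's plan (doubled good counts, 0.4 for unknown words, clamped to 0.01..0.99) and the combination step is Graham's product formula on one side and Robinson's geometric-mean formula on the other, both scaled to 0..100 to match the thresholds 90 and 60. The choice to score every word even when seen only once is a simplification of this example.

```python
import math
import re
from collections import Counter
from typing import List

WORD_RE = re.compile(r"[a-z0-9$'-]+")


def tokenize(text: str) -> List[str]:
    return WORD_RE.findall(text.lower())


class BayesFilter:
    """Good-word / bad-word lists plus the two scoring methods the text names."""

    def __init__(self) -> None:
        self.good: Counter = Counter()   # word -> number of good messages containing it
        self.bad: Counter = Counter()    # word -> number of spam messages containing it
        self.ngood = 0
        self.nbad = 0

    def learn(self, text: str, is_spam: bool) -> None:
        tokens = set(tokenize(text))     # one count per message, as in Graham's plan
        if is_spam:
            self.bad.update(tokens)
            self.nbad += 1
        else:
            self.good.update(tokens)
            self.ngood += 1

    def word_prob(self, word: str) -> float:
        """Graham's per-word spam probability; good counts are doubled to bias against false positives."""
        g = 2 * self.good[word]
        b = self.bad[word]
        if g + b == 0:
            return 0.4                   # never seen: Graham's prior for unknown words
        pg = min(1.0, g / self.ngood) if self.ngood else 0.0
        pb = min(1.0, b / self.nbad) if self.nbad else 0.0
        if pg + pb == 0:
            return 0.4
        return max(0.01, min(0.99, pb / (pg + pb)))

    def graham_score(self, text: str, n_interesting: int = 15) -> float:
        """Paul Graham: keep the 15 words farthest from 0.5 and combine them as
        prod(p) / (prod(p) + prod(1-p)). Returns 0..100."""
        probs = sorted((self.word_prob(w) for w in set(tokenize(text))),
                       key=lambda p: abs(p - 0.5), reverse=True)[:n_interesting]
        if not probs:
            return 50.0
        prod = math.prod(probs)
        inv = math.prod(1.0 - p for p in probs)
        return 100.0 * prod / (prod + inv)

    def robinson_score(self, text: str, s: float = 1.0, x: float = 0.5) -> float:
        """Gary Robinson: shrink each p toward x with strength s (rare words count less),
        combine all words by geometric means P (from 1-f) and Q (from f), and report
        S = (1 + (P-Q)/(P+Q)) / 2. Returns 0..100."""
        tokens = set(tokenize(text))
        if not tokens:
            return 50.0
        fs = []
        for w in tokens:
            n = self.good[w] + self.bad[w]
            fs.append((s * x + n * self.word_prob(w)) / (s + n))
        k = len(fs)
        P = 1.0 - math.prod(1.0 - f for f in fs) ** (1.0 / k)
        Q = 1.0 - math.prod(fs) ** (1.0 / k)
        if P + Q == 0:
            return 50.0
        return 100.0 * (1.0 + (P - Q) / (P + Q)) / 2.0


def trained_filter() -> BayesFilter:
    """A filter trained on a tiny constructed corpus (an assumption of this example)."""
    f = BayesFilter()
    for text in ("cheap viagra buy now", "free money click here", "buy cheap pills now"):
        f.learn(text, is_spam=True)
    for text in ("meeting tomorrow about the project",
                 "please review the attached report",
                 "lunch with the team tomorrow"):
        f.learn(text, is_spam=False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("buy cheap viagra now", "please review the project report tomorrow",
                "meeting tomorrow buy cheap pills"):
        print(f"{msg!r}: graham={f.graham_score(msg):.1f} robinson={f.robinson_score(msg):.1f}")
```

The third message, which mixes two good words with three spam words, is where the two methods part ways: Graham's product pushes it above 90, while Robinson's geometric means leave it in the fifties, which is exactly why the text gives the two methods different thresholds.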
You can select one of the following actions to take with a message that is considered to be spam:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Heuristic
Enable a heuristic approach to filter out spam mails
The classification algorithm is based on rules that apply a wide range of heuristic tests to mail headers and body text to identify spam messages.
Each rule has a weight, and the sum of the weights of all rules that triggered is the total spam value of a message.
- Log detailed description which rule was triggered
If this is enabled, XWall shows a detailed description of which heuristic rule was triggered.
- Assume spam when the value is equal or more than x
A value of 30 or less results in aggressive spam blocking; a value of 70 or more is relaxed spam blocking.
You can select one of the following actions to take with a message that is considered to be spam:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
SPF - Sender Permitted From - Sender Policy Framework
Block messages where the SPF results in a FAIL
Block messages where the SPF results in a SOFTFAIL
Block messages where the SPF results in a NEUTRAL
SPF works by domains publishing "reverse MX" records to tell the world which machines send mail from the domain. When receiving a message from a domain, those records are checked to make sure the mail is coming from where it should be coming from. This stops spammers who use a valid e-mail domain as the From: address but relay through a completely different mail server.
For example, AOL uses SPF to publish the IP addresses of its e-mail servers. When a message from AOL comes in, the IP address is checked against the published IP addresses, and if the IP address is not one of the published ones, then the SPF results in a FAIL.
More information about the SPF project at http://spf.pobox.com
Note: You should also publish your own TXT records; a wizard that creates the TXT records can be found at http://spf.pobox.com/wizard.html
- Examine the IP addresses in the message header
If checked, XWall will examine the IP addresses in the message header against SPF.
If unchecked, only the IP address of the sending server is checked.
- Use a default TXT record when the domain does not publish its own TXT record
A lot of domains do not publish their TXT records.
To overcome this, XWall can use a default TXT record for such domains.
The default TXT record is: v=spf1 ptr a mx -all
This means that SPF results in a PASS when one of the following is true:
- The host name of the sending server is from the same domain as the sender
- The IP address of the sending server is one of the A records of the sender's domain
- The IP address of the sending server is one of the MX records of the sender's domain
- Reject the message during the SMTP session
If checked, XWall will reject the message during the SMTP session and the message will not be accepted.
You can select one of the following actions to take with a message that is considered to be spam:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
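An added Python evaluation of the default record "v=spf1 ptr a mx -all" from the SPF section, showing how each of the three PASS conditions listed above and the final -all are checked; it is not XWall's SPF code and only implements the mechanisms that record uses. DNS answers come from a constructed table (all names under .example) instead of real queries. The ptr mechanism here requires the reverse name to resolve forward to the same IP, which is how the "same domain as the sender" condition is normally validated.

```python
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]

# Constructed DNS data standing in for real queries (an assumption of this example).
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("A", "sender.example"): ["192.0.2.10"],
    ("MX", "sender.example"): ["mail.sender.example"],
    ("A", "mail.sender.example"): ["192.0.2.20"],
    ("PTR", "192.0.2.30"): ["relay.sender.example"],
    ("A", "relay.sender.example"): ["192.0.2.30"],
    ("PTR", "203.0.113.7"): ["fake.sender.example"],   # claims the domain, but no A record confirms it
    ("PTR", "198.51.100.5"): ["host.elsewhere.example"],
    ("A", "host.elsewhere.example"): ["198.51.100.5"],
}


def fake_lookup(rtype: str, name: str) -> List[str]:
    return FAKE_DNS.get((rtype, name), [])


def mech_ptr(ip: str, domain: str, lookup: Lookup) -> bool:
    """ptr: the reverse name must lie in the sender's domain and resolve back to the IP."""
    for host in lookup("PTR", ip):
        host = host.lower()
        if (host == domain or host.endswith("." + domain)) and ip in lookup("A", host):
            return True
    return False


def mech_a(ip: str, domain: str, lookup: Lookup) -> bool:
    """a: the IP is one of the domain's A records."""
    return ip in lookup("A", domain)


def mech_mx(ip: str, domain: str, lookup: Lookup) -> bool:
    """mx: the IP is an A record of one of the domain's MX hosts."""
    return any(ip in lookup("A", mx.lower()) for mx in lookup("MX", domain))


QUALIFIER_RESULT = {"+": "PASS", "-": "FAIL", "~": "SOFTFAIL", "?": "NEUTRAL"}


def evaluate(ip: str, sender_domain: str, record: str = "v=spf1 ptr a mx -all",
             lookup: Lookup = fake_lookup) -> str:
    """Walk the record left to right; the first matching mechanism decides the result.
    Only ptr, a, mx and all are handled: enough for the default record in the text."""
    domain = sender_domain.lower()
    for term in record.split()[1:]:
        qualifier, mech = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        if mech == "all":
            matched = True
        elif mech == "ptr":
            matched = mech_ptr(ip, domain, lookup)
        elif mech == "a":
            matched = mech_a(ip, domain, lookup)
        elif mech == "mx":
            matched = mech_mx(ip, domain, lookup)
        else:
            raise ValueError(f"mechanism not supported in this example: {mech}")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "NEUTRAL"   # no mechanism matched and no 'all' term: SPF defines this as NEUTRAL


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "203.0.113.7", "198.51.100.5"):
        print(ip, evaluate(ip, "sender.example"))
```

The 203.0.113.7 case is the one worth noticing: its PTR record names a host inside sender.example, but since nothing resolves that name back to the address, ptr does not match and the record falls through to -all.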
SURBL
SURBL - Spam URI Realtime Blocklists - http://www.surbl.org
SURBL is an SLS/RBL that lists domains found in the HTML part of the message, usually meaning the domains of spam-advertised web sites.
The randomized-subdomain problem is solved by extracting the base domain on both the SURBL data and the message-checking client sides, then comparing those base domains. In this way any random labels added to the base domain are ignored. (The base domain is what would be registered with a name registrar.)
- Log detailed description about the URL in the message
If this is enabled, XWall shows a detailed description of which URL was found in the message.
- Action
You can select one of the following actions to take with a message that is considered to be spam:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Backscatter
Detect Backscatter
Backscatter occurs when a spammer uses your e-mail address to send out spam or a virus. For all the messages that can't be delivered, you get back a non-delivery report. Depending on the initial message volume you may get back thousands of non-delivery reports.
XWall checks the Received: header lines of the original message and compares the IP addresses with the IP address of the XWall machine, the SPF record and the IP address of the backup MX; if no match is found, then the system message is faked.
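The check just described, as an added Python example (not XWall's code): identify a system message by the DSN section's definition, pull the bounced original's headers out of the report, and look for one of our own addresses among its Received: lines. The two DSNs and the address set are constructed; the rule that an original without any Received: lines is left alone is this example's conservative choice, since there is nothing to compare.

```python
import email
import re
from email.message import Message
from typing import List, Set

# Received: lines carry the peer's IP in brackets, e.g. "from host (name [203.0.113.9])".
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers_text: str) -> List[str]:
    """All bracketed IPs from every Received: line of a header block, top to bottom."""
    msg = email.message_from_string(headers_text)
    ips: List[str] = []
    for value in msg.get_all("Received", []):
        ips.extend(BRACKET_IP.findall(value))
    return ips


def is_system_message(msg: Message) -> bool:
    """The text's definition: null return-path or a multipart/report body."""
    return (msg.get("Return-Path", "").strip() == "<>"
            or msg.get_content_type() == "multipart/report")


def original_headers(msg: Message) -> str:
    """Headers of the bounced original, from a message/rfc822 or text/rfc822-headers part."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0).as_string()
        if ctype == "text/rfc822-headers":
            return part.get_payload()
    return ""


def is_backscatter(raw_bounce: str, our_ips: Set[str]) -> bool:
    """True when a system message bounces an 'original' that never passed through one of
    our_ips (the XWall machine, the backup MX, the addresses our SPF record publishes).
    A bounce whose original cannot be seen is not flagged: there is nothing to compare."""
    msg = email.message_from_string(raw_bounce)
    if not is_system_message(msg):
        return False
    ips = received_ips(original_headers(msg))
    if not ips:
        return False
    return not any(ip in our_ips for ip in ips)


OUR_IPS = {"192.0.2.1", "192.0.2.2"}   # constructed: XWall host and backup MX


def _bounce(received_line: str) -> str:
    """Builds a constructed DSN whose embedded original carries the given Received: line."""
    return (
        "Return-Path: <>\n"
        "From: MAILER-DAEMON@elsewhere.example\n"
        "To: victim@ourdomain.example\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
        "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n"
        "--b1\nContent-Type: message/delivery-status\n\nAction: failed\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n"
        + received_line +
        "From: victim@ourdomain.example\nTo: someone@elsewhere.example\nSubject: Cheap pills\n"
        "--b1--\n"
    )


BACKSCATTER_BOUNCE = _bounce(
    "Received: from spamhost.example (unknown [203.0.113.9])\n"
    "\tby elsewhere.example with SMTP; Mon, 1 Jan 2024 10:00:00 +0000\n")
GENUINE_BOUNCE = _bounce(
    "Received: from xwall.ourdomain.example (xwall.ourdomain.example [192.0.2.1])\n"
    "\tby elsewhere.example with SMTP; Mon, 1 Jan 2024 10:00:00 +0000\n")

if __name__ == "__main__":
    print(is_backscatter(BACKSCATTER_BOUNCE, OUR_IPS))   # True: we never relayed the original
    print(is_backscatter(GENUINE_BOUNCE, OUR_IPS))       # False: it left through our XWall
```

Received: lines are written by the receiving hosts, so the forged original in a backscatter bounce can name anything it likes in From:, but it cannot make one of our addresses appear in a hop we never handled.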
You can select one of the following actions to take once backscatter is detected:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Phishing (beta)
Detect Phishing in HTML messages
Phishing means that the sender is either impersonating a domain that you trust (e.g. paypal.com or eBay.com) or wants to redirect your browser to a web site that is different from the site you think the browser goes to (used mostly with bank accounts).
Note: Phishing does not honor the white list or the global exclusions, because the exclusions usually contain trustworthy senders, and since exactly those senders are impersonated, the exclusions would open a security hole.
XWall checks the message for:
- a link in the message that appears to belong to one page, but whose underlying URL points to a different page
e.g. http://www.citibank.com/logon.asp vs. http://www.badsite.com/bad.php
- Ignore when the base domain matches
(http://www.site.com/logon.asp is equal to http://any.site.com/logon.asp)
This prevents false positives when the URL points to a different server in the same domain,
e.g. http://www.adobe.com vs. http://download.adobe.com
- detect masquerading as a trustworthy sender using SPF
XWall checks the SPF record of the sender, and if SPF returns FAIL, SOFTFAIL or NEUTRAL the message is classified as phishing.
Note: This SPF check has nothing to do with the SPF settings at Options->Spam->SPF
- Log detailed description about the URL in the message and the SPF result
If this is enabled, XWall shows a detailed description of which URL was found in the message and how SPF was performed.
- Action
You can select one of the following actions to take with a message that is considered to be spam:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
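The link check from the Phishing section (visible URL text on one host, href on another, with the "ignore when the base domain matches" option) as an added Python example; it is not XWall's code. The HTML is constructed and uses .example hosts in place of the brand names in the text. Taking the last two labels as the base domain is a simplification this example makes; a production check needs the public suffix list so that names under co.uk and similar are handled.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse


def base_domain(host: str) -> str:
    """Registrable-domain approximation: the last two labels (www.site.example -> site.example).
    Assumption of this example; real code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Host part of a URL; bare 'www.host/...' text is treated as an http URL."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return text.lower().startswith(("http://", "https://", "www."))


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the HTML part."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html: str, ignore_same_base: bool = True) -> List[Tuple[str, str]]:
    """(shown text, real href) for links whose visible text looks like a URL on one host
    while the href goes to another. With ignore_same_base, hosts that share a base domain
    (www.site.example vs download.site.example) are not reported."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue                      # "Click here" style text cannot contradict the href
        shown, real = host_of(text), host_of(href)
        if not shown or not real or shown == real:
            continue
        if ignore_same_base and base_domain(shown) == base_domain(real):
            continue
        hits.append((text, href))
    return hits


# Constructed sample HTML (hosts use .example; none is a real site).
SAMPLE_HTML = """
<p>Please <a href="http://www.badsite.example/bad.php">http://www.bank.example/logon.asp</a> now.</p>
<p>Get it at <a href="http://download.vendor.example/">http://www.vendor.example</a>.</p>
<p><a href="http://www.newsletter.example/u">Click here</a> to unsubscribe.</p>
<p><a href="http://www.bank.example/logon.asp">http://www.bank.example/logon.asp</a></p>
"""

if __name__ == "__main__":
    print(deceptive_links(SAMPLE_HTML))                          # only the bank/badsite link
    print(deceptive_links(SAMPLE_HTML, ignore_same_base=False))  # the vendor link too
```

Only links whose visible text is itself a URL can be judged this way; a text like "Click here" makes no claim about where it goes, which is why the third link is skipped rather than reported.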
Senderbase
Enable Senderbase (http://www.senderbase.org) to detect message volume spikes
Senderbase collects data for a large share of the world's e-mail traffic. Based on this data, Senderbase calculates a daily and a monthly magnitude for every IP address and domain.
If the daily magnitude is much larger than the monthly magnitude, then the IP address or domain is sending more than on average. Usually such a spike happens because the IP address or domain sends out spam, but a virus outbreak is also possible, or even a newsletter.
- Log detailed description which rule detected the spike
If this is enabled, XWall shows a detailed description of which rule was used to detect the message volume spike.
- Action
You can select one of the following actions to take with a message that is considered to be spam:
- Discard message
- Encapsulate and forward to Postmaster
- Encapsulate and send to recipient
- Encapsulate and send to recipient without attachments
- Send a non-delivery report to the sender
- Mark subject
- Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
- Forward to Postmaster
- Forward to recipient
Envelope Inbound Messages
A BCC message is a message where the recipients address is not in the To: or CC: field.
Most SPAM messages are addressed using BCC and this is a way to mark this kind of messages.
You can select one of the following what should happen with the message once a BCC is detected:
-
Discard message
-
Encapsulate and forward to Postmaster
-
Encapsulate and send to recipient
-
Encapsulate and send to recipient without attachments
-
Send a non-delivery report to the sender
-
Mark subject
-
Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
-
Forward to Postmaster
-
Forward to recipient
A From: is faked when the e-mail address in the From: line of the message does not match the e-mail address of the message envelope (the MAIL FROM: address of the SMTP transfer).
The From: address is also treated as faked if it is the same as the recipient's address.
Mailing lists, forwarding services and many bulk senders legitimately use an envelope address that differs from the From: line, so this check also produces false positives for such senders.
You can select one of the following actions once a faked From: is detected:
-
Discard message
-
Encapsulate and forward to Postmaster
-
Encapsulate and send to recipient
-
Encapsulate and send to recipient without attachments
-
Send a non-delivery report to the sender
-
Mark subject
-
Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
-
Forward to Postmaster
-
Forward to recipient
An internal From: is detected when the sender of an inbound message uses an e-mail domain that is hosted on your Exchange server.
You can select one of the following actions once an internal From: is detected:
-
Discard message
-
Encapsulate and forward to Postmaster
-
Encapsulate and send to recipient
-
Encapsulate and send to recipient without attachments
-
Send a non-delivery report to the sender
-
Mark subject
-
Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
-
Forward to Postmaster
-
Forward to recipient
-
Check if the message is coming from a faked MX
An MX is faked when the hostname of the sending host does not belong to the sending domain, or the IP address of the sending host is not among the MX records for that domain.
However, no RFC requires that a message be sent from a specific host, and MX records describe where a domain receives mail, not which hosts it sends from. This check therefore tests something that is common, but not something that is required.
You can select one of the following actions once a faked MX is detected:
-
Discard message
-
Encapsulate and forward to Postmaster
-
Encapsulate and send to recipient
-
Encapsulate and send to recipient without attachments
-
Send a non-delivery report to the sender
-
Mark subject
-
Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
-
Forward to Postmaster
-
Forward to recipient
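The four envelope checks described above (BCC, faked From:, internal From:, faked MX), written out as stand-alone functions over a parsed message and its SMTP envelope. This is an added example and not XWall code. The hosted-domain list, the DNS table and the three sample messages are constructed for the demo; a real faked-MX check would resolve MX and A records instead of reading the table. The mailing-list sample is included to show the false positives mentioned above: a legitimate list post trips both the BCC and the faked From: check.

```python
"""Envelope checks as stand-alone functions. Added example, not XWall code.
LOCAL_DOMAINS, FAKE_DNS and the messages below are constructed for the demo."""
from email import message_from_string
from email.policy import default

LOCAL_DOMAINS = {"example.com"}  # constructed: domains hosted on "our" Exchange server

# Constructed stand-in for DNS: domain -> MX hostnames and hostname -> A records.
FAKE_DNS = {
    "example.net": {
        "mx": {"mail.example.net"},
        "a": {"mail.example.net": {"198.51.100.10"}},
    },
}


def _header_addrs(msg, name):
    """Lower-cased addr-specs from every instance of a header (groups flattened)."""
    return {a.addr_spec.lower() for h in msg.get_all(name, []) for a in h.addresses}


def is_bcc(msg, rcpt_to):
    """BCC message: the envelope recipient appears in neither To: nor Cc:."""
    return rcpt_to.lower() not in _header_addrs(msg, "To") | _header_addrs(msg, "Cc")


def is_faked_from(msg, mail_from, rcpt_to):
    """Faked From: the header From: differs from MAIL FROM, or equals the recipient."""
    hdr_from = next(iter(_header_addrs(msg, "From")), "")
    return hdr_from != mail_from.lower() or hdr_from == rcpt_to.lower()


def is_internal_from(msg):
    """Internal From: the From: line of an inbound message uses one of our own domains."""
    hdr_from = next(iter(_header_addrs(msg, "From")), "")
    return hdr_from.rpartition("@")[2] in LOCAL_DOMAINS


def is_faked_mx(sending_host, sending_ip, mail_from, dns=FAKE_DNS):
    """Faked MX: the sending host is not named under the sender's domain, or its IP
    is not one of that domain's MX hosts. Outbound mail is not required to come
    from an MX host, so a hit is a hint, not proof."""
    domain = mail_from.rpartition("@")[2].lower()
    record = dns.get(domain)
    if record is None:
        return True  # assumption for the demo: an unresolvable domain counts as faked
    host = sending_host.lower()
    host_ok = host == domain or host.endswith("." + domain)
    mx_ips = set().union(*(record["a"].get(mx, set()) for mx in record["mx"]))
    return not (host_ok and sending_ip in mx_ips)


def run_envelope_checks(raw, mail_from, rcpt_to):
    """Apply the header-based checks to one raw message and its envelope."""
    msg = message_from_string(raw, policy=default)
    return {
        "bcc": is_bcc(msg, rcpt_to),
        "faked_from": is_faked_from(msg, mail_from, rcpt_to),
        "internal_from": is_internal_from(msg),
    }


# Constructed messages; only the headers matter for these checks.
SPAM = """From: "Alice" <alice@example.com>
To: undisclosed-recipients:;
Subject: Drive yourself wild with a motor home...

Buy now.
"""
LIST_POST = """From: Carol <carol@example.net>
To: devs@list.example.org
Subject: [devs] Build is green again

Thanks all.
"""
DIRECT = """From: Carol <carol@example.net>
To: alice@example.com
Subject: Lunch?

Monday works for me.
"""

if __name__ == "__main__":
    # Spam forging the recipient's own address: every check fires.
    print(run_envelope_checks(SPAM, "bounce-9913@spammer.example", "alice@example.com"))
    # Legitimate mailing-list post: BCC and faked From: fire as well (false positives).
    print(run_envelope_checks(LIST_POST, "devs-bounces@list.example.org", "alice@example.com"))
    # Same sender from its MX host versus from a dial-up host.
    print(is_faked_mx("mail.example.net", "198.51.100.10", "carol@example.net"))
    print(is_faked_mx("dsl-17.isp.example", "203.0.113.5", "carol@example.net"))
```

Because the list post fires two of the checks, the Mark subject actions are the safer pairing for these methods than Discard message.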
Image
Image spam
An image spam message is a message where the spam content is carried in an attachment, usually an image, a PDF or an archive.
-
Detect empty message with a picture
The message must be an HTML message with at least one picture, no text and no other attachment.
The first wave of image spam messages was built from a picture alone, with no text at all.
-
Detect message with a picture
The message must be an HTML message with at least one picture, any amount of text, no other attachment and no URL.
The second wave of image spam still carries the picture, but some text is added to the message.
Usually the text is English prose or nonsense.
Note: Enabling this will block basically any HTML message with a picture,
even when the picture is a logo such as the one used at the top of many messages or inside a signature.
-
Detect empty message with a PDF
The message must have no text and exactly one PDF attached, and the subject must be either blank or contain the filename.
-
Detect empty message with a RAR-ZIP
The message must have no text and exactly one ZIP file attached (or a RAR file renamed to .zip), and the subject must be either blank or contain the filename.
-
Action
You can select one of the following actions once image spam is detected:
-
Discard message
-
Encapsulate and forward to Postmaster
-
Encapsulate and send to recipient
-
Encapsulate and send to recipient without attachments
-
Send a non-delivery report to the sender
-
Mark subject
-
Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
-
Forward to Postmaster
-
Forward to recipient
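The four image spam rules above, applied to MIME messages. This is an added example and not XWall code. The messages are built with the standard library and the PNG, PDF and archive payloads are a few magic bytes rather than real files; the archive rule sniffs those magic bytes instead of trusting the .zip extension, which is how a RAR renamed to ZIP is told apart from a real ZIP. The "logo with text" sample is included to show the note above in action: a harmless HTML message with a signature logo and no URL is caught by the second rule.

```python
"""Image spam rules over MIME messages. Added example, not XWall code.
Sample payloads are magic bytes only; addresses and subjects are constructed."""
import re
from email.message import EmailMessage

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
TAG_RE = re.compile(r"<[^>]+>")


def _inventory(msg):
    """Bucket the leaf MIME parts by what the rules care about."""
    inv = {"text": [], "images": [], "pdf": [], "zip": [], "other": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype in ("text/plain", "text/html"):
            inv["text"].append(part)
        elif part.get_content_maintype() == "image":
            inv["images"].append(part)
        elif ctype == "application/pdf" or fname.endswith(".pdf"):
            inv["pdf"].append(part)
        elif fname.endswith(".zip"):
            inv["zip"].append(part)
        else:
            inv["other"].append(part)
    return inv


def _visible_text(parts):
    """Text a reader would see: HTML tags stripped, whitespace collapsed."""
    chunks = []
    for p in parts:
        body = p.get_content()
        if p.get_content_subtype() == "html":
            body = TAG_RE.sub(" ", body)
        chunks.append(body)
    return " ".join(" ".join(chunks).split())


def _archive_kind(part):
    """Identify the archive by magic bytes, not by its file name."""
    data = part.get_payload(decode=True) or b""
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def _subject_ok(msg, part):
    """PDF/ZIP rules: subject blank or containing the attachment's file name."""
    subject = str(msg["Subject"] or "").strip()
    return subject == "" or (part.get_filename() or "").lower() in subject.lower()


def classify_image_spam(msg):
    """Return the name of the first matching rule, or None."""
    inv = _inventory(msg)
    text = _visible_text(inv["text"])
    is_html = any(p.get_content_subtype() == "html" for p in inv["text"])
    has_url = any(URL_RE.search(p.get_content()) for p in inv["text"])
    no_attachments = not (inv["pdf"] or inv["zip"] or inv["other"])
    if is_html and inv["images"] and no_attachments:
        if not text:
            return "empty message with a picture"
        if not has_url:
            return "message with a picture"  # aggressive: catches signature logos too
    if not text and not inv["images"] and not inv["other"]:
        if len(inv["pdf"]) == 1 and not inv["zip"] and _subject_ok(msg, inv["pdf"][0]):
            return "empty message with a PDF"
        if len(inv["zip"]) == 1 and not inv["pdf"] and _subject_ok(msg, inv["zip"][0]):
            if _archive_kind(inv["zip"][0]) == "rar":
                return "empty message with a RAR renamed to ZIP"
            return "empty message with a ZIP"
    return None


def _base(subject):
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "alice@example.com"
    if subject:
        msg["Subject"] = subject
    return msg


def html_with_picture(html, subject="Hello"):
    """HTML body plus one inline PNG (multipart/related)."""
    msg = _base(subject)
    msg.set_content(html, subtype="html")
    msg.add_related(b"\x89PNG\r\n\x1a\n" + bytes(16), maintype="image", subtype="png", cid="<pic1>")
    return msg


def empty_with_attachment(data, filename, subtype, subject):
    """Empty text body plus one application/<subtype> attachment."""
    msg = _base(subject)
    msg.set_content("")
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg


if __name__ == "__main__":
    print(classify_image_spam(html_with_picture('<html><body><img src="cid:pic1"></body></html>')))
    print(classify_image_spam(html_with_picture('<p>Hi Alice, see you Monday.</p><img src="cid:pic1">')))
    print(classify_image_spam(empty_with_attachment(b"Rar!\x1a\x07\x00", "photos.zip", "zip", "photos.zip")))
```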
Session
Inbound SMTP Session
Protects against open proxies and SMTP slammers, which send SMTP traffic without waiting for the SMTP greeting.
If enabled, XWall waits 2 seconds before sending the initial 220 SMTP greeting.
If any traffic is received before then, a 554 SMTP response is sent and the session is closed.
-
Enable tar pitting / honey pot / teergrube to protect against a directory harvest attack
A directory harvest attack is an attempt to determine the valid e-mail addresses associated with an e-mail server so that they can be added to a spam database.
Tar pitting / honey pot / teergrube is the practice of deliberately inserting a delay into certain SMTP communications. By slowing down the SMTP conversation, you dramatically reduce the rate at which a dictionary attack can be conducted.
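Both session checks above, the delayed 220 greeting and the tar pit, in a minimal asyncio SMTP front end, with a scripted slammer and a scripted directory harvester run against it. This is an added example and not XWall code. The banner delay is shortened from XWall's 2 seconds so the demo finishes quickly; the tar-pit threshold and delay, the 554 text, the hostname and the recipient directory are assumed values for the demo.

```python
"""Delayed-greeting check and RCPT tar pit in one asyncio SMTP front end.
Added example, not XWall code; all timings and names below are demo values."""
import asyncio
import time

GREETING_DELAY = 0.3       # XWall uses 2 seconds; shortened for the demo
TARPIT_THRESHOLD = 2       # unknown recipients tolerated per session (assumed)
TARPIT_DELAY = 0.2         # latency added to each further RCPT TO (assumed)
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}  # constructed directory


async def handle_session(reader, writer, log):
    # Check 1: a well-behaved client sends nothing until it has seen our 220.
    try:
        early = await asyncio.wait_for(reader.read(1024), timeout=GREETING_DELAY)
    except asyncio.TimeoutError:
        early = b""
    if early:
        log.append(("pre-greeting", early.decode(errors="replace").strip()))
        writer.write(b"554 SMTP traffic received before greeting\r\n")
        await writer.drain()
        writer.close()
        return
    writer.write(b"220 mx.example.com ESMTP ready\r\n")
    await writer.drain()

    unknown = 0
    while True:
        line = await reader.readline()
        if not line:
            break
        verb, _, arg = line.decode(errors="replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            reply = b"250 mx.example.com\r\n"
        elif verb == "MAIL":
            reply = b"250 OK\r\n"
        elif verb == "RCPT":
            addr = arg.split(":", 1)[-1].strip().strip("<>").lower()
            if addr in VALID_RECIPIENTS:
                reply = b"250 OK\r\n"
            else:
                unknown += 1
                if unknown > TARPIT_THRESHOLD:
                    # Check 2: from here on every guess costs the harvester TARPIT_DELAY.
                    log.append(("tarpit", addr))
                    await asyncio.sleep(TARPIT_DELAY)
                reply = b"550 5.1.1 No such user\r\n"
        elif verb == "QUIT":
            writer.write(b"221 Bye\r\n")
            await writer.drain()
            break
        else:
            reply = b"502 Command not implemented\r\n"
        writer.write(reply)
        await writer.drain()
    writer.close()


async def _client(port, commands, wait_for_banner):
    """Scripted SMTP client; a slammer passes wait_for_banner=False."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    replies = []
    if wait_for_banner:
        replies.append((await reader.readline()).decode().strip())
    for cmd in commands:
        writer.write(cmd.encode() + b"\r\n")
        await writer.drain()
        line = await reader.readline()
        if not line:
            break  # server hung up on us
        replies.append(line.decode().strip())
    writer.close()
    return replies


async def _demo():
    log = []
    server = await asyncio.start_server(
        lambda r, w: handle_session(r, w, log), "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    try:
        slammer = await _client(port, ["EHLO slammer.example"], wait_for_banner=False)
        started = time.monotonic()
        harvester = await _client(port, [
            "EHLO harvester.example", "MAIL FROM:<x@example.org>",
            "RCPT TO:<a@example.com>", "RCPT TO:<b@example.com>",
            "RCPT TO:<c@example.com>", "RCPT TO:<alice@example.com>", "QUIT",
        ], wait_for_banner=True)
        elapsed = time.monotonic() - started
    finally:
        server.close()
    return {"slammer": slammer, "harvester": harvester, "log": log, "elapsed": elapsed}


def run_demo():
    return asyncio.run(_demo())


if __name__ == "__main__":
    print(run_demo())
```

The slammer gets 554 and no banner; the harvester receives 550 for its unknown recipients, but only the third and later guesses are delayed, so legitimate senders that mistype one or two addresses are not slowed down.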
UDM
Enable an external program
XWall calls the external program or script, and if the program returns an error level greater than zero, XWall triggers the selected action.
A sample script ( UDM.vbs ) is included in Approve-Toolkit.zip, which you may download separately.
-
Program
The name of the program or script that XWall should run.
Note: It is up to the external program to do anything useful with the message.
-
Parameters
The parameters ( arguments ) that XWall should pass to the program.
There are two placeholders for built-in data:
If <DATAFILE> is specified, this placeholder is expanded to the full file name of a file that holds the decoded message parts. For a description of the parts and how to access them, see the sample UDM.vbs script.
If <RAWMSG> is specified, this placeholder is expanded to the full file name of the raw message, and it is up to the program to decode the message.
-
Log detailed description how the program is executed
If checked, XWall shows how the program is executed and what return code (error level) the process returns.
-
Program needs to be serialized
If checked, XWall starts only one instance of the program at a time;
other messages are queued up until the program finishes.
-
Action
You can select one of the following actions once the program returns an error level greater than zero:
-
Discard message
-
Encapsulate and forward to Postmaster
-
Encapsulate and send to recipient
-
Encapsulate and send to recipient without attachments
-
Send a non-delivery report to the sender
-
Mark subject
-
Mark subject and move to Junk-E-Mail folder
Note: This option requires XWALLFilter installed
-
Forward to Postmaster
-
Forward to recipient
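How the pieces of the external-program contract above fit together: the configured Parameters string is expanded, the program is run, and an error level above zero counts as a detection. This is an added example and not XWall code; Python is used in place of the VBScript that ships in the toolkit. The small checker written to a temporary file stands in for UDM.vbs, and its rule (flag messages whose Subject contains "[TEST-BLOCK]") is made up for the demo. Only <RAWMSG> is exercised here, since the demo produces no decoded-parts file for <DATAFILE>.

```python
"""External-program hook: placeholder expansion, execution, error-level check.
Added example, not XWall code; the checker and its rule are constructed."""
import os
import shlex
import subprocess
import sys
import tempfile
import threading

# Stand-in for UDM.vbs: exit 1 (detected) when the Subject carries a marker.
CHECKER_SOURCE = r'''
import sys
from email import message_from_binary_file
with open(sys.argv[1], "rb") as fh:
    msg = message_from_binary_file(fh)
sys.exit(1 if "[TEST-BLOCK]" in (msg["Subject"] or "") else 0)
'''

_serial_lock = threading.Lock()


def expand_parameters(template, datafile="", rawmsg=""):
    """Split the configured parameter string shell-style (POSIX quoting rules
    here), then substitute the placeholders per argument. Handing subprocess a
    list instead of a command line means a hostile file name can never be
    parsed as extra arguments by a shell."""
    return [tok.replace("<DATAFILE>", datafile).replace("<RAWMSG>", rawmsg)
            for tok in shlex.split(template)]


def run_udm(program, parameters, rawmsg, datafile="", serialized=False, timeout=30):
    """Return True when the external program reports a detection (error level > 0)."""
    argv = [program] + expand_parameters(parameters, datafile=datafile, rawmsg=rawmsg)
    if serialized:
        # "Program needs to be serialized": one instance at a time, others wait.
        with _serial_lock:
            rc = subprocess.run(argv, timeout=timeout).returncode
    else:
        rc = subprocess.run(argv, timeout=timeout).returncode
    return rc > 0


def demo():
    """Run the stand-in checker over two constructed raw messages."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        checker = os.path.join(tmp, "udm_check.py")
        with open(checker, "w") as fh:
            fh.write(CHECKER_SOURCE)
        samples = {  # constructed raw messages
            "spam": b"From: a@example.net\r\nTo: b@example.com\r\nSubject: [TEST-BLOCK] hello\r\n\r\nbody\r\n",
            "ham": b"From: a@example.net\r\nTo: b@example.com\r\nSubject: hello\r\n\r\nbody\r\n",
        }
        for name, raw in samples.items():
            path = os.path.join(tmp, name + ".eml")
            with open(path, "wb") as fh:
                fh.write(raw)
            # Equivalent of Program = python, Parameters = "<checker> <RAWMSG>"
            results[name] = run_udm(sys.executable, f'"{checker}" "<RAWMSG>"',
                                    rawmsg=path, serialized=True)
    return results


if __name__ == "__main__":
    print(demo())
```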
Approve
Approve the method and action using an external program
XWall passes the message data and the status of all methods to the program for approval. The program can either approve the status or return a different method and/or action, and XWall then continues using that information.
A sample script ( ApproveAction.vbs ) is included in Approve-Toolkit.zip, which you may download separately.
-
Run the external program only when spam was detected
If checked, XWall runs the program only when at least one method has fired and an action is set.
If unchecked, XWall runs the program for all messages.
-
Log detailed description how the program is executed
If checked, XWall shows how the program is executed and what return code (error level) the process returns.
-
Program needs to be serialized
If checked, XWall starts only one instance of the program at a time;
other messages are queued up until the program finishes.