Richweb Mail Content Filter: MailScanner FAQ

What is MailScanner and how does it work?
MailScanner examines each incoming message and prevents viruses and spam from reaching your Inbox. Its content analysis features and dangerous-content blocklists make it more effective at catching both spam and dangerous phishing emails than any other mail filtering solution on the market. Phishing emails are very troublesome because they can trick even technically adept computer users into giving financial, corporate and personal information to attackers, who will use and abuse it.

How does MailScanner compare with the MailFoundry Appliance?
MailFoundry excels at catching computer-generated spam built from templates, where the basic message is the same and only a name or web link differs from copy to copy. Spammers and phishers have caught up with this technique and now generate ever shorter messages, sometimes just a single link, which MailFoundry finds very hard to block without also blocking legitimate email. MailScanner is smarter: it carries regularly updated blacklists/blocklists of spam and phishing domains, so an email containing a link to a known phishing domain is blocked regardless of whether the message or its template has been seen before. MailScanner can also disarm (make safe) an email and send it along to your Inbox. See below for more details.

What is this {Cleaned} tag in the subject line of some messages?
MailScanner disarms, or cleans, dangerous HTML tags and commands that can infect your computer with spyware or trojans that steal your personal information. In particular, MailScanner detects unsafe HTML links where the CLAIMED destination (the link text you see) does not match the ACTUAL destination (the address the link really points to).
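The bait-and-switch check just described, as an added example that is not MailScanner's own code (MailScanner itself is written in Perl; this is a Python illustration). It flags anchors whose visible text is itself a URL or hostname naming a different host than the href, and IFRAMEs sized or styled to be invisible, and it rewrites the mismatched links to plain text the way the {Cleaned} processing described here does. The SAMPLE message and every hostname in it are constructed for the example.

```python
"""Bait-and-switch link and hidden IFRAME detector.

Added illustration of the {Cleaned} check; not MailScanner's own code.
SAMPLE and every hostname in it are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one bait-and-switch link, one hidden frame.
SAMPLE = """
<p>Please verify your account at
<a href="http://login.example-bad.test/steal">https://www.bank.example.com/login</a>
or read our <a href="https://news.example.org/">newsletter</a>.</p>
<iframe src="http://tracker.example-bad.test/x" width="0" height="0"></iframe>
"""

# Visible link text that "claims" a destination: a URL or a bare hostname.
_LOOKS_LIKE_URL = re.compile(
    r"^(?:https?://)?(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:[/:?#].*)?$", re.I | re.S
)


def host_of(text):
    """Lower-cased host of a URL or bare hostname, with any leading 'www.' dropped."""
    t = text.strip()
    if "://" not in t:
        t = "http://" + t
    host = (urlparse(t).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_mismatch(claimed, href):
    """True when the visible text names a host that differs from the href's host."""
    return bool(_LOOKS_LIKE_URL.match(claimed)) and host_of(claimed) != host_of(href)


class _Inspector(HTMLParser):
    """Collects (kind, claimed, actual) findings for anchors and iframes."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # visible text collected inside that anchor

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href") or "", []
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            invisible = (
                a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
                or "display:none" in style or "visibility:hidden" in style
            )
            if invisible:
                self.findings.append(("hidden-iframe", None, a.get("src") or ""))

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            claimed = "".join(self._text).strip()
            if is_mismatch(claimed, self._href):
                self.findings.append(("link-mismatch", claimed, self._href))
            self._href = None


def find_unsafe_html(html):
    """Return a list of (kind, claimed, actual) findings for the message body."""
    p = _Inspector()
    p.feed(html)
    p.close()
    return p.findings


_ANCHOR = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']?([^\"'\s>]+)[\"']?[^>]*>(.*?)</a>", re.I | re.S)
_TAG = re.compile(r"<[^>]+>")


def disarm_html(html):
    """Replace each bait-and-switch anchor with its visible text plus a marker,
    leaving honest links untouched."""
    def fix(m):
        href, claimed = m.group(1), _TAG.sub("", m.group(2)).strip()
        if is_mismatch(claimed, href):
            return f"{claimed} [link removed: it really pointed to {host_of(href)}]"
        return m.group(0)
    return _ANCHOR.sub(fix, html)


if __name__ == "__main__":
    for finding in find_unsafe_html(SAMPLE):
        print(finding)
    print(disarm_html(SAMPLE))
```

Only link text that itself looks like a URL or hostname is compared against the href; a link whose text is a word such as "newsletter" makes no claim about its destination and is left alone, which is what keeps the check from disarming every ordinary link in a newsletter.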
MailScanner removes such links and, if the rest of the message is deemed safe and not spam, sends it on to your Inbox with {Cleaned} in the subject to let you know the message has been made much safer. This is a good thing. Disarming or cleaning a message matters because new vulnerabilities and bugs are discovered every day in web browsers and email clients, typically Microsoft Outlook and Internet Explorer. As attackers devise ever more clever ways of tricking you AND your computer, MailScanner stops the basic bait-and-switch link tactic RIGHT AT THE SOURCE, the HTML. If an email from a mailing list or company arrives {Cleaned}, you can forward it back to the list owner or the company and ask them to fix their emails so that they are safer. In particular, hidden IFRAMEs in email messages are a bad idea, since attackers use them to trick you and your browser.

Does MailScanner delay email the way MailFoundry does?
No, it does not. Because MailFoundry needed time to learn spam signatures from the new spam that is constantly generated, the MailFoundry box holds incoming email from a new source (sender) for up to 15 minutes while it waits to see whether that sender or message template is identified as spam by the MailFoundry team. This is of course irritating AND it does not always work. If a directed attack of nasty spam hits one or a few of your users, or if your domain happens to be at the TOP of a spammer's list of thousands of domains about to be hit, you may be out of luck with MailFoundry: if the spammer can configure DNS properly and buy IP transit from a legitimate host that is not yet blacklisted, the spam will make it through to your Inbox.
MailScanner is smarter because it examines the actual content of the message (words AND links, pictures, etc.), not just its structure or template. It is therefore a stronger defense in hard cases such as a targeted attack or a large domain that receives spam from many different sources.

Why are some domains hit so much harder with spam than others?
Domains that receive far more spam have usually been around longer, and in almost every case one or more users on the domain have clicked links in spam or bought something advertised in spam. Spammers track EVERY message they send (typically through per-recipient tracking links), so they know who you are when you click a spam-vertised link. Your domain is then marked as having willing recipients who WANT spam, and spammers put much more effort into spamming it; they figure repeat business is worth more than chasing brand-new domains.

Is there a quarantine report for MailScanner?
No. MailScanner makes every attempt to disarm or fix messages and send them on to you in a safe state. When MailScanner does block a message it is very certain the message is spam, and it takes a system admin (at Richweb) to release it. Most spam is detected as high-scoring spam (what people tend to describe as "obvious" spam), and high-scoring spam is discarded. We found that most users never looked at the MailFoundry reports anyway, and for busy mailboxes the reports were so long that wading through them was a waste of time. MailScanner supports whitelisting of email senders and email domains. If you have a sender that you think is being rejected, send the email address to noc At richweb dot-com and we will take a look and whitelist the sender if the messages are indeed not getting through.

MailScanner info (intended for system admins)
  • The MailScanner system (like MailFoundry) rejects messages from sending computers that do not have a valid hostname and working reverse DNS. So if you get complaints that a remote system cannot send email to a domain on MailScanner, the first thing to check is forward and reverse DNS: the PTR record for the sending IP should name a host whose A record points back to that same IP. A site like mxtoolbox.com can be used for this.
  • MailScanner uses the exact same RBL checking as MailFoundry. If a sending computer is on the Spamhaus Zen blocklist (Zen combines the SBL, XBL and PBL lists), SMTP connections from that computer are dropped.
  • MailScanner can be set up NOT to disarm HTML emails from senders on a domain-by-domain basis. Contact NOC at richweb dot-com if you need a domain exempted. Remember that this increases the chance that your computers AND data will be infected or compromised by attackers.
  • Domains that receive a lot of messages (10 or more users, or a lot of dictionary-attack spam) should have each valid recipient configured in MailScanner, so that mail to addresses that do not exist is rejected outright. Domains that use Richweb as a backup MX, or that have low mail volumes, can simply have a domain record that handles all users @thedomain.com.
  • When troubleshooting delivery problems from a remote server (outbound from them, inbound to your domain), obtaining the SENDING IP ADDRESS of the remote mail server is very helpful. Remember, MX records are used for INBOUND email; very often the MX host of a domain is NOT the machine that sends its outbound email. You can get the IP address or hostname from the headers of a message that did make it through (for example, one sent to your test Gmail or Yahoo account).
I can't seem to get an email from a certain sender and it's not in the quarantine report!
What is most likely happening is that the computer system, network or company the person is sending from has been blacklisted. This happens when an internet (IP) address is either not set up to originate email properly, or an infected PC has sent so much spam from that address that it is no longer considered a legitimate source of business or personal email. You need to get the email administrator of the sending domain involved. In some cases Richweb can whitelist (permanently allow) the domain to send email; in other cases the administrator of the sending domain simply needs to correct the technical problems with their configuration and policy. In all cases, to dig into the problem Richweb needs the exact information below:
  A. Sending email domain
  B. Sending IP address (if possible) of the mail server that transmits the emails, i.e. the mail server's public IP or NAT address, NOT the IP address of the laptop sending the email. If the address you are given starts with 192.168, 10.x, or 172.16 through 172.31, you have been given an internal (RFC 1918) address, which of course is NOT useful in researching the problem. We need the public (routable) IP address.
You should also check the IP address yourself first in a DNS blocklist lookup tool such as http://www.dnsbl.info/ If the mail server hostname OR IP address of your organization (or of the organization of the person trying to send you email) shows as blocked there, you can expect moderate to severe mail delivery problems with most if not all email domains. Step one in solving this is addressing the underlying cause of the listing: someone is stealing your network resources to send spam. Richweb is happy to assist; of course we have to charge a consultation fee for sending domains that are not properly set up.
Typical problems we see are: missing reverse DNS, a bad SMTP HELO name, sending from a dynamic IP, and shared hosting at a site with a poor reputation (i.e. a hoster that hosts spammers). Refer to this page for additional Richweb information about DNS and email troubleshooting: http://www.richweb.com/mail_blocked
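The checks from the admin notes above and from this troubleshooting section (forward-confirmed reverse DNS, the Spamhaus Zen lookup name and its return codes, spotting an internal RFC 1918 address, a bad HELO name, a dynamic-looking PTR), as an added Python example that is not Richweb's or MailScanner's own tooling. DNS is replaced by an in-memory stand-in holding constructed records in the 203.0.113.0/24 documentation range so the script runs offline, and the dynamic-name keywords are a heuristic assumption of the example. To run it against a live host, replace StaticResolver with real PTR and A lookups (for instance with dnspython).

```python
"""Sender delivery-problem checks. Added example; not Richweb's or MailScanner's code.
The resolver records below are constructed for the example."""
import ipaddress

# The internal ranges the FAQ lists as useless for researching a delivery problem.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Documented Spamhaus Zen return codes (Zen bundles the SBL, XBL and PBL).
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: low-reputation sender",
    "127.0.0.10": "PBL: ISP dynamic/end-user range",
    "127.0.0.11": "PBL: Spamhaus-listed end-user range",
}
ZEN_CODES.update({f"127.0.0.{n}": "XBL: exploited host, proxy or bot" for n in range(4, 8)})

# Heuristic (assumption of this example): PTR names that usually mean a dynamic address.
DYNAMIC_HINTS = ("dyn", "dhcp", "pool", "ppp", "dsl", "cable")


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16: the caller sent you an internal address."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Name to look up: reversed octets (IPv4) or reversed nibbles (IPv6) under the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def decode_zen(answers):
    """Translate the A records a Zen query returns into the reason for the listing."""
    return [ZEN_CODES.get(a, f"unknown Zen code {a}") for a in answers]


class StaticResolver:
    """Offline stand-in for DNS; swap in real PTR/A lookups for live use."""

    def __init__(self, ptr, a):
        self._ptr, self._a = ptr, a

    def ptr(self, ip):
        return list(self._ptr.get(ip, []))

    def a(self, name):
        return list(self._a.get(name.lower().rstrip("."), []))


# Constructed records: a well-set-up server, a dynamic host whose PTR does not
# resolve back to it, and (by omission) 203.0.113.30 with no reverse DNS at all.
RESOLVER = StaticResolver(
    ptr={"203.0.113.10": ["mail.example.com"], "203.0.113.20": ["dyn-20.isp.example.net"]},
    a={"mail.example.com": ["203.0.113.10"], "dyn-20.isp.example.net": ["203.0.113.99"]},
)


def check_sender(ip, helo, resolver):
    """Return the problems a receiving MTA such as MailScanner is likely to reject on."""
    if is_rfc1918(ip):
        return [f"{ip} is a private (RFC 1918) address; get the mail server's public IP"]
    problems = []
    names = resolver.ptr(ip)
    if not names:
        problems.append(f"no reverse DNS (PTR) for {ip}")
    else:
        # Forward-confirmed reverse DNS: some PTR name must have an A record back to ip.
        if not any(ip in resolver.a(n) for n in names):
            problems.append(f"PTR {names[0]} does not resolve back to {ip} (FCrDNS fails)")
        if any(h in n.lower() for n in names for h in DYNAMIC_HINTS):
            problems.append(f"PTR {names[0]} looks like a dynamic/residential address")
    h = helo.lower().rstrip(".")
    if h.startswith("[") or "." not in h:
        problems.append(f"HELO {helo!r} is not a fully qualified hostname")
    elif not resolver.a(h):
        problems.append(f"HELO {helo!r} does not resolve")
    return problems


if __name__ == "__main__":
    for ip, helo in (("203.0.113.10", "mail.example.com"), ("203.0.113.20", "mypc")):
        print(ip, helo, check_sender(ip, helo, RESOLVER) or ["ok"])
        print("  DNSBL query:", dnsbl_query_name(ip))
    print(decode_zen(["127.0.0.4", "127.0.0.11"]))
```

The RFC 1918 test runs first because nothing else is worth checking until you have the public address; the FCrDNS test is the same check mxtoolbox.com performs, and the reversed-octet name is what a DNSBL lookup tool queries on your behalf.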