Transmission

XMission's Company Journal

How XMission spam and virus filtering works.

Today I would like to go a little deeper than the typical “4 reasons” type articles I commonly post.

XMission SMTP & Spam FilteringAs a pioneer of Internet services, XMission has been providing particularly amazing email services for 20 years. We are very good at it and dedicate a tremendous amount of resources to keeping our customers’ in-boxes free of junk mail and providing quality SMTP feeds for many mail servers on the Internet. As the Product Manager for our Zimbra Unified Email & Collaboration Suite I am commonly asked what methodologies are implemented by XMission to protect customers from junk mail. This post will answer those questions.

Let’s dig in.

XMission uses a combination of internal and external RBLs (IP and URI), a cluster of SpamAssassin servers running a large custom ruleset, and the ClamAV virus scanner. This combination filters all mail service provisioned by XMission which include SMTP Spamcatcher feed for mail servers, traditional @xmission.com email accounts, and our hosted Zimbra Unified Email & Collaboration service.

Spamhaus RBLS: Real-time Blackhole List

Any IP address in Spamhaus’s SBL, XBL or PBL blocklists gets rejected on connection. These IPs are essentially foolproof–we’ve been aware of only two false positive attempts to send mail to XMission since 2006. These blocklists reject over two million spam messages a day.

You can see our real-time postmaster stats here: http://postmaster.xmission.com/

We operate two internal IP RBLs as well. One is to reject IP addresses that appear to belong exclusively to spammers, and the other is to reject IPs that have made known attempts to compromise users (phishers, IPs attempting to authenticate via brute force, etc.).

There are a number of other RBLs (both with IPs and URIs) that do not cause rejections, but will affect the spam score of the associated message.

SpamAssassin:

SpamAssassin is a popular Open Source spam scanning package. It uses a wide variety of tests to identify spam signatures ultimately making the filters very difficult for spammers to bypass. XMission operates a cluster of SpamAssassin servers. SpamAssassin uses “rules” made up primarily of regular expressions (“meta” combinations of rules and rules determined by the output of custom perl plugins are also used) and a heuristic Bayes database of tokens from messages previously scanned as spam or non-spam to assign each scanned message a score measuring it’s “spamminess”. External RBLs, DCC (a service to identify bulk mail), and Botnet (a plugin identifying characteristics comment to compromised client machines) are also used as input to determine the spam score.

SpamAssassin itself simply adds some headers to the message, identifying the message’s spam score and the rules that were hit. Email interfaces such as Outlook, Zimbra webmail, Thunderbird or Mac Mail then use those headers to determine the ultimate fate of the message in a fashion that users have some control over. Within our systems the default spam score is 8, meaning that any message that has a score of 8 automatically gets filtered to the Junk folder. The score can be raised or lowered as our user desires, and additionally, Zimbra (or other email application) filters can be created to respond to specific SpamAssassin rules. For example, if a user receives a lot of stock spam, rules that indicate stock spam could be identified and used to filter those specific messages into Junk, regardless of whether the numeral score was high enough to filter the spam.

ClamAV:

Finally, ClamAV, a popular open source antivirus engine designed for detecting viruses, malware, Trojans, and other malicious threats, is used on our incoming mail servers. It has an excellent detection rate and allows us to create custom signatures for new viruses.

Running your own server?

Filter emails through XMission before they hit your own mail server using our Spamcatcher service. For only $15 per domain per month, you benefit from all of XMission’s spam-blocking tools, and reduce strain on your own servers.

XMission’s privacy pledge applies to email, SMTP feeds, hosted Zimbra Unified Email & Collaboration, and all products we offer. http://xmission.com/privacy-pledge

XMission Spam filtering and SMTP wiki documents:

External Links:

Thank you for your time today. If you have questions on any of this please leave them in the comments. I look forward to hearing from you.

John

facebooktwittergoogle_plusredditpinterestlinkedinmail

, , , , , , , ,

Comments are currently closed.

5 thoughts on “How XMission spam and virus filtering works.

  • Peter says:

    Thank you for all you do to filter out spam and keep us safe. I have been with Xmission for many years and appreciate the effort you make in protecting us.

  • Don says:

    Do any of your block lists include IP addresses belonging to any US law enforcement, national security agencies and DoD?
    Are these ID’d in any way? And what’s done with them?
    How do your users ensure these are blocked if you’re not doing it?

  • John says:

    Hello Don,
    The simple answer to your question is, “No”. XMission provides email service to a very wide range of customers, including law enforcement. What we do block are viruses, malware, phishing attempts, and a huge volume of spam.
    All backed by our Privacy Pledge. (http://xmission.com/privacy-pledge)
    Let me know if you have any further questions.
    — John

  • Susan Sandack says:

    I appreciate the new spam quarantine feature which allows me to evaluate and restore messages that Xmission filters. The service indicates Xmission will clear that folder after approx. 3 weeks. Will I receive a warning or will it just happen when the folder is cleared?

  • John W. says:

    Susan,

    Thank you for the kind words.

    In Zimbra, the mail messages in both your “Trash” and “Junk” folders will stay for 30 days before they are automatically removed.

    It is important to note that the entire folder is not cleared out.