Optimizing UTM Email Filtering

When we buy an all-in-one product like UTM, we should expect that some functions are really good, some are good enough, and some are barely adequate.   UTM Web Filtering is really good.   UTM Remote Access is pretty good.   Unfortunately, UTM Email Filtering is barely adequate.    So my general advice is to buy an appliance or web service that is optimized for email filtering, and use UTM Email Filtering as a second-level filter.   But since buying something new takes time and money, and both are in short supply, what follows are my suggestions for getting the most out of what you have now.

#1 Understand what UTM does not do.

UTM is based on the Exim engine.   Based on complaints in this forum and my reading of the Exim documentation, nothing examines the "From" information that the user sees when the message gets delivered.   For the same reason, the "From" information that you see in the Mail Manager is not the "From" information seen by the user.

Like postal mail, e-mail has an envelope that contains a message.   The "From" and "To" on the envelope can be different from the "From" and "To" information on the letter inside the envelope, and the postal service does not open envelopes to see if the letter contains fraudulent sender information.   UTM looks at the "From" information on the envelope, which is what it reports in the logs.   What the user sees is the "From" information on the message, not the envelope.

Multiple people have complained in this forum about email that claims to be from their own domain, and wonder why UTM does not block it.   It cannot block it because it does not look at the message-level "From".   Given that this is a limitation of the engine used underneath UTM, I do not expect it to change.


#2 Use SPF

SPF also looks only at the envelope "From".   If the spammer puts your domain in the envelope From, your SPF entry will ensure that it is blocked.


#3 Use RBLs and mxtoolbox.com

UTM allows you to configure additional Reputation Block Lists (RBLs) in the Antispam tab of Email Protection... SMTP.  I recommend adding at least the Barracuda list (b.barracudacentral.org) and zen (zen.spamhaus.org).  Barracuda requires registration at barracudacentral.org and zen has restrictions on commercial use, so check both sites before turning them on.   But all of these sites are based on DNS lookups, so it is difficult to restrict usage.

Additionally, MXtoolbox.com offers a free reputation monitoring service that watches 60 different reputation block lists.  You can sign up for an account, register your own domains and IP addresses, and it will send you reports if any of those entities appear on any of their monitored lists.   Useful for knowing if you have an infection.

But MXtoolbox will also do a blacklist lookup for a single IP address or domain.   So use this approach:

  • You detect a spam message that got through your filter.
  • You examine the message header or the spam logs to determine the source IP and the envelope From.
  • You enter both into the blacklist search on MXtoolbox, and expect that one or both of them will appear on one or more blacklists.
  • You add those blacklists to your configuration.


Hopefully each RBL that you add will help cut the volume of spam getting through, until you reach an equilibrium using a small number of RBLs.   I would only add as needed, because each will introduce overhead and some of them will almost certainly cause false positives.   Read each RBL's website to determine that it is appropriate for your situation.
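Added example (editor's illustration, not code from Doug's post and not anything UTM itself runs): a small Python script that carries out the triage in #1 to #3 on one message. It pulls the envelope From (the Return-Path recorded by the receiving MTA) and the header From that the user sees, takes the connecting IP from the topmost Received header, builds the reversed-octet query names for the zen and Barracuda zones named above, and runs a minimal SPF check against the envelope-From domain and, for contrast, against the header-From domain that neither UTM nor SPF examines. The sample message, the DNS answers and the SPF records are constructed; the SPF evaluator handles only `ip4` and `all` terms (no `include`, `a`, `mx` or `redirect`), which is an assumption made to keep the example short, and the live DNSBL lookup uses `socket.gethostbyname`. A live SPF TXT lookup would need a DNS library that is not imported here.

```python
import email
import ipaddress
import re
import socket
from email.utils import parseaddr

# Constructed sample message (not from the original post). Return-Path carries
# the envelope From as recorded by the receiving MTA; the From: header is what
# the user sees. They disagree here, as in the "from our own domain" spoofing
# case the post describes. IPs and hostnames are documentation/example values.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce-4711@bulk-sender.example.net>
Received: from mail.bulk-sender.example.net (mail.bulk-sender.example.net [203.0.113.45])
\tby utm.example.com with ESMTP id 1abc-0001; Mon, 1 Jan 2024 10:00:00 +0000
From: "Accounts Payable" <ap@example.com>
To: victim@example.com
Subject: Invoice overdue

Please see attached.
"""

# Zones from the post. Order matters only for the query list.
RBL_ZONES = ["zen.spamhaus.org", "b.barracudacentral.org"]

# Constructed DNS answers (assumption: nothing here is a real listing).
# A DNSBL answers a listed IP with an address in 127.0.0.0/8, NXDOMAIN otherwise.
FAKE_DNS_A = {
    "45.113.0.203.zen.spamhaus.org": "127.0.0.4",
    "45.113.0.203.b.barracudacentral.org": "127.0.0.2",
}
FAKE_DNS_TXT = {
    "bulk-sender.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "example.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def envelope_and_header_from(raw):
    """Return (envelope From, header From) addresses; the two are independent."""
    msg = email.message_from_bytes(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    header = parseaddr(msg.get("From", ""))[1]
    return envelope, header


def source_ip(raw):
    """Connecting IP from the topmost Received header (the one our MTA added)."""
    msg = email.message_from_bytes(raw)
    received = msg.get_all("Received") or []
    match = _BRACKETED_IPV4.search(received[0]) if received else None
    return match.group(1) if match else None


def dnsbl_queries(ip, zones):
    """DNSBL query names: reversed octets of the IP under each zone."""
    reversed_octets = ".".join(reversed(ip.split(".")))
    return [f"{reversed_octets}.{zone}" for zone in zones]


def check_dnsbls(ip, zones, resolve_a):
    """Map zone -> answer for every zone that lists the IP. resolve_a(name) -> A record or None."""
    hits = {}
    for zone, name in zip(zones, dnsbl_queries(ip, zones)):
        answer = resolve_a(name)
        if answer and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            hits[zone] = answer
    return hits


def spf_verdict(ip, domain, resolve_txt):
    """Minimal SPF: only ip4 and all terms are understood (assumption). No record -> 'none'."""
    record = resolve_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in _QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return _QUALIFIER_RESULT[qualifier]
        if term == "all":
            return _QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208 default)


def live_resolve_a(name):
    """Real DNSBL lookup for use after triage; NXDOMAIN (not listed) returns None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def analyse(raw, zones, resolve_a, resolve_txt):
    """The triage from #1-#3: what the envelope says, what the user sees, what the lists say."""
    envelope, header = envelope_and_header_from(raw)
    ip = source_ip(raw)
    return {
        "source_ip": ip,
        "envelope_from": envelope,
        "header_from": header,
        "spf_envelope_domain": spf_verdict(ip, envelope.rpartition("@")[2], resolve_txt),
        "spf_header_domain": spf_verdict(ip, header.rpartition("@")[2], resolve_txt),
        "dnsbl_hits": check_dnsbls(ip, zones, resolve_a),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGE, RBL_ZONES, FAKE_DNS_A.get, FAKE_DNS_TXT.get).items():
        print(f"{key}: {value}")
```

With the constructed data the envelope-From domain passes SPF while the header-From domain would fail, which is exactly why SPF alone does not stop mail that only spoofs the visible From. Swap `FAKE_DNS_A.get` for `live_resolve_a` to query the real zones once you have read their terms of use, and only then decide which zone is worth adding to the UTM configuration.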

  • Once again, Doug, a valuable contribution.  I've set this thread to appear at the top of the Mail Protection forum forever.

    Cheers - Bob