antispam filtering question

There is this feature under SMTP proxy > Antispam: Reject at SMTP time

Just to understand:

If I set it to spam, all spam will be rejected without giving the user a choice?

If I set it to confirmed spam, all confirmed spam will be rejected without giving the user a choice?

If I set it to off, all spam will pass on to the next section, where I choose to quarantine spam and confirmed spam, and then in turn it will allow the user to release from the quarantine report?



This thread was automatically locked due to age.
  • I think the "Block at SMTP Time" checkbox is related to the sequence of events when processing an incoming message:

    1. remote system sends helo and is acknowledged

    2. remote system sends mailfrom SMTP Address and is acknowledged or rejected

    3. remote system sends recipient list, and each recipient is accepted or rejected

    4. remote system sends the message (data section)

    5. at end of data, local system accepts or rejects the message

    There are two primary places to reject messages: after the "MailFrom" (step 2) and after end of data (step 5).

    Some filtering rules (based on MailFrom address or source IP) can block at step 2.

    Content filters can only block at step 5, after the content is received. 

    My reading of the documentation:

    "Block at SMTP time" means:

    - if enabled, block at step 2 when sufficient information is available to make a decision.

    - if disabled, never block at step 2, only block at step 5

    Blocking at step 2 can save a little bandwidth, which was more important 20 years ago than it is now.

    Given the capabilities within UTM filtering, I don't think a step 2 reject will ever be altered if the decision is delayed until additional information becomes available at step 5. So I don't think the setting matters very much, but I would favor leaving it enabled.

    Many spam decisions will require content analysis after the data section is received. So a spam or confirmed spam attribution can occur at step 2 based on the sender alone, or at step 5 after the sender and content are evaluated. I do not believe that the spam and confirmed spam actions have any dependency on the "block at smtp time" checkbox.

    Happy to have a more knowledgeable person clarify this point and correct me if I misunderstand the documentation (which, as I remember, is not terribly clear).
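
The five-step sequence from the answer above, as a small Python model added here (it is not part of the thread and not Sophos UTM code). The `reject_at_smtp_time` flag follows the poster's reading of the checkbox; the blocklist, spam phrase and addresses are constructed sample values.

```python
# Added illustration: a toy SMTP receiver, not Sophos UTM code.
# Senders, phrases and the reject_at_smtp_time flag are constructed/hypothetical.
BLOCKED_SENDERS = {"bulk@spam.example"}
SPAM_PHRASES = ("cheap pills",)          # stand-in for a real content filter


def receive(mail_from, rcpts, body, reject_at_smtp_time=True):
    """Walk steps 1-5; return (transcript, outcome, body_bytes_transferred)."""
    log = [("HELO client.example", "250 hello")]                  # step 1
    sender_bad = mail_from in BLOCKED_SENDERS
    if sender_bad and reject_at_smtp_time:                        # step 2
        # Decision made on the envelope sender alone: no body is transferred.
        log.append((f"MAIL FROM:<{mail_from}>", "550 sender rejected"))
        return log, "rejected at step 2", 0
    log.append((f"MAIL FROM:<{mail_from}>", "250 ok"))
    for rcpt in rcpts:                                            # step 3
        log.append((f"RCPT TO:<{rcpt}>", "250 ok"))
    log.append(("DATA", "354 send message, end with ."))          # step 4
    # Content checks are only possible once the body has arrived.
    content_bad = any(p in body.lower() for p in SPAM_PHRASES)
    if sender_bad or content_bad:                                 # step 5
        log.append((".", "554 message rejected"))
        return log, "rejected at step 5", len(body.encode())
    log.append((".", "250 queued"))
    return log, "accepted", len(body.encode())


if __name__ == "__main__":
    cases = [
        ("bulk@spam.example", "hello", True),    # sender rule, early reject on
        ("bulk@spam.example", "hello", False),   # same sender, early reject off
        ("alice@ok.example", "Buy CHEAP PILLS now", True),  # content rule only
        ("alice@ok.example", "Meeting at 10", True),        # clean message
    ]
    for sender, body, early in cases:
        log, outcome, nbytes = receive(sender, ["user@corp.example"], body, early)
        print(f"{sender} early={early}: {outcome}, {nbytes} body bytes")
        for command, reply in log:
            print(f"    C: {command:<32} S: {reply}")
```

The verdict for the blocked sender is the same with the flag on or off; only the step at which it is delivered and the number of body bytes transferred change.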

  • That's how I understand it, Doug. I saw too many false positive rejects, so that's why I recommend the above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA