Currently all incoming emails which matches a RBL are blocked. Can this be changed to accept but warn using the SPAM marker?

Large organizations seem to be getting added to RBLs a couple of times a month and my users start screaming that our email is down and they aren't getting emails from multiple customers. For example, MessageLabs has been on RBL lists multiple times this month for hours at a time.

  • If you check your spam settings under Email Protection > SMTP > Antispam, if you have Reject at SMTP time set to anything other than "Off" then it will just drop the messages it marks as spam. Confirmed spam is the RBLs; Spam is both confirmed spam and the emails the UTM decides are spam when it does its own checks.

    In the Spam Filter, set both settings to Warn and create your Spam marker, or use default.

    I advise keeping at least HELO, Greylisting and BATV turned on in the advanced antispam features. Strict RDNS and SPF check can false positive often because of setup on the senders side.

  • Reject at SMTP time is Off. Both actions are set to WARN. RBL hits still get rejected at SMTP time.
  • How much spam do you get with the recommended RBLs turned off? Is it like a nuclear spam missile?
  • lol, I would be scared to test that.

    SMTP last 24 hours: 2231 messages delivered, 2619 messages blocked (54%)

    Malware quarantined/rejected: 3
    Spam quarantined/rejected: 0
    Blacklist rejects: 0
    Address verification rejects: 35
    SPF rejects: 1
    RBL rejects: 1570
    BATV rejects: 0
    RDNS/HELO rejects: 1010
  • Phwoar, that's a fair bit of spam, definitely don't turn that off!

    Only thing I can think of is to add the email domains your workforce mainly deal with (if you can find out/know) as an exception to the RBL checks. Unless you use other RBLs than the recommended, there's not much you can do to prevent the legitimate companies sending you emails getting rejected if they get added to an RBL.

    A possible test, which would increase load on your system, is to turn off the RBLs and dial up the Reject at SMTP time to Spam. Then you're relying on the UTM to detect and identify the spam within those 2619 emails. Could be a worthy test for 15 minutes?

    Confirmed spam doesn't seem to be the RBLs it seems.
  • Any idea on a command or script I could run to gather a list of domains that are frequently received or sent to? I could use something like that to build exceptions for RBL.
  • The logs you see are based inside the SQL database and I'm not even sure you can access it for exportation.

    What you can do is set the amount of entries to 1000 in the mail manager, then highlight the table's text, copy it and paste it into an Excel workbook. Do that however many times necessary to get all the data. Then, doing some crafty sorting after removal of the data preceding the @domain.blah, you might be able to structure a reasonable evaluation of your commonly contacted domains and create an explicit exception for them from the RBL.

    Once you've removed the preceding data, sort by a-z then you can do an =countif(A:A,A1) on the column with domains. A:A would be the column your domains are stored in and A1 would be the current cell being Count-IFed. I use this a lot so I can manipulate marketing data manually to see what poor soul would be high on a call list because every action they take, every move they make, Google is watching them...

    Hope that helps!

  • Emile, I like to use the 'Search Log Files' tab to get the data to work on with your spreadsheet technique. For example, to get just the lines with email addresses that have sent mail to our organization, I search on:

    "email passed".*mediasoftusa.com" subject

    To see the emails we have sent, I search on:

    @mediasoftusa.com> R=<.* > Accepted: from relay

    If you’re comfortable at the command line, you don’t need the spreadsheet for much. For example, the following will give a list of all sending domains from whom we received mail this December (thanks to AlanT for the last grep trick):

    cd /home
    zgrep '"email passed".*mediasoftusa.com" subject' /var/log/smtp/2019/*/*.gz > receivedlines
    grep -oP '@.*?" to="' receivedlines | sort | uniq -c > senders

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob, that is so cool and so swift, writing that down, much better than my horrifically manual procedure!

    Fantastic as always!
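The two log searches in Bob's post, written up as a self-contained script (an added example, not code from the thread). It runs over constructed sample lines whose field layout is an assumption inferred from his search strings, counts sending and recipient domains in each direction, and lists the domains seen often enough to be worth an explicit RBL exception.

```shell
#!/bin/sh
# Added example, not from the original post. Both log samples are constructed;
# the field layout is an assumption inferred from the search strings in the thread.

# smtpd scanner lines for received mail (name="email passed" ... from= ... to= ... subject=)
RECEIVED_LOG='2019:12:03-09:10:11 utm smtpd[2201]: name="email passed" from="alice@example.com" to="bob@mediasoftusa.com" subject="Invoice"
2019:12:03-09:12:40 utm smtpd[2201]: name="email passed" from="carol@example.net" to="bob@mediasoftusa.com" subject="Hi"
2019:12:03-10:00:02 utm smtpd[2201]: name="email passed" from="dave@example.com" to="sue@mediasoftusa.com" subject="Re: order"
2019:12:03-10:05:55 utm smtpd[2201]: name="email rejected" from="spam@example.org" to="sue@mediasoftusa.com" subject="!!!"
2019:12:03-11:30:09 utm smtpd[2201]: name="email passed" from="erin@example.com" to="bob@mediasoftusa.com" subject="Lunch"'

# exim lines for mail we sent (F=<sender> R=<recipient> Accepted: from relay)
SENT_LOG='2019:12:03-12:00:00 utm exim-out[3301]: F=<bob@mediasoftusa.com> R=<alice@example.com> Accepted: from relay
2019:12:03-12:01:00 utm exim-out[3301]: F=<bob@mediasoftusa.com> R=<pat@partner.example> Accepted: from relay
2019:12:03-12:02:00 utm exim-out[3301]: F=<sue@mediasoftusa.com> R=<dave@example.com> Accepted: from relay'

# Domains that sent us mail which passed the scanner: "count domain", most frequent first.
received_from_domains() {   # $1 = our domain; log lines on stdin
  grep "\"email passed\".*@$1\" subject" \
  | sed -n 's/.* from="[^"@]*@\([^"]*\)" to=.*/\1/p' \
  | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Domains we sent mail to, same output shape.
sent_to_domains() {         # $1 = our domain; log lines on stdin
  grep "@$1> R=<.*> Accepted: from relay" \
  | sed -n 's/.* R=<[^>@]*@\([^>]*\)> Accepted.*/\1/p' \
  | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Candidate RBL exceptions: domains seen in either direction at least $1 times.
# An exception bypasses the RBL check for that domain, so keep the threshold high.
exception_candidates() {    # $1 = minimum count, $2 = our domain
  { printf '%s\n' "$RECEIVED_LOG" | received_from_domains "$2"
    printf '%s\n' "$SENT_LOG" | sent_to_domains "$2"; } \
  | awk -v min="$1" '{ n[$2] += $1 } END { for (d in n) if (n[d] >= min) print d }' | sort
}
```

On a real box, replace the constructed samples with `zgrep` over /var/log/smtp/ as in Bob's commands and pipe the result into the functions.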