GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from

Home » GFI User Forums » Kerio Connect » Major increases in spam in recent months
Re: Major increases in spam in recent months [message #108355 is a reply to message #108335] Tue, 19 November 2013 14:40 Go to previous messageGo to next message
gbalbach is currently offline  gbalbach
Messages: 18
Registered: September 2006
Location: West Chester ,PA
invaluement wrote on Mon, 18 November 2013 23:40
Hi. This is Rob McEwen from ...someone here asked about getting Kerio to work with rsync as a means to access invaluement data. well... ACTUALLY... that isn't needed because there IS an option to do direct queries with and I'm very sorry about the confusion on our web site regarding that.

First, direct queries were not an option for invaluement until about 20 months ago (from the time I type this). But we didn't want to widely publicize that fact for two reasons (1) we wanted to continue to discourage DOS attacks from spammers, making them think that there is no DNS server to attack--and actually, for our protection, those direct queries are answered from a secret IP not advertised via DNS. (2) we wanted to discourage misunderstandings where a subscriber would accidentally publicly post our zone names and then other non-subscribers would mistakenly think that those zones would work if added to the DNSBLs for their spam filter. Even though such queries would be denied, this still could add up to lots of wasted resources over time. Therefore, it really is true that "direct queries don't work"--they just don't work for non-subscribers! But, again, we're trying to figure out how to re-word our website to avoid this confusion, yet without attracting the undesirable attention I described!

There is, however, one critical requirement for direct queries--the subscriber MUST have their own DNS resolver. Specifically, the DNS servers pointed to in the IPv4 TCP/IP settings of the NIC card for the computer running Kerio... must point to a locally hosted DNS caching server... and ONLY point to that server. (not to that org's ISP's or datacenter's or hoster's DNS server). Why? Because we delegate permissions for the queries on an IP by IP basis.

At the same time, Kerio has this very cool feature where you can tell it to use the DNSBL's DNS server directly for any DNSBL you add. That is a GREAT idea and theoretically takes care of the need to point to one's own DNS resolver. However, unfortunately that particular solution is not compatible with invaluement. Why? Because... (1) our queries are served by a DNS server that is NOT "advertised" via DNS, giving that particular server more protection, (2) this solution from Kerio only even tries to help with sender-IP blacklists and doesn't cover URI/domain blacklists such as our ivmURI list.

But the "local resolver" requirement isn't rocket science and about 1/2 of our potential subscribers are ALREADY doing this anyways! The other 1/2 usually find that setting up a local resolver is a great idea and is a request that isn't that difficult or time consuming. On occasion, the subscriber will find that for SOME strange reason their DNS resolver is overloading (not having anything to do with our lists) and they want to go back to using their ISP's resolver... but they can have the best of both by simply programming their resolver to go to their hoster's DNS servers for answers (instead of the root servers and authoritative servers). That setting is also a common situation. Again, nothing exotic or tricky here.

THEN... for testing/using invaluement, the potential subscriber simply adds a few "conditional forwarders" to their local DNS resolver telling it to go to a particular IP when resolving the invaluement queries. (i.e., for queries ending in particular host names). Next, the setup is finished by adding two DNSBL host names to Kerio's list of DNSBLs, and copying a rule file to a folder in Kerio, then restarting Kerio. That is it!

Ironically, as complicated as this all SOUNDS (at first glance)... for those who already have SOME caching DNS server running locally, the time it takes for the entire setup is usually FASTER than the time it took me to even type this post. I've talked people through the ENTIRE setup on the phone in less than 10 minutes!

At this point in time, invaluement is still relatively small and unknown. But we do have a top-5 US ISP as a subscriber, as well as two fortune 100 technology companies... not bad considering we've never spent a dime on advertising and this was all from "word of mouth" and/or people impressed by seeing what we caught that all the other lists missed, as they did lookups at MXToolbox, etc. So far, (at the time I type this), of all of our hundreds of customers, only a grand total of 5 Kerio users have EVER tried out our product. But the amazing news is that ALL 5 were very pleased with the results of the testing and decided to subscribe, and CONTINUE to be active subscribers as of my typing this sentence! (That is an amazing 100% tester-to-subscriber conversion rate--actually, our overall conversion rate is quite high). So there is a high percentage chance than anyone reading this would find the cost-benefit ratio of subscribing to our lists to be fantastic! (NOTE: we only started tracking our subscribers' software/hardware setup starting about 2 years ago.)

Finally, after filling out a questionnaire, we respond back with very specific step-by-step instructions for those who desire to implement our free 15-day trial.

Hope this helps. Thanks for the interest!

Thanks for the great info! I'll go and request a 15 day trial!
Re: Major increases in spam in recent months [message #108373 is a reply to message #108336] Tue, 19 November 2013 21:42 Go to previous messageGo to next message
j.a.duke is currently offline  j.a.duke
Messages: 239
Registered: October 2006
sascha.feider wrote on Tue, 19 November 2013 03:54
1 month after reconfiguring our spam filters:

- we're only kerio's builtin features

spam is down to nearly 10 messages per day, for 100 users. that means 1 message per 10 users.
one message ist filtered through several dns request, spam assassin and some custom rules, adding score by subject filters

the subject filters took about one week, by daily adjusting and manually checking already tagged mails

What was your spam count prior to the changes?


Re: Major increases in spam in recent months [message #108374 is a reply to message #107268] Tue, 19 November 2013 22:14 Go to previous messageGo to next message
freakinvibe is currently offline  freakinvibe
Messages: 589
Registered: April 2004
My Kerio installs are still doing a good job related to Spam. Spam Repellent catches 50% already at the gates and Spamhaus ZEN rejects another 40%.

SpamAssissin catches the most of the rest of it.

Still, one of the problems with Kerio is that the SpamAssassin Rules (the .cf files) are not updated dynamically. They are only updated with new KC versions (and not even with every version).

Dexion Services AG - IT Support Services in Basel, Switzerland
Re: Major increases in spam in recent months [message #108375 is a reply to message #107268] Tue, 19 November 2013 22:21 Go to previous messageGo to next message
MarkK is currently offline  MarkK
Messages: 342
Registered: April 2007
I know that after spending time creating my own scoring, our delivered spam count has dropped at least 95% or more. It does take time to get setup, but it is possible using just what you already have. The other services that have been noted here can be a good additional add-in. Part of what makes them good is that they have people spending time on tweaking them to be better.
Re: Major increases in spam in recent months [message #108384 is a reply to message #108373] Wed, 20 November 2013 09:02 Go to previous messageGo to next message
sascha.feider is currently offline  sascha.feider
Messages: 12
Registered: March 2013
Location: Leverkusen
j.a.duke wrote on Tue, 19 November 2013 21:42

What was your spam count prior to the changes?



Minimum 10 spam mails per user and day.
Re: Major increases in spam in recent months [message #108435 is a reply to message #108384] Wed, 20 November 2013 21:39 Go to previous messageGo to next message
camisy is currently offline  camisy
Messages: 119
Registered: August 2012
when reading this (or at least most of it Wink ) I'm not sure if any contributor or reader is aware of the real power of Connects anti spam features.

There are 2 ways to set up a mailserver and it's important to know that a lot of features don't work if you are downloading messages via pop only. The advantage of having your server set up with MX record is that spam repellent, Greylisting and blacklisting makes sense. pop won't be using these methods. Also, not everyone receives the same spam. As for this it makes perfect sense to check the spammers IP on eg and then decide for an appropriate blacklist and try different scores. Just my 2 cents.
Re: Major increases in spam in recent months [message #108440 is a reply to message #107268] Wed, 20 November 2013 22:16 Go to previous messageGo to next message
MarkK is currently offline  MarkK
Messages: 342
Registered: April 2007
Some good points about server setup.

Spam Assassin is a good spam program, some commercial products are based on it. But out of the box the program needs tweaking, at least the version that is distributed with Connect. If you look through the scoring files, you will see default scores for rule matches as low as .001. It takes a LOT of .001 hits to reach a 5.0 threshold.

This is why I suggest creating your own custom scores based on the spam you are receiving, especially since the spam I get may be different from what you receive. And commercial products based on it will have people basically doing the same thing.

In the rules folder, create a new file named something like I believe that the .cf files are processed in alpha order, Z being last. Then in that file you list the rule name and the new score values to use for it. Tailoring this can get your spam handling to a very good point.
Re: Major increases in spam in recent months [message #121070 is a reply to message #108373] Mon, 04 May 2015 03:17 Go to previous message
invaluement is currently offline  invaluement
Messages: 4
Registered: August 2008

(1) there IS a direct query option for invaluement, as I had mentioned... AND... NEW INFO...

(2) now there isn't a need to add conditional forwarders to use invaluement (if using our latest instructions)

(3) queries to our two IP-based blacklists (ivmSIP and ivmSIP/24) are 100% compatible with Kerio's "use DNSBL's server directly" feature--so that past compatibility issue is fixed

(4) And we published a new web site in late April 2015 that is MUCH easier to understand! Sorry for all the "growing pains" and past confusion!

Previous Topic: Kerio Service Not Starting
Next Topic: kmsrestore returning Error Code 12
Goto Forum:

Current Time: Sun Apr 02 11:30:49 CEST 2023

Total time taken to generate the page: 0.03505 seconds