
RBL and DNSBL advanced antispam protection on Mail Security for Exchange



Hello

I have some questions regarding Advanced settings under Antispam protection.

1. It is not clear what the difference is between "Additional RBL servers" and "Additional DNSBL servers". There are no hints in the administrative console, and it is still not clear from the Online help: https://help.eset.com/emsx/10.0/en-US/idh_antispam_engine.html

2. Does it make sense to add well-known providers like zen.spamhaus.org, b.barracudacentral.org or bl.spamcop.net to the RBL servers? As I see in the logs, each time an IP is listed by an RBL provider it is also found in cloud blacklist 1 or cloud blacklist 2.


  • ESET Staff

Hi,

RBL servers are queried with IP addresses extracted from 'Received:' headers; DNSBL servers are queried with IPs and domains extracted from the message body.

Hope that helps.


Thank you for the fast answer. You confirmed what I found experimentally. Could you please change the Online help to make this topic clearer? It is a bit confusing because RBL and DNSBL mean the same at present.

What about the second question? Does it make sense to use well-known DNSBL providers?

And one more question. Where can I find something like a wish list, where I could request that some improvements or features be implemented in Mail Security for Exchange?


  • 2 weeks later...

Hello again!

To tell the truth, we can't use the RBL feature with other providers (Spamhaus) because of many false positives. At least one setting doesn't work properly: "Maximum number of verified addresses from Received: headers"

"You can limit the number of IP addresses that are checked by Antispam. This concerns the IP addresses written in Received: from headers. The default value is 0, which means that only the last identified sender's IP address is checked."

Copied from the online help: https://help.eset.com/emsx/10.0/en-US/idh_antispam_engine.html

For some reason EMSX parses more IP addresses from the header (not only the last). Here is the log example:

Antispam scan result:  Spam
IP (X.Y.Z.61) listed on RBL service (zen.spamhaus.org:127.0.0.11)
IP (A.B.C.220) wasn't found on cloud blacklist 2

Actually, the A.B.C.220 address is the last one from the header, and the SMTP session was initiated from it.

Could you please check whether this is an issue? The EMSX version used is 9.

 


  • ESET Staff

Hi, when there is a limit on the number of IP addresses from Received headers set by the user, they are counted from the most recent (appears on top). Local IP addresses and addresses on the Ignore list are skipped, i.e. not counted towards the limit.

Note: besides Received headers, we also acquire the IP address of the connecting server from the SMTP session - this address is always checked against our cloud blacklists/whitelists, independent of whether it is part of the Received headers or not.

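The counting rule described in the reply above, as an added example that is not part of the original thread and not ESET's code: it walks `Received:` headers from the top, skips local and ignored addresses without counting them, and builds the DNS names an RBL lookup would resolve. The function names, the definition of "local", the IPv4-only parsing and the sample message are assumptions made for illustration; the product's `0` default is not modeled, so `limit` is a positive count.

```python
import ipaddress
import re
from email import message_from_string

# Assumption: "local" means RFC 1918, loopback and link-local ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample; addresses are from documentation ranges.
SAMPLE = """\
Received: from edge.example.net (edge.example.net [203.0.113.220])
\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.internal (relay.internal [10.0.0.5])
\tby edge.example.net with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from client.example.com (client.example.com [198.51.100.61])
\tby relay.internal with ESMTPSA; Mon, 1 Jan 2024 10:00:00 +0000
Subject: constructed sample

body
"""

def received_ips(raw_message):
    """Valid IPv4 literals from Received: headers, topmost (most recent) first."""
    ips = []
    for header in message_from_string(raw_message).get_all("Received", []):
        for candidate in BRACKETED_IPV4.findall(header):
            try:
                ips.append(str(ipaddress.IPv4Address(candidate)))
            except ValueError:
                pass  # e.g. [999.1.1.1] is not an address
    return ips

def select_for_rbl(raw_message, limit, ignore=()):
    """First `limit` eligible hops; local and ignored ones do not use up the limit."""
    eligible = [ip for ip in received_ips(raw_message)
                if ip not in ignore
                and not any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)]
    return eligible[:limit]

def rbl_query_name(ip, zone):
    """DNSBL lookup name: reversed octets prepended to the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_plan(raw_message, connecting_ip, limit, zone, ignore=()):
    """RBL names to resolve, plus the SMTP peer that is checked regardless."""
    return {"rbl": [rbl_query_name(ip, zone)
                    for ip in select_for_rbl(raw_message, limit, ignore)],
            "always_checked": connecting_ip}

if __name__ == "__main__":
    print(check_plan(SAMPLE, "203.0.113.220", 2, "zen.spamhaus.org"))
```

The `127.0.0.11` return code in the log earlier in the thread is one of the Spamhaus PBL codes (`127.0.0.10` and `127.0.0.11`); Spamhaus intends the PBL to be applied to the connecting IP only, so PBL hits on deeper `Received:` hops are a common source of false positives.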
