Xwall configuration suggestions

Help with installation

The Xwall spam filter offers a wide variety of filters and blocks. Understanding these options is important for success. This page shows the initial setup we use at our local client sites. It can help you get your Xwall up and running in a short time. Of course, Xwall has many more filters and options. These are described in detail in the Xwall online manual. We strongly recommend reading the manual in order to set up Xwall tailored to your situation. The online manual always reflects the latest enhancements and changes.

1. Actions

Most Xwall filters allow you to set different actions. Depending on your environment, you may choose the option that fits best. Here are a few examples:

If you have ESATInformer you want to set all filters to DISCARD. That keeps the spam out of your mail server but blocked messages are still retrievable with ESATInformer.

If you want to route the mail in the user's Outlook, you should choose "Mark subject", and you may want to set all markings to the same mark, e.g. [SPAM]. You can do that under XWallAdmin->View->Advanced Configuration.

If you have also purchased the XWall addon Xwallfilter you can set the action to Move to the Junkmail folder. However, you will need Exchange 2003 for that and you will carry all the spam into your Exchange.

Blocking on SMTP level will cause Xwall to refuse the message. This action will save bandwidth but the messages are not retrievable since the message was never received.

Encapsulated messages are typically forwarded as an attachment. This method may be used if the admin wants to review all spam and may choose to forward some with the original FROM line.

2. Automatic Filters


Spam RBL relay list implementation: Keeping spam out of your company's email system is an effort utilizing many different approaches. Spam relay lists, known as RBLs, are one of the tools available to you. These RBL lists are updated in real time and can make a dent in the spam flood. RBL lists are compiled from open SMTP relays found all over the Internet. An open SMTP relay can be used by spammers to send out their spam messages by the millions. Xwall takes the IP and/or domain name of the sender and compares it to the RBL lists you have implemented. Xwall is equipped with an exclude table (white list) to allow specified domains or IP addresses to pass even if they are caught by the RBL list. This Xwall feature makes the implementation of the RBL services much more useful.

To set up this filter, start the Xwall Admin. Go to OPTIONS -> Spam. Check the first flag and click on ADD COMMON. This will add 3 popular relay services. If you have a proxy in front of Xwall you may need to check position #3, since your proxy is the sender rather than the other SMTP server. Xwall operates more effectively if it communicates directly with the sending SMTP server.

SMTP level blocking: Xwall allows you to block messages on SMTP level. Here are a few things to consider.

An SMTP block conserves your bandwidth. Xwall blocks if the connecting server is on an RBL list. It never allows the message to be sent.

Since Xwall does not receive the message it's more difficult to exclude senders. You need to exclude the host or IP address rather than an email address.

Position #4 allows you to choose the action for this filter if it finds a spam message. If you use ESATInformer you should set the action to discard.
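The RBL check and the exclude table described above, sketched as an added example (not Xwall's own code). The zone names, the exclude-table format and the injected `resolve` function are assumptions made for illustration; the DNS answers are constructed so the example runs offline.

```python
import ipaddress

# Constructed placeholder zones; a real setup lists the RBL services it uses.
RBL_ZONES = ["rbl-one.example", "rbl-two.example"]

def rbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_excluded(ip, host, exclude):
    """Exclude table of IPs, CIDR ranges and host names (hypothetical format)."""
    addr = ipaddress.ip_address(ip)
    host = (host or "").lower()
    for entry in exclude:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            # Not an address or range: treat the entry as a host name or suffix.
            entry = entry.lower()
            if host == entry or host.endswith("." + entry):
                return True
    return False

def check_connection(ip, host, exclude, resolve):
    """Decide at SMTP connect time, when only the peer IP and host are known."""
    if is_excluded(ip, host, exclude):
        return ("accept", "excluded")
    for zone in RBL_ZONES:
        # resolve() returns an address string when listed, None when not found.
        if resolve(rbl_query_name(ip, zone)) is not None:
            return ("refuse", zone)
    return ("accept", "not listed")

# Constructed stand-in for DNS so the example runs offline.
FAKE_DNS = {
    "7.113.0.203.rbl-one.example": "127.0.0.2",
    "9.100.51.198.rbl-two.example": "127.0.0.2",
}

def fake_resolve(name):
    return FAKE_DNS.get(name)

if __name__ == "__main__":
    print(check_connection("203.0.113.7", "mx.bulk.example", [], fake_resolve))
    print(check_connection("198.51.100.9", "mail.partner.example",
                           ["partner.example"], fake_resolve))
```

Because the decision is taken before any message is received, the exclude entries can only name hosts or IP addresses, which is the limitation noted above for SMTP level blocking.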


This is a very effective filter. It's easy to activate but you need to know your email environment. The idea is simple. The greylisting filter looks at each triplet received. A triplet is the From address, the To address and the host. The first time Xwall sees the triplet it temporarily refuses it. The second time it lets it pass. However, most spammers will not resend email. In order to implement greylisting you need to make sure that all mail goes through XWall and there is no unprotected backup mail server. If there is a backup server, the mail will simply go around Xwall to the backup server. Read more about greylisting...
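The triplet logic and the backup-server caveat, as an added example that is not Xwall's implementation. The minimum retry delay, the record lifetime and the reply strings are assumptions chosen for illustration; addresses are constructed.

```python
import time

class Greylist:
    """Triplet greylisting: (From address, To address, connecting host)."""

    def __init__(self, min_delay=60, max_age=86400, clock=time.time):
        # min_delay and max_age are illustrative assumptions, not Xwall defaults.
        self.min_delay = min_delay
        self.max_age = max_age
        self.clock = clock
        self.first_seen = {}  # triplet -> time of the first attempt

    def check(self, mail_from, rcpt_to, host):
        triplet = (mail_from.lower(), rcpt_to.lower(), host)
        now = self.clock()
        first = self.first_seen.get(triplet)
        if first is None or now - first > self.max_age:
            # Unknown (or expired) triplet: remember it and ask the sender to retry.
            self.first_seen[triplet] = now
            return "451 temporarily refused"
        if now - first < self.min_delay:
            # Immediate re-send: still too early to count as a real retry.
            return "451 temporarily refused"
        return "250 accepted"

def first_attempt(mx_chain, mail_from, rcpt_to, host):
    """A sender that never retries but walks the MX records in order.

    mx_chain is a list of (name, check_function); returns the name of the
    server that accepted the message, or None if every server deferred it.
    """
    for name, check in mx_chain:
        if check(mail_from, rcpt_to, host).startswith("250"):
            return name
    return None

def accept_all(mail_from, rcpt_to, host):
    """Stands in for an unprotected backup mail server."""
    return "250 accepted"

if __name__ == "__main__":
    msg = ("bulk@sender.example", "user@company.example", "203.0.113.7")
    print(first_attempt([("xwall", Greylist().check)], *msg))
    print(first_attempt([("xwall", Greylist().check), ("backup", accept_all)], *msg))
```

With Xwall as the only MX the one-shot sender is never accepted; with an unfiltered backup MX in the chain the same message is delivered on the first attempt.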



This is a different type of SLS service. Xwall scans your message for links. It gets the IP address of the destination and submits this address to the SUBL service. That hurts the spammers' pocketbook.


XWallAdmin->Options->Spam->Bayes filter

The Bayesian filter is another module in the fight against spam. While not as effective as it once was, the Bayes filter still catches spam. Its success depends totally on you understanding the filter and on the principle "garbage in, garbage out!" If it gets fed with spam, it filters out spam. If you feed it with false positives, it will filter out good mail. To avoid this problem, just follow the guidelines above. Do not start this filter when you first set up Xwall. Wait until you have a good handle on things. You don't need to catch all the spam but you do not want a lot of good mail identified as spam. Once you're at this point you can enable the Bayes filter learn mode = Enable gathering.

The learn mode reads all the messages declared spam and automatically builds its own database. The default settings are fine in almost all situations. I usually let it learn for 5-10 days before I start the full filter. The active Bayes filter now reads every message and grades it by its probability of being spam. The scale is 1-100. You simply set the break point. Usually 70-80 works well. If you don't like to guess, ESATInformer will show you exactly where your breaking point is.

XWallAdmin->Options-> Global Exclude->Automatic Whitelist

Exclude known senders: Automatic whitelisting automatically adds the email address of every outgoing message to the exclude list. The reasoning behind this idea is that if you send email to someone it's likely that you want them to be able to reply. You do not have to implement this feature to receive email from your contacts. But if you find many of them listed with RBLs you're using, it will allow them to send you mail.

You can use a company-wide whitelist or keep a separate list for each user. The separate whitelist will prevent an out-of-control user from negatively affecting the filtering for the entire company.

In order for the automatic Whitelist to work the outgoing mail MUST be processed by XWall.



3. Manual Blocking and Excludes

XWallAdmin->Options->Blocking->Email addresses

Block From Email: All manual blocks are found under XWallAdmin->Options->Blocking. Xwall looks at domain and email addresses from right to left. That means if you type in COM, all domains with .COM will be affected. Yahoo.com will affect all emails from yahoo.com. Do not use *.com; it would only affect *.com, which equals nothing since * is not a legal domain character. To affect an entire domain use @thisdomain.com. The block or exclude will be specific to that domain only.



Blocking Text and Words: I usually set a few text and header blocks to start with. The text block is located under Admin ->option ->blocking->text. You will find familiar options. You need to be aware of the fact that you are dealing with strings. Please consider that the string SOME will apply to words like AWESOME, SOMEONE, SOMETIMES and so on. If you want to block just the word SOME you must enter (space)some(space). This will eliminate the inclusion of AWESOME and so on.

Be careful with wildcards. The ? often works better than a badly implemented *.





Wildcards have to be implemented with caution too. While there is no problem with them, it's us who will get it wrong. I added v*i*a*g*r*a to my strings just to find out it blocked many messages with no sign of viagra. Instead it looked for any instance of these characters - as it should. I just did not think. To get rid of the spaces or filler characters some of these spammers use, I needed to type in v?a?g?r?a.
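The string and wildcard behaviour described in the two passages above (SOME versus (space)some(space), and * versus ?), as an added example that is not Xwall's matcher. It assumes substring matching that ignores case, `*` matching any run of characters and `?` matching exactly one character; the `?` pattern used here has one placeholder between every letter, and the message bodies are constructed.

```python
import re

def compile_block(pattern):
    """Translate a block string to a regex under the semantics assumed here:
    substring match, case-insensitive, '*' = any run of characters
    (including none), '?' = exactly one character."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def blocked(pattern, text):
    """True if the block string occurs anywhere in the text."""
    return compile_block(pattern).search(text) is not None

# Constructed sample message bodies.
SAMPLES = {
    "ham_awesome": "That was an awesome demo, thanks to someone on your team.",
    "ham_long": "Very nice meeting. I can forward the agenda and draft remarks again.",
    "spam_dotted": "Cheap v.i.a.g.r.a shipped overnight",
    "spam_plain": "Buy some pills now",
}

def hits(pattern):
    """Names of the sample messages a block string would catch."""
    return sorted(name for name, body in SAMPLES.items() if blocked(pattern, body))

if __name__ == "__main__":
    for p in ("some", " some ", "v*i*a*g*r*a", "v?i?a?g?r?a"):
        print(repr(p), hits(p))
```

Under these assumptions the `?` form does not match the plain, unobfuscated spelling, so that word needs its own entry.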


XWallAdmin->Options->Global Exclude->Text

TEXT EXCLUDE: Xwall can exclude email addresses, IPs, hosts, subjects and text. I like the text option and typically add a "password". It can be anything unusual. So when a user comes to you claiming Joe has been sending him mail all morning and he does not get it, advise him to have Joe add the "password" to the text. The text exclude is also useful to make sure you get that "purchase order".



Verify Email: There are two things you need to consider when using VERIFY blocks. These are SMTP blocks. No retrieval of messages is possible since they were never received. I personally stay away from PTR and verifying the sender's IP. These blocks are powerful but will result in a few false positives.

The VERIFY the SENDER uses an ADDRESS is an acceptable risk these days. It will stop the reverse NDR attacks and all other NDRs for that matter. Fewer and fewer mail servers will actively send out NDRs these days. Instead most of them refuse messages for unknown users on SMTP level; therefore the sending server takes care of the NDR.


XWallAdmin->Options->Blocking-> Recipient

The VERIFY USER is a block you should consider. It refuses messages to unknown users on SMTP level. That means the sender's server will notify the sender that the message was not delivered. In addition it will keep out all the spam randomly generated by some spammers.

To implement the block you need to export your Exchange user list. You can use Exchimp.exe or LDAPimp.exe. You find both utilities in the Dataenter download section. If you do not have an Exchange server you can try this script. The imported file needs to be in the XWall folder. I recommend placing the script in the Xwall folder. Once you have run it, check in XWallAdmin.

Instead of importing the user database you can use the external program LDAPQuerry. It checks the Active Directory for the user. If you use special routing addresses make sure they are part of your Active Directory or use the manual option.


In a few cases, the MX A record lookup can cause problems too. In general, I recommend starting out with just a few filters and blocks, concentrating on eliminating false positives and then going from there.


4. Things to consider

Do not end up on an RBL list

Please realize Xwall takes the place of Exchange server or your SMTP mail server when talking to the outside world. Therefore, the SMTP relay is now handled by Xwall. By default this relay is disabled. If there is a need to open the relay, Xwall can accommodate several options. I use authentication (NTLM) in most cases. You can also set a range of IP addresses that are allowed to relay, especially if the relay is only needed inside your LAN. To allow a range of addresses to relay the syntax for the range " -" would be "192.168.1." (without the quotes). Several addresses or ranges can be entered. In addition, you can limit the relay to a domain (host).

Better safe than sorry. Only implement a relay if you need it.


Test your SMTP relay now




Keep an eye on things

The Xwall screen shows the latest few lines of the current log. The last line, however, shows statistical information. While installing and tweaking the Xwall operation you should keep an eye on the "bottom line". A buildup in the message queues can announce troubles to come. Of course, if you serve 2000 users, 200 messages in the queue would not be much of a concern. However, if you only serve 50 users you want to look into it. These are some of the settings and situations which will cause problems:

  • DNS server not resolving external addresses properly
  • DNS request gets stopped at your firewall
  • You opened the SMTP relay to everybody and spammers flood you
  • Xwall can't find the exchange server
  • You send back all the Spam messages (not recommended) and have not adjusted the retry time-outs

The stats codes on the bottom of the Xwall screen show the following values:

Sent = Sent messages
Recv = Received messages
S-O = SMTP outbound queue
S-I = SMTP inbound queue
E-O = Exchange outbound queue
E-I = Exchange inbound queue
Con = Connection count


If you run XWall as a service you will notice the absence of the blue log window. Do not run the Admin program to view the activities. Instead download LOGview from the Dataenter site.


If you run LOGview you will notice that the queue information is missing. Since that is important information for many users, we developed a program called ESATStatus. It will display the queue status on the server or any remote system of your choice.


ESATInformer, designed for XWall, virtually eliminates the "false positive" problem. Daily reports are sent to the email system administrator and all selected users. These reports summarize the spam problem and list each user's blocked messages. Using these reports, users can request delivery of any false positives. The request is handled automatically with a summary report sent to the email administrator. With the "false positive" problem out of the way, the XWall spam filters can be tightened to all but completely eliminate spam.

ESATInformer ANALYSIS: You can get a daily report with bar graphs showing you how effective XWall is. Did you ever consider that the percentage of spam on the weekend sometimes hits 100%? ESATInformer will show you every Monday how well your filters are doing.