• Standardfiltereinstellungen-in-NoSpamProxy-14

Default filter settings in NoSpamProxy 14

Stefan Cink | Director Business and Professional Services
Author: Stefan CinkBusiness Unit Manager NoSpamProxyConnect on LinkedIn

With each new version of NoSpamProxy, improvements are either made to individual filters or actions, or completely new filters and actions are rolled out. The latest example is the metadata-based service 32Guards.

22.03.2023|Last edited:18.08.2023

Especially with new technologies, our recommended default rules then change. In support, we occasionally see filter settings from long-time NoSpamProxy customers that deviate from our current recommendations to a greater or lesser extent. In this article we show you the settings that are made with a fresh NoSpamProxy 14 installation and that we consider to be the recommended minimum security. In addition, we explain some background information on individual filters and actions.

In this table you will first find an overview of the activated filters and actions of the current standard set of rules. The weighting of the filters is indicated in brackets.

FilterActions
32Guards (1)Malware Scanner
Spam URI Realtime Blocklists (2)URL Safeguard
Core Antispam Engine (1)S/MIME and PGP check and decryption
Reputation filter (1)Disclaimer application
Realtime Blocklists (2)CxO Fraud Detection
CSA Certified IP List (2)32Guards
Greylisting
FilterEvent
32Guards (1)Malware Scanner
Spam URI Realtime Blocklists (2)URL Safeguard
Core Antispam Engine (1)S/MIME and PGP check and decryption
Reputation filter (1)Disclaimer application
Realtime Blocklists (2)CxO Fraud Detection
CSA Certified IP List (2)32Guards
Greylisting

Tip for each update

If you want to quickly check what has changed in the standard rules after a successful update to a newer NoSpamProxy version, simply use the wizard to recreate the standard rules. You will find the corresponding button directly under the set of rules:

Default Rules

Clicking on “Generate default rules” opens a dialogue in which you can choose whether the new default rules should completely replace the previous set of rules or whether the new rules should simply be appended at the bottom.

Default Rules Dialog

For a quick comparison of the rules, we recommend the option “Append default rules to existing rules”. Now you have, for example, the rule “All other inbound emails” twice in the overview and can easily compare the configured filters and actions. It is up to you whether you continue to work with the newly created rule or adapt the existing rule.

Notes on individual filters and actions

In this section we explain individual filters and actions and provide important notes.

32Guards

32Guards is a metadata-based service in NoSpamProxy Cloud, which was first released under this name with NoSpamProxy V14. Until then, it was known as “Project Heimdall”. As an action, it was already present in version 13.0 from February 2019. Today, 32Guards is on the one hand a filter that influences the evaluation of the spam confidence level, and on the other hand an action that can directly reject threats temporarily or permanently. You can also find more information about 32Guards here. In the default ruleset, both are always activated.

Spam URI Realtime Blocklists

The Spam URI Realtime Blocklists filter has been modified slightly in recent years. By default, only the “UriBL” list is activated. Since the introduction of 32Guards, this filter has become less and less important because the URL recognition has been taken over from 32Guards and the filter results there are much better.

Spam URI Realtime Blocklists EN

The “SURBL” and “Spamhaus” lists are chargeable above a certain query volume and are therefore deactivated by default. Further information on the offers can be found on the website of the respective providers.

Core Antispam Engine

This filter has been included since version 14.0.5. Based on defined criteria, it creates a fingerprint of the email to be checked and compares it with the already known fingerprints. If this is known, NoSpamProxy awards 4 SCL points. NoSpamProxy will thus already reject the email with the default settings. The filter itself has no further configuration options. The administrator can only influence the filter result by weighting with multipliers.

Reputation filter

The reputation filter performs various checks on the email envelope, the content of the email and the headers. Some of the checks also analyse DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework). Depending on the results of the individual checks, SCL points can be awarded, which are individually configurable. In this way, you can adapt the ratings to the requirements of your company. In total, the reputation filter contains 26 individual checks, each of which can be switched on and off, as well as configured. In our online documentation you will find descriptions of the reputation filter checks.

Malware Scanner

This action includes three different scan engines that can be used individually or in combination with each other. As the name suggests, the focus is on the detection of malware.

  • Integrated Malware Scanner

    The integrated malware scanner checks the attachments of incoming emails and is activated by default.

  • File-based virus scanner

    The file-based virus scanner stores attachments of incoming emails in a specific directory. If any on-access virus scanner is already installed, this scanner will deny read access to possibly contaminated attachments. NoSpamProxy Protection checks immediately after the attachments have been placed in the directory whether access is possible or not. Attachments that can be accessed are considered virus-free. NoSpamProxy Protection can work with any virus scanner that monitors file accesses in real time. This scanning method is already installed on very many file servers, very performant and reliable.

  • ICAP Antivirus Server

    The Internet Content Adaptation Protocol (ICAP) is a protocol for forwarding content for HTTP, HTTPS and FTP-based services. An ICAP server receives data that is then processed by a server-based virus scanner, for example. If you select the action ICAP Antivirus Server, NoSpamProxy acts as an ICAP client. The data is then sent from NoSpamProxy to your ICAP server and checked by it. After the check process is completed, the ICAP server sends the check result to NoSpamProxy. Depending on this check result, the configured action is executed.

URL Safeguard

URL Safeguard was first introduced with version 13.0 and ensures that URLs in incoming emails are rewritten. This allows the gateway to re-check the original URL as soon as the recipient has clicked on it, thus significantly increasing security. However, the URL Safeguard action is only part of the system and only takes care of the actual rewriting. The configuration of the rewrite properties and conditions is described in detail here.

CxO Fraud Detection

The CxO Fraud Detection is used to detect phishing attacks where the attacker uses the name of company decision makers in the sender of the email. It compares the sender name of incoming emails with the names of company users. Fake e-mails sent to you in the name of superiors or employees are intercepted in this way.

Different variants of the sender name are included in the comparison:

Jane Doe
Doe Jane
JaneDoe
DoeJane

All company users that you want to use for CxO fraud detection must be activated for the respective company user beforehand.

Not yet updated to NoSpamProxy 14?

With the new version 14.0.5, you can benefit from improved detection quality that protects your mailboxes even better.

Download now
Global Rollout NoSpamProxy Version 14.0.5NoSpamProxy UpdateInfo IconChanged reporting procedure for false positives and false negatives