Below you will find information on using the Sandbox Service in NoSpamProxy. For general information on how a cloud sandbox works, licensing or data protection, see Informationen zum NoSpamProxy Sandbox-Service (German only).


Since 2018, we strongly recommend NoSpamProxy customers to take a whitelisting approach to content filtering (see our article on email firewalls). This recommendation applies in particular to the use of the NoSpamProxy Sandbox service.

An example: Even if an “executable file for Windows” is supported by the sandbox, the question arises whether one wants to allow this potentially dangerous file type for one’s own company at all. In this case, it makes more sense to generally reject this file type and thus also save the upload to the sandbox.

If a file is classified as unsuspicious by the sandbox service, the respective email will be delivered.


Sandbox hash query

The retrieval of the hash values from the sandbox database can be carried out without restriction and without deduction of purchased licences. For this purpose, the corresponding check mark Query the sandbox if the attachments of inbound emails are known to be malicious must be ticked.

NoSpamProxy Sandbox Service - Hash Check
This check can be applied to all file types.

Sandbox upload

File uploads are limited to 20 files per user and month.

This value is the total value of permitted uploads; there is no strict user check. This means, for example, for a 50-user licence that the respective NoSpamProxy installation may upload 1000 files to the sandbox in one month. Costs may be incurred if the limit is exceeded.

To limit the sandbox check to individual file types, an additional content filter action should be created that is only applied to certain file types.
To enable uploading, the option Upload unknown files to the sandbox for analysis must be activated.
NoSpamProxy Sandbox Service - Hash Check an Upload

Supported file types

  • Executable files
    • Executable files for Windows
  • Office – Word
    • <all>
  • Office – Excel
    • <all>
  • Office – PowerPoint
    • <all>
  • Video
    • Adobe Flash (SWF)
    • Adobe Flash Video (FLV)
  • Text
    • Rich Text Format
    • Rich Text Format with OLE objects
    • PDF
    • PDF with URLs
  • Archives and compressed files
    • ZIP-compressed file
    • GZIP-compressed file
    • TAR archive
    • GZIP-compressed TAR archive
    • 7Zip-compressed file
  • Scripts (Configuration via file names)
    • .js
    • .vbs
    • .wsf
    • .ps
    • .py
    • .hta
    • .perl
    • .php
    • .sh

Delivery delay

If a file has to be uploaded to the sandbox (sandbox upload), the email will not be accepted initially and temporarily rejected so that the sending email server delivers it again.

The temporary rejection is applied here because the analysis on the sandbox array takes a certain amount of time, but should be completed after a regular 5 minutes when a new delivery attempt is made.

This will result in a delivery delay for the respective emails which must be taken into account accordingly. We therefore recommend that you check exactly which files should really be sent to the sandbox. Note the following option if time-critical processes or mailboxes exist in your company:

  • Is a sandbox hash query sufficient instead of a complete analysis (sandbox upload)?
  • It is possible to create different actions in the content filter to configure different actions for a content filter entry for “Trusted emails” and “Untrusted emails” between a sandbox upload and a sandbox hash query.
  • Office documents can be converted into a secure PDF document by NoSpamProxy Content Disarming if necessary.
Info Icon

It is possible that the Cyren engines used generate error messages that are not traceable to the engines themselves, but to communication problems with Cyren data centers. This article shows you ways to test the communication and function.

Details about the three Cyren engines in NoSpamProxy

NoSpamProxy currently has three Cyren engines that are active, depending on the configuration and licensed modules.

Cyren AntiSpam and Cyren Premium AntiVirus (ctasd)

  • Program folder: C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service
  • Program file: ctasd.exe
  • Configuration folder: C:\ProgramData\Net at Work Mail Gateway\Cyren
  • Configuration file: ctasd.conf
  • Service name: NetatworkMailGatewayCyrenService
  • Service display name: NoSpamProxy – CYREN Service
  • Definitions folder: C:\ProgramData\Net at Work Mail Gateway\Cyren\Definitions
  • Definitions files: aivsecon-v2.def, antivir-v2.def, antivir-v2.ini, antivir-v2-hit.ini
    • these four files should always be in the directory
    • The file “antivir-v2-hit.ini” should never be older than 2 hours
    • To re-update,restart the service
  • External access:, resolver [2…5]
  • Licensed Module: NoSpamProxy Server Protection, NoSpamProxy Server Suite

Cyren IP Reputation (ctipd)

  • Program folder: C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service
  • Program file: ctipd.exe
  • Configuration folder: C:\ProgramData\Net at Work Mail Gateway\Cyren
  • Configuration file: ctipd.conf
  • Service Name: NetatworkMailGatewayCyrenIpReputationService
  • Service Display Name: NoSpamProxy – CYREN IP Reputation Service
  • External access:,Iprep[2… 5].
  • Licensed Module: NoSpamProxy Server Protection, NoSpamProxy Server Suite

Cyren URL Categorization (ctwsd)

  • Program folder: C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service
  • Program file: ctwsd.exe
  • Configuration folder: C:\ProgramData\Net at Work Mail Gateway\Cyren
  • Configuration file: ctwsd.conf
  • Service Name: NetatworkMailGatewayCyrenUrlService
  • Service Display Name: NoSpamProxy – CYREN URL Categorization Service
  • External access:,webres[2… 5].
  • Licensed Module: NoSpamProxy Server Protection, NoSpamProxy Server Suite

Note: All paths are the default paths and may differ from your installation.


In the following section you will find a small checklist, which you should always check before the first request to the support

  • Is the necessary module licensed in NoSpamProxy? If not, you don’t need the services and can disable them on the system in the Windows services.
  • Has the Knowledge Base article How to configure on-access virus scanners been applied to all systems with the appropriate services?
  • Is a web proxy required for Internet communication in your company and is it registered according to the knowledge base article How to configure CYREN services?
    • This must be checked and re-entered after each NoSpamProxy Update/Upgrade.
    • Always edit the newly created file, never overwrite it with an old version of the file.
  • Is it possible to communicate with and/or without web proxy to all mentioned external systems of Cyren?
  • Are there any exceptions on the firewall to access all sub-domains from These connections must not be used for virus scanning, content filtering, or other checks!
  • Are there any error messages when the services are running interactively via the command prompt (CMD)? To run interactively, please follow these steps aus and attach a screenshot of the request’s communication to support.
    1. Stop each service from Microsoft Windows services.
    2. Open a prompt with administrator privileges.
    3. Run the command for the service, to be tested. Use the path to the corresponding executable if you do not have NoSpamProxy installed in the default directory
      • Ctasd
        CMD > “C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service\ctasd.exe” -c “C:\ProgramData\Net at Work Mail Gateway\Cyren-ctasd.conf” -i
      • Ctipd
        CMD > “C:\Program Files\Net at Work Mail Gateway\Cyren Integration Service\ctipd.exe” -c “C:\ProgramData\Net at Work Mail Gateway\Cyren-ctipd.conf” -i
      • Ctwsd
        CMD > “C:\Program Files”Net at Work Mail Gateway\Cyren Integration Service\ctwsd.exe” -c “C:\ProgramData\Net at Work Mail Gateway\Cyren-ctwsd.conf” -i
    4. Copy the output or take a screenshot of the output.

If you have checked all these points, please open a support ticket with the information attached so that more logs can be created for analysis.

information thumbnail social media

Configuring the CYREN Services for use with a Web Proxy

This article describes how to configure a proxy server for the CYREN services with the Protection module in all NoSpamProxy versions from version 9.2 onwards. To do this you have to download the files

  • ctasd.conf
  • ctipd.conf (additionally available from version 12.x)
  • ctwsd.conf (additionally available as of version 13.x)

from the directory “C:\ProgramData\Net at Work Mail Gateway\CYREN\”.

The following section is responsible for this:

#   If you connect to the Internet through a proxy server, you
#   should uncomment the following parameters and assign appropriate
#   values.
#ProxyPort = 80
#ProxyServerAddress = myproxy
#ProxyAuth = NoAuth
#ProxyUserName = user@proxy
#ProxyPassword = 1234
#ProxyAccess = 1

If you are using a proxy server without authentication, remove the # character before the lines “ProxyPort”, “ProxyServerAddress”, “ProxyAuth” and “ProxyAccess”. Enter the corresponding port of your proxy server in ” ProxyPort”. Behind the entry “ProxyServerAddress” you configure either the IP address or the FQDN of your proxy server. For “ProxyAuth” leave the entry at “NoAuth”.

If you are using a proxy server with authentication, you must additionally configure the options “ProxyUserName” and “ProxyPassword”. Enter the corresponding logon information for “ProxyUserName” and “ProxyPassword”. Additionally, you must change the value “ProxyAuth” to “Basic”.

After you have saved the file, you must restart the services NoSpamProxy – CYREN Service (ctasd.conf), NoSpamProxy – CYREN IP Reputation Service (ctipd.conf) and NoSpamProxy – CYREN URL Categorization Service (ctwsd.conf) in order for the changes to take effect.


In order for all Cyren services to function properly, unrestricted access to * must be given. Also a virus scan on these connections must not be done, because the definitions for the Cyren Premium AntiVirus are downloaded there as well!


PDF conversion as part of Content Disarm and Reconstruction (CDR), converts Microsoft Word, Microsoft Excel and PDF documents into secure PDF files by removing any active content. The PDF file can then be opened without any concerns, with the original file either left attached to the email or removed. CDR is a feature in NoSpamProxy Protection and in conjunction with NoSpamProxy Large Files provides an optimal way to disarm unsafe documents and retain the original files.

CDR is configured in the “Content filter actions” and then applied to the corresponding emails via the “Content filters”. A training video on the content filters can be found at (German only).

This conversion process is very time-consuming and not all documents can be converted. We have built in a protection mechanism so that the unsafe attachments are not delivered, even if the conversion fails.

  • If only Protection, but not Large Files, is licensed, the email for which the conversion did not work is first stored under “Monitoring > Emails on hold” and the configured administrator is informed. The administrator then has the task of checking the email and can then either download it as an EML file and forward it via Outlook or deactivate/change the content filter for this email for a limited time and force delivery again.
  • If Protection and Large Files are licensed, the original file will be uploaded to the Web Portal if the conversion fails (if desired even if the conversion was successful), but it will be locked there, so that it must also be released by the administrator, deviating from the settings for the successful conversion. The prerequisite for this is the setting “Upload the original document to the Web Portal” in the Content Filter action.
    The email itself is delivered to the recipient, with the corresponding information for downloading, but without the converted PDF file, as this was not possible.

This protective mechanism cannot be changed or influenced.


Since the conversion component is provided by a third-party provider, we have only very limited influence on it. If the conversion cannot be performed to your satisfaction, please send us the file to be converted, if possible. Make sure that the file does not contain any personal data. We will then make this file available to the third party provider for analysis. We would like to point out that a feedback on our part is not possible, as the adaptation process can be very lengthy.


This article describes how you can use the debugging tools to create log files for the analysis of high processor loads, which can then be evaluated by NoSpamProxy Support.

First install the Windows debugging tools on the server under high processor load. You can download them at

Then, enter the following command into the command line:

cdb.exe -pv -pn NetatWorkMailGatewayGatewayRole.exe -c ".load C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SOS.dll;!EEStack -ee;qd" > NoSpamProxyStack_%date:~-4.4%%date:~-7.2%%date:~-10.2%_%time:~0.2%%time:~3.2%%time:~6.2%.log

If necessary, replace the NetatWorkMailGatewayGatewayRole.exe process with the process that causes the high processor load. Execute the command several times and then send the resulting log files in zipped form to NoSpamProxy Support.


When integrating the WebPortal into the configuration, the following settings must be observed for various scenarios. These settings are outside the NoSpamProxy but are mandatory for integration.


  • NoSpamProxy WebPortal is operated parallel to the gateway role and/or intranet role on the same system
    The Microsoft KB926642 article must be applied. Method 1 (recommended): Create the Local Security Authority host names that can be referenced in an NTLM authentication request is recommended, especially for production environments. Method 2: Disable the authentication loopback check should only be applied to test environments!
    Note: The articles at Microsoft swap the methods in the English and German versions. Always check the exact description!
  • NoSpamProxy WebPortal is operated on a system in the DMZ / on computer(s) outside the domain
    The Microsoft KB951016 article must be applied


How to set the number of concurrent connections manually

This article describes how to change the number of outbound connections of the Gateway role.

The corresponding settings are specified in the file “Gateway Role.config” in “C:\ProgramData\Net at Work Mail Gateway\Configuration\” on the respective gateway role. To edit the file, first stop the gateway role.

Below the tag

<netatwork.nospamproxy.proxyconfiguration ... >

find the tag <queueConfiguration> and add the attributes maxConcurrentConnections="xx" and maxConcurrentConnectionsPerDomain="xx" to it. It should look like this:
<queueConfiguration maxConcurrentConnections="100" maxConcurrentConnectionsPerDomain="10" />

This limits the number of concurrent connections to 100, with a maximum of 10 concurrent connections allowed per domain.


This article describes how to manually set the number of concurrent connections. Since version 7.0, NoSpamProxy determines this number dynamically by itself. The basis for the decision is the CPU and memory usage. To prevent this behavior, proceed as follows:

First stop the Gateway Role. The corresponding setting is made in the “Gateway Role.config”. This file can be found in “C:\ProgramData\Net at Work Mail Gateway\Configuration\” on the respective Gateway Role.

Look for the line beginning with the following characters:


Insert the following value directly below:
<connectionLimits hardUpperConnectionLimit="" minimumNumberOfConcurrentSessions="" />

If the values are not specified as in this example, the dynamic limit applies (depending on the CPU utilisation).

The values are both integer values.

The value hardUpperConnectionLimit setermines the maximum number of connections.
The value minimumNumberOfConcurrentSessions determines the maximum number of concurrent connections.

<connectionLimits hardUpperConnectionLimit="100" minimumNumberOfConcurrentSessions="50" />

Finally, save the configuration file and restart the Gateway Role.