CommuniGate Pro


 

Kaspersky Anti-Spam Plugin for CommuniGate Pro

Kaspersky Anti-Spam Plugin Overview

The KAS Plugin runs as an External Filter and calculates a spam "score" for each message being processed. Unlike tools with statically defined patterns for spam messages, the KAS Plugin dynamically retrieves new patterns from KasperskyLabs Network thus roviding greater accuracy for new spam messages.

The score ranges from 0 to 100; the higher the message score the more likely the message is spam. The score info is added to message headers so it can be processed by Server-Wide, Domain-Wide and Account Rules.

By default the added header lines look like this:

X-Junk-Score:  92 [XXXX]
X-KAS-Score:  92 [XXXX]
X-Alert: possible spam!
X-Color: red
Besides the digital score value, the header field contains a "bar score" to simplify automated message processing: the more 'X' characters the higher the score. The following ratios between the digital and bar scores are used by default:

Digital score rangeBar score
0[]
1-39[X]
40-80[XX]
81-90[XXX]
91-95[XXXX]
96-99[XXXXX]
100[XXXXXX]

Every day at midnight the Plugin generates a report message about the number of mails processed and their spam scores. By default the report message is mailed to postmaster address from the CommuniGate main domain.

Note: The Kaspersky Anti-Spam Plugin is available only for some platforms supported with the CommuniGate Pro server software. Before you order the Kaspersky Anti-Spam Plugin License, make sure the plugin is available for your CommuniGate Pro Server platform.

Note:The plugin requires two license keys to run:

  • Internal Kaspersky license Key file
  • CommuniGate Key
The Internal Kaspersky Key is required by is required for the Kaspersky Engine to work. The key has limited validity period. The new keys are given by us for free of charge, please contat <sales@communigate.ru>
Without the CommuniGate Key the plugin will run in demo mode with limited scan rate.

Note: The Kaspersky Anti-Spam Plugin requires CommuniGatePro version 6.2.4 or later.

Download the Plugins

Kaspersky Anti-Spam plugins are available for certain platforms only..


Operating System CPU Download
via
HTTP		 via
FTP
Linux
(RedHat, SuSE, Debian)		 x86_64
FreeBSD
10.x		 x86_64
Microsoft Windows
7/8/10		 x86_64

The current version of the Plugin is 1.2

Installing on Unix Systems

  • Download the Plugin archive CGPKAS-platform-processor-version.tar.gz.
  • Log in as a super-user (root).
  • Move the archive to /var/CommuniGate/ which is the Base Directory of CommuniGate Pro.
  • Unpack the Plugin archive with the gtar command (or gunzip and tar commands):
      gunzip CGPKAS-*.tar.gz
      tar -xf CGPKAS-*.tar
    . The CGPKAS directory will be created inside the /var/CommuniGate/.
  • Install the Kaspersky Internal license Key file:
      cp 12345ABC.key /var/CommuniGate/CGPKAS/licenses/
  • Proceed with Testing the Plugin.

Installing on MS Windows System

  • Download the Plugin archive CGPKAS-Windows-x86_64.zip.
  • Move the archive to the CommuniGate Pro Base Directory which is the C:\CommuniGate Files\
  • Unpack the Plugin archive with any "unzip" program:
      pkunzip CGPKAS-*.zip
    The CGPKAS directory will be created inside the Base Directory.
  • Install the Kaspersky Internal license Key file:
      copy 12345ABC.key C:\CommuniGate Files\CGPKAS\licenses\
  • Proceed with Testing the Plugin.

Testing the Plugin

On a Unix System:

  • Change the current directory to the CommuniGate Pro base directory:
      cd /var/CommuniGate
  • Launch the CGPKAS application from its directory:
      CGPKAS/CGPKAS
    Important: You need to launch it as written above, not from the CGPKAS directory as ./CGPKAS

    It will report the Plugin version number, the Engine version number, the date of the latest update of the spam database, the internal key expiration date, and some other info.
  • Type:
      1 FILE CGPKAS/test.msg
    The plugin should answer with ADDHEADER followed by a message header line with some score.
  • Quit CGPKAS by pressing Ctrl-D.

On a MS Windows System:

  • Change the current directory to the CommuniGate Pro base directory:
      cd "C:\CommuniGate Files"
  • Launch the CGPKAS.exe application from its directory:
      CGPKAS\CGPKAS.exe
    Important: You need to launch it as written above, not from the CGPKAS directory as CGPKAS.exe

    It will report the Plugin version number, the Engine version number, the date of the latest update of the spam database, the internal key expiration date, and some other info.
  • Type:
      1 FILE CGPKAS\test.msg
    The plugin should answer with ADDHEADER followed by a message header line with some score.
  • Quit CGPKAS.exe by pressing Ctrl-Z.

Note: Without the Internal Kaspersky license Key the plugin will give out an error and exit. However it still makes sence testing the Plugin without the Internal Kaspersky license Key to check the executables for library dependencies.

Integrating the Plugin with CommuniGate Pro.

Step #1: Create the Helper

Please check the External Filters section of the CommuniGate Pro manual.

Open the General page in the Settings section of the WebAdmin Interface and click the Helpers link. Create a Helper for the KAS Plugin:

Content Filtering
Log Level: Program Path:
Time-out: Auto-Restart:

Note: For Linux, if the Plugin fails to start, try to clear sticky-bits with "chmod ug-s /opt/CommmuniGate/CGServer" command and restart CommuniGate.

Note: For Windows, if the Plugin fails to start, try to specify full Program Path, e.g. "C:\CommuniGate Files\CGPKAS\CGPKAS.exe"

Step #2: Create the Scanning Rule

To invoke the KAS Helper you should create a Server-Wide Rule with "ExternalFilter KAS" action. The Scanning Rule will apply KAS to the message and the spam score will be added to the message header.
Note: It must be a Server-Wide Rule, not Domain-Wide or Account-level.

The recommended Scanning Rule is as follows:

Data Operation Parameter
Action Parameter

This rule skips messages from the MAILER-DAEMON address (such as non-delivery reports, return-receipts, etc.), skips messages from Client IP Addresses and from authenticated senders, and includes only messages for local accounts and mailing lists.

Note: The unlicensed installation of Kaspersky Anti-Spam Plugin is limited to 5 messages per hour. If the E-mail traffic exceeds the limit, the Plugin will let the messages go through unrated.

Step #3: Dealing with the Rated Messages

The plugin by itself doesn't block spam, it only assigns a spam score to the messages. To actually block spam you need to create yet another Rule which blocks messages according to their spam score. There are many scenarios possible:

Scenario #1: suitable for small companies where you can assign one person (e.g. postmaster) to look through the spam messages daily to check for false positives, and if any false positives found - redirect them to the appropriate persons.

Create a Server-Wide Rule with the following contents:

Data Operation Parameter
Action Parameter

This Rule moves the incoming messages with score 96 and greater to the "spam_box" mailbox of the postmaster@domain.com account. The "Discard" action is required to prevent the message from going to the initially intended destination (INBOX mailbox). Note in the example above, the "*" in [XXXXX* is necessary to filter all messages scored above 5 X's. Without it, the rule will only filter out messages with 5 X's.
Note: The priority of this Server-Wide Rule must be lower than the priority of the Scanning Rule.

Scenario #2: suitable for large companies and ISPs. Let users to deal with spam on their own.

Create one Domain-Wide rule or many Account-level rules for each account with the following contents:

Data Operation Parameter
Action Parameter

This Rule moves the incoming messages with score 96 and greater to the "Junk" mailbox of the original recipeint account. The users should regularly check their "Junk" mailboxes and purge them. The "Discard" action is required to prevent the message from going to the initially intended destination (INBOX mailbox). Note in the example above, the "*" in [XXXXX* is necessary to filter all messages scored above 5 X's. Without it, the rule will only filter out messages with 5 X's.

Alternatively, you can use "Junk Mail Control" simplified Rule on domain or account level:

Junk Mail Control
High probability: Medium probability: Low probability:

Scenario #3: suitable for large companies and ISPs for users who don't have access to mailboxes other than INBOX, e.g. POP3 users.

Create one Domain-Wide rule or many Account-level rules for each account with the following contents:

Data Operation Parameter
Action Parameter

This Rule marks subjects of spam messages with [SPAM] prefix.

Scenario #4:suitable for companies with relatively small input traffic, available from CommuniGate Pro version 5.1 and greater.

In CommuniGate Pro version 5.1 and greater you can enqueue messages synchronously. Use the WebAdmin Interface to configure the Enqueuer component. Open the Queue page in the Settings->Mail realm. Clear off the checkbox of the "Enqueue Asynchronously" option:
Message Enqueuer
Log Level: Processors:
Hop Counter Limit:   Enqueue Asynchronously

Please see the details in CommuniGate Manual.

Create a Server-Wide Rule with the following contents:

Data Operation Parameter
Action Parameter

When enqueueing synchronously, when a message is rejected with a Server-Wide Rule it is rejected on SMTP level with 5xx error code, rather than accepted and bounced.

In any scenario it's not recommend to discard spam messages blindly without saving them because of the possible false positives. It's either highly not recommended to automatically reject spam (unless you're in synchronous mode using scenario#4) because usually the return addresses are forged and the rejection notice message will go to an innocent person or a spamtrap, which may result in your server to become blacklisted. When rejecting in syncronous mode, the sending host will get an error during SMTP transaction and there will be no bounce message generated by your server.

The recommended threshold (the score you start treating messages as spam) is 96. If not enough spam is caught then lower the threshold to 90; if there too many false positives, raise the threshold to 100.

The Plugin Configuration File

On startup the KAS Plugin reads the contents of the CGPKAS.cfg file from the current directory. The format of the file data elements is described in http://www.communigate.ru/CommuniGatePro/Data.html. The description of the data elements you may find in the CGPKAS.cfg file. The default CGPKAS.cfg is available here.

The default CGPKAS.cfg has the following contents:

Header="X-Junk-Score: ^1 [^2]";
This line defines the header to be added to the rated messages.
The ^1 combination is replaced with the digital message score.
The ^2 combination is replaced with the bar score.
To create a multi-line header use the \e combination as a line breaker. Make sure each line is a RFC-compliant header, it would be best if you start each with the "X-" prefix. Example: Header="X-Score: ^1\eX-Bar-Score: ^2"

AlertLevel=96;
This line defines the score which triggers the AlertHeader to be inserted into the message, and the messages whose source and destination addresses will be listed in the daily reports as Spam Sources and Targets.

AlertHeader="X-Alert: possible spam!\eX-Color: red";
This line defines the header to be added to the rated messages if its score is equal or greater than the value of AlertLevel. The "X-Color: red" combination changes the message color when viewed via CommuniGate Pro WebMail interface.
Note: To dispatch spam via Rules you may check for the AlertHeader presence instead of checking the message scores, but this method is not flexible because different users may want to use different scores as a threshold.

SubmittedDirectory = "Submitted";
This line defines the CommuniGatePro Submitted directory required for submitting the reports via PIPE module. There can be relative or absolute path, e.g. "/var/CommuniGate/Submitted"

OnLicenseLimitReached=Pass;
This line defines the behaviour of the Plugin when the number of messages exceeds the licensed limit. When it is set to "Delay" the Plugin suspends the CommuniGate Pro Queue processing module until next window, when it is set to "Pass" the Plugin lets extra messages to go through unrated. Messages not scored will not have any X-KAS-Score headers. You will also be notified in CommuniGate log when your license has reached its limit.

Reporting misclassified messages to the Kaspersky Labs

The technical requirements when submitting misclassified messages to Kaspersky:

  • The message being reported must be attached to the email (as an message/rfc822 MIME attachment). This allows Kaspersky Labs to get the message in its original form, as it was when Kaspersky Labs scanned the message at the gateway.
  • Only messages received within 48 hours are suitable for analysis.

The feedback messages should be mailed to one of the following addresses:

notspam@kaspersky.com - for false positives
spam@kaspersky.com - for false negatives

To use Microsoft Outlook to submit feedback:

  1. Launch Outlook
  2. Open a new message window by clicking on the New button on the Outlook toolbar or choose File > New > Message from the menu options.
  3. Drag the misclassified message(s) onto the new message window to attach them.
  4. Send the new message containing the attachments to one of the above listed feedback addresses.

To use CommuniGate WebMail interface to submit feedback:

  1. Open the misclassified message from list to a separate window
  2. Click "Forward" link (or icon, depending on the skin you use) to compose a feedback message
  3. Enter one of the above listed feedback addresses into "To:" input field
  4. Click "Send" button (or icon).
CommuniGate Pro Guide. Copyright © 2020, AO StalkerSoft