
Plans regarding spam filter or how to enhance filtering

Hi community.

So we just got our new XG210-HA and I'm quite happy about the good filter rate compared to our existing GFI MailEssentials. Unfortunately I'm missing features to enhance the filter mechanism. Currently we drop spam and probable spam goes to quarantine. A few spam mails are still getting through and some non-spam mails are dropped or put into quarantine.

I'd like to drop GFI MailEssentials but regarding passing spam mails I'm unsure to leave it to filter these mails.

And what to do about false positives?

Greylisting is currently deactivated as it seems not to be working properly.

"Check for virus outbreak" is not activated as it is not described yet in the documentation.

Thanks for your thoughts.



  • Well, after some reading I found a solution for blacklisting and whitelisting which seems to be new in v17

    https://community.sophos.com/kb/en-us/128049

    This definitely helps in some cases.

    Still I'd like to hear your thoughts about advanced email processing regarding spam.

  • I don't use XG for mail filtering but there are a few things that I always use in SG which are also available in XG

    1. General Setting > advanced smtp settings. Enable RDNS checking. This will cut your spam down drastically. If I had only one spam control, I would enable RDNS. Matching the sender to their claimed domain name cuts out all the fake email addresses relaying through different hosts. 

    2. Add more RBLs under email > address group. I have never been a fan of spamcop (too many false positives but sophos seems to be pushing it). Use zen.spamhaus.org or any others that you like. Quarantine your spam if you are using spamcop as I haven't had good experience with it. SG has other RBLs that sophos has sadly dropped from XG for some reason.

    3. Enable File protection to scan by mime type. This will intercept most of the attachments like exe files and other office documents etc. that you don't want in your LAN. Be careful that you don't block any legitimate attachments that users need to get their work done. This is how I used to block all the pdf files when I was getting multiple pdf attachments a day with viruses.

    Hope this gives you a starting point.

  • Forgot to add: use country blocking to block main offenders like China, Russia, Japan, India etc. in your SMTP firewall rule. Country blocking was broken in XG and I think they recently fixed it but I am not sure. We don't do any business with foreign countries so it's easy to block spam emails coming from those countries without worrying about scanning such emails. This is almost like blocking TLDs so be careful that you don't block legitimate emails.

    People try to use country blocking for other purposes but to me the only legitimate reason for country blocking is if you are running smtp or maybe web servers.

  • Thanks for your suggestions.

    Do you mean strict RDNS checks or only missing RDNS checks?

    Yes, I wondered about the two RBLs as I have more in GFI MailEssentials. But I'm unsure whether to put them into the 'premium' or 'standard' RBL address list as I don't know how reliable they are. Sophos put spamcop into the premium list.

  • Missing RDNS will only check if the sending IP has a PTR record and if it does, it will let it pass. It also checks for invalid HELO.

    Strict RDNS will match the PTR to the IP and make sure that they match. So you want to use both RDNS and Strict RDNS.

    SG has commtouch (cyren.org) and cbl.abuseat.org plus you can add whatever else you want. XG is being cheap by not offering commtouch or similar.

    It doesn't matter where you put the RBLs (in premium or standard). The SMTP policy that you create will have the option of using whatever you want.
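    To make the difference between the two RDNS modes and an RBL lookup concrete, here is an added example (my own code, not Sophos' implementation or anything from this thread) that runs against a constructed fake DNS table so it works offline; `FAKE_DNS`, `fake_resolve()` and `classify()` are names I made up, the HELO validity check mentioned above is not modelled, and swapping `fake_resolve` for a real resolver would make it query live DNS.

```python
import ipaddress

# Constructed fake DNS data so the example runs offline. 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges; every record below is invented.
FAKE_DNS = {
    ("PTR", "10.2.0.192.in-addr.arpa"): ["mail.example.com."],
    ("A", "mail.example.com"): ["192.0.2.10"],                # forward-confirmed
    ("PTR", "20.2.0.192.in-addr.arpa"): ["host.example.net."],
    ("A", "host.example.net"): ["192.0.2.99"],                # PTR does not map back
    ("PTR", "40.100.51.198.in-addr.arpa"): ["smtp.example.org."],
    ("A", "smtp.example.org"): ["198.51.100.40"],
    ("A", "40.100.51.198.zen.spamhaus.org"): ["127.0.0.4"],  # simulated listing
}

def fake_resolve(qtype, qname):
    """Stand-in for a real resolver: returns a list of answers, [] if none."""
    return FAKE_DNS.get((qtype, qname.lower()), [])

def rdns_check(ip, resolve, strict):
    """Non-strict ('missing RDNS'): accept if the IP has any PTR record at all.
    Strict: the PTR name must resolve forward to the connecting IP (FCrDNS)."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    ptrs = [n.rstrip(".").lower() for n in resolve("PTR", rev)]
    if not ptrs:
        return False, "no PTR record"
    if not strict:
        return True, "PTR present: " + ptrs[0]
    for name in ptrs:
        if ip in resolve("A", name):
            return True, "PTR %s resolves back to %s" % (name, ip)
    return False, "PTR %s does not resolve back to %s" % (ptrs[0], ip)

def rbl_codes(ip, zone, resolve):
    """DNSBL lookup: reversed octets prefixed to the zone name. Any answer in
    127.0.0.0/8 means listed; the exact value is the zone's return code."""
    qname = ".".join(ip.split(".")[::-1] + [zone])
    return [a for a in resolve("A", qname) if a.startswith("127.")]

def classify(ip, resolve=fake_resolve, strict=True, zones=("zen.spamhaus.org",)):
    """RDNS first, then every configured RBL. Returns ('accept'|'reject', reasons)."""
    ok, reason = rdns_check(ip, resolve, strict)
    reasons = [reason]
    for zone in zones:
        codes = rbl_codes(ip, zone, resolve)
        if codes:
            ok = False
            reasons.append("listed in %s (%s)" % (zone, ",".join(codes)))
    return ("accept" if ok else "reject"), reasons

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "198.51.100.40"):
        print(ip, "non-strict:", classify(ip, strict=False), "strict:", classify(ip))
```

    192.0.2.20 is the case the thread is worried about: a PTR exists, so the non-strict check accepts it, but the name does not resolve back to the IP, so strict RDNS rejects it.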

  • I'm afraid that strict RDNS drops mails from poorly configured domains, or is this not the case under "normal" circumstances?

    I will give commtouch (cyren.org) and cbl.abuseat.org a try and see what happens.

  • I have always used strict RDNS. Depends on if you are deploying it for someone or if you will be monitoring the system closely. If you are concerned with strict RDNS, let RBLs do the job but strict RDNS will get rid of a lot of spam. 

    I don't think commtouch is free, the website is cyren.com (sorry). It is part of SG email filtering. I always use spamhaus regardless.