Gateway Spam Filters

Gateway Introduction

Solo gateway spam filters are similar to servers in that they accept email on behalf of the domain served, then filter the email filtering for spam or viruses. The difference between gateways and servers is that gateways have no notion of individual email accounts or mailboxes. It accepts all email destine for the domain served and forwards filtered email onto a non-filtering server such as MS-Exchange. Such abuse can tend to overload a gateway filter.

A gateway sits in front of a non-filtering mail server such as MS-Exchange and performs the filtering. Any email determined to be legitimate ham are forwarded onto the mailbox aware server. This is a common setup because Exchange offers group collaboration which many organizations find valuable. But Exchange does not offer much in the way of spam and virus filtering. A gateway sitting in front of Exchange provides the spam filtering missing in Exchange, while still providing group collaboration.

A gateway accepts all emails for a given domain regardless of whether or not the final recipient is a valid address. This presents several side effects that must be noted.

Gateway Load

Because a gateways accept email destine for invalid mailboxes, the traffic load and abuse tends to be much higher than with a server. Spammers will run a dictionary of names against a domain, hoping that a they guess valid mailboxes on at least a few accounts. These attempts can last for hundreds or thousands of attempts to slip a few emails in. A server will reject email destine for non-existing mailboxes. Since the rejection occurs at the outset, the load on the server is relatively low.

But a gateway will have to accept all of those spams - every single one of them will be accepted, filtered, and the remaining hams forwarded onto Exchange. This represents a significant amount of load on a gateway, that a server would not have to deal with.

Fortunately, there is away to alleviate a great deal of this load. Windows ActiveDirectory, which is an integral component of Exchange provides an LDAP interface. A full featured gateway will include functionality to query an LDAP server to verify valid recipients. A gateway configured to query an Windows ActiveDirectory server will be able to reject email destine for invalid recipients without accepting and filtering the email - just like a server does. More details on LDAP in the next section.

Handling Rejections

This is not a self-esteem section, it's a practical problem with gateways filters. When a gateway accepts an email for an invalid recipient, filters it and then forwards it onto Exchange, it will be rejected by Exchange. How this rejection is handled is important because badly configured, it could increase load on the gateway even more. Or worse, give spammers valuable information.

Rejected emails should never be routed back to the sender. This only eats up bandwidth, and 99% of which will never be delivered because spammers spoof the sending address. Many bosses will want rejections routed back so that the sender is alerted in the event of a typo in the To field. This must not be allowed. Instead, configure rejections be routed to a separate folder for an administrator to scan for typos. Or better still, just have them deleted. 

Note that rejection handling configurations are to be done on the server, not the gateway.

Common typos: filtre, filer, fliter, severs, philter, filtr, ladp, selver, firer, fiter, filte, fitler, ateway, gatewa, ilter, flter, dlap