User manual KASPERSKY LAB KASPERSKY ANTI-SPAM 3.0 - ADMINISTRATOR GUIDE

KASPERSKY LAB Kaspersky® Anti-Spam 3.0 Administrator's Guide KASPERSKY® ANTI-SPAM 3.0 Administrator's Guide © Kaspersky Lab http://www.kaspersky.com Revision date: November 2006 Contents CHAPTER 1. KASPERSKY ANTI-SPAM 3.0................................................................. 6 1.1. What's new in version 3.0 ..................................................................................... 7 1.2. Licensing policy ..................................................................................................... 8 1.3. Hardware and software requirements .................................................................. 9 1.4. Distribution kit ...................................................................................................... 10 1.5. Help desk for registered users ............................................................................ 10 1.6. Conventions......................................................................................................... 11 CHAPTER 2. ARCHITECTURE OF KASPERSKY ANTI-SPAM AND PRINCIPLES OF SPAM FILTERING........................................................................ 12 2.1. Product structure ................................................................................................. 12 2.2. Recognition technology....................................................................................... 16 2.2.1. Analysis of formal signs................................................................................ 16 2.2.2. Content filtration............................................................................................ 16 2.2.3. Checks using external services.................................................................... 17 2.2.4. Urgent Detection System ............................................................................. 18 2.3. Recognition results and actions over messages................................................ 19 2.4. Content filtration databases................................................................................. 20 2.5. Filtration policies .................................................................................................. 20 2.6. Control Center ..................................................................................................... 21 2.7. Monitoring ............................................................................................................ 21 CHAPTER 3. INSTALLING KASPERSKY ANTI-SPAM.............................................. 23 3.1. Preparing for installation...................................................................................... 23 3.2. Installing Kaspersky Anti-Spam distribution package ........................................ 24 3.3. Configuring access to the Control Center........................................................... 25 3.4. Installing the license key...................................................................................... 26 3.5. Integrating Kaspersky Anti-Spam with your mail server ................................... 27 3.6. Configuring updates of content filtration databases and UDS use.................... 29 CHAPTER 4. MANAGING THE SPAM FILTRATION SERVER................................. 30 4.1. Starting and managing Kaspersky Anti-Spam components.............................. 30 4 Kaspersky Anti-Spam 3.0 4.2. Kaspersky Anti-Spam Control Center................................................................. 31 4.3. Filtration policy management .............................................................................. 32 4.3.1. General filtration policy ................................................................................. 33 4.3.1.1. The General section .............................................................................. 34 4.3.1.2. The DNS & SPF Checks section .......................................................... 36 4.3.1.3. The Headers Checks section ................................................................ 37 4.3.1.4. The Eastern Encodings section ............................................................ 39 4.3.1.5. The Obscene Content section............................................................... 39 4.3.2. Managing the white and black lists .............................................................. 40 4.3.3. Managing the lists of employed DNSBL services ....................................... 42 4.3.4. Managing the list of protected domains ....................................................... 44 4.3.5. Group management ..................................................................................... 45 4.3.6. Managing the group filtration policy ............................................................. 48 4.3.7. Actions over messages ................................................................................ 49 4.4. Updating the content filtration databases ........................................................... 52 4.4.1. Configuring the update parameters ............................................................. 52 4.4.2. Initiating an update........................................................................................ 55 4.5. Configuring the spam filtration server ................................................................. 56 4.5.1. Common filtration server parameters........................................................... 57 4.5.2. Parameters of the filtration master process ................................................. 58 4.5.3. Parameters of the filtering processes .......................................................... 59 4.5.4. Spam recognition parameters...................................................................... 60 4.5.5. Client module settings .................................................................................. 62 4.5.6. Notifications about rejected messages ........................................................ 64 4.6. Control Center settings........................................................................................ 65 4.7. Managing the license keys.................................................................................. 66 4.7.1. Viewing the license information.................................................................... 67 4.7.2. Installing a new license key.......................................................................... 68 4.7.3. License key removal..................................................................................... 68 4.8. Monitoring the filtration server activity................................................................. 69 4.8.1. General product status information.............................................................. 69 4.8.1.1. Detailed information about the Anti-Spam Engine ............................... 70 4.8.1.2. Detailed information about the updater module.................................... 72 4.8.1.3. Detailed information about the licensing module.................................. 73 4.8.2. Monitoring system messages and reports................................................... 74 4.9. Kaspersky Anti-Spam statistics........................................................................... 75 Contents 5 CHAPTER 5. UNISTALLING KASPERSKY ANTI-SPAM ........................................... 77 CHAPTER 6. FREQUENTLY ASKED QUESTIONS................................................... 79 APPENDIX A. ADDITIONAL INFORMATION ON KASPERSKY ANTISPAM 83 A.1. Location of product files in the file system.......................................................... 83 A.2. Client modules for mail servers .......................................................................... 84 A.2.1. Interaction of client modules with the filtering server................................... 84 A.2.2. Global settings of client modules ................................................................. 85 A.2.3. kas-milter ­ a client module for the Sendmail mail server .......................... 86 A.2.4. kas-pipe ­ a client module for the Postfix and Exim mail servers .............. 88 A.2.5. kas-exim ­ a client module for the Exim mail server................................... 94 A.2.6. kas-qmail ­ client module for the Qmail mail server ................................... 97 A.2.7. kas-cgpro ­ a client module for the Communigate Pro mail server ........... 98 A.3. Kaspersky Anti-Spam configuration files.......................................................... 100 A.3.1. Main configuration file filter.conf................................................................. 101 A.3.2. Configuration file kas-thttpd.conf ............................................................... 106 A.4. Kaspersky Anti-Spam utilities ........................................................................... 106 A.4.1. kas-htpasswd ............................................................................................. 106 A.4.2. kas-show-license........................................................................................ 107 A.4.3. install-key.................................................................................................... 107 A.4.4. remove-key................................................................................................. 108 A.4.5. kas-restart................................................................................................... 109 A.4.6. mkprofiles ................................................................................................... 110 A.4.7. sfmonitoring ................................................................................................ 111 A.4.8. sfupdates .................................................................................................... 111 A.5. Special headers of the filtering module ............................................................ 112 A.6. Configuration using cron service ...................................................................... 115 APPENDIX B. HOW TO SEND SPAM MESSAGES TO SPAM ANALYSTS. 118 APPENDIX C. KASPERSKY LAB...................................................................... 120 A.7. Other Kaspersky Lab Products ........................................................................ 121 A.8. Contact Us......................................................................................................... 128 APPENDIX D. APPENDIX E. THIRD PARTY SOFTWARE ..................................................... 129 LICENSE AGREEMENT............................................................ 144 CHAPTER 1. KASPERSKY ANTISPAM 3.0 Kaspersky® Anti-Spam 3.0 (hereinafter also referred to as Kaspersky AntiSpam or the product) is a software suite filtering e-mail in order to protect mail system users from unsolicited mass mail (spam). Kaspersky Anti-Spam uses administrator-defined rules to process received messages accordingly. Namely, it delivers a message without modifications, blocks it, generates a notification informing that a message could not be received, adds or modifies message header and performs other actions specified by the administrator. The application checks every e-mail message for the presence of signs typical for unwanted mass mail (spam). First, it checks various message parameters: the sender's and recipient's addresses (envelope), message size and its various headers (including From and To). In addition, Kaspersky Anti-Spam runs the following checks as a part of its analysis procedure: · · a check of message sender's address (e-mail and / or IP address) using black and white lists; the presence of the sender's IP address in a DNS-based real time black hole list (DNSBL); DNSBL (DNS based black hole list) is a database that lists IP addresses of mail servers used for uncontrolled mass mailing. Such servers receive mail from anyone and deliver it further to arbitrary recipients. Using of DNSBL will allow automatic blocking of mail receipt from that mail server. Various services use different policies for generation of such lists. Please examine carefully the policy of each service before you start using it for mail filtration. · · availability of a DNS record for the sending server (reverse DNS lookup); a check of the sender's IP address for compliance with the list of addresses allowed for a domain based on the Sender Policy Framework (SPF); a check of addresses and links to sites in message text using the Spam URL Realtime Blocklists (SURBL) service. · Kaspersky Anti-Spam 3.0 7 Second, the application employs content filtration, i.e. it analyzes the actual message contents (including the Subject header) and attached files1. The product uses to that effect linguistic algorithms based on comparison with sample messages and search for typical terms (words and word combinations). Kaspersky Anti-Spam also scans attached images comparing them to the signatures of known spam messages. Comparison results are also taken into account when the application decides whether a message should be identified as spam. Messages with certain signs of unsolicited mail will be processed in accordance with the defined filtration policy (see section 2.3 on page 19). The administrator can configure the applicable filtration policy using the Control Center interface (see section 2.6 on page 21). 1.1. What's new in version 3.0 Kaspersky Anti-Spam 3.0 preserves all advantages of the previous version featuring also a number of improvements and additions: 1. New version of the Spamtest filtering engine. The new filtering engine included Anti-Spam 3.0 offers the following benefits: · · · 2. Higher performance and stability. Low RAM requirements. Low volume of web traffic (updates to the content filtration databases). into Kaspersky Improved filtration methods. Practically all the spam detection methods employed in earlier versions have been enhanced, including: · Improved algorithms used for parsing of HTML objects in mail messages (increasing the efficiency of detecting various spammer tricks meant to circumvent filtration systems). Extended and improved subsystem that analyzes the headers of mail messages. Enhanced subsystem analyzing graphic attachments (GSG). · · 1 The application scans attachments in plain text, HTML, Microsoft Word, and RTF formats (see section 2.2.2 on page 16 for details). 8 Kaspersky Anti-Spam 3.0 · · Added support for the use of Sender Policy Framework (SPF) and Spam URL Realtime Blocklists (SURBL) services. Included internal Urgent Detection System (UDS), which allows the user to receive information about certain types of spam in real time. 3. An absolutely new user interface. Kaspersky Anti-Spam 3.0 uses Control Center, which allows you to perform the following operations: · · · Configure the product: filtering rules, actions over messages, performance parameters, etc. Manage the licenses to use the product: install license keys, view the information about the current license. Monitor product activity and view statistical data. 4. Convenient configuration of filtration-related settings. Version 3.0 of the application uses the intuitively understandable Control Center interface to customize the filtration policies. Its benefits include: · Easy administration: convenient interface offers the minimum toolset necessary for system administration while providing a lot of ways to customize the system for a specific environment. Individual settings for user groups: certain scanning methods can be enabled/disabled individually for every group; you can also define the actions to be performed over e-mail messages. · 5. Enhanced tools for integration of the product and customization of its infrastructure: · · · Redesigned and improved modules for interaction with such email servers as Sendmail and Communigate Pro. A new system has been designed for the delivery of updates to the content filtration databases. All settings are combined into a single configuration file making it easier to configure and administer the system. 1.2. Licensing policy The licensing policy for Kaspersky Anti-Spam 3.0 implies a system of product use limitations based on the following criteria: · Mail traffic volume. Kaspersky Anti-Spam 3.0 9 · · The number of protected mail accounts. The number of mail systems users. The said limitations will only apply to the messages addressed to the senders within protected domains. The list of protected domains receiving the traffic that the product will filter can be customized in the Control Center (see section 4.3.4 on page 44). E-mail sent to recipients in domains that are not included into the list will not be filtered. Please specify the list of protected domains before you start using Kaspersky Anti-Spam. 1.3. Hardware and software requirements Minimum system requirements for normal operation of Kaspersky Anti-Spam are as follows: · · · Intel Pentium III 500 MHz processor or higher. At least 512 B of available RAM. One of the following operating systems: · · · · · · · · · · · · · · · RedHat Linux 9.0. Fedora Core 3. RedHat Enterprise Linux Advanced Server 3. SuSe Linux Enterprise Server 9.0. SuSe Linux Professional 9.2. Mandrake Linux version 10.1. Debian GNU/Linux 3.1. FreeBSD 4.10. FreeBSD 5.4. Sendmail 8.13.5 with Milter API support. Postfix 2.2.2. Qmail 1.03. Exim 4.50. Communigate Pro 4.3.7. One of the following mail servers: 10 Kaspersky Anti-Spam 3.0 · · Installed bzip2 and which utilities. Perl interpreter. 1.4. Distribution kit You can purchase Kaspersky Anti-Spam either from our dealers (retail box) or online (for example, you may visit http://www.kaspersky.com, and go to E-Store section). The contents of the retail box package include: · · · · Sealed envelope with an installation CD, or set of floppy disks, containing the application files. Administrator's Guide. License key written on a special floppy disk. License Agreement. Before you open the envelope with the CD (or a set of floppy disks) make sure that you have carefully read the license agreement. If you buy Kaspersky Anti-Spam online, you will download the application from the Kaspersky Lab website. In this case, the distribution kit will include this User's Guide along with the application. The license key will be emailed to you upon the receipt of your payment. The License Agreement is a legal contract between you and Kaspersky Lab that describes the terms and conditions under which you may use the product that you have purchased. Please read the License Agreement carefully! If you do not agree with the terms and conditions of the License Agreement, return the retail box to the Kaspersky Anti-Spam dealer you purchased it from and the money you paid for the product will be refunded to you on the condition that the envelope with the installation CD (or set of floppy disks) is still sealed. By opening the sealed envelope with the installation CD (or set of floppy disks), you confirm that you agree with all the terms and conditions of the License Agreement. 1.5. Help desk for registered users Kaspersky Lab offers all registered users an extensive service package enabling them to use Kaspersky Anti-Spam more efficiently. Kaspersky Anti-Spam 3.0 11 After purchasing a license you become a registered user and during the license period you can enjoy the following services: · · · application module and anti-virus database updates; support on issues related to the installation, configuration and use of the application. Services will be provided by phone or via email; information about new Kaspersky Lab products. You can also subscribe to the Kaspersky Lab newsletter, which provides information about new computer viruses as they appear. Kaspersky Lab does not provide support on issues related to the performance and the use of operating systems or other technologies. 1.6. Conventions In this book we use various conventions to emphasize different meaningful parts of the documentation. The table below lists the conventions used in this document. Convention Bold font Meaning Menu titles, commands, window titles, dialog elements, etc. Note Attention Additional information, notes. Critical information. Actions that must be taken to run a program. To run a program: Step 1. ... Task: Solution Task statement as an example of parameter definitions, functions, etc. Solution to the task formulated. CHAPTER 2. ARCHITECTURE OF KASPERSKY ANTI-SPAM AND PRINCIPLES OF SPAM FILTERING This section contains descriptions of the main product components and the principles of filtering as well as the Control Center, the main tool for Kaspersky Anti-Spam administration and configuration. 2.1. Product structure Kaspersky Anti-Spam 3.0 is a spam recognition and filtering system functioning as an integral part of an appropriate mail server. Kaspersky Anti-Spam 3.0 is not a full-featured mail server able to receive mail, relay it or deliver e-mail to the mailboxes of end recipients. The architecture of Kaspersky Anti-Spam is shown in Fig. 1. Kaspersky Anti-Spam consists of the following components: · · Client plug-in modules intended for product integration with mail server. Anti-Spam Engine ­ the filtration server component that analyzes e-mail messages rating and processing them. Filtration server includes a number of auxiliary modules, which provide for its functioning and integration with mail servers: · · · Filtration module ­ the module filtering spam. Licensing module ­ the module that manages product licenses and the list of protected domains. Content filtration databases ­ a corpus of data that the filtration server uses to rate messages; updates to the content filtration databases are published on the servers of Kaspersky Lab every 20 minutes. Updater module for the content filtration databases ­ a system that provides for automatic downloading of new content filtration databases from updating servers and their installation for further use by the anti-spam engine. · Architecture of Kaspersky Anti-Spam and principles of spam filtering 13 Figure 1. The architecture of Kaspersky Anti-Spam · Control Center ­ web-based interface that administrators can use to configure the product, analyze its status and functionality. Monitoring system ­ a system that tracks the status of Kaspersky Anti-Spam and its individual components and notifies system administrator about various problems in product operation. · Client plug-in modules are designed for Kaspersky Anti-Spam integration with various mail servers. Every client plug-in takes into account the peculiarities of a specific mail server and the selected integration method. 14 Kaspersky Anti-Spam 3.0 The distribution package of Kaspersky Anti-Spam includes client plug-ins for Sendmail, Postfix, Exim, Qmail and Communigate Pro. As a rule, a client plug-in must be installed as a filter providing for receipt of messages to be analyzed from the mail server and for the subsequent return of modified e-mail. Client plug-in modules are started by their respective mail servers. The sole exception is Sendmail, which does not launch a client plug-in. Mail server can start several client plug-ins for parallel processing of several letters. Please refer to Appendix A.2 on page 84 for details on client plug-in modules and the methods of their integration. Irrespectively of the individual peculiarities of client modules, each module interacts with the filtration server via a network or a local socket using internal data exchange protocol. Anti-Spam Engine responds to the requests of clients accessing it, receives from them messages for analysis and returns the results. The standard installation procedure assumes that the mail server with an integrated client plug-in and the filtration server are installed on the same computer. However, the anti-spam engine of Kaspersky Anti-Spam can also be installed to a separate server. In that case client modules running on another computer (server) will exchange data with the filtration server through local network using TCP. Anti-Spam Engine running on a dedicated computer can serve several mail servers at once provided that the performance of the computer it uses is sufficient to process all that e-mail traffic. Anti-Spam Engine consists of the following components: · · · · · · filtration module that performs message analysis licensing module, which checks the availability of a valid license key file and compliance with the limitations specified in the purchased license daemon processing SPF requests script, which performs automatic downloads of content filtration databases and compiles them Control Center Auxiliary programs and scripts. Filtration master process (ap-process-server) is the main component of the filtering module; it performs the following tasks: · monitoring of requests from client modules for connection to the filtering process Architecture of Kaspersky Anti-Spam and principles of spam filtering 15 · · · initiation of new filtering processes when there are no available processes left monitoring the status of running processes termination of child processes upon an appropriate signal (e.g., SIGHUP). If traffic volume is considerable, the number of running filtration processes can reach several dozens. When the mail server load becomes lower, idle filtering processes will terminate. Maximum and minimum number of running filtration processes are defined by the anti-spam engine settings (see Appendix A.3.1 on page 101). When the filtering process (ap-mailfilter) starts, it loads the existing filtration policies and the content filtration databases. As soon as a connection to a client module is established, the filtering process receives from the module message headers and body, performs their analysis and returns the results to client module. If message sender has to be checked for compliance with the SPF policy, the filtering process transmits a request to the SPF daemon (ap-spfd), which sends necessary queries to a DNS server and returns the results to the filtering process. The application analyzes messages and applies to them rules defined in the filtration policies only if there is a valid license key available. All licensing checks are performed by the licensing module (kas-license) upon a request from a filtration process. Having finished processing a message, the filtering process does not terminate. Instead, it keeps waiting for a new request. A filtering process terminates after it processes the maximum number of messages specified for a single process (as a rule, 300) or remains idle for a long time. The script for automated downloading of updates (sfupdates) runs according to its schedule (using the cron service) and provides for downloads of the latest version of the content filtration databases from the update servers, it also builds the current database version and installs it for further use by the filtration server. Control Center is a web-based interface, which allows the administrator to configure the product and spam filtration policies. Monitoring system controls the status of Kaspersky Anti-Spam components and notifies system administrator about problems occurring in the operation of the filtration server and other product components. Kaspersky Anti-Spam 3.0 processes e-mail traffic using the following algorithm: 1. 2. Client plug-in module integrates with an installed mail server. Mail server transfers to the client module messages for analysis by the filtration server. 16 Kaspersky Anti-Spam 3.0 3. Filtration server checks messages scanning them for signs of spam and, depending upon the result, modifies them in accordance with the existing rules. Client plug-in module returns processed messages to the mail server for delivery. 4. 2.2. Recognition technology Kaspersky Anti-Spam offers powerful tools for spam detection in e-mail traffic. This section contains a brief overview of spam recognition technologies implemented in the product. 2.2.1. Analysis of formal signs The method uses a set of rules based on examination of certain message headers and their comparison with sets of headers typical of spam messages. In addition to header analysis, the application takes into account message structure, size, presence of attachments and other similar signs. The method also provides for analysis of data transmitted by the sender during an SMTP session. In particular, the following information is estimated: · · · · · IP address of the server that has sent the message, and whether it is included into white or black lists of recipients IP addresses of intermediate relay servers obtained from the Received headers e-mail address of message sender and recipients transmitted in SMTP session commands presence of the sender's and recipients' addresses in white or black lists conformity of the addresses transmitted during SMTP session to the set of addresses specified in message headers and a number of other checks. 2.2.2. Content filtration Message analysis employs the algorithms of content filtering: the application uses artificial intelligence technologies to analyze the actual message content (including the Subject header), and its attachments (attached files) in the following formats: · plain text (ASCII, non-multibyte) Architecture of Kaspersky Anti-Spam and principles of spam filtering 17 · · · HTML (2.0, 3.0, 3.2, 4.0, XHTML 1.0) Microsoft Word (versions 6.0, 95/97/2000/XP) RTF. The purpose of spam filtering is to decrease the volume of unwanted messages in the mailboxes of your users. It is impossible to guarantee detection of all spam messages because too strict criteria would inevitably cause filtering of some normal messages as well. The application uses three main methods to detect messages with suspicious content: · Text comparison with semantic samples of various categories (based on the search for key terms (words and word combinations) in message body and their subsequent probabilistic analysis). The method provides for heuristic search for typical phrases and expressions in text. Fuzzy comparison of a message being examined with a collection of sample messages based on comparison of their signatures. The method helps detect modified spam messages. Analysis of attached images. · · All the data employed by Kaspersky Anti-Spam for content filtering: classification index (a hierarchical list of categories), typical terms, etc. are stored in its content filtration databases. The group of spam analysts at Kaspersky Lab works nonstop to supplement and improve the content filtration databases. Therefore, you are advised to update the databases regularly (see section 4.4 on page 52). You can also send to Kaspersky Lab samples of spam messages, which Kaspersky Anti-Spam has failed to recognize as well as the samples of messages erroneously classified as spam. The data will help us improve the content filtration databases and react in a timely manner to new types of spam. Please refer to Appendix B for details on forwarding sample messages. 2.2.3. Checks using external services In addition to the analysis of message text and headers, Kaspersky Anti-Spam allows a number of the following checks involving external network services: 18 Kaspersky Anti-Spam 3.0 · · · availability of a DNS record for message sender's IP (reverse DNS lookup); the presence of the sender's IP address in a DNS-based real time black hole list or lists (DNSBL); a check of the sender's address for compliance with SPF (Sender Policy Framework) policy for the domain containing the server used to send the message; a check of addresses and links to sites in message text for the presence in the Spam URL Realtime Blocklists database ­ www.surbl.org. recognition of e-mail messages using the UDS (Urgent Detection System) technology. · · All the checks listed above, except for UDS, are based on the use of the DNS protocol and as a rule they require no additional network configuration. 2.2.4. Urgent Detection System Urgent Detection System is an original technology of spam detection developed and supported by Kaspersky Lab. It is based on the following principles: 1. A message being analyzed is used to select a collection of properties, which can be used to identify the message. The set of properties may include header information, text fragments and other information about the message being processed. Filtration server uses the properties thus collected to generate a small UDS request and sends it to one of UDS servers of Kaspersky Lab. Since the product does not transmit to external servers any data that could allow viewing the recipients or the text of the processed mail, the use of this method does not pose any risk to the safety or confidentiality of your information. 3. The UDS server checks the received request against a database of known spam. If the request matches a known spam sample, a message will be sent to the filtration server informing that the e-mail is very likely to be spam. The information will be taken into account during assignment of a certain status to e-mail. The UDS technology allows filtering of known spam before updates to the content filtration databases become available. 2. Architecture of Kaspersky Anti-Spam and principles of spam filtering 19 A filtration server interacts with UDS servers of Kaspersky Lab via UDP using port 7060 for communication. In order to use UDS, a filtration server must be able to establish outgoing connections through that port. Information about available UDS servers is added to the content filtration databases. The choice of an individual UDS to be used for message analysis is performed automatically on the basis of the response time of accessible UDS servers. 2.3. Recognition results and actions over messages The analysis procedure results in assignment of one of the following statuses to a message: · · · Spam ­ message recognized as spam with a high degree of reliability. Probable Spam ­ message contains some spam signs; however, it cannot be unambiguously identified as spam. Formal ­ message is formal. E.g., it is a mail server notification informing about mail delivery or inability to deliver it or about message infection with a virus. The category includes messages sent automatically by mail clients. Such messages are usually not considered to be spam. Trusted ­ message received from trusted sources, for example, from internal mail servers. The administrator must create a list of trusted sources (a white list of senders). Trusted status is also assigned to messages addressed to users whose mail the product does not scan in accordance with the corresponding group policy settings. Blacklisted ­ message received from an address present in a black list. The administrator must create the black list. Not detected ­ a message that has not been recognized as spam. · · · Each e-mail message can be assigned just one of the above statuses. The application records the status assigned to a message after analysis to a special X-Spamtest-Status-Extended header. Please refer to section A.5 on page 112 for details about the headers added to mail messages after filtering. After recognition, the application may perform one of the following actions over a message: · · · accept the message relay the message or a copy thereof to another address add a text mark in the message subject field 20 Kaspersky Anti-Spam 3.0 · · · append a special header to the message delete message reject message. System administrator can define which of the listed actions will be performed over messages with a specific status. Preservation of all useful mail must be the top priority for the system administrator because the loss of a single important message may cause more trouble for the end user than receipt of a dozen of spam messages. To avoid the loss of necessary mail, you are advised to use only non-destructive actions with mail identified after content analysis as spam or probable spam. E.g., append to the Subject header labels, such as [!! SPAM]. 2.4. Content filtration databases The application recognizes spam messages using the records of its regularly updated content filtration databases. These databases contain the sets of rules, terms and message signatures used in the process of filtering. Content filtration databases can be downloaded from the updating servers of Kaspersky Lab using the updater module. During the procedure, the system reduces the volume of downloaded data loading only those files, which have changed. Since new samples of spam messages appear every day, normal product functioning requires regular updates to its content filtration databases. Recommended updating frequency: every twenty minutes. Be sure to update the content filtration databases immediately after product setup on your computer! 2.5. Filtration policies Kaspersky Anti-Spam employs filtration policies to determine the methods applicable for spam recognition, the actions to be performed over messages and the black and white lists of senders. The product uses a double-layered system of filtration policies, which consists of a default general filtration policy and group filtration policies. The default filtration policy contains settings common for all groups: methods applicable for spam recognition, and the black and white lists of senders. Group policies, in addition to the mentioned settings, also define the actions performed over messages depending upon their status.