kgroneman (Community Manager)

Spam filter vs Black List

This is probably a dumb end user question (because I'm a dumb end user).

When I go into my quarantine, I see posts that have been caught by the spam filter. I have the option of marking them black listed. Is there a benefit of doing so? Logically, to me, if the spam filter caught them, the work is done. Why would I want to take the time to mark them as black listed? Looking to be a little bit educated here. Thanks in advance. - Kim
--
My computer used to beat me at chess all the time, but then I changed the competition to kick boxing.......

Accepted Solutions
Knowledge Partner

Re: Spam filter vs Black List

kgroneman;2500688 wrote:
This is probably a dumb end user question (because I'm a dumb end user).

When I go into my quarantine, I see posts that have been caught by the spam filter. I have the option of marking them black listed. Is there a benefit of doing so? Logically, to me, if the spam filter caught them, the work is done. Why would I want to take the time to mark them as black listed? Looking to be a little bit educated here. Thanks in advance. - Kim


Normally, SMG would be configured to do the easier checks first. It's easier and faster to block an IP address than it is to scan an email.

If you are getting thousands of emails from a specific source (user, IP address, etc.), it would make sense to blacklist them. Otherwise, as you point out, once the spam filter caught them, the work is done.
_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
Who are the Knowledge Partners?
If you appreciate my comments, please click the Like button.
If I have resolved your issue, please click the Accept as Solution button.
kgroneman (Community Manager)

Re: Spam filter vs Black List

Thanks Kevin.

That's interesting. I would have thought that the spam filter is the one that has to do the heavy lifting and scan the entire email, and blacklist would only have to look at the email address or IP so it would be desirable to have them in the blacklist if you wanted to save bits and bytes of processing. Did I understand you right that this is reversed and it's less desirable to have them in the blacklist? - Kim
Knowledge Partner

Re: Spam filter vs Black List

kgroneman;2500699 wrote:
Thanks Kevin.

That's interesting. I would have thought that the spam filter is the one that has to do the heavy lifting and scan the entire email, and blacklist would only have to look at the email address or IP so it would be desirable to have them in the blacklist if you wanted to save bits and bytes of processing. Did I understand you right that this is reversed and it's less desirable to have them in the blacklist? - Kim


What you say is correct. There is much less overhead blocking a single IP address or sender's email address.

The issue is this: How much spam do you get from the same email address or IP address? If you get 1,000 spam emails and block each one, what are the chances of getting even a second one from the same source? If you block every spam email you receive you create a large list of sources against which each incoming email must be checked. That would greatly increase the overhead and, if no match is found, the email would still need to be scanned to see if it was spam.
_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
kgroneman (Community Manager)

Re: Spam filter vs Black List

Thanks. I understand now. Blacklist those you get a lot from, and let the spam filter take care of the rest.
Knowledge Partner

Re: Spam filter vs Black List

kgroneman;2500710 wrote:
Thanks. I understand now. Blacklist those you get a lot from, and let the spam filter take care of the rest.


Another thing to consider: SMG is not perfect. Sometimes some things are flagged as spam when they aren't. When you see them in the quarantine you can release them. If they are blacklisted, they may not make it to the quarantine.
_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
JoshGibbs (Frequent Contributor)

Re: Spam filter vs Black List


A brief follow-up to this question and the answers...

The usefulness of blacklisting quarantined items is highly dependent on how your SMG system is configured and used.  For spam specifically, spam detection isn't a perfect science, and when it's not doing its job for specific sender addresses, the blacklist option can help out.

Anti-spam isn't the only thing SMG does.  Items may end up in quarantine for any number of reasons, based on the configuration.  For example, text filters used to catch specific patterns in messages can provide valuable sources of addresses and domains to be blacklisted.

Blacklisting is also optional, so if it's not required it can be hidden from users' view.

SMG provides a very flexible engine that can do a lot of things a lot of different ways.  As a result, you might question why it does something that you don't need.  Like that brand new SUV in the driveway, you don't get the option to order one without the 4x4 button or Android Auto just because you'll never use them.

And lastly, a clarification on the resource usage when items are blacklisted.  There is no benefit in resource consumption when messages are blacklisted.  There are various reasons for this, but the easiest one to reference is when a message has multiple recipients.  Because blacklists are sender/recipient pairs, it's possible to have an email come in that will be blacklisted for only one recipient.  In this case, all other filters must still be applied.

Hope that helps.

Josh

Knowledge Partner

Re: Spam filter vs Black List


Hi Josh,

The original question was: If a particular IP address is sending lots of spam, why not just block (blacklist) that IP address?

What you say is true but, in this case, it doesn't answer that question.

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
JoshGibbs (Frequent Contributor)

Re: Spam filter vs Black List


Ah, I missed those comments about the IP address, thanks for pointing that out.

Worth adding a couple of extra tidbits of info here as well.

The IP address blocking needs to be done either at the firewall or, if done in SMG, needs to be done in the SMTP interface to reduce system burden.  This is important to be aware of, as there is also an IP address filter within the scan engine itself and that would still run all of the scan processes.

The internal scan engine filter would generally be used when other services need to be combined with the filter, i.e. for stats recording, and in multi-tenant systems where different tenants must have independent control of that level of filtering.

For single OU systems, IP address blocking outside the scan engine is generally the easiest and best way to go.  Care should be taken in these cases too, as they may be relaying off a legitimate mail system.

I generally only directly block IP addresses when the SMTP interface logs start growing at abnormally high rates.  Typically you'll find a repetitive client attempting dictionary attacks over and over, and these over-consume SMTP connections.
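
The log check described in the post above, as an added example that is not part of the thread and is not SMG code: it counts distinct rejected recipients per client IP in a sliding window and skips clients that also deliver accepted mail, since those may be relaying off a legitimate mail system. The log layout, event names, function names and thresholds are assumptions; SMG's actual SMTP interface log format is not shown on this page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical layout (not SMG's): "<ts> client=<ip> event=rcpt_accepted|rcpt_rejected rcpt=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) client=(?P<ip>\S+) "
    r"event=(?P<event>rcpt_accepted|rcpt_rejected) rcpt=(?P<rcpt>\S+)$")

def build_sample_log():
    """Constructed sample: one client guessing mailboxes, one normal sender."""
    start = datetime(2020, 3, 2, 10, 0, 0)
    guesses = "adam alice bob carol dave erin frank grace heidi ivan judy mallory".split()
    lines = [f"{start + timedelta(seconds=2 * i)} client=203.0.113.7 "
             f"event=rcpt_rejected rcpt={name}@example.com"
             for i, name in enumerate(guesses)]
    lines += [f"{start + timedelta(minutes=3 * i)} client=198.51.100.20 "
              "event=rcpt_accepted rcpt=kim@example.com" for i in range(6)]
    lines.append(f"{start + timedelta(minutes=4)} client=198.51.100.20 "
                 "event=rcpt_rejected rcpt=kmi@example.com")  # one typo, not an attack
    return lines

def block_candidates(lines, window=timedelta(minutes=5), min_rejects=10, max_accept_ratio=0.1):
    """Return {ip: stats} for clients that look like recipient guessers."""
    rejects = defaultdict(list)  # ip -> [(timestamp, recipient)]
    accepted = defaultdict(int)  # ip -> count of accepted recipients
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        if m["event"] == "rcpt_rejected":
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            rejects[m["ip"]].append((ts, m["rcpt"].lower()))
        else:
            accepted[m["ip"]] += 1
    flagged = {}
    for ip, events in rejects.items():
        events.sort()
        peak, recent = 0, deque()
        for ts, rcpt in events:  # sliding window over this client's rejections
            recent.append((ts, rcpt))
            while ts - recent[0][0] > window:
                recent.popleft()
            peak = max(peak, len({r for _, r in recent}))
        # A client that also delivers accepted mail may be a legitimate relay.
        ratio = accepted[ip] / (accepted[ip] + len(events))
        if peak >= min_rejects and ratio <= max_accept_ratio:
            flagged[ip] = {"peak_distinct_rejects": peak, "accepted": accepted[ip]}
    return flagged
```

Calling `block_candidates(build_sample_log())` flags only the guessing client; the sender with a single mistyped recipient stays off the list.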

Knowledge Partner

Re: Spam filter vs Black List


@JoshGibbs wrote:

 

I generally only directly block IP addresses when the SMTP interface logs start growing at abnormally high rates.  Typically you'll find a repetitive client attempting dictionary attacks over and over, and these over-consume SMTP connections.


That's good advice and my approach too.

Your input is appreciated. Feel free to jump in when your time permits or when you feel it's appropriate. 🙂

_____
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada