Spamphibian™ Gateway
Version 1.2
Manual
Last Updated 09/19/2006
Outspring, Incorporated
http://www.outspring.com
Table of Contents
Chapter 1: Introduction
Welcome
Overview
Features
System Requirements
How Spamphibian Gateway Works
Capacity and Limitations
Technical Support
Feedback
Chapter 2: Setting Up Spamphibian Gateway
Minimum System Requirements
Install Spamphibian Gateway
Install Spamphibian Admin
Configure Spamphibian Gateway
Test Spamphibian Gateway (before changing your MX records)
Updating your MX records
Test Spamphibian Gateway (after changing your MX records)
Activate Your Spamcaster Subscription
Chapter 3: Basic Spamphibian Gateway Administration
Connecting and Disconnecting
Modifying Connection Settings
Server Info Pane
About Spamphibian Admin Dialog
Filter Overview
Free Disk Space
Monitor Pane
Filter View
Load View
Queues View
Messages
Logs
Domain
Service
Level
Type
Quick Search
Clearing the Log
Chapter 4: Managing Your Filtering Services
Rule Precedence
Domain Rules
Global Rules Settings
Outspring Rules Settings
Rule List Table
More about Outspring Rules
Subscribing to the Spamcaster Service
Reporting Messages
Manual Rule Requests
Removal Request
The Anatomy of a Rule
Rule Types
Domain Rules
URL Rules
IP Address Rules
Text Rules
String Combo Rule Syntax
Attachment Rules
RegEx Rules
Special Characters
Rule Actions
Default Filter Action
Accept Action
Quarantine Action
Tag Action
Tag Header
Type Header
Value Header
Source Header
Delete Action
Bounce Action
DNSBL Filtering
How Spamphibian Gateway utilizes DNSBL
Configuring DNSBL
Filter Action
Filtering Out Messages From Blacklisted IP Addresses
Add a DNSBL Service
Edit a service
Remove or Disable a DNSBL Service
Chapter 5: Managing Your Messages
Folders
Messages View
Quick Search
Columns
Reordering and Resizing Columns
Sorting
Message Actions
Delete
Deliver
Rescan
Redirect
Viewing a Message
Headers
Managing the "Quarantine Folder"
Dealing with Unwanted Messages
Dealing with False Positives
Automatic Archival and Removal of Messages in the Quarantine Folder
Managing the "Retry Queue"
Accepted and Tagged Messages
Bounce Messages
Managing "Outspring Messages"
Chapter 6: Managing Your Domains
Viewing Configured Domains
Adding a Domain
Editing a Domain
Removing a Domain
Managing Multiple Domains
Per-Domain Settings
Chapter 7: Advanced Spamphibian Gateway Administration
Global SMTP In Settings
Global SMTP Out Settings
Domain Specific SMTP Out Settings
Quarantine Settings
Administration Settings
Multiple Windows
Spamphibian Admin Preferences
Advanced Log Management
Advanced Monitor Administration
Recording More Statistics
Resetting Statistics
Reducing Backscatter with "RCPT TO" Checking
Hidden Preferences
Setting up Spamphibian Gateway on the same machine as your SMTP server
Advanced Filter Management
Manually Editing Rule Files
Rule File Structure and Syntax
URLs
Text Strings (Phrases)
IP Numbers and IP Ranges
Parts and Attachments
Actions
Special Characters
Migrating Rules from Spamcaster 1.0.x to Spamphibian Gateway
Disk Layout
Archival and Removal
Chapter 8: Remote Spamphibian Gateway Administration
Installation
Performance Issues
Privacy and Security Issues
Chapter 9: Troubleshooting Guide
Glossary
Index
Chapter 1: Introduction
Welcome
Welcome to Spamphibian Gateway for Mac OS X. Spamphibian Gateway turns any Mac OS X (10.3 / G4 or higher) into a reliable and efficient SMTP proxy that protects your company or organization from unwanted spam, viruses, phishing scams, and more. The Mac OS X native Spamphibian Admin application allows you to remotely administer and maintain Spamphibian Gateway, as well as manage the messages that have been quarantined. The simple configuration procedure will have you stopping unwanted emails in minutes.
Overview
Spam is a topic that needs no introduction. Here are a few facts that you may not know:
Spamphibian Gateway is Outspring's powerful spam fighting solution that is set up between your current email server and the rest of the Internet, evaluating all incoming emails. In addition to spam, unwanted emails can also contain attachments with viruses, spyware, adware and phishes. The content of unwanted emails constantly changes. Outspring has a team of spam analysts who collect, qualify, and create rules for the thousands of new variations of unwanted emails on a daily basis. Once you subscribe to Outspring's Spamcaster Service, we will send our rule updates to your Spamphibian Gateway on a daily basis, which will update automatically. No further action is required. Outspring's rules are designed to avoid false-positives to prevent Spamphibian Gateway from stopping non-spam emails from reaching your users.
Spamphibian Gateway allows you to write your own rules and configure which actions to take when an unwanted mail is detected. You can write rules that accept or reject emails based on strings, URLs, domains, and IP addresses. For advanced users, we offer support for regular expressions. Spamphibian Gateway also provides support for DNSBL from multiple services. Spamphibian Gateway can be configured to quarantine, tag and send, immediately delete, or bounce unwanted emails. To track the effectiveness of Spamphibian Gateway, Spamphibian Admin provides an extensive graph-based monitoring system. Spamphibian Admin also provides an easy-to-use way to deliver, redirect, rescan or delete the messages that have been quarantined by Spamphibian Gateway.
Overview of Spamphibian Gateway and Spamcaster Service
Features
* Requires Spamcaster Subscription Service (first year included free with a purchase of Spamphibian Gateway).
** Assuming suitable hardware and bandwidth is provided to Spamphibian Gateway.
System Requirements
*** While the Spamphibian Gateway can be configured to operate on the same system as your email server, we strongly suggest dedicating a computer solely to the operation of Spamphibian Gateway.
How Spamphibian Gateway Works
Spamphibian has two pieces: Spamphibian Admin, the administration tool, and Spamphibian Gateway. Spamphibian Admin is used to set up, configure, monitor and administer Spamphibian Gateway. Spamphibian Gateway is a standalone SMTP daemon that processes your incoming mail, rejecting the unwanted messages and accepting and delivering the good messages. Spamphibian Admin can be installed on the same machine as Spamphibian Gateway, but can also be installed on another machine to remotely administer Spamphibian Gateway.
In order for your incoming mail to be delivered to Spamphibian Gateway, you will need to be able to change your MX record. You need to make your primary MX record point to the machine running Spamphibian Gateway. For more information about the MX record changes necessary for Spamphibian Gateway, see the "DNS Requirements" section of "Chapter 2: Setting Up the Spamphibian Gateway".
Capacity and Limitations
The following table is for a Mac OS X Server 10.3.9 with a 1 GHz PowerPC G4 with 1.25 GB of RAM. The recommended defaults and limits will vary depending on the machine you use to run Spamphibian Gateway. Please see the "Hardware Requirements" section of "Chapter 2: Setting Up the Spamphibian Gateway" for the minimum hardware requirements for Spamphibian Gateway.
Feature | Recommended or Default Value | Limit
Maximum number of emails per day | 100,000 | tbd
Maximum number of domains per gateway | 500 | 2700
Maximum messages size | tbd | tbd
Maximum log size | 5,000 | tbd
Maximum messages to retrieve | 10,000 | tbd
Disk space utilization | tbd | When using the "quarantine" action, messages will be saved to disk.
Maximum number of rules | tbd | More rules means a longer scan time and longer process time.
DNSBL service limit | tbd | More DNSBL services mean a longer process time.
Maximum number of Spamphibian Admin per Spamphibian Gateway | tbd | tbd
Maximum number of Spamphibian Gateways per Spamphibian Admin | tbd | tbd
Technical Support
Outspring has provided a centralized place for you to get help if you have questions or problems with Spamphibian Gateway or Spamphibian Admin. See http://www.outspring.com/support.html
Feedback
We know that you have a choice in what spam fighting software you use and we appreciate you choosing Spamphibian Gateway. Outspring values your feedback and suggestions. Please feel free to email any suggestions, comments or ideas to staff@outspring.com, or post a comment in our online forums.
Chapter 2: Setting Up Spamphibian Gateway
Before installing Spamphibian Gateway, you need to have a machine with the minimum requirements to run it and you need to be able to make changes to your MX record.
Minimum System Requirements
(*) By default, Spamphibian Gateway will quarantine unwanted email onto your disk. To prevent out of disk space errors, Spamphibian Gateway will automatically archive and delete quarantined email after a certain number of days. See the "Quarantine" section of "Chapter 7: Advanced Spamphibian Gateway Management" for more information about the archive and delete settings.
Here are Outspring's recommended steps for setting up Spamphibian Gateway:
  1. Install Spamphibian Gateway
  2. Install Spamphibian Admin
  3. Configure Spamphibian Gateway using Spamphibian Admin
  4. Test Spamphibian Gateway (before changing your MX records)
  5. Updating your MX records
  6. Test Spamphibian Gateway (after changing your MX records)
Install Spamphibian Gateway
If you do not already have the software you can download the software directly from our web page at http://www.outspring.com/download/spamphibian.html
Spamphibian Gateway Disk Image
Begin by running the Spamphibian Gateway installer. Run the installer by double-clicking on the "Spamphibian Gateway.pkg" icon on the "Spamphibian Gateway" disk image. Follow the instructions and install Spamphibian Gateway on your machine.
Spamphibian Gateway Installer
The installer will start up Spamphibian Gateway and open up the Spamphibian Gateway Preference pane. By default, Spamphibian Gateway will automatically start when your computer starts up. To stop or start Spamphibian Gateway or to prevent it from starting when your computer starts up, use the Spamphibian Gateway Preference pane.
Spamphibian Gateway Preference pane
Mac OS X Server 10.4 (Tiger) ships with Postfix enabled by default. If the Spamphibian Gateway Preference pane detects Postfix, it will alert you and give you the option to disable it.
Disable Postfix
The installer will install all the necessary files for Spamphibian Gateway into /Library/Spamphibian. For more information about the disk layout, see "Chapter 7: Advanced Spamphibian Gateway Management". To launch the Spamphibian Gateway Preference pane, click on the "Spamphibian Gateway" icon in System Preferences.
System Preferences
Before installing Spamphibian Admin, make sure that Spamphibian Gateway is running. Use the Spamphibian Gateway Preference pane to determine if it is running. If it is not running, click the "Start Spamphibian Gateway" button to start it. If you are unable to start Spamphibian Gateway, see "Chapter 9: Troubleshooting Guide" for suggestions.
Install Spamphibian Admin
After you have successfully installed Spamphibian Gateway and have made sure it is up and running, the next step is to install Spamphibian Admin. Spamphibian Admin is a drag and drop install. Simply drag the "Spamphibian Admin" icon from the "Spamphibian Gateway" disk image to the location of your choice. For example, choose the "Applications" folder of your system.
Spamphibian Admin in the Applications folder
You are now ready to configure Spamphibian Gateway using Spamphibian Admin.
Configure Spamphibian Gateway
Double click on the Spamphibian Admin application icon to launch it. You will be prompted to agree to the license. Please read the license, and if you agree to the terms, hit "Agree". If you do not agree, hit "Disagree". You will be unable to use Spamphibian Admin unless you agree to the license.
License Agreement
After you have agreed to the license, Spamphibian Admin will start and prompt you to enter the settings to connect to your Spamphibian Gateway. By default, Spamphibian Admin is configured to connect to the Spamphibian Gateway running on the localhost at port 2066. Because you are using Spamphibian Admin on the same machine that is running Spamphibian Gateway, you do not need to specify a username or password. Click the "OK" button to connect to the Spamphibian Gateway running on the local machine.
Initial Connection
The first thing you'll see is the "Welcome" dialog, which will take you through activation, basic configuration, and registration. The first panel of the "Welcome" process is the "Serial Number" panel.
Serial Number panel of the Welcome process
If you have a 15-digit serial number, enter it into the "Serial Number" text field. If not, leave the "Serial Number" text field blank to run Spamphibian Gateway in demo mode. The demo mode is fully functional, but after 30 days, Spamphibian Gateway will stop filtering messages and will automatically deliver all incoming messages to the destination mail server.
Click on the "Next" button to continue. The next panel in the "Welcome" process is the "Administrator" panel.
Administrator panel of the Welcome process
If you'd like to be able to monitor, configure and administer Spamphibian Gateway remotely, enter a username and password. If you leave the password blank, you will be unable to monitor, configure and administer Spamphibian Gateway remotely. See "Chapter 8: Remote Spamphibian Gateway Administration" for more information. You can always change the administrator username and password later. See "Chapter 7: Advanced Spamphibian Gateway Administration" for more information.
Click on the "Next" button to continue. The next panel in the "Welcome" process is the "Domain" panel.
Domain panel of the Welcome process
Use the "Domain" panel to set up the primary domain Spamphibian Gateway will be filtering. You will be able to use Spamphibian Admin to add, remove and modify the domains that Spamphibian Gateway will be filtering. For the "Domain Name" value, enter the primary domain. For example, enter "metrosense.com". For the "Server Address" value, enter the hostname of the SMTP server that currently receives mail sent to users at your primary domain. For example, enter "mail.metrosense.com". For the "Server Port" value, enter the port of the SMTP server that currently receives mail sent to users at your primary domain. Most likely, this will be the default value of "25", the standard SMTP port.
After you have filled in the "Domain Name" and "Server Address" values, click on the "Next" button to continue. The next panel in the "Welcome" process is the "Registration" panel.
Registration panel of the Welcome process
Use the "Registration" panel to register your Spamphibian Gateway. By properly registering your Spamphibian Gateway, Outspring will be able to give you a trial subscription to the "Spamcaster Service". Your Spamphibian Gateway will receive automatic "Outspring list rules" updates for a limited time. For more about the "Spamcaster Service" and the benefits of using the "Outspring list rules", see "Chapter 4: Managing Your Filtering Services".
Test Spamphibian Gateway (before changing your MX records)
Before changing your MX records, you should verify that your Spamphibian Gateway is set up and configured properly by testing it. The purpose of this test is to make sure that once mail starts arriving at your Spamphibian Gateway, the accepted mail will be correctly delivered to the proper destination SMTP server.
Because you have not changed your MX records yet, you will have to use telnet to test that your Spamphibian Gateway is set up and configured properly.
Below is a sample telnet session that tests the Spamphibian Gateway:
# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 spamphibian.metrosense.com ESMTP Service Ready (Spamphibian Gateway 1.0 51205 for Mac OS X)
helo test.com
250 spamphibian.metrosense.com Hello test.com [127.0.0.1]
mail from: <test@test.com>
250 OK
rcpt to: <gp@metrosense.com>
250 OK
data
354 Enter message, ending with "." on a line by itself
Subject: test
To: gp@metrosense.com
From: test@test.com
Date: Tue, 1 Nov 2005 17:44:28 -0800

test
.
250 OK
quit
221 spamphibian.metrosense.com closing connection
Connection closed by foreign host.
Alternatively, you can use an email client, such as Apple Mail or QuickMail Client. Configure your email client to send outgoing mail to the machine running Spamphibian Gateway. Make sure to send the message to a user at a domain you've configured Spamphibian Gateway to filter.
After performing this test, you should make sure that your destination mail server received the test message. Look at the "Received" headers in the message source to confirm that this message was processed by Spamphibian Gateway. You should have a "Received" header like:
Received: from [206.221.243.227] by spamphibian.metrosense.com 
	with ESMTP (Spamphibian Gateway 1.0 51208 for Mac OS X); Tue, 1 Nov 2005 17:44:28 -0800
In this case, "Spamphibian Gateway 1.0 51208" is running on spamphibian.metrosense.com.
Note: If the above tests result in errors or connectivity issues, please see "Chapter 9: Troubleshooting Guide".
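The telnet test and the "Received" header check above can be scripted. The following is an added example, not part of the Outspring manual or product; the function names are hypothetical and the sample message is constructed from the header shown above.

```python
import email
import re
import smtplib
from email.message import EmailMessage
from email.utils import formatdate

# Matches the gateway's own trace clause as shown in the manual's sample header:
#   by <host> with ESMTP (Spamphibian Gateway <version> <build> for Mac OS X)
GATEWAY_RE = re.compile(
    r"by\s+(?P<host>\S+)\s+with\s+ESMTP\s+"
    r"\(Spamphibian Gateway\s+(?P<version>\S+)\s+(?P<build>\d+)\b[^)]*\)",
    re.IGNORECASE,
)


def send_test_message(gateway_host, sender, recipient, port=25, timeout=15):
    """Scripted form of the telnet session: HELO, MAIL FROM, RCPT TO, DATA.

    Returns the dict of refused recipients (empty when the gateway said 250 OK).
    Raises smtplib.SMTPException or OSError when the gateway cannot be reached
    or rejects the message outright.
    """
    msg = EmailMessage()
    msg["Subject"] = "test"
    msg["To"] = recipient
    msg["From"] = sender
    msg["Date"] = formatdate(localtime=True)
    msg.set_content("test\n")
    with smtplib.SMTP(gateway_host, port, timeout=timeout) as smtp:
        smtp.helo("test.com")
        return smtp.send_message(msg, from_addr=sender, to_addrs=[recipient])


def gateway_hops(raw_message):
    """Return (host, version, build) for each Received header the gateway added.

    Read raw_message from the destination mail server's copy of the message.
    Only trace headers added by your own servers are trustworthy; anything
    below the first external hop is supplied by the sender.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # undo header folding
        match = GATEWAY_RE.search(unfolded)
        if match:
            hops.append(
                (match.group("host"), match.group("version"), match.group("build"))
            )
    return hops


def passed_through(raw_message, expected_host):
    """True when the named gateway host appears in the gateway trace headers."""
    wanted = expected_host.rstrip(".").lower()
    return any(host.rstrip(".").lower() == wanted
               for host, _, _ in gateway_hops(raw_message))


# Constructed sample: the message as it would appear on the destination server.
# The first Received header (added by the destination server) is invented for
# illustration; the second is the one shown in the manual.
SAMPLE_DELIVERED = (
    "Received: from spamphibian.metrosense.com by mail.metrosense.com\n"
    "\twith ESMTP (Example MTA); Tue, 1 Nov 2005 17:44:29 -0800\n"
    "Received: from [206.221.243.227] by spamphibian.metrosense.com \n"
    "\twith ESMTP (Spamphibian Gateway 1.0 51208 for Mac OS X);"
    " Tue, 1 Nov 2005 17:44:28 -0800\n"
    "Subject: test\n"
    "To: gp@metrosense.com\n"
    "From: test@test.com\n"
    "Date: Tue, 1 Nov 2005 17:44:28 -0800\n"
    "\n"
    "test\n"
)

if __name__ == "__main__":
    # Offline check on the constructed sample. To run the live test, call
    # send_test_message("localhost", "test@test.com", "gp@metrosense.com").
    print(gateway_hops(SAMPLE_DELIVERED))
    print(passed_through(SAMPLE_DELIVERED, "spamphibian.metrosense.com"))
```
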
Updating your MX records
Once you've confirmed that Spamphibian Gateway will deliver accepted messages to the proper destination SMTP server, you will need to change the MX records for your domain so that email from the Internet will be delivered to the machine running Spamphibian Gateway.
In the example below, Spamphibian Gateway is running on spamphibian.metrosense.com and has been configured to receive and filter messages for the metrosense.com domain. The destination SMTP server is running on a machine with the hostname of mail.metrosense.com and mail.metrosense.com is currently listed as the MX record for the metrosense.com domain.
IN MX 10 mail.metrosense.com
Edit your MX record and change it to point to spamphibian.metrosense.com. You may need to ask your ISP to change your MX record for you.
Change the MX record to point to the machine running Spamphibian Gateway, which has been configured to filter messages for the metrosense.com domain:
IN MX 10 spamphibian.metrosense.com
By changing the MX record for the metrosense.com domain to spamphibian.metrosense.com, mail for the metrosense.com domain will start arriving at spamphibian.metrosense.com and will be filtered by the Spamphibian Gateway running on that machine. If accepted by Spamphibian Gateway, messages will be delivered to the existing mail server running on mail.metrosense.com. Within 2 or 3 days, most mail from the Internet will stop arriving directly at mail.metrosense.com.
Note: It may take several days for the MX change to fully propagate.
Although it is not recommended, you could change your MX record to list the machine running Spamphibian Gateway as the primary MX and your existing SMTP server as the secondary MX record.
The advantage of listing your existing SMTP server as a secondary MX record is that your existing SMTP server can act as a backup in the event the machine hosting the primary MX is unreachable. Additionally, the existing SMTP server can receive mail during periods of heavy load. The disadvantage is that mail arriving directly at the server pointed to by your secondary MX record will not be filtered by Spamphibian Gateway. Additionally, spammers may choose not to send mail to your primary MX (to avoid Spamphibian), and will be able to send mail directly to your destination mail server. For this reason, Outspring recommends that you do not list your existing SMTP server as a secondary MX record.
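To check a zone for the unfiltered path described above, the MX records can be audited against the list of gateway hosts. This is an added example, not part of the Outspring manual; the function names are hypothetical, and the preference value 20 for the secondary record is constructed for illustration.

```python
import re

# Matches the record form used in this chapter, e.g. "IN MX 10 mail.metrosense.com",
# with or without a leading owner name and TTL.
MX_RE = re.compile(r"\bIN\s+MX\s+(\d+)\s+(\S+)", re.IGNORECASE)


def parse_mx(zone_text):
    """Return (preference, host) pairs sorted so the primary MX comes first."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]  # drop zone-file comments
        match = MX_RE.search(line)
        if match:
            host = match.group(2).rstrip(".").lower()
            records.append((int(match.group(1)), host))
    return sorted(records)


def unfiltered_mx(zone_text, gateway_hosts):
    """List every MX target that accepts mail without passing the gateway.

    Each finding is (preference, host, role), where role is "primary" for the
    lowest preference value and "backup" otherwise. An empty list means all
    advertised mail exchangers are gateways.
    """
    gateways = {h.rstrip(".").lower() for h in gateway_hosts}
    records = parse_mx(zone_text)
    if not records:
        return []
    lowest = records[0][0]
    findings = []
    for pref, host in records:
        if host not in gateways:
            role = "primary" if pref == lowest else "backup"
            findings.append((pref, host, role))
    return findings


GATEWAYS = ["spamphibian.metrosense.com"]

# The three configurations discussed in this section.
BEFORE = "IN MX 10 mail.metrosense.com"
AFTER = "IN MX 10 spamphibian.metrosense.com"
NOT_RECOMMENDED = (
    "IN MX 10 spamphibian.metrosense.com\n"
    "IN MX 20 mail.metrosense.com  ; constructed preference value\n"
)

if __name__ == "__main__":
    for name, zone in (("before", BEFORE), ("after", AFTER),
                       ("not recommended", NOT_RECOMMENDED)):
        print(name, unfiltered_mx(zone, GATEWAYS))
```

Any host the audit reports is reachable by senders that skip the primary MX, so mail delivered there never reaches the filter.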
Test Spamphibian Gateway (after changing your MX records)
Once you've changed your MX records, your Spamphibian Gateway should begin to receive mail from the Internet. To test this, send a message to an account on a domain now being filtered by Spamphibian Gateway. Send this test message from an external email account, one that does not use your destination SMTP server as its outgoing SMTP server, such as a webmail account like Yahoo!, Hotmail, Gmail, etc.
Activate Your Spamcaster Subscription
If you have already purchased a subscription to the "Spamcaster Service", visit http://www.outspring.com/spamcaster-activation.html to activate it.
Activate Spamcaster Service Subscription
Please be sure to have your invoice number and activation key ready. Once you have entered in your information and clicked the "Activate" button your Spamcaster Service Subscription will be activated and you will start automatically receiving Outspring rules lists.
In some cases it can take several hours to receive your first Outspring rules list. If you do not receive your Outspring rules list, please contact our technical support department. Additionally, you can use http://www.outspring.com/spamcaster-rules-request.php to make a manual request for a rules list.
To determine if you have received the Outspring rule list, see the "Outspring list version" field of the "Server Info" pane. For more information about the "Server Info" pane, see "Chapter 2: Basic Spamphibian Gateway Administration".
Chapter 3: Basic Spamphibian Gateway Administration
This chapter describes the basics of using Spamphibian Admin to monitor, configure and administer Spamphibian Gateway. For more advanced administration topics, see "Chapter 7: Advanced Spamphibian Gateway Administration".
Connecting and Disconnecting
As the administrator, you can use Spamphibian Admin to check on the status of your Spamphibian Gateway. In order to check the status of Spamphibian Gateway, your Spamphibian Admin must be connected.
If Spamphibian Admin is connected to your Spamphibian Gateway, there will be a green icon next to the server name in the "Servers" view.
Connected Server
If Spamphibian Admin is disconnected from your Spamphibian Gateway, you will see a grey icon next to the server name in the "Servers" view. Additionally, if you have started Spamphibian Admin in a disconnected state, you will not see any data in the "Server Info" pane.
Disconnected Server with no data in the "Server Info" pane
You may also see a green icon with a lock or a dotted green icon. This means that Spamphibian Admin is in the process of authenticating.
Authenticating
A flashing red icon means that Spamphibian Admin is attempting to connect to the Spamphibian Gateway, but is unable to. This could mean that you've specified the wrong username or password, that the Spamphibian Gateway is down (or unreachable), etc. Please see Chapter 9 for some suggestions on how to troubleshoot this problem.
Unable to connect
After connecting, you may be reminded to activate your Spamphibian Gateway. It is important to activate before your demo period expires. After the demo period expires, Spamphibian Gateway will stop filtering out unwanted messages and will deliver all messages to your destination SMTP servers.
Spamphibian Activation reminder
To get a quick overview of the status of your Spamphibian Gateway, click on the server in the "Servers" view. This will load the "Server Info" pane.
The "Server Info" pane
To connect to a disconnected Spamphibian Gateway, select the server in the "Servers" view, and click the "Connect" button. Alternatively, you can use the "Connect" menu item under the "File" menu or the Command-Shift-C shortcut.
To disconnect from a connected Spamphibian Gateway, select the server in the "Servers" view, and click the "Disconnect" button. Alternatively, you can use the "Disconnect" menu item under the "File" menu or the Command-Shift-D shortcut.
Modifying Connection Settings
The "Connection Settings" control how Spamphibian Admin remotely connects to Spamphibian Gateway. To modify the connection settings for a Spamphibian Gateway, select it in the "Servers" list and then click the button titled "Settings..." next to the "Connection:" label.
Connection "Settings..."
A sheet will drop down from the top of the window showing the settings for the current connection. To change the name of the Spamphibian Gateway as it appears in the server list pane, use the "Server Name" field.
To change the address of the Spamphibian Gateway, use the "Server Address" field. This is useful if you have to move or rename your Spamphibian Gateway after the initial installation and configuration.
By default, the Spamphibian Admin connects to Spamphibian Gateway on port 2066. To change this value, use the "Server Port" field.
To change the username and password that Spamphibian Admin presents to Spamphibian Gateway during authentication, use the "Username" and "Password" fields.
"Connection Settings" sheet
Server Info Pane
Once Spamphibian Admin is connected to your Spamphibian Gateway, you can check the status, configure, and administer your Spamphibian Gateway. To get a quick overview of the status of your Spamphibian Gateway, click on the server in the "Servers" view to load the "Server Info" pane.
The "Server Info" pane
The "Hostname" field shows the value your Spamphibian Gateway will use for incoming SMTP connections as well as outgoing SMTP connections. This value will also appear in the "Received:" headers for all email that passes through your Spamphibian Gateway.
The "Version" field shows the version (ex: 1.0) and build ID (ex: 51208) of the Spamphibian Gateway that you are connected to. Note, this is not the version of the Spamphibian Admin that you are using. See the "About Spamphibian Admin Dialog" section of "Chapter 3: Basic Spamphibian Gateway Administration" for information on how to determine which version of Spamphibian Admin you are running.
The "Free disk space" field shows how much disk space you have left on the machine running Spamphibian Gateway. Note, this is not the amount of free disk space you have on the machine running Spamphibian Admin, unless it is running on the same machine as Spamphibian Gateway. See the "Free Disk Space" section of "Chapter 3: Basic Spamphibian Gateway Administration" for more information.
The "Outspring list version" field shows the version of Outspring's list that your Spamphibian Gateway is using to filter messages. If you have subscribed to the Spamcaster Service, you will automatically receive updates of the Outspring list, and the "Outspring list version" field will update. The format of the "Outspring list version" field is "<year>-<month>-<date>.<distribution number>". The "<distribution number>" distinguishes between multiple updates that occur on the same day.
The "Last update received" field shows the date and time your Spamphibian Gateway received the Outspring rules listed in the "Outspring list version" field.
See the "Outspring Rules" section of "Chapter 4: Managing Your Filtering Services" for more information about "Outspring Rules" and the Spamcaster Service.
The "Number of rules" field shows the number of Outspring rules your Spamphibian Gateway is using. Note, this number does not include any rules that you have created.
The "Filter overview" part of the "Server Info" pane shows you a quick summary of the amount and types of messages your Spamphibian Gateway has received. For more information about this part of the "Server Info" pane, see the "Filter Overview" section of "Chapter 3: Basic Spamphibian Gateway Administration".
The "Current status" and "Current error" fields provide some additional information about the connection to your Spamphibian Gateway.
The possible "Current status" field values are: "Error", "Disconnected", "Connecting...", "Connected....", "Admin Logged in", and "Unknown".
The possible "Current error" field values are: "None", "Unable to GetHostByName", "Unable to create socket connection", "Unable to correctly preset I/O", "Connection Closed Unexpectedly", "Connection to Server timed out", "Connection Error", "Server Busy", "Invalid username or password", "Only connections from localhost are allowed", "Invalid Protocol", and "Unknown Error".
If you are having problems establishing a connection from Spamphibian Admin to Spamphibian Gateway, see "Chapter 9: Troubleshooting Guide" for help.
About Spamphibian Admin Dialog
When communicating with Outspring's technical support department, please include the Spamphibian "Version" and "Build ID", as well as the Spamphibian Admin "Version" and "Build ID".
"About Spamphibian Admin" Dialog
To determine the Spamphibian Admin "Version" and "Build ID", use the "About Spamphibian Admin" dialog. To open the "About Spamphibian Admin" dialog, use the "About Spamphibian Admin" menu item under the "Spamphibian Admin" menu.
Filter Overview
In addition to seeing the current status of your Spamphibian Gateway, you can use the "Filter overview" on the "Server Info" pane to get a quick overview of the email processed by your Spamphibian Gateway. The "Filter overview" shows the ratio of "Accepted" to "Rejected" messages, breaking down the "Rejected" messages by type. The "Accepted" messages are represented by green, and the "Rejected" messages are represented by yellow (spam), orange (phish), red (virus), and black (DNSBL). The "Filter overview" uses the same colors as the "Monitor" pane. If you change the colors in the "Monitor" pane, the colors of the "Filter overview" in the "Server Info" pane will change. See the "Monitor" section below for details on how to configure the colors. See "Chapter 4: Managing Your Filtering Services" for more information about spam, phish and virus emails and for more information about DNSBL.
"Filter overview" for all domains
By default, the "Filter overview" shows the ratio of "Accepted" to "Rejected" messages for all domains. Use the domain popup to show the ratio of "Accepted" to "Rejected" messages for a particular domain. Alternatively, you can use the "Domain" menu item under the "View" menu.
"Filter overview" for one domain (metrosense.com)
Free Disk Space
To monitor the amount of free disk space on the machine running Spamphibian Gateway, the "Server Info" pane shows the amount of free disk space left, as well as a graphical indication of the total disk space.
"Free disk space" monitor
The free disk space "bar" changes color depending on how much free disk space you have on the machine running Spamphibian Gateway. If you have more than 50% free disk space, the "bar" will be green. If you have between 25% and 50% free disk space, the "bar" will be yellow. If you have between 10% and 25% free disk space, the "bar" will be orange. If you have less than 10% free disk space, the "bar" will be red. It is not recommended to let your free disk space drop below 10%.
Note: If you have multiple volumes on the machine running Spamphibian Gateway, the free disk space reported in Spamphibian Admin is for the volume where the "Quarantine Folder" resides. See the "Disk Layout" section of "Chapter 7: Advanced Spamphibian Gateway Management" for details on where the "Quarantine Folder" resides on disk.
By default, Spamphibian Gateway will quarantine all rejected messages and save them to the disk. Depending on your settings, the number of messages that Spamphibian Gateway rejects, the amount of disk space you have, and how often you delete or archive quarantined messages, you may run low on disk space. If you are low on disk space, archive or delete old quarantined messages. If you continually run low on disk space, consider changing your settings to archive or delete old messages automatically.
Monitor Pane
While the "Server Info" pane is useful for determining your connection status, version info, build ID, filter overview, and free disk space, it does not provide any detailed or historical data about the messages your Spamphibian Gateway has received, how long it took to scan or process them, or the load on the machine. To view this data, use the "Monitor" pane. To view the "Monitor" pane click on the "Monitor" item under the server in "Servers" view.
The "Monitor" pane
By default, the "Monitor" pane shows the data for all domains. To view the data for a particular domain, use the "Domain" popup located above the graph. Alternatively, you can use the "Domain" menu item under the "View" menu. (Note: not all of the statistics are recorded on a per-domain basis. For example, the "Max SMTP in" and "Busy SMTP in" statistics will only show when you are viewing "All" domains.)
By default, the "Monitor" pane shows the data in 5 minute intervals. To change this value, use the "Graph Interval" popup located above the graph. Alternatively, you can use the "Graph Interval" menu item under the "View" menu. There are several intervals you can choose: 5, 10, 15, 30 minutes, 1, 3, 6, 12 hours, 1 day, 1 week, and 1 month.
Spamphibian Gateway keeps track of many statistics including the types of messages received, the message scan time, the number of messages received, the CPU usage, the size of the incoming queue, the size of the outgoing queue, the size of the retry queue, and the time to process a message. These statistics are organized into three views: "Filter", "Load" and "Queues".
Filter View
To view the "Filter" statistics in the "Monitor" pane, click on the "Filter" tab. Use this tab to determine the types of messages received during a given interval and the average scan time.
The "Filter" tab
To determine the types of messages received during a given interval, move your mouse over the interval in the chart. Spamphibian Gateway keeps track of how many messages were "Accepted" and how many messages were "Rejected" because they were "Spam", "Phish", "Virus" or blocked by "DNSBL". The message counts will appear next to the message types in the legend below the chart. When your mouse is not over an interval, the message counts will appear as "n/a" (for "Not Available"). The colors in the legend are the same colors that appear in the "Filter overview" in the "Server Info" pane. To change a color for a message type, click on the color next to the label for that message type in the legend and use the color wheel to select a new color. The vertical axis on the right hand side of the chart corresponds to the message counts.
To determine the average scan time during a given interval, move your mouse over the interval in the chart. Spamphibian Gateway keeps track of how long it took for the message to be filtered through your domain specific rules, your global rules, Outspring rules, and the DNSBL filter. See "Chapter 4: Managing Your Filtering Services" for more about these rules and filters. To change the color for the average scan time line graph, click on the color next to the "Scan time" label in the legend, and use the color wheel to select a new color. The vertical axis on the left hand side of the chart corresponds to the average scan time.
Many factors affect the average scan time, including the size and type of messages your Spamphibian Gateway receives, the number and type of rules you have specified, the number and type of rules that make up the Outspring rules, and the DNSBL filter settings. The number of messages that you receive in a given interval will not affect the average scan time. The average scan time appears as a line graph on top of the vertical message count bars.
Load View
To view the "Load" statistics in the "Monitor Pane", click on the "Load" tab. Use this tab to determine the incoming SMTP load on your Spamphibian Gateway as well as the average CPU usage of the machine that is running Spamphibian Gateway.
The "Load" tab
To determine the maximum number of simultaneous incoming SMTP connections during a given interval, move your mouse over the interval in the chart. If during an interval you've hit the maximum number of allowed simultaneous incoming SMTP connections, you will see a "Busy" peak on top of the "Max SMTP in" bar. To change the colors for "Max SMTP in" and "Busy" bars, click on the color next to the "Max SMTP in" and "Busy" labels in the legend and use the color wheel to select a new color. The vertical axis on the right hand side of the chart corresponds to the number of connections. To learn how to increase the maximum number of allowed simultaneous incoming SMTP connections to reduce the time your Spamphibian Gateway is "busy", see the "SMTP In Settings" section of "Chapter 7: Advanced Spamphibian Gateway Administration".
To determine the average CPU usage during a given interval, move your mouse over the interval in the chart. Spamphibian Gateway keeps track of the average CPU usage on the machine that hosts your Spamphibian Gateway. The average CPU usage appears as a line graph on top of the "Max SMTP in" bars. To change the color for the average CPU usage line graph, click on the color next to the "CPU" label in the legend, and use the color wheel to select a new color. The vertical axis on the left hand side of the chart corresponds to the average CPU usage.
Queues View
To view the "Queues" statistics in the "Monitor Pane", click on the "Queues" tab. Use this tab to determine how efficiently Spamphibian Gateway is processing messages that are to be delivered to destination SMTP servers or bounced back to senders.
The "Queues" tab
Spamphibian Gateway has three queues: incoming queue, outgoing queue, and the retry queue. Once a message has been received, it is placed in the incoming queue until it can be run through the various rules and filters. If the message is to be delivered to the destination SMTP server, it is placed in the outgoing queue. Bounce messages and delivery failure notices are also placed in the outgoing queue and Spamphibian Gateway will attempt to deliver them in a "first in, first out" method. If Spamphibian Gateway is unable to deliver a message, it will be placed into the retry queue until it is appropriate to retry to deliver the message. To determine the maximum number of messages that were in incoming, outgoing and retry queues during a given interval, move your mouse over the interval in the chart. To change a color for a queue type, click on the color next to the label for that queue type in the legend and use the color wheel to select a new color. The vertical axis on the right hand side of the chart corresponds to the number of messages in the queues.
To determine the average process time during a given interval, move your mouse over the interval in the chart. Spamphibian Gateway keeps track of how much time passed between when a message arrived and when it was successfully delivered to the destination SMTP server. The average process time appears as a line graph on top of the queue bars. To change the color for the average process time line graph, click on the color next to the "Average Process Time" label in the legend, and use the color wheel to select a new color. The vertical axis on the left hand side of the chart corresponds to the average process time.
Many factors affect the average process time, including Spamphibian Gateway's various SMTP Out settings and the responsiveness of the destination SMTP server. To learn how to change your SMTP Out settings to reduce your average process time, see the "SMTP Out Settings" section of "Chapter 7: Advanced Spamphibian Gateway Administration".
Note: The time it takes to process bounce, delivery failure, quarantined, rejected, blocked, and purged messages will not affect the average process time statistic. This statistic is provided only to determine if "Accepted" messages are being efficiently delivered to the destination SMTP server.
Messages
Managing quarantined messages, messages in the retry queue, and special messages from Outspring is covered by "Chapter 5: Managing Your Messages".
Logs
To find even more detail than what the "Monitor" pane offers, use the "Logs" pane to view the Spamphibian Gateway log. Viewing the logs can be helpful when tracking down problems or performance issues.
The "Logs" pane for all domains
Depending on your settings, Spamphibian Gateway can write a vast amount of information to the log file. Use the "Domain", "Service", "Level", and "Type" popups, as well as the "Quick Search" filter to find exactly what you're looking for in the log file.
Domain
When Spamphibian Gateway writes an entry to its log, it specifies which domain (if any) the entry is associated with. Each domain that your Spamphibian Gateway is configured to accept messages for will appear in the "Domain" popup. For more about configuring domains, see "Chapter 6: Managing Your Domains". By default, Spamphibian Admin will show all the log entries for all the domains. To view only the log entries for a particular domain, use the "Domain" popup to select that domain. Alternatively, you can use the "Domain" menu item under the "View" menu.
The "Logs" pane showing only the "metrosense.com" domain
Note: Some log entries are not associated with a given domain. Those entries will be visible when you've selected "All" in the "Domain" popup.
Service
When Spamphibian Gateway writes an entry to its log, it specifies which service logged the entry. There are (at most) thirteen different services: info, logs, domain, admin, stats, queue, filter, dnsbl, quarantine, registration, smtp.in.0, smtp.in.1, and smtp.out. By default, Spamphibian Admin is configured to show all the log entries for all the services. To view only the log entries for a particular service, use the "Service" popup to select that service. Alternatively, you can use the "Log Service" menu item under the "View" menu.
The "Logs" pane showing only the "filter" service entries
Level
When Spamphibian Gateway writes an entry to its log, it specifies the level for that entry. There are four levels: "Generic", "Transaction", "Protocol", and "Debug". Choosing a log level will show you all the log entries at that level, and below. For example, choosing "Generic" would only show you the "Generic" log entries. Choosing "Transaction" would show you both "Transaction" and "Generic" log entries. Choosing "Protocol" would show you "Transaction", "Generic" and "Protocol" log entries. Finally, choosing "Debug" would show you "Transaction", "Generic", "Protocol" and "Debug" entries.
By default, Spamphibian Admin shows log entries with the level "Transaction". To change the log level, use the "Log Level" popup. Alternatively, you can use the "Log Level" menu item under the "View" menu.
The "Logs" pane showing only the generic entries
Type
When Spamphibian Gateway writes an entry to its log, it specifies the type for that entry. There are four log entry types: Info, Warnings, Errors, System Errors. By default, Spamphibian Admin shows all four types of log entries. To change which type of log entries are shown in the "Logs" view, use the "Types" popup. Alternatively, you can use the "Log Types" menu item under the "View" menu.
The "Logs" pane showing only errors
Quick Search
In addition to the "Domain", "Service", "Level" and "Type" popups, you can use the "Quick Search" field to only show entries that match the specified text.
The "Logs" pane showing only entries with "metrosense"
Additionally, to find a specific log entry, you can use all the standard "Find" keyboard commands, which can also be found under the "Find" menu item under the "Edit" menu.
Clearing the Log
The "Clear Log" button does not permanently remove any log entries from disk. It clears the visible log items, which can be useful when tracking down issues. If you disconnect and reconnect Spamphibian Admin from Spamphibian Gateway, you will get all the log entries.
Chapter 4: Managing Your Filtering Services
Before a message is accepted and delivered to the intended recipient, it has to pass through Spamphibian Gateway's four filtering services: domain specific rules, global rules, Outspring rules and DNSBL. Spamphibian Admin allows you to configure the settings for these filtering services, and to define additional filter rules. You can write many types of filter rules: domain, URL, IP address, text, attachment name, and regular expression rules. For DNSBL, you can use multiple DNSBL service providers and reject messages if one or all of the DNSBL providers blacklist the IP address of the incoming connection.
Rule Precedence
In Spamphibian Gateway, domain specific rules take precedence over global rules, global rules take precedence over Outspring rules. Within a list of rules, the "accept" rules take precedence over all other rule actions. The precedence of DNSBL depends on the filter action you have chosen for DNSBL.
When a message arrives, Spamphibian Gateway will first compare it to the domain specific rules for the intended recipient. If there are any domain specific "accept" rules that match the message, it will be accepted and delivered to the intended recipient. Otherwise, if there are any matching domain specific "reject" rules, the action associated with the first (*) matching "reject" rule is followed.
If there are no matching domain specific rules, the message will be compared against the global rules. If there are any global "accept" rules that match the message, it will be accepted and delivered to the intended recipient. Otherwise, if there are any matching global "reject" rules, the action associated with the first matching "reject" rule is followed.
If there are no matching global rules, the message will be compared against the Outspring rules. If there are any matching Outspring "reject" rules, the default action for Outspring rules is followed. If there are no matching Outspring "reject" rules, the message will be delivered to the intended recipient. Note, there are no "accept" rules in the Outspring rule list.
If the filter action for DNSBL is configured to "block connection", it will take precedence over all the rules. If the IP address of the incoming connection is blacklisted and your filter action for DNSBL is "block connection", the connection will be dropped and the incoming message will not be received. If your filter action for DNSBL is not "block connection", Spamphibian Gateway will save off the incoming IP address and perform DNSBL only if the message has passed through the domain specific, global and Outspring rules. At that time, the IP address will be checked against the configured DNSBL services. If it is blacklisted, the filter action for DNSBL is followed.
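The precedence order described above, written out as an added example (not Outspring's code). The `Rule` class, the function names and the returned `(source, action)` pair are hypothetical; the example also assumes that a matching "accept" rule is final, so DNSBL is consulted afterwards only when no rule list matched.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Rule:
    matches: Callable[[str], bool]  # predicate over the message text
    action: str                     # "accept", or a reject action such as "quarantine"


def evaluate_list(rules: List[Rule], message: str) -> Optional[str]:
    """Return the action chosen by one rule list, or None if nothing matches.

    Within a list, "accept" wins over every other action; otherwise the
    first matching reject rule (in list order) decides.
    """
    hits = [r for r in rules if r.matches(message)]
    if not hits:
        return None
    if any(r.action == "accept" for r in hits):
        return "accept"
    return hits[0].action


def filter_message(message: str, client_ip: str,
                   domain_rules: List[Rule], global_rules: List[Rule],
                   outspring_rules: List[Rule], outspring_default: str,
                   dnsbl_listed: Callable[[str], bool],
                   dnsbl_action: str) -> Tuple[str, str]:
    """Return (which filter decided, action taken) for one message."""
    # "block connection" is checked before any rule: the message is never received.
    if dnsbl_action == "block connection" and dnsbl_listed(client_ip):
        return ("dnsbl", "block connection")

    # Domain specific rules first, then global rules.
    for source, rules in (("domain", domain_rules), ("global", global_rules)):
        action = evaluate_list(rules, message)
        if action is not None:
            return (source, action)

    # Outspring rules have no "accept" rules; a match uses the list's default action.
    if any(r.matches(message) for r in outspring_rules):
        return ("outspring", outspring_default)

    # Any other DNSBL action applies only to messages that passed every rule list.
    if dnsbl_listed(client_ip):
        return ("dnsbl", dnsbl_action)

    return ("none", "accept")
```
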
Domain Specific Rules Settings
Under "Global Settings" in the "Servers" view, all the domains your Spamphibian Gateway is configured to filter will be listed. Select the domain you wish to edit, and then click on the "Filter" tab to load the "Filter" view.
Domain Specific Filter Settings
You can enable the domain specific rules by using the "Enable <domain> Filter Rules" checkbox. If your domain specific rules are enabled, you can use the "Default action" popup to configure which default action should be taken when a message matches a domain specific rule. By default, the action is "Quarantine".
Default Action
If enabled, domain specific rules only apply to messages intended for recipients of that domain.
You can modify, view, and export the domain specific rules. Under "<domain> Rules Settings", use the "Rule List Table" to add, remove and edit your domain specific rules. For more information on adding, removing and modifying domain specific rules, see the "Rule List Table" section below.
Global Rules Settings
In the "Filter" view of "Global Settings", under "Global Rules Settings", you can enable the Global rules by using the "Enable Global Filter Rules" checkbox.
If Global rules are enabled, you can use the "Default action" popup to configure which default action should be taken when a message matches a Global rule. By default, the action is "Quarantine". If enabled, global rules apply to messages, but see the section on "Rule Precedence" above for more details.
You can modify, view, and export the global rules. Under "Global Rules Settings", use the "Rule List Table" to add, remove and edit your global rules. For more information on adding, removing and modifying global rules, see the "Rule List Table" section below.
Outspring Rules Settings
In the "Filter" view of "Global Settings", under "Outspring Rules Settings", you can enable the Outspring rules by using the "Enable Outspring Filter Rules" checkbox. If Outspring rules are enabled, you can use the "Default action" popup to configure which default action should be taken when a message matches an Outspring rule. By default, the action is "Quarantine".
If enabled, Outspring rules apply to messages, but see the section on "Rule Precedence" above for more details.
Note: It is not possible to directly modify, view or export the Outspring rules.
Outspring and Global "Filter" settings
Rule List Table
To add a rule, click the + button beneath the "Rule List" table. To remove a rule, select a rule and click the - button beneath the "Rule List" table. Alternatively, you can use the delete key.
Immediately after you add a rule, it will be selected. By default, added rules will have the type "Text", the content "enter rule value here", and the action "Default".
To modify a rule's type, click the "Type" value and use the popup to change the value.
Changing a rule's Type
To modify a rule's content, click on the "Content" value and modify the content inline.
Changing a rule's Content
To modify a rule's action, click on the "Action" value and use the popup to change the value.
Changing a rule's Action
For more information about rule type, content and action, see the "The Anatomy of a Rule" section below.
Once you have finished creating, modifying, or removing a rule you must click the "Save" button to save your changes. To revert the changes since your last save, click on the "Revert" button.
More about Outspring Rules
As you probably already know, managing a mail server can be a tedious and time-consuming process. With upwards of 80% of all email sent per year being spam, the problem is compounded significantly. However, using Spamphibian Gateway in conjunction with a subscription to Outspring's Spamcaster Service will quickly and easily reduce the amount of unwanted email arriving at your mail server. Frequent updates from Outspring will reduce or eliminate the time you spend analyzing unwanted email. Let Outspring do the work for you! Spamphibian Gateway with the Spamcaster Subscription service has been shown to consistently and significantly reduce spam by nearly 90% with virtually no false positives!
Subscribing to the Spamcaster Service
Subscribing to the Spamcaster Service is the easiest and quickest way to reduce the amount of unwanted email reaching your server. The Spamcaster Service will provide you with frequent updates to the powerful and reliable Outspring rules list that takes much of the burden of creating rules off of the administrator.
The Outspring rules are specifically tailored to match the most current characteristics of unwanted email such as spam, "phishing" scams and well known viral attachments while ensuring virtually no good email is caught as spam.
We are continually updating and improving our rules by analyzing thousands of messages reported daily to Outspring as well as culling relevant information from third party databases such as trusted virus, scam and spam alert sources to analyze, monitor and adapt to the ever-changing nature of unwanted email.
Once you are subscribed to the service you don't need to do anything to start using the Outspring rules. The Outspring rule list will be automatically installed by Spamphibian Gateway when it is received.
To subscribe, simply visit our online store at http://www.outspring.com/catalog or contact our sales department by email at sales@outspring.com or by phone or fax at: 1-707-523-7711 or 1-707-523-7710 respectively.
Reporting Messages
To report a message in your "Quarantine" folder or "Retry Queue" to Outspring for inclusion into the Outspring rule list, redirect the message to spamreports@spamcaster.outspring.com.
See the "Redirect" section of "Chapter 5: Managing Your Messages" for more information on how to redirect messages.
To report a message that gets past Spamphibian and arrives in your inbox, redirect the message to spamreports@spamcaster.outspring.com.
Manual Rule Requests
If you find that you do not have the most current version of the Outspring rules list, you can make a "Manual Rule Request" and we will send you the current list immediately. To make the request, enter your domain name into the field at http://www.outspring.com/spamcaster-rules-request.php
Removal Request
Although we make every effort to only include safe rules in our list, it is still possible that one of our rules may block something that you may not want blocked. In the event that this happens, please fill out the rule "Removal Request" form at http://www.outspring.com/spamcaster-removal-request.html and we will process your request.
The Anatomy of a Rule
A rule has three parts: type, content, and action. The type part of a rule tells Spamphibian Gateway where in the message to look for a match on the content. The content of a rule consists of a text pattern that is characteristic of unwanted messages. The action part of a rule tells Spamphibian Gateway what to do with a message that matches the content part of the rule.
Rule Types
There are six rule types that Spamphibian Gateway can utilize to filter messages. These are: Domain, URL, IP Address, Text, Attachment and RegEx. The rule types tell Spamphibian Gateway where to look for a rule in a message. The rule content for these types must conform to a specific syntax in order to be correctly processed by Spamphibian Gateway.
Domain Rules
For URL and Domain rules, Spamphibian Gateway looks in the message headers and body for all URLs and email addresses. Nearly all spam messages include URLs that the spammer hopes the recipient will click on. Sometimes this will be a simple URL like: http://populartablets.net, other times it may be more complex as in the following examples:
unsubscribe_link@random.subdomains.populartablets.net
http://l9fv8u3lkajnc.populartablets.net
http://www.populartablets.net/my/spam/site/index.html
http://www%2epopulartablets%2enet%2fbuy%2fsome%2fmeds%5fnow%2ehtml
In the examples above Spamphibian Gateway will see the populartablets.net domain. This makes filtering these kinds of messages simple even though the details of the URL may change frequently over a series of messages. All that is needed is a single "Domain" type rule with the following content:
populartablets.net
A "Domain" rule with this content tells Spamphibian Gateway that it should look at all the URLs in a message and extract the domains to see if any of them match the content part of the rule (populartablets.net in this case). Domain rules are case insensitive.
Note: You can not use the "*" character with domain rules. Domain rules are always exact matches.
URL Rules
You may receive a lot of spam containing URLs with the geocities.com domain. However, it may not be prudent for your organization to block every message containing that domain, so making a domain rule is not a viable option. You might want to block just certain accounts on that domain. URL rules provide this sort of flexibility. For example, you are receiving lots of unwanted emails with the URL:
http://uk.geocities.com/love2spamU82/buyjunk.html
You could simply add the URL rule:
uk.geocities.com/love2spamU82/buyjunk.html 
This rule would catch any message containing that exact URL (this is an "is" rule). You might add the "starts with" rule:
uk.geocities.com/love2spamU82/*
This rule would block all of the following examples:
uk.geocities.com/love2spamU82/buyjunk.html
uk.geocities.com/love2spamU82/buymorejunk.html
uk.geocities.com/love2spamU82/my_stock_picks/cgi-bin/bla/bla/bunchofstuff&param=value
This "starts with" rule may work well at first, but soon you may start seeing unwanted emails with the following URLs:
http://uk.geocities.com/love2spamU83/mynewspamsite.html
http://uk.geocities.com/love2spamU83/buymorejunk.html
You could generalize your rule to be:
uk.geocities.com/love2spamU*
Or even:
*geocities.com/love2spamU*
You may be tempted to do:
*spam*
But this is a bad idea. This rule will block all of the example geocities URLs listed above, but it would also reject emails that were not spam. When "good" email is rejected, it is called a "false positive". For example, the "*spam*" rule would block emails containing:
http://www.outspring.com/spamcaster-activation.html
More specific rules will result in fewer "false positives" than more general rules. Be mindful of this when creating general rules for Spamphibian Gateway to avoid false positives.
IP Address Rules
IP address rules may take one of four forms:
1) A single, fully qualified IP number:
192.168.0.1
2) A range using two IP numbers and a hyphen:
192.168.0.2-192.168.0.25
3) A range using a partially formed IP number with an asterisk:
192.168.0.*
192.168.*.*
192.*.*.*
Note: the * characters must be at the end of the range. The following ranges are invalid: 192.*.*.1, 192.168.*.1, *.*.0.1, etc.
Note: the following range is invalid: *.*.*.*
4) A range using a partially formed IP number with a mask:
192.168.0.1/24
Note, this example is equivalent to:
192.168.0.*
as the mask fixes the first 24 bits.
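The four IP address rule forms and their validity constraints, as an added example (not Spamphibian Gateway's own parser). The function names are hypothetical, and rejecting a hyphen range whose start is above its end is an assumption the manual does not state.

```python
import ipaddress


def parse_ip_rule(content):
    """Turn IP address rule content into an inclusive (low, high) integer range.

    Raises ValueError for content that is not one of the four documented forms.
    """
    text = content.strip()

    # Form 4: address with a mask, e.g. 192.168.0.1/24.
    # strict=False accepts host bits after the fixed prefix, as in the manual's example.
    if "/" in text:
        net = ipaddress.IPv4Network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)

    # Form 2: two addresses joined by a hyphen.
    if "-" in text:
        low_text, high_text = text.split("-", 1)
        low = int(ipaddress.IPv4Address(low_text.strip()))
        high = int(ipaddress.IPv4Address(high_text.strip()))
        if low > high:  # assumption: a reversed range is treated as an error
            raise ValueError("range start is above range end: %r" % text)
        return low, high

    # Form 3: trailing asterisks only, and never *.*.*.*
    if "*" in text:
        octets = text.split(".")
        if len(octets) != 4:
            raise ValueError("expected four dot-separated parts: %r" % text)
        fixed = [o for o in octets if o != "*"]
        if not fixed:
            raise ValueError("*.*.*.* is not a valid range")
        if octets[:len(fixed)] != fixed:
            raise ValueError("asterisks must be at the end: %r" % text)
        pad = 4 - len(fixed)
        # IPv4Address validates the fixed octets (rejects e.g. "19*" or "300").
        low = ipaddress.IPv4Address(".".join(fixed + ["0"] * pad))
        high = ipaddress.IPv4Address(".".join(fixed + ["255"] * pad))
        return int(low), int(high)

    # Form 1: a single address.
    single = int(ipaddress.IPv4Address(text))
    return single, single


def ip_rule_matches(content, address):
    """True if the address falls inside the range the rule content describes."""
    low, high = parse_ip_rule(content)
    return low <= int(ipaddress.IPv4Address(address)) <= high
```
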
Text Rules
Text rules should be used for sorting messages based on words, phrases or other characteristic text strings. (In computer jargon, a sequence of arbitrary characters is commonly referred to as a text string, or simply a string). String rules use the same search types as URL and Domain rules so you can use the "is", "contains", "starts with" and "ends with" asterisk notation for string rules as you would with URL and Domain rules. Spamphibian Gateway will look in the subject header field and the body of a message for matches to string rules. String rules are case insensitive. In addition to the asterisk search type notation, string rules also support combo rule syntax for specifying an unordered set of strings which all must be present in the message to make a match.
String Combo Rule Syntax
String combo rules allow for greater flexibility than plain string rules with or without the asterisk notation. With a combo rule, you can specify a set of strings that all must be present in the message, but the parts of the rule must all be in the header or all in the body for the combo rule to match. For example, you may receive spam talking about "hot" stock picks. These messages often don't include any domains or URLs that would be usable. String rules are often better to block these types of unwanted messages. Here's a string from one of these stock messages:
the publisher of this stock newsletter is not a registered in-vestment advis0r. 
You could make the string rule:
not a registered in-vestment advis0r.
This would catch this message, but only slight changes to the message in the right place would get around this rule.
You could try a "contains" string rule:
*in-vestment advis0r.*
This would also work, but consider the following combo rule:
stock newsletter + in-vestment + advis0r
This rule is preferable because the message must contain "stock newsletter" and "in-vestment" and "advis0r" to match the rule. This rule provides a good deal of safety with respect to false positives, but also is flexible enough to not be affected by the order in which these three terms occur in the message. For example, the following text will only be caught by the combo rule:
Read all our stock newsletters now!! We want to be your advis0r for all your st0.ck in-vestments...
Note that the individual parts of a combo rule are always treated as "contains" strings not "is" strings which is why the above combo rule can match the example just given even though the combo rule specifies "stock newsletter" but the example contains "stock newsletters" and similarly with "in-vestment" and "in-vestments...". None of the other string rules presented would match that example given.
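The asterisk notation from the "URL Rules" section and the combo syntax described here, as an added example (not Spamphibian Gateway's own matcher) that also lists which known-good URLs a candidate rule would hit. The function names are hypothetical; dropping the URL scheme and comparing URLs case-insensitively are assumptions, and the sample strings are the ones quoted in this manual.

```python
import re


def url_rule_matches(rule, url):
    """Apply a URL rule's asterisk notation to one URL."""
    # Assumption: the scheme is dropped before comparing, because the manual's
    # rules omit "http://" while the URLs they are said to catch include it.
    # Assumption: comparison is case-insensitive, as documented for domain
    # and string rules.
    target = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    pattern = rule.strip().lower()
    core = pattern.strip("*")
    if not core:
        raise ValueError("rule has no literal text: %r" % rule)
    if "*" in core:
        raise ValueError("only leading and trailing asterisks are handled here")
    open_start, open_end = pattern.startswith("*"), pattern.endswith("*")
    if open_start and open_end:
        return core in target            # "contains"
    if open_end:
        return target.startswith(core)   # "starts with"
    if open_start:
        return target.endswith(core)     # "ends with"
    return target == core                # "is"


def false_positives(rule, known_good_urls):
    """Return the known-good URLs that a candidate URL rule would block."""
    return [u for u in known_good_urls if url_rule_matches(rule, u)]


def combo_rule_matches(rule, subject, body):
    """Match a string combo rule such as 'stock newsletter + in-vestment + advis0r'.

    Every part is a case-insensitive "contains" test, and all parts must be
    found in the same section: all in the subject or all in the body.
    """
    parts = [p.strip().lower() for p in rule.split("+")]
    if len(parts) < 2 or not all(parts):
        raise ValueError("a combo rule needs two or more non-empty parts")
    return any(all(p in section.lower() for p in parts)
               for section in (subject, body))


# Sample inputs quoted from the manual text above.
GOOD_URLS = ["http://www.outspring.com/spamcaster-activation.html"]
STOCK_BODY = ("Read all our stock newsletters now!! We want to be your "
              "advis0r for all your st0.ck in-vestments...")
```

Running `false_positives` over a list of URLs you know to be legitimate before saving a general rule shows whether it is too broad, as `*spam*` is here.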
Attachment Rules
Attachment rules consist of the name of the attachment. Some examples include:
virus
.pif
iloveyou
knownvirus.zip
Note: attachment names are always searched as a "contains" rule, and they are case insensitive.
RegEx Rules
A RegEx or Regular Expression is a text string which is used to search for other text strings that match a pattern or a certain set of conditions. Regular expressions consist of characters, meta-characters, and operators that define a search pattern. Regular expressions provide you with an extremely flexible and powerful search mechanism for finding spam characteristics cleverly hidden in messages. A simple example of a regular expression is:
c.t 
This regular expression will match on any 3-letter word which starts with the letter "c" and ends with the letter "t". A comprehensive guide to the creation and use of Regular Expressions is well beyond the scope of this manual. Please refer to online documentation found through web search or a good Regular Expression manual for further information.
Spamphibian Gateway will first evaluate a regex rule against the headers. If there is no match against the headers, Spamphibian Gateway will then evaluate the regex rule against the "simplified text" version of the message. If there is no match against the "simplified text", Spamphibian Gateway will then evaluate the regex rule against the "raw" version of the message.
Note: Due to the way Spamphibian Gateway evaluates regex rules, negated regex rules ("does not contain") will most likely lead to false positives.
Spamphibian Gateway uses the POSIX 1003.2 format for regular expressions.
For more on this format, see http://developer.apple.com/documentation/Darwin/Reference/ManPages/man7/re_format.7.html or do "man re_format".
Special Characters
If you want to use asterisk symbols as part of a rule, you must enclose all occurrences within double-quotes. For example:
"www.evil.com/*./phish.cgi?param=foo*"
The double-quotes tell Spamphibian Gateway to treat the asterisk as a literal character, not a wild-card character. Similarly, if you would like to use plus symbols in a rule, they must also be enclosed within double-quotes as in:
"www.evil.com/test.cgi?foo+bar"
Rule Actions
An individual rule can have one of the following actions: Default, Accept, Quarantine, Tag, Delete, and Bounce.
Default Filter Action
If an individual rule has the "Default" action, it will follow the specified default action for the rule list.
Accept Action
The accept action will deliver the message to the intended recipient.
Quarantine Action
The quarantine action moves messages into the "Quarantine Folder". A message undergoing this action will not be delivered but will remain on the Spamphibian Gateway. Messages quarantined by Spamphibian Gateway are prevented from reaching your mail server but are still available for inspection and management by the administrator. For more information on managing messages, see "Chapter 5: Managing Your Messages".
Quarantining messages blocks spam from consuming further resources and shields users from ever seeing the spam. The messages that are quarantined will remain at the Spamphibian Gateway until the administrator manually removes them or they are automatically removed as configured by the administrator. For more information about automatic removal of quarantined messages see the "Quarantine Settings" section of "Chapter 7: Advanced Spamphibian Gateway Administration".
If your organization has policies regarding the storage of email, the Tag action may be a more appropriate alternative to quarantining.
Tag Action
The tag action adds four headers to the message and alters the subject line of the message. A message undergoing this action will pass through Spamphibian Gateway and will be delivered to its destination. This feature is useful for allowing client-side message management and removing the burden of spam message management from the administrator.
Many email client applications allow a user to configure rules which route messages to specific folders based on the contents of an email message. If your users use email applications that have this ability, they can set up a rule to watch for messages Spamphibian Gateway has marked as spam and automatically file them in a special spam folder. Then you can configure Spamphibian Gateway to tag messages it thinks are spam, and then go ahead and deliver them on to their intended recipient. This leaves the final decision as to how the message should be treated to the user to whom the message was actually addressed.
Spam is a subjective concept and the tag feature allows the administrator to leave it up to the user to determine what to do with spam messages.
For messages that are tagged, the subject will be prefixed with the string "***SPAM***". Additionally, there are four header lines that are added to tagged messages. The first two, "Tag" and "Type" are used for routing tagged messages, while the other two, "Value" and "Source" are for informational purposes. The order in which the headers occur does not change.
Tag Header
The tag header is static and will always appear as:
X-Spamphibian-Rule-Tag: YES
All tagged messages will have this header line so it can be used to reliably route tagged messages accordingly. If the header exists, Spamphibian Gateway has tagged the message. If it does not exist Spamphibian Gateway has not tagged the message.
Type Header
The type header is dynamic and will appear as:
X-Spamphibian-Rule-Type: type
where type is the variable part and will be set to spam, phish, virus or DNSBL. Knowing the type of the rule that matched the message gives the user greater control over how to route messages tagged by Spamphibian Gateway. For example, one might want to automatically route all virus and phish messages to the trash, while routing spam and DNSBL messages to a quarantine folder.
Value Header
The value header is dynamic and will appear as:
X-Spamphibian-Rule-Value: value
where value is variable and will be set to either the actual rule that matched the message or one or more DNSBL service addresses. Knowing the rule that matched the message is useful for identifying rules that tag messages incorrectly, as with false positives, or in weeding out overzealous DNSBL service providers. If a user finds that messages are being tagged that should not be, the value and source headers are what the administrator needs to take corrective action.
Source Header
The source header is dynamic and will appear as:
X-Spamphibian-Rule-Source: source
where source is variable and will be set to either Outspring, global, DNSBL or a domain managed by Spamphibian Gateway (for per-domain admin rules). The source indicates where a rule came from. A source of Outspring indicates that the rule is part of the Outspring Rules distribution that is sent out to subscribers of the Spamcaster Service. A rule source of "global" indicates that the rule is in the global rules for all domains managed by Spamphibian Gateway. These rules are found under Default Settings under the Filter tab. A source of DNSBL indicates that the IP address of the MTA that delivered the message to Spamphibian Gateway was listed in a DNSBL database. Any other source value indicates that the rule is in the Blacklist for the domain indicated by source.
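The client-side routing described in the Tag Action sections can be sketched as follows. This is an added example, not Outspring's code: the header names and type values are the ones documented above, while the folder names, the `route_message` function and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

# Header names and type values are the ones the manual documents.
TAG_HEADER = "X-Spamphibian-Rule-Tag"
TYPE_HEADER = "X-Spamphibian-Rule-Type"
VALUE_HEADER = "X-Spamphibian-Rule-Value"
SOURCE_HEADER = "X-Spamphibian-Rule-Source"

# Folder names are hypothetical. The mapping mirrors the manual's example:
# virus and phish go to the trash, spam and DNSBL go to a quarantine folder.
ROUTES = {"virus": "Trash", "phish": "Trash",
          "spam": "Quarantine", "dnsbl": "Quarantine"}
REVIEW_FOLDER = "Tagged-Review"  # hypothetical: tagged, but type missing or unexpected


def route_message(raw_message):
    """Return the target folder plus the rule details an administrator needs."""
    msg = message_from_string(raw_message)

    # Presence of the tag header is the documented signal. The subject prefix
    # is deliberately ignored: it is configurable, and any sender can put the
    # same text in a subject line.
    if msg.get(TAG_HEADER) is None:
        return {"folder": "Inbox", "type": None, "value": None, "source": None}

    # Normalise case so "DNSBL" and "dnsbl" route the same way. Conflicting or
    # absent type headers fall through to the review folder.
    types = {t.strip().lower() for t in msg.get_all(TYPE_HEADER, [])}
    rule_type = types.pop() if len(types) == 1 else None

    return {
        "folder": ROUTES.get(rule_type, REVIEW_FOLDER),
        "type": rule_type,
        # Value and source are informational: they are what the administrator
        # needs when a user reports a false positive.
        "value": msg.get(VALUE_HEADER),
        "source": msg.get(SOURCE_HEADER),
    }


def _build(headers, body="Body text.\n"):
    """Assemble a minimal RFC 822 style message from (name, value) pairs."""
    return "".join(f"{name}: {value}\n" for name, value in headers) + "\n" + body


# Constructed sample messages (addresses and rule values are made up).
TAGGED_PHISH = _build([
    (TAG_HEADER, "YES"),
    (TYPE_HEADER, "phish"),
    (VALUE_HEADER, "www.evil.com/test.cgi"),
    (SOURCE_HEADER, "Outspring"),
    ("From", "billing@example.net"),
    ("To", "user@example.com"),
    ("Subject", "***SPAM*** Verify your account"),
])
TAGGED_DNSBL = _build([
    (TAG_HEADER, "YES"),
    (TYPE_HEADER, "DNSBL"),
    (VALUE_HEADER, "sbl-xbl.spamhaus.org"),
    (SOURCE_HEADER, "DNSBL"),
    ("From", "news@example.org"),
    ("To", "user@example.com"),
    ("Subject", "***SPAM*** Weekly digest"),
])
TAGGED_UNKNOWN_TYPE = _build([
    (TAG_HEADER, "YES"),
    (TYPE_HEADER, "other"),
    ("From", "someone@example.org"),
    ("To", "user@example.com"),
    ("Subject", "***SPAM*** Hello"),
])
PREFIX_ONLY = _build([
    ("From", "colleague@example.com"),
    ("To", "user@example.com"),
    ("Subject", "***SPAM*** is what this vendor keeps sending us"),
])

if __name__ == "__main__":
    for name in ("TAGGED_PHISH", "TAGGED_DNSBL", "TAGGED_UNKNOWN_TYPE", "PREFIX_ONLY"):
        print(name, route_message(globals()[name]))
```

The last sample shows why the rule keys on the tag header rather than the subject: a message that only carries the prefix text in its subject stays in the inbox.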
Delete Action
The delete action permanently removes messages. A message undergoing this action will not be delivered and will not be available for inspection by the administrator and will not consume any resources on Spamphibian Gateway. No delivery status notification will be generated.
Bounce Action
The bounce action rejects the message. A message undergoing this action will not be delivered to the recipient and a delivery status notification (DSN) indicating that the message was undeliverable will be sent to the address indicated in the SMTP "Mail From" command. This is not generally a recommended action as it causes an increase in resource usage and it is unlikely that the DSN will be returned to a legitimate sender. This is due to the fact that the "From: " header value is often forged in spam messages and may even be the same as the recipient! Please be aware that using the bounce action can cause messages to begin bouncing back and forth between two servers as they try and resolve the sending issue and these messages can begin to back up in the queue delaying processing and sending of other messages.
DNSBL Filtering
In addition to rule-based filtering, Spamphibian Gateway provides another layer of protection: DNSBL (Domain Name System based black-hole list). DNSBL uses information compiled by third parties as a basis for rejecting connections to Spamphibian Gateway.
DNSBL is an acronym for Domain Name System based black-hole list. What that mouthful means is that Spamphibian Gateway will check the IP address of incoming connection requests against Internet-accessible databases maintained by third parties. Spamphibian Gateway uses an advanced form of DNSBL that takes advantage of the various Filter Actions. Spamphibian Gateway can be configured to block a connection immediately if the incoming connection's IP address is found in a DNSBL; that is the traditional form of DNSBL. However, Spamphibian Gateway can also be configured to perform any of the Filter Actions so that the administrator has greater flexibility in managing messages (instead of delete, the corresponding action for DNSBL is quarantine). This gives Spamphibian Gateway a chance to pass messages through the "Accept" rules before any action is carried out.
Warning: Because these databases are maintained by third-party sources, it can be difficult to ensure the quality of the data. Additionally, the criteria for including addresses in the database vary greatly from list to list. For example, some databases only include servers known to have open relays, while other databases attempt to list IP addresses from specific countries. While Spamphibian Gateway includes some pre-configured DNSBL server entries, this does not constitute an endorsement of their policies, nor does it imply that Outspring has any control over what gets listed in those databases. It is entirely possible that use of DNSBL may increase the number of false positives you receive.
Also, you should be aware that enabling the use of DNSBL on your Spamphibian Gateway may affect the amount of time it takes Spamphibian Gateway to process messages because it takes time for a DNSBL check to be performed.
How Spamphibian Gateway utilizes DNSBL
By default, Spamphibian Gateway is pre-configured to use two DNSBL service providers (sbl-xbl.spamhaus.org and list.dsbl.org). A third service is listed (bl.spamcop.net) but is not enabled by default. By default, Spamphibian Gateway quarantines messages sent from IP addresses that are blacklisted by any of the enabled DNSBL services.
To make Spamphibian Gateway drop incoming connections from blacklisted IP addresses choose "Block Connection" as the default action for DNSBL.
If you choose an action other than "Block Connection", Spamphibian Gateway will evaluate the message against other filters first.
Configuring DNSBL
To configure Spamphibian Gateway to use DNSBL, first select a Spamphibian Gateway from the "Servers" list on the left and then click the small triangle next to the name so that it points down and displays a list of services. Select the "Global Settings" service and then select the "DNSBL" segment in the segmented control located at the bottom of the panel to the right of the "Servers" list.
DNSBL settings
Check the "Use DNSBL for real time blacklisting" checkbox to enable use of DNSBL. Uncheck this checkbox if you wish to disable the use of DNSBL.
Filter Action
The "Filter action" control allows you to determine what will happen when Spamphibian Gateway receives an incoming SMTP connection request from an SMTP server whose IP address has been blacklisted by one of the DNSBL services Spamphibian Gateway is configured to use. By default this action is set to "Quarantine".
DNSBL Filter Action
Traditionally, DNSBL is used to block incoming connections before any mail is ever received from the blocked SMTP server. This means that if you're expecting mail from someone whose mail server just happens to be blacklisted, your server will never even receive their message. However, Spamphibian Gateway allows you to use all the same actions for DNSBL that are also used for its rule-based filtering. This means that when a connection is made from a blacklisted server, instead of missing the messages entirely, you can still receive messages from this blacklisted server and deal with them in your own way.
You can "Quarantine" messages from your DNSBL blocked connections, and if mail is ever missing, a simple search through your quarantined messages can find it. You can "Tag" these same kinds of messages instead and then route them to your inbox or your users' inboxes to be filtered there with custom rules. You also get the ability to bounce these messages or simply delete them should the need arise. In addition to all these options, you can still choose to simply block the connection, like traditional DNSBL, before the offending SMTP server has any chance to send any time-wasting spam.
Filtering Out Messages From Blacklisted IP Addresses
Spamphibian Gateway can be configured to reject an incoming connection if the sender's IP address is listed in one of the DNSBL services, or all of the DNSBL services. The first option means that if the IP address is found in any of the enabled services' databases then the connection will be rejected. The other option is to require that the IP address be found in all of the enabled services' databases before the connection is rejected.
Note, to add, edit or remove DNSBL entries, you must first enable DNSBL. DNSBL is a global setting and affects all incoming SMTP traffic for the Spamphibian Gateway.
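The DNSBL check and the "any service" versus "all services" choice described above can be illustrated with the standard DNSBL query convention from RFC 5782 (reverse the address, append the service's zone, treat an answer in 127.0.0.0/8 as a listing). This is an added example, not Spamphibian Gateway's own implementation; the function names, the fail-open handling of lookup errors and the canned DNS answers are assumptions constructed so that it runs offline. It also covers IPv6 addresses, which the manual does not discuss.

```python
import ipaddress
import socket

# RFC 5782: a listed address resolves to an A record inside 127.0.0.0/8.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name to look up for `ip` in the DNSBL `zone`."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                     # octets
    else:
        labels = list(addr.exploded.replace(":", ""))    # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.strip(".")


def system_resolve(name):
    """Real lookup through the system resolver; raises OSError on failure."""
    return socket.gethostbyname_ex(name)[2]


def listed_in(ip, zone, resolve=system_resolve):
    """True only if the zone returns a proper 127.0.0.0/8 listing answer."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        # NXDOMAIN or timeout: treated as "not listed" (fail open, an assumption).
        return False
    # Ignoring answers outside 127/8 protects against a zone or resolver that
    # answers every query, which would otherwise blacklist all senders.
    return any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers)


def check_sender(ip, zones, resolve=system_resolve, require_all=False):
    """Apply the 'any enabled service' or 'all enabled services' policy."""
    hits = [zone for zone in zones if listed_in(ip, zone, resolve)]
    if require_all:
        blacklisted = bool(zones) and len(hits) == len(zones)
    else:
        blacklisted = bool(hits)
    return blacklisted, hits


# Constructed DNS answers for the documentation address 192.0.2.99. The zone
# names are the pre-configured ones from the manual; the listings are made up.
CONSTRUCTED_ANSWERS = {
    "99.2.0.192.sbl-xbl.spamhaus.org": ["127.0.0.2"],
    "99.2.0.192.bl.spamcop.net": ["127.0.0.2"],
}


def fake_resolve(name):
    """Offline stand-in for DNS, including two failure modes."""
    if name.endswith(".wildcard.example"):
        return ["203.0.113.10"]                  # zone that answers everything
    if name.endswith(".down.example"):
        raise socket.gaierror("constructed lookup failure")
    return CONSTRUCTED_ANSWERS.get(name, [])


if __name__ == "__main__":
    zones = ["sbl-xbl.spamhaus.org", "list.dsbl.org"]
    print(dnsbl_query_name("192.0.2.99", zones[0]))
    print("any:", check_sender("192.0.2.99", zones, fake_resolve))
    print("all:", check_sender("192.0.2.99", zones, fake_resolve, require_all=True))
```

With the constructed data, the sender is blacklisted under the "any" policy but not under the "all" policy, because only one of the two enabled services lists it.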
Add a DNSBL Service
On the "DNSBL" tab, click the + button to add a new DNSBL server entry. A new line will be appended to the list and selected. Double-click on the DNSBL Service Address field for the new entry and type in the server address you would like to use; for example: sbl-xbl.spamhaus.org. Optionally, a Web Site can be added to the entry to keep track of the contact information for the list maintainer. Check the checkbox next to the address to enable Spamphibian Gateway to use that service.
Edit a service
To edit a DNSBL Service Address or the Web Site for a given entry in the list, simply double-click on the field you would like to modify and make your changes. An enabled checkbox next to a line indicates that Spamphibian Gateway will use that service address when performing DNSBL checks. Disabled DNSBL services are ignored by Spamphibian Gateway.
Remove or Disable a DNSBL Service
To remove a DNSBL Service Address from the list, click on the entry you would like to remove to select it, then click the - button. The entry will then be removed from the list.
If you just want to disable the service but keep it in the list, uncheck the checkbox to the left of the entry.
Chapter 5: Managing Your Messages
For each server, Spamphibian Gateway has three message folders to manage: "Quarantine Folder", "Retry Queue" and "Outspring Messages".
These folders can be found under the "Messages" item for each server in the "Servers" view. To view summary information about the folders, select the "Messages" item in the "Servers" view.
Message Summary
Folders
By default, Spamphibian Gateway will put rejected messages into the "Quarantine Folder". The "Retry Queue" will contain all the messages that Spamphibian Gateway has not been able to deliver, including: accepted messages, tagged messages, and bounce messages. "Outspring Messages" will contain emails and announcements from Outspring, regarding Spamphibian Gateway and the Spamcaster Service.
Messages View
To view the messages in the "Quarantine Folder", select the "Quarantine Folder" under the "Messages" item in the "Servers" view. To view the messages in the "Retry Queue", select the "Retry Queue" under the "Messages" item in the "Servers" view. To view the messages in "Outspring Messages", select "Outspring Messages" under the "Messages" item in the "Servers" view.
Quarantine Folder
Quick Search
If your Spamphibian Gateway receives a lot of unwanted messages, and you are using the "quarantine" action, you may find yourself with several thousand messages in your "Quarantine Folder". To help you manage lots of messages and quickly find a particular message, Spamphibian Gateway provides a "Quick Search" filter.
Quarantine Folder quick searched for gp@metrosense.com
Entering a value in the "Quick Search" text field will reduce the visible messages in the "Messages" view to only those messages whose "Sender", "Subject", or "Recipient" columns contain the specified value. Note, the "Quick Search" filter is case insensitive.
Columns
The columns that are shown by default are "Sender", "Subject", "Recipient", "Date" and "Size". There are also columns for "File Name", "Rule Type", "Rule Value", "Rule Source", and "Domain", but they are hidden by default. To change which columns are visible, use the "Message View Columns" menu item under the "View" menu.
The "Message View Columns" menu
Alternatively, you can control+click on the column header to get a popup that will allow you to choose which columns to show.
Column header popup
Column Name | Description | Header
"Sender" | The "MAIL FROM" SMTP protocol value. Note, this is not the "From:" header from the message. | X-Spamphibian-Sender
"Recipient" | All of the "RCPT TO:" SMTP protocol values. Note, these are not the values of the "To:" or "Cc:" headers in the message. | X-Spamphibian-Recipient
"Subject" | The subject of the message. | Subject
"Date" | The date the message arrived at the gateway. Note, this is not the value of the "Date:" header in the message. | n/a
"Size" | The size of the message in kilobytes (KB). | n/a
"File Name" | The name of the file on disk. | n/a
"Rule Type" (*) | The type of rule that rejected this message and caused it to be quarantined. Possible values are "spam", "phish", "virus" and "DNSBL". | X-Spamphibian-Rule-Type
"Rule Value" (*) | The value of the rule that rejected this message and caused it to be quarantined. Possible values are "<rule text>" and "DNSBL". | X-Spamphibian-Rule-Value
"Rule Source" (*) | The source of the rule that rejected this message and caused it to be quarantined. Possible values are: "Outspring", "Global", "<domain>", and "<DNSBL service provider>". | X-Spamphibian-Rule-Source
"Domain" | The domain part of the Recipient field. This column is useful when your Spamphibian Gateway is configured to filter messages for multiple domains. | n/a
(*) For messages in the "Retry Queue" and "Outspring Messages", this column will be blank.
Reordering and Resizing Columns
You can change the order of the columns by dragging on a column and dropping it. You can change the width of a column by grabbing the edge of the column and resizing it.
Sorting
To sort the messages in the "Messages" view, you can click on the column header.
Quarantine Folder sorted by Sender
Message Actions
There are four actions you can perform on the message: Delete, Deliver, Rescan and Redirect. Note, not all of the actions are enabled for all messages.
A message selected in the "Quarantine Folder" with all actions enabled.
Delete
To delete messages from the "Quarantine Folder", "Retry Queue" or "Outspring Messages", select the messages and click on the "Delete" button. Alternatively, you can use the "Delete" menu item under the "Edit" menu. Because you can't undo the delete action, you will be prompted to confirm the delete.
The "confirm delete" dialog
Deliver
To deliver messages in the "Quarantine Folder" or "Retry Queue", select the messages and click on the "Deliver" button. Alternatively, you can use the "Deliver" menu item under the "Message" menu or the Command-D shortcut.
Delivering a message in the "Quarantine Folder" will deliver it to the intended recipients. The "X-Spamphibian-Rule-Tag", "X-Spamphibian-Rule-Value", "X-Spamphibian-Rule-Source", "X-Spamphibian-Rule-Type" headers will be removed before delivering the message. See the "Dealing with False Positives" section for more information about the "Deliver" action.
Delivering a message in the "Retry Queue" will attempt to deliver the message to the intended recipients as soon as possible. Spamphibian Gateway may be busy delivering messages or may be unable to deliver the selected message.
Note: You can't "Deliver" messages in "Outspring Messages", because your Spamphibian Gateway is the intended recipient of these messages from Outspring. But, you can redirect them. See the "Redirect" section for more information.
Rescan
To rescan messages in the "Quarantine Folder", select the messages you want to rescan and click on the "Rescan" button. Alternatively, you can use the "Rescan" menu item under the "Message" menu or the Command-R shortcut. Rescanned messages may be removed from the "Quarantine Folder" or altered (see "Tag" section of "Chapter 4: Managing Your Filtering Services") depending on the changes made to your filter rules or filter actions since the message was originally filtered into the "Quarantine Folder". Check the "Logs" view to determine the effects of a "Rescan". For more information see the "Logs" section of "Chapter 3: Basic Spamphibian Gateway Administration". See "Dealing with False Positives" for more information about the "Rescan" action.
Note: You can't "Rescan" messages in the "Retry Queue" or "Outspring Messages".
Redirect
You may find it necessary to deliver a message to a recipient other than the intended recipient. To do this, use the "Redirect" command. To redirect messages from the "Quarantine Folder", "Retry Queue" or "Outspring Messages", select the messages and click on the "Redirect" button. Alternatively, you can use the "Redirect" menu item under the "Message" menu or the Command-Shift-R shortcut. You will be prompted to specify an email address to redirect the selected messages. For each server (in the "Servers" view), Spamphibian Gateway will persist the last email address that you have specified.
Redirecting a message to spamreports@spamcaster.outspring.com
Viewing a Message
To view the contents of a message, select the message in the "Messages" view. The contents of the selected message will be displayed in the "Message Display" view.
A message displayed
Spamphibian Admin can display messages in three formats: "Raw", "Plain" and "Sanitized". To change the message display format, click on the "Raw", "Plain" or "Sanitized" buttons beneath the "Message Display" view. Alternatively, use the "Message Content" menu item under the "View" menu.
While Spamphibian Gateway stores the entire message on disk in the standard RFC #822 format, Spamphibian Admin will not display the entire message when you select it. The "Raw" format is the headers and the "raw source" of the text parts of the original message. All non-text parts (such as inline images and binary attachments) are not shown. The "Plain" format is the simplified plain text version of the text parts of the original message. The "Sanitized" format is the sanitized HTML version of the original message. Unlike a typical email application such as Apple Mail or Outspring's QuickMail Client, Spamphibian Admin will not load any remote content when displaying a message. Spamphibian Admin offers all three formats so that you can evaluate whether a message is unwanted or not, without using a lot of network bandwidth.
When Spamphibian Gateway evaluates rules against a message, it compares the rules against the original message headers, the simplified content and the HTML content. See the "Simplified Content" section of "Chapter 4: Managing Your Filtering Services" for more details about the simplified content and HTML content.
Headers
When viewing a message in the "Raw" format, the first few lines will be the headers of the message. Among the standard RFC #822 headers there will be some special "X-Spamphibian" headers that are added to the message by Spamphibian Gateway.
The "Sender" of the message (which is the SMTP protocol "MAIL FROM" value) appears as the "X-Spamphibian-Sender" header. This matches the value in the "Sender" column of the "Messages" view. The intended "Recipients" of the message (which are the SMTP protocol "RCPT TO" values) appear as the "X-Spamphibian-Recipient" headers. This matches the "Recipient" column of the "Messages" view. Note, there can be multiple "X-Spamphibian-Recipient" headers in a single message.
For messages in the "Quarantine Folder", there are four additional "X-Spamphibian" headers: "X-Spamphibian-Rule-Tag", "X-Spamphibian-Rule-Type", "X-Spamphibian-Rule-Value", and "X-Spamphibian-Rule-Source".
The "X-Spamphibian-Rule-Tag" header indicates that the message has been rejected by Spamphibian Gateway. The value for this header is always "YES".
The "X-Spamphibian-Rule-Type" header indicates the type of rule that rejected this message and caused it to be quarantined. The possible values for this header are "spam", "phish", "virus" and "DNSBL".
The "X-Spamphibian-Rule-Value" header indicates the value of the rule that rejected this message and caused it to be quarantined. The possible values for this header are "<rule text>" and "DNSBL".
The "X-Spamphibian-Rule-Source" header indicates the source of the rule that rejected this message and caused it to be quarantined. The possible values are: "Outspring", "Global", "<domain>", and "<DNSBL service provider>".
For messages in the "Retry Queue", there is an additional "X-Spamphibian" header: "X-Spamphibian-Bounce-Reason". This header indicates the reason why the message is being bounced back to the sender.
There are no additional "X-Spamphibian" headers for messages in "Outspring Messages".
Managing the "Quarantine Folder"
Each server has a "Quarantine Folder" that contains quarantined messages for all domains handled by that server. As explained in "Chapter 4: Managing Your Filtering Services", the default filter action is "quarantine". The "quarantine" action will put rejected messages into the "Quarantine Folder" instead of delivering them to the intended recipient. The advantage of the "quarantine" action is it keeps unwanted messages from reaching the intended recipient. The disadvantage of the "quarantine" action is it requires an administrator to manage the "Quarantine Folder".
Two types of rejected messages can appear in the "Quarantine Folder": unwanted messages and false positives. False positives are good messages rejected by Spamphibian Gateway.
Dealing with Unwanted Messages
Here is Outspring's recommended strategy for dealing with unwanted messages:
1) Find all the unwanted messages in the "Quarantine Folder". You may find column sorting and "Quick Search" useful for finding unwanted messages. See the section on "Quick Search" for more details.
The "Quarantine Folder" quick searched for "ms office"
2) Delete all the unwanted messages using the "Delete" action.
Note: You can't undo the delete action.
See the "Message Actions" section for more details on the "Delete" message action.
Deleting unwanted messages prevents Spamphibian Gateway from using up disk space. Additionally, certain actions will be slower when you have lots of messages in the "Quarantine Folder".
Dealing with False Positives
After you have removed the unwanted messages, you will need to deal with any false positives that Spamphibian Gateway quarantined.
Here is Outspring's recommended strategy for dealing with false positives:
1) Find all the false positives in the "Quarantine Folder".
2) Determine which rule caused the false positive by selecting the message and looking at the "X-Spamphibian-Rule-Value" header in the "Message Display" view when in the "Raw" content mode.
If the false positive was caused by a rule from the Outspring Rule List, please issue a "Removal Request" using http://www.outspring.com/spamcaster-removal-request.html and we will modify our rules.
You may also want to add an "Accept" rule to your rules to avoid future false positives caused by this rule in the "Outspring rule list".
If the false positive was caused by a rule from your rules, you may want to modify your user rules to avoid future false positives.
3) Deliver all false positives by using the "Deliver" action. Alternatively, if you modified your user rules to deal with the false positive, you can use the "Rescan" action. See the "Message Actions" section for more information on the "Deliver" and "Rescan" actions.
Automatic Archival and Removal of Messages in the Quarantine Folder
To avoid running out of disk space, Spamphibian Gateway can be configured to automatically archive and remove old messages from the "Quarantine Folder".
By default, Spamphibian Gateway will archive messages after 7 days. Archived messages are not visible in the "Quarantine Folder".
By default, Spamphibian Gateway will not delete old archives.
To change these preferences, select the "Quarantine" tab in the "Global Settings" pane.
The "Quarantine" Settings
Note: Spamphibian Gateway will only archive and remove messages in the "Quarantine Folder" and will not archive and remove messages from the "Retry Queue" or the "Outspring Messages" folder.
See the "Archival and Removal" section of "Chapter 7: Advanced Spamphibian Gateway Administration" for information about how to recover an archive and how to skip a domain when performing the automatic archival and removal.
Managing the "Retry Queue"
Unlike the "Quarantine Folder", the "Retry Queue" does not usually require manual administration. The three actions that you can perform on messages in the "Retry Queue" are "Deliver", "Delete" and "Redirect". The "Deliver" action will attempt to deliver messages in the "Retry Queue" as soon as possible, instead of waiting until the next automatic attempt to deliver the message. The "Delete" action will remove messages from the "Retry Queue". This will prevent Spamphibian Gateway from further attempts to deliver them. The "Redirect" action will send the message to the address you specify in the "Redirect To:" dialog.
The "Retry Queue" may contain messages that the Spamphibian Gateway has not been able to deliver. Three types of messages can appear in the "Retry Queue": accepted, tagged, and bounce messages.
Accepted and Tagged Messages
Spamphibian Gateway will immediately attempt to deliver accepted and tagged messages to the destination server. For more about tagged messages, see the "Tag" section of "Chapter 4: Managing Your Filtering Services".
The "Retry Queue"
Note: Accepted messages will not contain "X-Spamphibian-Rule-Tag", "X-Spamphibian-Rule-Type", "X-Spamphibian-Rule-Value", or "X-Spamphibian-Rule-Source" headers.
Tagged messages will contain "X-Spamphibian-Rule-Tag", "X-Spamphibian-Rule-Type", "X-Spamphibian-Rule-Value", and "X-Spamphibian-Rule-Source" headers. Additionally, tagged messages will always have a subject that begins with the "spam subject prefix". By default, the "spam subject prefix" for Spamphibian Gateway is "***SPAM***". You can change this value by setting a hidden pref. See "Chapter 7: Advanced Spamphibian Gateway Management" for more information on how to change the "spam subject prefix".
If Spamphibian Gateway is unable to deliver an accepted or tagged message, it will be placed into the "Retry Queue". Spamphibian Gateway will attempt to deliver the message every 5 minutes for 72 hours. If Spamphibian Gateway is unable to deliver the message after 72 hours, the message will be removed from the "Retry Queue" and Spamphibian Gateway will send a bounce notifying the sender that the message delivery failed.
Bounce Messages
Spamphibian Gateway will immediately attempt to deliver bounce messages to the sender. Bounce messages can be the result of a failed message delivery or the "bounce" filter action. If Spamphibian Gateway is unable to deliver a bounce message it will be placed into the "Retry Queue". Bounce messages will contain a "X-Spamphibian-Bounce-Reason:" header.
A "bounce" message
Spamphibian Gateway will attempt to deliver the bounce message every 5 minutes for 72 hours. If Spamphibian Gateway is unable to deliver the bounce message after 72 hours, the bounce message will be removed from the "Retry Queue". To determine if any bounced messages have been removed from the "Retry Queue", check your "Log" view.
Managing "Outspring Messages"
Occasionally, Outspring may send you special messages about your Spamcaster Subscription, updates to Spamphibian Admin or Spamphibian Gateway or other announcements. These special messages will automatically appear in "Outspring Messages". You can't "deliver" the messages in "Outspring Messages" as your Spamphibian Gateway is the intended recipient of these messages. Because they are not spam, you can't "rescan" these messages, either. You can "delete" these messages, or "redirect" them to another recipient.
Chapter 6: Managing Your Domains
Each Spamphibian Gateway can be configured to filter spam for multiple domains. For each domain that you want your Spamphibian Gateway to filter, you will need to specify the "Domain Name" and the "Mail Server Address" (which is the destination SMTP server.)
Note: You can only specify one server as the "Mail Server Address" for a given domain. It is not possible to specify multiple SMTP servers, in order to "round robin" to multiple SMTP servers when delivering messages. If you have multiple SMTP servers, it is recommended that you configure multiple Spamphibian Gateways, one for each SMTP server.
Viewing Configured Domains
To view the list of domains that your Spamphibian Gateway is configured to receive and filter, select "Global Settings" under your server, and then select the "Domains" tab.
The "Domains Settings" tab
In the example above, the Spamphibian Gateway running on localhost (in this case, spamphibian.metrosense.com) is configured to receive and filter emails for metrosense.com, roadhog.us, and openexpressway.com. Accepted emails for these domains will be delivered to the SMTP servers running on mail.metrosense.com, mail.roadhog.us, and mail.openexpressway.com, respectively.
If a message arrives at your Spamphibian Gateway for a domain that is not listed in the "Domains" tab, it will be rejected. The incoming connection will get a "553 Mail relay turned off, connection refused." error message and the connection will be closed. This includes sub-domains of the domains listed in the "Domains" tab. This prevents your Spamphibian Gateway from being an open relay. Open relays are frequently abused by spammers and often become blacklisted by DNSBL providers. For more on DNSBL, see "Chapter 4: Managing Your Filtering Services".
In the example above, the Spamphibian Gateway will accept messages for email addresses of the metrosense.com domain, but not for email addresses of sub-domains of metrosense.com, such as info.metrosense.com. For the Spamphibian Gateway shown above to filter messages for the info.metrosense.com sub-domain, you would have to add the "info.metrosense.com" domain (with mail.metrosense.com as the "Mail Server Address" value.)
Adding a Domain
To add an additional domain, select "Global Settings" under your server, and then select the "Domains" tab. While viewing the "Domain Settings", click on the + button that is below the list of domains. A new entry will appear with "mydomain.com" as the "Domain Name" value and "mail.mydomain.com" as the "Mail Server Address" value. Click on these values to edit them. You can specify the "Mail Server Address" value by hostname or IP address. When you are done adding domains, click on the "Save" button. To revert the changes you've made since you last clicked "Save", click on the "Revert" button.
Note: After adding a domain, make sure you change the MX records for the domain you added to point to the machine running Spamphibian Gateway. Otherwise, mail for this domain will not arrive at the Spamphibian Gateway. See the "MX Record" section of Chapter 2 for more details.
After adding a domain, it will appear in the "Servers" view under "Global Settings" as well as the various domain popups. To further configure how Spamphibian Gateway handles messages for a particular domain, click on the domain in the "Servers" view under the "Global Settings" item.
There is practically no limit to the number of domains your Spamphibian Gateway can be configured to filter. However, having many domains filtered by a single gateway can lead to bottleneck and delivery delay issues. Check the "Load" tab of the "Monitor View" to see if your Spamphibian Gateway is frequently "busy".
A "busy" Spamphibian Gateway
To reduce the likelihood of your Spamphibian Gateway having to deny incoming connections because it is busy, you may want to increase the "Max Connections" setting of the "SMTP In Settings" section in the "SMTP" tab of the "Global Settings" view. Additionally, check the "Process time" statistic in the "Queues" tab of the "Monitor View" to determine if your server is overloaded. If Spamphibian Gateway is taking too long to process and deliver messages, you may want to increase the "Max Connections" setting of the "SMTP Out Settings" section under the "SMTP" tab of the "Global Settings" view.
Editing a Domain
To edit an existing "Domain Name" or "Mail Server Address" value, click and edit these values in the "Domains" tab of the "Global Settings" view. When you are done making changes, click on the "Save" button. To revert the changes you've made since you last clicked on the "Save" button, click on the "Revert" button.
Once you have changed the "Domain Name" value and clicked the "Save" button, Spamphibian Gateway will filter messages for the currently specified domain and will stop filtering messages for the previously specified domain.
Once you have changed the "Mail Server Address" value and clicked the "Save" button, Spamphibian Gateway will begin delivering accepted messages for the specified domain at the currently specified address and will stop delivering accepted messages at the previously specified address.
Before changing an existing "Domain Name" value, make sure the MX record no longer points to the Spamphibian Gateway, as the Spamphibian Gateway will no longer filter messages for that domain. Because MX records can take time to propagate, it may be a good idea to keep your Spamphibian Gateway configured to filter messages for "old" domains for 72 hours after you have changed your MX records.
After changing the "Domain Name" value, the new value will appear in the "Servers" view as well as the various domain popups. Any "per-domain" user rules for the previously specified domain will apply to the new domain.
For messages in the "Retry Queue" for a previously specified domain, Spamphibian Gateway will do an MX lookup to determine where to deliver the messages.
Messages for the previously specified domain in the "Quarantine Folder" will still be accessible, and you will still be able to "delete", "deliver", "rescan" and "redirect" these messages. Any actions that would cause these messages to be delivered to the originally intended recipients will cause Spamphibian Gateway to do an MX lookup to determine the destination SMTP server.
Removing a Domain
To remove an existing domain, click on the domain in the "Domains" tab of the "Global Settings" view and then click on the - button below the list of domains. When you are done removing domains, click on the "Save" button. To revert the changes you've made since you last clicked the "Save" button, click on the "Revert" button.
Once you have removed a domain and clicked the "Save" button, Spamphibian Gateway will stop filtering messages for the removed domain.
Before removing an existing domain, make sure the MX record no longer points to the Spamphibian Gateway, as the Spamphibian Gateway will no longer filter messages for that domain. Because MX records can take time to propagate, it may be a good idea to keep your Spamphibian Gateway configured to filter messages for "old" domains for 72 hours after you have changed your MX records.
After removing a domain, the removed domain will no longer appear in the "Servers" view or the various domain popups. Any "per-domain" user rules for the deleted domain will also be deleted.
For messages in the "Retry Queue" for a removed domain, Spamphibian Gateway will do an MX lookup to determine where to deliver the messages.
Messages for the removed domain in the "Quarantine Folder" will still be accessible, and you will still be able to "delete", "deliver", "rescan" and "redirect" these messages. Any actions that would cause these messages to be delivered to the originally intended recipients will cause Spamphibian Gateway to do an MX lookup to determine the destination SMTP server.
Managing Multiple Domains
Messages for all the domains on a given Spamphibian Gateway will appear together in the "Quarantine Folder", "Retry Queue" and "Outspring Messages". Additionally, the statistics for all your domains will appear together in the "Monitor" view, the "Filter overview", and the "Log" view. In order to narrow results to a specific domain, use the domain popups. Alternatively, you can use the "Domain" menu item under the "View" menu. For the "Quarantine Folder", "Retry Queue" and "Outspring Messages", you can also use "Quick Search" to limit messages to a particular domain by entering the domain in the text field.
Per-Domain Settings
For each domain, the only required setting is the "Mail Server Address", which you specify in the "Domains" tab of the "Global Settings" view. By default, all the settings in the "SMTP", "DNSBL" and "Filter" tabs under the "Global Settings" view apply to all domains on a given Spamphibian Gateway.
You can override the "SMTP Out" and "Filter" settings on a per-domain basis. By default, each domain uses the global "SMTP Out" and "Filter" settings as specified under the "SMTP" tab and the "Filter" tab of the "Global Settings" view.
"SMTP Out" settings for metrosense.com
To modify the "SMTP Out" settings on a per-domain basis, click the domain in the "Servers" view and then select the "SMTP" tab. For more about the "SMTP Out" settings, see "Chapter 7: Advanced Spamphibian Gateway Administration".
To modify the "Filter" settings on a per-domain basis, click the domain in the "Servers" view and then select the "Filter" tab.
"Filters" settings for metrosense.com
Per-domain filters take precedence over global filter rules as well as any Outspring rules. For more about the "Filter" settings, see "Chapter 4: Managing Your Filtering Services".
The "SMTP In" and "DNSBL" settings cannot be overridden on a per-domain basis as they affect the behavior of incoming SMTP traffic to the Spamphibian Gateway before the Spamphibian Gateway has determined the domain. For more about "SMTP In" settings, see "Chapter 7: Advanced Spamphibian Gateway Administration". For more about "DNSBL" settings, see "Chapter 4: Managing Your Filtering Services".
Chapter 7: Advanced Spamphibian Gateway Administration
Spamphibian Gateway was designed to be simple and easy to use, set up and configure, and to require very little advanced administration. But advanced administrators may find this chapter useful. This chapter assumes you have already read "Chapter 3: Basic Gateway Administration" and the other relevant sections of the manual.
Global SMTP In Settings
The "SMTP In Settings" for Spamphibian Gateway are global for all domains. To view the "SMTP In Settings", select the "SMTP" tab of the "Global Settings" pane.
SMTP In Settings
By default, the Spamphibian Gateway accepts incoming connections on port 25, which is the standard SMTP port. To change this value, use the "Port" field in the "SMTP In Settings" group.
By default, Spamphibian Gateway will handle 16 concurrent incoming SMTP connections. Beyond that limit, Spamphibian Gateway will tell incoming SMTP connections that it is temporarily busy, and to try again later. Specifically, incoming SMTP connections will get a "421 server busy. Try later" message before Spamphibian Gateway closes the connection. To change the maximum number of concurrent incoming SMTP connections, use the "Max Connections" field in the "SMTP In Settings" group. Note, increasing this value will increase the amount of resources Spamphibian Gateway will use.
By default, Spamphibian Gateway will wait 30 seconds before closing any inactive incoming SMTP connections. To change this value, use the "Timeout" field in the "SMTP In Settings" group.
Note: Unlike "SMTP Out Settings", there are no domain specific overrides for the "SMTP In Settings".
Global SMTP Out Settings
To view the global "SMTP Out Settings", select the "SMTP" tab of the "Global Settings" pane. Unlike the "SMTP In Settings", the global "SMTP Out Settings" for Spamphibian Gateway can be overridden on a domain specific basis. Note, the global "SMTP Out Settings" are also applied to any outgoing SMTP connections for domains not handled by Spamphibian Gateway, such as redirects, delivery failure notices, bounce messages and delivery of messages to domains not handled by Spamphibian Gateway.
SMTP Out Settings
By default, the Spamphibian Gateway will connect to destination SMTP servers on port 25, which is the standard SMTP port. To change this value, use the "Port" field in the "SMTP Out Settings" group. Note, for any outgoing SMTP connections for domains not handled by Spamphibian Gateway, this preference is ignored and the standard port 25 is always used.
By default, Spamphibian Gateway will make 4 concurrent outgoing SMTP connections to deliver mail to the destination SMTP servers. To change this value, use the "Max Connections" field in the "SMTP Out Settings" group. Increasing this value should reduce the "average process time" for messages. Note, increasing this value will increase the amount of resources Spamphibian Gateway will use.
By default, Spamphibian Gateway will send at most 16 messages during one session with a destination SMTP server. To change this value, use the "Max Messages Per Session" value.
By default, Spamphibian Gateway will wait 240 seconds before closing any inactive outgoing SMTP connections. To change this value, use the "Timeout" field in the "SMTP Out Settings" group.
If Spamphibian Gateway fails to deliver a message (due to timeout or temporary failure on the destination SMTP server), it will attempt to re-deliver every 10 minutes for 72 hours. To change how frequently Spamphibian Gateway attempts to re-deliver a message in a 72 hour period, use the "Retry Delay" field in the "SMTP Out Settings" group. To change the duration of the 72 hour period, see "smtp.out.max_retry_time" in the "Hidden Preferences" section below.
Domain Specific SMTP Out Settings
You can override all the global "SMTP Out Settings" on a domain specific basis. To view the domain specific "SMTP Out Settings", select the domain in the "Servers" view (under the "Global Settings" item) and click on the "SMTP" tab. By default, all domains heed the global "SMTP Out Settings" which are set in the "SMTP" tab of the "Global Settings" pane. To override the global "SMTP Out Settings" and use settings specific to a domain, check the "Override Global Settings" check box.
Domain Specific SMTP Out Settings
Quarantine Settings
To prevent the "Quarantine Folder" from using all the disk space, Spamphibian Gateway can be configured to automatically archive and delete old messages. To view or change the current "Quarantine" settings, select the "Quarantine" tab of the "Global Settings" pane.
Quarantine Settings
By default, Spamphibian Gateway will archive old messages in the "Quarantine Folder" after 7 days. Archived messages are stored on disk as .tbz files. (For example, /Library/Spamphibian/Quarantine/metrosense.com/2005-10-30.tbz)
Once a message is archived, it will not be accessible from Spamphibian Gateway until you manually restore the archive. To manually restore an archive you will need access to the machine running Spamphibian Gateway. Below is an example of how to manually restore an archive from a "Terminal" window.
# cd /Library/Spamphibian/Quarantine/metrosense.com/
# bunzip2 2005-10-30.tbz
# tar xvf 2005-10-30.tar
# mv 2005-10-30.archive 2005-10-30
# rm 2005-10-30.tar
You must rename the .archive folder in order to show it in the "Quarantine Folder" in Spamphibian Admin. You may need to quit and restart Spamphibian Admin in order to see the messages in the restored folder.
To avoid re-archival or deletion of a restored folder, a "skip" file is put into the folder before it is archived. (For example, /Library/Spamphibian/Quarantine/metrosense.com/2005-10-30/skip). If you create a "skip" file in any date folder it will not be automatically archived or deleted. If you create a "skip" file in any domain folder, none of the date folders in the domain folder will be automatically archived or deleted.
By default, Spamphibian Gateway will not delete old messages.
Note: Messages in the "Retry Queue" and "Outspring Messages" folder are not archived or deleted.
Administration Settings
To view the "Administration Settings", select the "Admin" tab of the "Global Settings" pane.
Administration Settings
By default, the Spamphibian Gateway communicates with Spamphibian Admin on port 2066. To change this value, use the "Server Port" field in the "Administration Settings" group. You may find it necessary to change this value if port 2066 is already in use or if that port is blocked by a firewall and you are forced to use another port.
Note, if you change the "Server Port" value you will need to change the "Server Port" field in the "Connections Settings" of Spamphibian Admin in order to communicate with Spamphibian Gateway. See the "Modifying Connection Settings" section of "Chapter 3: Basic Spamphibian Gateway Administration" for more information.
By default, Spamphibian Gateway will handle 4 concurrent Spamphibian Admin connections. To change this value, use the "Number of Connections" field in the "Administration Settings" group.
To change the username and password that Spamphibian Gateway requires from Spamphibian Admin during authentication, click the "Change Username and Password..." button in the "Administration Settings" group. Note, if you change these values, you will need to change the username and password in the "Connections Settings" of Spamphibian Admin in order to communicate with Spamphibian Gateway. See the "Modifying Connection Settings" section of "Chapter 3: Basic Spamphibian Gateway Administration" for more information.
Note: If you clear the password, you will not be able to use Spamphibian Admin from another machine to remotely administer Spamphibian Gateway. You will only be able to use Spamphibian Admin from the same machine running Spamphibian Gateway. To enable remote administration, your admin password must be non-empty.
See "Chapter 8: Remote Gateway Administration" for information about remote administration, including performance, privacy and security issues.
Multiple Windows
You may find it useful to view multiple panes of Spamphibian Admin at the same time. To open another "Spamphibian Admin" window, use the "New Window" menu item under the "File" menu. Alternatively, use the Command-N shortcut to open a new window.
Multiple Windows
Spamphibian Admin Preferences
By default, Spamphibian Admin will only retrieve the 5,000 most recent log entries. To change this value, open the "Spamphibian Admin Preferences" dialog by using the "Preferences..." menu item under the "Spamphibian Admin" menu. Alternatively, use the Command-, shortcut.
By default, Spamphibian Admin will retrieve 1,000 messages at a time from a folder. This keeps Spamphibian Admin responsive for folders with many messages. To change this value, open the "Spamphibian Admin Preferences" dialog by using the "Preferences..." menu item under the "Spamphibian Admin" menu. Alternatively, use the Command-, shortcut.
Spamphibian Admin Preferences
Advanced Log Management
By default, Spamphibian Gateway keeps (at most) the last 10,000 lines of log data on disk in the "/Library/Logs/Spamphibian" folder. This value is determined by two hidden preferences in spamphibiand.conf: "logs.max_lines_per_file" and "logs.max_files". To change the maximum number of log files, change the "logs.max_files" hidden preference, which defaults to 10. To change the maximum number of log entries per file, change the "logs.max_lines_per_file" hidden preference, which defaults to 1000. See the "Hidden Preferences" section below for more information.
Advanced Monitor Administration
By default, Spamphibian Gateway refreshes the statistics shown in the Monitor View every 15 seconds. To change how often Spamphibian Gateway refreshes the statistics, change the "stats.refresh_rate" preference in your spamphibiand.conf file.
Recording More Statistics
For the "5 minutes" data, Spamphibian Gateway will only record the last 432 intervals (for a total of one and a half days' worth of data). In order to change this amount, change the "stats.set.1.max_of" preference in your spamphibiand.conf file. This set of data is used for the "10 minutes", "15 minutes" and "30 minutes" graphs, as well. Changes made to the "stats.set.1.max_of" preference will affect those intervals as well.
For the "1 hour" data, Spamphibian Gateway will only record the last 336 intervals (for a total of 14 days' worth of data). In order to change this amount, change the "stats.set.2.max_of" preference in your spamphibiand.conf file. This set of data is used for the "3 hours", "6 hours" and "12 hours" graphs, as well. Changes made to the "stats.set.2.max_of" preference will affect those intervals as well.
For the "1 day" data, Spamphibian Gateway will only record the last 365 intervals (for a total of one year's worth of data). In order to change this amount, change the "stats.set.3.max_of" preference in your spamphibiand.conf file.
For the "1 week" data, Spamphibian Gateway will only record the last 260 intervals (for a total of about five years of data). In order to change this amount, change the "stats.set.4.max_of" preference in your spamphibiand.conf file.
For the "1 month" data, Spamphibian Gateway will only record the last 60 intervals (for a total of about five years of data). In order to change this amount, change the "stats.set.5.max_of" preference in your spamphibiand.conf file.
Resetting Statistics
To reset the statistics that are shown in the "Monitor" view, you need to delete all files in /Library/Spamphibian/Statistics. Before deleting these files, make sure to stop Spamphibian Gateway first.
Reducing Backscatter with "RCPT TO" Checking
In order to reduce backscatter, Spamphibian Gateway can be configured to do "RCPT TO" checking.
If enabled, this feature will cause Spamphibian Gateway to first check if the intended recipients of a message are known to the destination SMTP server.
To check if an intended recipient is known to the destination server, Spamphibian Gateway will open an SMTP connection to the destination server and issue "HELO", "MAIL FROM:", "RCPT TO:", and "QUIT" SMTP commands. The result of the "RCPT TO:" command is temporarily cached in Spamphibian Gateway to reduce the load on the destination server.
If the destination server is unreachable, or if the "HELO" or "MAIL FROM:" commands fail, Spamphibian Gateway will assume that the intended recipient is known by the destination SMTP server.
By default, Spamphibian Gateway will not do "RCPT TO" checking as it slows down message processing, and not all SMTP servers will report back if a recipient is unknown.
To enable "RCPT TO" checking for all domains, add this hidden pref to your spamphibiand.conf file:
smtp.in.check_rcpt_to = yes
For more information about setting hidden preferences, see the "Hidden Preferences" section of "Chapter 7: Advanced Spamphibian Gateway Administration".
To enable "RCPT TO" checking for a specific domain, add the following hidden prefs to your spamphibiand.conf file:
domain.n.smtp_in_overrideDefaults = yes
domain.n.smtp_in_check_rcpt_to = yes
...where n is the corresponding domain number.
To change the length of time the "RCPT TO" result is cached in Spamphibian Gateway, add the following hidden prefs to your spamphibiand.conf file:
# cache "good" values for 3600 seconds, or 60 minutes
smtp.in.rcpt_to_good_cache_entry_timeout = 3600 
# cache "bad" values for 1800 seconds, or 30 minutes
smtp.in.rcpt_to_bad_cache_entry_timeout = 1800
A "good" value is one where the SMTP server knows about the intended recipient, and responds with a 2xx result to the "RCPT TO:" command.
A "bad" value is one where the SMTP server does not know about the intended recipient, and responds with a 4xx or 5xx result to the "RCPT TO:" command.
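The probe, cache and fallback described in this section, as an added Python example (not Outspring's code). The names smtp_probe and RcptChecker are hypothetical, and three behaviours are assumptions the page does not state: "assume known" results are not cached, reply codes outside 2xx/4xx/5xx are treated like an unreachable server, and the cache key is the lower-cased address.

```python
import smtplib
import time

GOOD_TTL = 3600  # smtp.in.rcpt_to_good_cache_entry_timeout (value from the page)
BAD_TTL = 1800   # smtp.in.rcpt_to_bad_cache_entry_timeout (value from the page)


def smtp_probe(host, rcpt, mail_from, helo_name, port=25, timeout=30):
    """Run HELO, MAIL FROM:, RCPT TO:, QUIT against the destination server.

    Returns the RCPT TO: reply code, or None when the server is unreachable
    or HELO / MAIL FROM: fail (the cases the page treats as "assume known").
    """
    try:
        conn = smtplib.SMTP(host, port, timeout=timeout)
    except OSError:  # smtplib.SMTPException is a subclass of OSError
        return None
    try:
        for step in (lambda: conn.helo(helo_name), lambda: conn.mail(mail_from)):
            code, _ = step()
            if not 200 <= code <= 299:
                return None
        code, _ = conn.rcpt(rcpt)
        return code
    except OSError:
        return None
    finally:
        try:
            conn.quit()
        except OSError:
            pass


class RcptChecker:
    """Caches RCPT TO: results: 2xx is "good", 4xx or 5xx is "bad"."""

    def __init__(self, probe, good_ttl=GOOD_TTL, bad_ttl=BAD_TTL,
                 clock=time.monotonic):
        self.probe = probe        # callable(rcpt) -> reply code or None
        self.good_ttl = good_ttl
        self.bad_ttl = bad_ttl
        self.clock = clock
        self.cache = {}           # address -> (known, expires_at)

    def is_known(self, rcpt):
        key = rcpt.lower()        # assumption: addresses compared case-insensitively
        now = self.clock()
        entry = self.cache.get(key)
        if entry is not None and now < entry[1]:
            return entry[0]       # answered from cache, destination not contacted
        code = self.probe(rcpt)
        if code is not None and 200 <= code <= 299:
            self.cache[key] = (True, now + self.good_ttl)
            return True
        if code is not None and 400 <= code <= 599:
            # A temporary 4xx reply is cached as "bad" just like a 5xx reply.
            self.cache[key] = (False, now + self.bad_ttl)
            return False
        # Unreachable server, failed HELO / MAIL FROM:, or unexpected code:
        # the recipient is assumed to be known (assumption: not cached).
        return True


def demo():
    """Constructed replies standing in for a destination server."""
    replies = {
        "alice@metrosense.com": 250,      # known recipient
        "nobody@metrosense.com": 550,     # unknown recipient
        "deferred@metrosense.com": 451,   # temporary failure
    }
    checker = RcptChecker(replies.get)    # missing key -> None -> assume known
    addresses = list(replies) + ["anyone@metrosense.com"]
    return {addr: checker.is_known(addr) for addr in addresses}


if __name__ == "__main__":
    for address, known in demo().items():
        print(address, "known" if known else "unknown")
```

To probe a real server, pass `lambda rcpt: smtp_probe(host, rcpt, mail_from, helo_name)` as the `probe` argument.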
Hidden Preferences
The preferences below are considered hidden because there is no UI to change them in Spamphibian Admin. To change the value of a hidden preference, first stop Spamphibian Gateway, then edit the spamphibiand.conf file (located at /Library/Spamphibian/etc/spamphibiand.conf on the machine running Spamphibian Gateway). When you are done editing spamphibiand.conf, start Spamphibian Gateway. To stop and start Spamphibian Gateway, use the "Spamphibian Gateway" Preference Panel described in "Chapter 2: Setting Up Spamphibian Gateway".
If you remove the global.hostname pref from your spamphibiand.conf file, Spamphibian Gateway will reset it based on your machine's name.
global.hostname = "spamphibian.metrosense.com"
# number of minutes in 72 hours
smtp.out.max_retry_time = 4320  

# 0 = None , 1 = Generic, 2 = Transaction, 3 = Protocol, 4 = Debug
global.log_level = 2

# 0 = None , 1 = Generic, 2 = Transaction, 3 = Protocol, 4 = Debug
global.console_level = 0

filter.spam_subject_header_prefix = "***SPAM***"

admin.greeting = "Admin Service Ready"

smtp.in.greeting = "ESMTP Service Ready"
# IP address on which the admin service listens
# set it to [0.0.0.0] to listen on any of the available addresses
admin.server.address = [0.0.0.0]

# IP address on which the SMTP service listens
# set it to [0.0.0.0] to listen on any of the available addresses
smtp.in.0.address = [0.0.0.0]

# IP address the SMTP service uses to connect to other MX,
# set it to [0.0.0.0] to use any of the available addresses
smtp.out.address = [0.0.0.0]

# Loop count before cycle
smtp.in.loop_limit = 3

#Received header limit before reject
#DNSBL timeout cache pref
#DNSBL clear cache pref
#Changing strings in delivery failure or bounce messages
Setting up Spamphibian Gateway on the same machine as your SMTP server
As described in the "Overview" section of "Chapter 1: Introduction", it is recommended that you run Spamphibian Gateway on a machine separate from your destination SMTP server.
If you are unable to set up a second machine to host Spamphibian Gateway, you can run Spamphibian Gateway on the same machine as your destination SMTP server.
To do this, you will need to change the SMTP port of your SMTP server to be something other than port 25. For example, port 250. Spamphibian Gateway needs to listen on the standard port 25 for incoming SMTP traffic. Then, you will need to change the "Port" field in the "SMTP Out Settings" group of the "SMTP" tab to be 250. Then you will need to re-configure all of your users' email clients to use port 250 as the SMTP server port.
Alternatively, if you have a machine with multiple IP addresses and multihoming, you can also use the "smtp.in.0.address" hidden preference to run Spamphibian Gateway on the same machine as your destination SMTP server.
Advanced Filter Management
To enable administrators to share filters and to write and edit filters using a text editor, Spamphibian Admin allows administrators to export and import global filter rules as well as domain specific filter rules.
To export a rules file, select the "Filter" tab and use the "Export Rules..." menu item under the "File" menu. This will bring up the standard "Save" dialog. Choose where you want to save your rules file and hit "Save".
Export Rules Save Dialog
To import a rules file, select the "Filter" tab and use the "Import Rules..." menu item under the "File" menu. This will bring up the standard "Open" dialog. Choose the rules file you want to import and hit "Open".
Import Rules Open Dialog
When importing rules, Spamphibian Admin will merge the selected rules file with the rules already in the Filter view. If you want to replace the rules you will need to select and delete the rules in the Filter view first before importing.
Manually Editing Rule Files
Advanced users may find it easier to edit the global (or domain specific) filter rules in a text editor, instead of the "Filter" view within Spamphibian Admin. Please be aware that the rules on disk will appear differently than what is presented in the "Filter" tab. For more information, see the "Rule File Structure and Syntax" section below. There are two ways to manually edit a rule file: "export edit import" the rule file using Spamphibian Admin, or directly edit the rule file on the machine running Spamphibian Gateway.
The recommended way to manually edit a rule file is to "export edit import" the rule file using Spamphibian Admin. Alternatively, you can edit the rule files on the machine running Spamphibian Gateway. Before attempting to edit the rule files on disk, you should first stop Spamphibian Gateway. The filter rule files can be found in the "/Library/Spamphibian/Lists/" folder on the machine that is running Spamphibian Gateway.
Rule File Structure and Syntax
A rules file follows a specific structure and syntax.
The first line in a Spamphibian Gateway rule file must always be:
#<SPAMPHIBIAN><LISTVERSION: 1.000000>
This indicates to Spamphibian Gateway that this is indeed a Spamphibian list. If this line is not present or is modified in any way, Spamphibian Gateway will not load the rule file.
Rules must conform to a specific syntax in order to be correctly processed by Spamphibian Gateway. Different syntax is necessary for each of the different types of rule. Comments may be added to rule files by starting a line with a pound sign '#'. Any line which starts with this character will be ignored by Spamphibian Gateway. Rules must be grouped according to action and type by using the following headings:
[URLs] - URL or domain rules
[Strings] - string rules
[RegExs] - regular expression rules
[IPs] - IP number rules
[Parts] - part or attachment rules
Additional rule characteristics can be set by appending a <RULE_TAGS> tag to the end of the rule.
Examples:
"junk Mail Rule"<RULE_TAGS><IS><action>Default</action>
scam.biz<RULE_TAGS><DOMAIN><action>Default</action>
Instructions for the applicable <RULE_TAGS> for each rule type can be found in the following sections.
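A checker for hand-edited rule files, as an added Python example (not Outspring's code) that enforces the first-line header, the five headings and the trailing action element, and resolves the match type of each rule. It also covers the asterisk shorthand and quoting described in the "URLs" section; the names are hypothetical, and it assumes that blank lines are ignored, that the shorthand applies only under [URLs], and that an explicit tag takes precedence over asterisks.

```python
import re
from collections import namedtuple

HEADER = "#<SPAMPHIBIAN><LISTVERSION: 1.000000>"
SECTIONS = {"[URLs]", "[Strings]", "[RegExs]", "[IPs]", "[Parts]"}
TAG_TYPES = {"DOMAIN": "domain", "IS": "is", "STARTSWITH": "starts with",
             "ENDSWITH": "ends with", "CONTAINS": "contains"}
STAR_TYPES = {(False, False): "is", (False, True): "starts with",
              (True, False): "ends with", (True, True): "contains"}

# pattern, optional <RULE_TAGS><TAG>..., then <action>...</action> at line end
RULE_RE = re.compile(
    r"^(?P<pattern>.*?)"
    r"(?:<RULE_TAGS>(?P<tags>(?:<[A-Z_]+>)*))?"
    r"<action>(?P<action>[^<]*)</action>\s*$")
HEADING_RE = re.compile(r"\[[^\]]*\]\s*")

Rule = namedtuple("Rule", "line section text match tags action")


def match_type(section, pattern, quoted, tags):
    """Return (match type, text to match) for one rule."""
    for tag in tags:
        if tag in TAG_TYPES:
            return TAG_TYPES[tag], pattern   # explicit tag wins (assumption)
    if section != "[URLs]":
        return None, pattern                 # shorthand not applied here (assumption)
    if quoted:
        return "is", pattern                 # quoted asterisks are literal
    lead, trail = pattern.startswith("*"), pattern.endswith("*")
    text = pattern[1:] if lead else pattern
    if trail and text:
        text = text[:-1]
    return STAR_TYPES[(lead, trail)], text


def parse_rules(content):
    """Return (rules, errors); errors are (line number, message) pairs."""
    rules, errors = [], []
    lines = content.splitlines()
    if not lines or lines[0] != HEADER:
        return rules, [(1, "first line is not the list header; file will not load")]
    section = None
    for no, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith("#"):
            continue                         # blank line or comment
        if HEADING_RE.fullmatch(line):
            section = line.strip() if line.strip() in SECTIONS else None
            if section is None:
                errors.append((no, "unknown heading " + line.strip()))
            continue
        m = RULE_RE.match(line)
        if m is None:
            errors.append((no, "rule does not end with <action>...</action>"))
            continue
        if section is None:
            errors.append((no, "rule is not under a known heading"))
            continue
        pattern = m["pattern"]
        if "<RULE_TAGS>" in pattern:
            errors.append((no, "malformed <RULE_TAGS> content"))
            continue
        tags = tuple(re.findall(r"<([A-Z_]+)>", m["tags"] or ""))
        quoted = len(pattern) >= 2 and pattern[0] == pattern[-1] == '"'
        if quoted:
            pattern = pattern[1:-1]
        kind, text = match_type(section, pattern, quoted, tags)
        if not text:
            errors.append((no, "empty pattern"))
            continue
        rules.append(Rule(no, section, text, kind, tags, m["action"]))
    return rules, errors


# Constructed sample assembled from rule lines shown in this manual; line 9
# lacks its action, line 12 misspells a heading, line 13 follows that heading.
SAMPLE = """\
#<SPAMPHIBIAN><LISTVERSION: 1.000000>
# constructed sample
[URLs]
buysomething.biz<RULE_TAGS><DOMAIN><action>Default</action>
*.com/buy/stuff/here/*<action>Default</action>
*@spammer.biz<action>Default</action>
"www.evil.com/*./phish.cgi"<action>Default</action>
ramblinggrandparx.biz<RULE_TAGS><STARTSWITH><action>Default</action>
drugsforcheap.com/buy/stuff/*
[Strings]
"junk Mail Rule"<RULE_TAGS><IS><action>Default</action>
[Urls]
scam.biz<RULE_TAGS><DOMAIN><action>Default</action>
"""

if __name__ == "__main__":
    parsed, problems = parse_rules(SAMPLE)
    for rule in parsed:
        print(rule.line, rule.section, rule.match, repr(rule.text), rule.action)
    for number, message in problems:
        print("line", number, "ERROR:", message)
```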
URLs
URL rules are case-insensitive, string-based rules and may be one of four different string types:
  • is - no other characters next to first or last characters in string
  • starts with - no other characters next to first character in string
  • ends with - no other characters next to last character in string
  • contains - general search for string anywhere in text of message URLs
  • Asterisks ( * ) are used to signify that the rule is one of the above types.
    1) is - no asterisks
    ramblinggrandparx.biz<action>Default</action>
    
    2) starts with - asterisk at end of string
    ramblinggrandparx.biz*<action>Default</action>
    
    3) ends with - asterisk at beginning of string
    *ramblinggrandparx.biz<action>Default</action>
    
    4) contains - asterisk at both beginning and end of string
    *ramblinggrandparx.biz*<action>Default</action>
    
    Alternatively, you can use the <RULE_TAGS> tag:
    1) is - ramblinggrandparx.biz
    ramblinggrandparx.biz<RULE_TAGS><IS><action>Default</action>
    
    2) starts with - ramblinggrandparx.biz*
    ramblinggrandparx.biz<RULE_TAGS><STARTSWITH><action>Default</action>
    
    3) ends with - *ramblinggrandparx.biz
    ramblinggrandparx.biz<RULE_TAGS><ENDSWITH><action>Default</action>
    
    4) contains - *ramblinggrandparx.biz*
    ramblinggrandparx.biz<RULE_TAGS><CONTAINS><action>Default</action>
    
    There are two different types of URL rules:
    1) Domains
    Domains are always located as exact matches with the type set to is, once the rule is established as a domain. Domains must be specified using the <DOMAIN> rule tag. Examples:
    buysomething.biz<RULE_TAGS><DOMAIN><action>Default</action>
    spamspamspam.com<RULE_TAGS><DOMAIN><action>Default</action>
    sellyoujunk.info<RULE_TAGS><DOMAIN><action>Default</action>
    
    2) URL fragments
    You can also write rules for specific URLs or URL fragments. The following are valid URL fragment rules:
    www.drugsforcheap.com/buy/stuff/here/index.html<action>Default</action>
    *.com/buy/stuff/here/*<action>Default</action>
    */here/index.html<action>Default</action>
    drugsforcheap.com/buy/stuff/*<action>Default</action>
    spammer@spammer.biz<action>Default</action>
    *@spammer.biz<action>Default</action>
    
    Note: Do not include URL protocol schemes when creating URL or domain rules. These include:
    Note: Spamphibian URL rules will only apply to http, https and mailto URLs. For other URL types, you will need to use string rules.
    If you wish to use asterisks as part of a rule, you must enclose the rule within quotation marks. For example:
    "www.evil.com/*./phish.cgi"<action>Default</action>
    If you wish to use + as part of a rule, you must enclose the rule within quotation marks. For example:
    "www.evil.com/test.cgi?foo+bar"<action>Default</action>
    IMPORTANT: URL rules must be encoded on disk.
    In order to allow URLs with reserved, control, non-ASCII and unsafe characters, you must encode your URL rules following RFC 1738 (section 2.2).
    Some examples:
    When Spamcaster loads URL rules from disk, it will always decode them in order to properly compare them to the URLs from messages which have also been decoded.
    Text Strings (Phrases)
    String rules use the same search types as described above: is, contains, starts with, and ends with. Examples:
    1) is
    viagrayy<action>Default</action>
    
    2) starts with
    makemoneyfast*<action>Default</action>
    
    3) ends with
    *rolex<action>Default</action>
    
    4) contains
    *nigerian*<action>Default</action>
    
    Alternatively, you can use the <RULE_TAGS> tag:
    1) is
    viagra<RULE_TAGS><IS><action>Default</action>
    
    2) starts with
    makemoneyfast<RULE_TAGS><STARTSWITH><action>Default</action>
    
    3) ends with
    rolex<RULE_TAGS><ENDSWITH><action>Default</action>
    
    4) contains
    nigerian<RULE_TAGS><CONTAINS><action>Default</action>
    
    String rules may also be combinations of words or strings. Combinations are signified by separating words or phrases with plus signs ( + ). Examples:
    eat + at + joes<action>Default</action>
    eat at joes + hand of doom<action>Default</action>
    
    The words or phrases in a combination may exist anywhere within the message, including the headers. When combinations are used, the normal search types are ignored. A match occurs on a combination rule only if all the words or phrases in a combination are found within the body of a message. If you wish to use a + sign as part of a rule without creating a combination, you must enclose the rule within quotation marks.
    "eat + at + joes"<action>Default</action>
    
    If you wish to use asterisks as part of a rule, you must enclose the rule within quotation marks. To match on the string "eat at joes*", you would do:
    "eat at joes*"<action>Default</action>
    
    However, the asterisks to signify the search type must lie outside of the quotation marks:
    *"eat + at + joes"*<action>Default</action>
    
    Note, all string rules are case insensitive.
    IMPORTANT: String rules must be encoded on disk. See the section on "Special Characters" for which characters need to be encoded.
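The quoting rules above decide whether an asterisk or plus sign is literal text, a search-type marker or a combination separator, so a misplaced quotation mark silently changes what a rule matches. The following added example (not part of the original manual or of Outspring's software; classify_string_rule is a hypothetical name) reports how a string rule line reads under the rules described in this section. It does not decode the on-disk escaping of special characters.

```python
import re

RULE_RE = re.compile(r"(.*?)(?:<RULE_TAGS><(\w+)>)?<action>(\w+)</action>")
TAG_TYPES = {"IS": "is", "STARTSWITH": "starts with",
             "ENDSWITH": "ends with", "CONTAINS": "contains"}
STAR_TYPES = {(False, False): "is", (False, True): "starts with",
              (True, False): "ends with", (True, True): "contains"}

def classify_string_rule(line):
    """Return (search_type, terms, action) for one [Strings] rule line."""
    m = RULE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a rule line: " + line)
    pattern, tag, action = m.groups()
    if tag:                                   # explicit <RULE_TAGS> form
        if tag not in TAG_TYPES:
            raise ValueError("not a string search type: " + tag)
        return TAG_TYPES[tag], [pattern.strip('"')], action
    terms, cur, quoted, lead, trail = [], "", False, False, False
    for ch in pattern:
        if ch == '"':
            quoted = not quoted               # quotes make * and + literal
        elif quoted:
            cur += ch
        elif ch == "+":
            terms.append(cur.strip())         # unquoted + splits a combination
            cur, trail = "", False
        elif ch == "*":
            if cur.strip() or terms:
                trail = True                  # asterisk after the text
            else:
                lead = True                   # asterisk before the text
        elif trail and not ch.isspace():
            raise ValueError("unquoted * inside the rule text")
        else:
            cur += ch
    if quoted:
        raise ValueError("unterminated quotation mark")
    terms.append(cur.strip())
    if len(terms) > 1:                        # search type is ignored
        return "combination", terms, action
    return STAR_TYPES[(lead, trail)], terms, action

if __name__ == "__main__":
    for rule in ('*"eat + at + joes"*<action>Default</action>',
                 'eat at joes + hand of doom<action>Default</action>',
                 '"eat at joes*"<action>Default</action>'):
        print(classify_string_rule(rule))
```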
    IP Numbers and IP Ranges
    IP address rules may be one of four types as search rules:
    1) A single, fully qualified IP number:
    192.168.0.1<action>Default</action>
    
    2) A range using two IP numbers and a hyphen:
    192.168.0.2-192.168.0.25<action>Default</action>
    
    3) A range using a partially formed IP number with an asterisk:
    192.168.0.*<action>Default</action>
    192.168.*.*<action>Default</action>
    192.*.*.*<action>Default</action>
    
    Note, the * characters must be at the end of the range. The following ranges are invalid:
    192.*.*.1, 192.168.*.1, *.*.0.1, etc.
    
    The following range is invalid: *.*.*.*
    4) A range using a partially formed IP number with a mask:
    192.168.0.1/24<action>Default</action>
    
    Note: This example is equivalent to 192.168.0.*, as the mask fixes the first 24 bits.
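To see exactly which addresses an IP rule covers before adding it to a list, the four forms above can be reduced to a first and last address. This is an added example, not part of the original manual or of Outspring's software; the function names are hypothetical, and the functions take only the pattern part of a rule (the text before the action tag).

```python
import ipaddress

def ip_rule_range(rule):
    """Return (first, last) IPv4Address covered by an IP rule pattern.

    Raises ValueError for the forms the manual lists as invalid.
    """
    if "-" in rule:                               # type 2: first-last
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in rule.split("-", 1))
        # Assumption: the manual does not say how a reversed range is
        # treated, so it is rejected here.
        if lo > hi:
            raise ValueError("range start is above range end")
        return lo, hi
    if "/" in rule:                               # type 4: address/mask
        net = ipaddress.IPv4Network(rule, strict=False)
        return net[0], net[-1]
    octets = rule.split(".")                      # types 1 and 3
    if len(octets) != 4:
        raise ValueError("expected four dot-separated fields")
    fixed = [o for o in octets if o != "*"]
    # Asterisks are only valid as a trailing run, and not in every field.
    if not fixed or octets[:len(fixed)] != fixed:
        raise ValueError("asterisks must be at the end of the rule")
    pad = 4 - len(fixed)
    lo = ipaddress.IPv4Address(".".join(fixed + ["0"] * pad))
    hi = ipaddress.IPv4Address(".".join(fixed + ["255"] * pad))
    return lo, hi

def ip_rule_matches(rule, address):
    """True if the dotted-quad address falls inside the rule's range."""
    lo, hi = ip_rule_range(rule)
    return lo <= ipaddress.IPv4Address(address) <= hi

if __name__ == "__main__":
    for rule in ("192.168.0.1", "192.168.0.2-192.168.0.25",
                 "192.168.*.*", "192.168.0.1/24"):
        print(rule, "->", *ip_rule_range(rule))
```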
    Parts and Attachments
    Parts rules consist of the name of the attachment. Examples:
    virus<action>Default</action>
    .pif<action>Default</action>
    iloveyou<action>Default</action>
    knownvirus.zip<action>Default</action>
    
    Note, attachment names are always searched as a contains rule, and they are case insensitive.
    Actions
    Every rule must have an action, or defer to the default action. As mentioned in "Chapter 4: Managing Your Filtering Services" the available actions are Tag, Accept, Bounce, Delete and Quarantine.
    To write a string rule for "make money fast" that takes the "Default" action, you would do:
    "make money fast"<action>Default</action>
    
    To write a string rule for "make money fast" that takes the "Tag" action, you would do:
    "make money fast"<action>Tag</action>
    
    To write a string rule for "make money fast" that takes the "Bounce" action, you would do:
    "make money fast"<action>Reject</action>
    
    To write a string rule for "make money fast" that takes the "Delete" action, you would do:
    "make money fast"<action>Purge</action>
    
    To write a string rule for "make money fast" that takes the "Quarantine" action, you would do:
    "make money fast"<action>Quarantine</action>
    
    To write a string rule for "make money fast" that takes the "Accept" action, you would do:
    "make money fast"<action>Accept</action>
    
    Special Characters
    On disk, special characters (such as [ ] < > and #) are escaped. When displayed in the "Filter" view, these special characters will appear normally.
    If you want to edit the rule files on disk, you must escape the special characters.
    Some examples:
    Migrating Rules from Spamcaster 1.0.x to Spamphibian Gateway
    If you are currently using QuickMail Server 3.5.x with Spamcaster 1.0.x, it is possible to import your filter rules into Spamphibian Gateway. Locate your Spamcaster 1.0.x rule files (typically "/Applications/QuickMail Server 3.5.3/Settings/Spamcaster/Lists/Blacklist.txt" and "/Applications/QuickMail Server 3.5.3/Settings/Spamcaster/Lists/Whitelist.txt") and use the "Import Rules..." menu item under the "File" menu, when viewing the "Filter" tab of a particular domain. If you want your Spamcaster 1.0.x rules to apply to all domains filtered by Spamphibian Gateway, use the "Import Rules..." menu item when viewing the "Filter" tab for "Global Settings".
    Disk Layout
    Here are the files and folders that Spamphibian Gateway keeps on disk:
    /Library/Spamphibian/Data (at most, the last six rule files from Outspring.)
    /Library/Spamphibian/Lists (the global and domain specific rule files)
    /Library/Spamphibian/Queue (the messages in the incoming, outgoing and retry queues)
    /Library/Spamphibian/Quarantine (the messages in the "Quarantine Folder", organized by domain and date, including any archived messages.)
    /Library/Spamphibian/Outspring (the messages in the "Outspring Messages", organized by domain and date)
    /Library/Spamphibian/Statistics (the raw stat files, in binary format, organized by global and domain)
    /Library/Spamphibian/bin (the Spamphibian Gateway binaries)
    /Library/Spamphibian/etc (the Spamphibian Gateway configuration files)
    /Library/Logs/Spamphibian/ (the log files)
    Archival and Removal
    Recovering an Archive
    Messages are archived by date within each "domain" folder. For example, the archive of quarantined messages for the "metrosense.com" domain for 11/20/2005 is in the following archive:
    /Library/Spamphibian/Quarantine/metrosense.com/2005-11-20.tbz
    Archived messages are not accessible to Spamphibian Admin. To access archived messages using Spamphibian Admin you will need to un-archive them first.
    Here are the steps to unarchive an archive (.tbz) file:
    # cd /Library/Spamphibian/Quarantine/metrosense.com/
    # bunzip2 -cd 2005-11-20.tbz | tar xvf -
    # mv 2005-11-20.archive 2005-11-20
    
    After restoring and renaming the .archive folder, you will be able to view the messages in Spamphibian Admin.
    Note: To avoid automatic archival or removal of a restored archive, a "skip" file has been added to the folder.
    /Library/Spamphibian/Quarantine/metrosense.com/2005-11-20/skip
    The "skip" file
    To avoid automatic archival or removal of a domain in the "Quarantine Folder", create a "skip" file in the directory. For example:
    /Library/Spamphibian/Quarantine/metrosense.com/skip
    You can also avoid automatic archival or removal by date. For example:
    /Library/Spamphibian/Quarantine/metrosense.com/2005-11-20/skip
    Note: To allow the folder to be archived or removed, remove the "skip" file.
    Chapter 8: Remote Spamphibian Gateway Administration
    Remote Administration
    Once you have established a remote connection, you can use Spamphibian Admin to monitor and administer the remote Spamphibian Gateway just as you would if you were running Spamphibian Admin on the same machine.
    Warning: If you remove the admin username and password from a remote connection, Spamphibian Admin will be unable to automatically re-establish your remote connection.
    Installation
    If you do not already have the Spamphibian Admin, you can obtain it directly from our website at http://www.outspring.com/downloads/spamphibian.html
    Spamphibian Admin is a drag and drop install. After downloading, simply open up the "Spamphibian Admin" folder and drag the application to copy it to the location of your choice. Typically, you would copy the application into your "Applications" folder.
    [Figure: Drag and drop install]
    After you have copied the Spamphibian Admin application, click on the Spamphibian Admin icon to launch it. You will be prompted to agree to the license. Please read the license, and if you agree to the terms, hit "Agree". If you do not agree, hit "Disagree". You will be unable to use Spamphibian Admin unless you agree to the license.
    [Figure: License Agreement]
    After you have agreed to the license, Spamphibian Admin will start and prompt you to enter the settings to connect to your Spamphibian Gateway.
    [Figure: Default connection settings]
    By default, the connection settings point to the local machine. You will want to replace the "Server Name" and "Server Address" fields with the hostname of the machine running Spamphibian Gateway that you want to administer. You will also need to provide the Spamphibian Gateway admin port (2066, by default), the username and the password that you entered when you configured Spamphibian Gateway.
    [Figure: Modified connection settings]
    After connecting, you may be prompted to activate the remote Spamphibian Gateway.
    [Figure: Reminder to activate]
    Note: If you did not configure a username and password for your Spamphibian Gateway, you will be unable to connect to it remotely. If there is no password, Spamphibian Gateway will only accept local connections. To set the username and password you will need to use Spamphibian Admin on the same machine as Spamcaster Gateway. For more information on how to change the admin username and password, see "Chapter 7: Advanced Spamphibian Gateway Administration". If you are having problems establishing a remote connection, see "Chapter 9: Troubleshooting".
    Performance Issues
    Depending on the speed of your network connection, you may notice some performance issues while using Spamphibian Admin to remotely administer Spamphibian Gateway. In particular, it may be slower to display the "Logs" view, the "Monitor" view, and "Quarantine Folder" because the data needs to be downloaded from the remote Spamphibian Gateway before it can be displayed. The speed of your network connection between Spamphibian Admin and Spamphibian Gateway will affect the performance.
    Privacy and Security Issues
    The data exchanged between Spamphibian Admin and Spamphibian Gateway is not encrypted. This includes your username and password as well as the contents of any emails you display in the "Message" view. For this reason, it is recommended that you use Spamphibian Admin and Spamphibian Gateway behind your firewall, and not over the Internet.
    Chapter 9: Troubleshooting Guide
    The table below lists some common problems and solutions to help you troubleshoot Spamphibian Gateway and Spamphibian Admin.
    Problem | Solution
    Unable to make a remote connection between Spamphibian Admin and Spamphibian Gateway. | Make sure your password is not empty.
    Unable to make a local connection between Spamphibian Admin and Spamphibian Gateway. | Make sure you can access port 2066 on the remote machine.
    Spamphibian Gateway is not receiving any mail. | Make sure your MX records are correct.
    Spamphibian Gateway is receiving mail, but not filtering anything. | Make sure your demo has not expired.
    No Outspring rules. | Make sure you have registered your Spamphibian Gateway.
    Disable the Existing SMTP Server
    If there is an SMTP server running on the machine you wish to install Spamphibian Gateway on, you will need to disable it. Only one SMTP server can listen on port 25 at a time, and Spamphibian Gateway is an SMTP server. By disabling or uninstalling any SMTP servers on the target system you will avoid any conflicts (over port 25) that may occur. For information on how to disable the SMTP server currently running on your target system, please refer to the documentation that came with your server application.
    Mac OS X Server 10.4 (Tiger) comes with Postfix on by default. SMTP servers will try to listen to incoming connections on the standard SMTP port (25). You will need to disable Postfix (and any other SMTP servers) to use Spamphibian Gateway.
    Firewall Issues
    Port 2066 for Spamphibian admin protocol
    Port 25 for SMTP protocol