Page discontiuned

This blog is no longer maintained

Please visit:
Official website:
Community page:

Training Bayes

I’m writing this because understanding Bayesian (Bayes) filter is critical in environments with high traffic email.
Administering high traffic might be difficult, but having high traffic with reach content is important for learning.

First aspect:
Bayes learning filter needs, at least, 200 SPAM messages and 200 HAM messages in order to become active.
Both types of messages (ham and spam) must met some technical requirements in order to be learned (SPAM: 3 header tokens + 3 body tokens; HAM: only 3 body tokens).
Both SPAM and HAM messages are various in content (even languages differ). Thus, the overall email traffic may vary from one day/week to the next one, from one company to another.

By design, Bayes filter learns (by itself) gradually from your email traffic.
Let the learning system (bayes, spamassassin) work as was designed, by itself from your email traffic.

Second aspect:
Along with Bayes, Network Rules play an important role when Bayes is not active (and a less important one after Bayes has become effective).
Network rules (such as IP/URL checks against RBLs) use a delay in order to avoid flooding against providers.

Few flooding spam messages may pass because RBLs (network rules) checks are skipped due their safety mechanism. A well trained/adjusted bayes will compensate these cases, in Scrollout.

In the end:
Spam messages that have not been seen before, sent from legit sources, containing legit elements (IPs,URLs), are most difficult to catch.
Is not possible to stop All-Spam messages in 2 hours work, feeding 200+200 different messages.
Feeder’s scope is to adjust learning system and cover these occasionally cases.

Scrollout wins 2nd Virus Bulletin award

Scrollout wins 2nd Virus Bulletin award

Tips & tricks

Assign an outbound IP address per domain

Assigning an outbound IP address to a Sender Domain may:
Prevent default IP from losing reputation when a Sender Domain is not trusted.
Increase delivery/quality by associating an IP with good reputation to a Sender Domain.
Increase limits/time by associating an IP with good throughout to a Sender Domain.
Build reputation for a new IP using a Sender Domain with normal transactions.
Isolate a Sender Domain from being associated with others.

Disclaimer per domain

A disclaimer for each domain can be added in /var/www/disclaimer/

Useful Bounce

You can add an URL page and a phone number for support. (web GUI > ROUTE)
These will appear in the returned bounce error.
Instead of phone number you can add an unfiltered email address such as You can add as an alias to your mailbox, on your email server. But postmaster may become target for spam.
telnet 25
220 ESMTP  – Scrollout – Scrollout F1 2012-10-03
502-5.5.2 Error: command not recognized
502 5.5.2 For assistance, see or contact +40720xxxyyy. Please provide the following information in your problem report: Time: (Jan 30 10:43:07), Client: (, Server: (

Tag only the spam

You can choose to TAG only the spam messages as following:
1. Go to ROUTE
2. Click on Quarantine
3. Input a score value of 5 in the first field and 999 in the second field.

Install Kaspersky

Install Kaspersky Anti-Virus for Linux Mail Server

Kaspersky Anti-Virus is a commercial (non-free) anti-virus with a trial period.


1. Download three files on a Windows PC (the antivirus application and two trial activation files).
2. Transfer all three files on Scrollout F1, in a temp folder (/tmp).
3. Install & configure the antivirus:
license agreement, enable automatic update, change the user, integration etc.


1. Download three files on a Windows PC (the antivirus application and two trial activation files).

Choose Version 5.6 ( for Linux (deb)

You need to request a trial activation key from:

You will receive an email with two files attached (.key and .txt files). Save both files (.key and .txt) in same location with .deb file.

2. Transfer all three files on Scrollout F1, in a temp folder (/tmp).

Use WinSCP ( to transfer the .deb, .key and .txt files from your Windows PC to Scrollout F1. I choose /tmp folder for permission reasons.

3. Install & configure the antivirus

Go to Scrollout F1 terminal and run:
cd /tmp
dpkg -i kav4lms_5.6-48_i386.deb

You’ll be asked to agree or disagree the License terms.
You’ll be asked to answer basic configuration settings.

At this step:
Set up mail server anti-virus protection.
The following mail server(s) have been found on the server:
1) No integration
3) Postfix (/etc/postfix/
Please choose 1-2:

Choose 1) No integration

Run in terminal:
chown amavis:amavis -R /etc/opt/kaspersky/; chown amavis:amavis -R /var/opt/kaspersky/; chown amavis:amavis -R /var/log/kaspersky/; chown amavis:amavis -R /var/run/kav4lms/

/opt/kaspersky/kav4lms/bin/ –switch-credentials=amavis,amavis

/opt/kaspersky/kav4lms/bin/ –remove-services

Update Scrollout F1:
Change the value in /var/www/ver
Run /var/www/bin/

Optional tasks

Check the current key:
/opt/kaspersky/kav4lms/bin/kav4lms-licensemanager -s

Add a new key:
/opt/kaspersky/kav4lms/bin/kav4lms-licensemanager -a /path-to/filename.key

apt-get autoremove –purge kav4lms
/etc/init.d/amavis restart

Install BitDefender

BitDefender for Unices (Unixes) is a commercial (non-free) antivirus product with 30 days free trial.

Many well known antivirus products can be added thanks to Amavisd-new module, but the command-line installation for BitDefender is very easy (takes 3-5 minutes).

Note: During the following steps, you will be required to read (accept or decline) the license terms.

Installation steps

Edit /etc/apt/sources.list and add the line below:
deb bitdefender non-free

sudo apt-key add bd.key.asc
sudo apt-get update
sudo apt-get install bitdefender-scanner
sudo bdscan

Read the license terms, accept or decline.

sudo /etc/init.d/amavis restart
Scrollout will show Found primary av scanner BitDefender at /usr/bin/bdscan in Monitor > Logs.

Update the antivirus:
sudo bdscan –update

Activate a new license key

If you decide to purchase a license key, you need to change the “key =” value in file /opt/BitDefender-scanner/etc/bdscan.conf


If you decide to uninstall:
sudo apt-get autoremove –purge bitdefender-scanner -y
rm -fr /opt/BitDefender*

Install Avast

Install Avast Anti-Virus Home Edition for Linux

Avast Anti-Virus Home Edition is a commercial (non-free) anti-virus with a free version for home use (not for business).

Register and obtain a License:
By registering you agree with these terms.

Download the Home Edition (non-business) for evaluation purpose:
cd /tmp
wget -O avast4workstation_1.3.0-2_i386.deb

dpkg -i avast4workstation_1.3.0-2_i386.deb

Increase shared memory:
sysctl -w kernel.shmmax=2147483648

Remove the existing serial key file (if any):
rm -fr ~/.avast/avastrc

Execute avast for the first time. It will ask for new key:

Update avast:

Schedule hourly update:
printf ‘#!/bin/bash\navast-update > /dev/null 2>&1\n’ > /etc/cron.hourly/avast
chmod +x /etc/cron.hourly/avast

Allow amavis to access the new key file:
chown amavis.amavis ~/.avast/avastrc

Update Scrollout F1:
Change the date in /var/www/ver
Run /var/www/bin/

apt-get autoremove –purge avast4workstation
rm -fr /etc/cron.hourly/avast
/etc/init.d/amavis restart

How to Update

Run the Update

See the latest changes here

1. Go to Linux console.
2. rm /var/www/ver
3. /var/www/bin/

Configure Scrollout F1 email firewall

An email gateway (a.k.a. firewall) is a machine (physical or virtual) installed between Internet and the email server.

Its primary role is to protect the email server by filtering incoming messages, via SMTP protocol, from Internet.

Secondary, an email gateway may be used as an outgoing gateway in case you want to add some new email features which are not provided by older email servers. For instance, Exchange 2000 or 2003 has no DKIM signing and verification service – a quality improvement for message delivery.

The features offered by Scrollout F1 are presented on short in About page.

After installation, the configuration is pretty easy.

In order to start using this application you need to cover only the BASIC CONFIGURATION (points 1 and 2 below).

Basic configuration:


    Set the network connection: IP address, subnet mask, gateway and DNS.




    You need to mention your domains and the responsible email server for each domain. Each domain must be unique, but the servers can have same value in case you are using one email server for multiple domains.

    The gateway system will become responsible for receiving emails that are addressed to all domains mentioned in this page and will forward the messages to the email servers.

    Optionally, in case you want to use the gateway for sending outgoing messages, Scrollout offers a DKIM signature and the values that are necessary to be used in your DNS server for each domain. In case that your email servers are using IP addresses different than standard intranet CIDR (,, you must mention the range or IP in CIDR format by clicking “OUTBOUND”.
    Note, this requires some time to process and the web interface will be provided before finishing the task in order to allow you to make other settings in the meantime.

    Now, you are ready to point your incoming SMTP traffic to Scrollout box. This can be done via an existing router (or firewall) or by modifying DNS MX records for each domain. The first method is much simpler.

    TRAFFIC Route

    TRAFFIC Route

Advanced configuration:

    1. SECURE


      SECURE > Security

      SECURE > Security

        You can set the aggressiveness by clicking on a number between 1 and 10 (green is aggressive, red is permissive). Each filter is explained in the web gui.


        Set the geographical area in which you have business, you may have business or you are 100% sure you will never have any business (contact).

      SECURE > Countries

      SECURE > Countries

    2. COLLECT

      SPAM & LEGIT has two roles:

      Quarantine role:Indicates the quarantine mailbox hosted on your email server. All spam and infected messages will be recorded in this mailbox along with a reporting email.

      Feeder role:  Scrollout F1 can learn from legit and spam messages, block sender email address and whitelist the sender domain using same Collector mailbox that is used for quarantine.
      Using an IMAP Client like MS Outlook you can easily drag & drop multiple emails into mailbox folders.In order to use the feeder feature, you need to:
      – Create two additional folders under this mailbox. Lets create a GOOD folder and a BAD folder.
      – Activate IMAP service on your email server.
      – Input the name, user & password of the mailbox, server IMAP address, and the GOOD and BAD folders.In case you created subfolders (instead of folders) under Inbox, you need to mention Inbox\GOOD and Inbox\BAD. Never use standard folders like Inbox and Sent Items. Scrollout deletes messages after reading.

      Tip 1:
      With Microsoft Office Outlook you can open multiple mailboxes simultaneously. This method allows you to easily drag & drop multiple emails from other mailboxes in GOOD & BAD folders.
      Tip 2: The Collector mailbox can be opened by multiple users via IMAP and they can share the GOOD and BAD folders. Depending on the permissions set they can read, contribute, delete etc.
      Tip 3: Never whitelist public email providers (yahoo, gmail, hotmail etc.). By doing that, you will allow a large number of spammers to send junk emails. In case you did that, find spam emails originating from those domains and drag them in BAD folder.

      Spam traps: its goal is to infect spammers’ databases with traps (alphabetically). Press “Get code” and hide the email addresses from the csv file into your web page. In approximately 1 month you will receive spam in the Collector’s Inbox which can be used to feed Scrollout F1.

      Collector & Feeder

      Collector & Feeder

      LiteDLP can be used to:

      Lite Data Loss Prevention


      - block files using MD5 signatures. In case the file is modified, it will not be blocked. It is useful to block files that cannot be blocked by content filters and are rarely modified: e.g.  personal sensitive pictures, designs, scanned documents without text etc.

      - detect and block keywords and phrases in MS Word, Excel, PowerPoint, PDF and scanned documents containing text.
      The sensitive email must reach the score level set in Security > LiteDLP, . The score is the sum of all keywords and phrases found in the entire email content (sum of all results found in all attachments + email body). In this way, we cover the cases when the sender breaks a document in multiple pieces in order to trick the scoring.
      In order to provide the files and phrases to be blocked by Scrollout F1, you need to share a folder on a Windows PC or Server and provide write permissions for the account mentioned in LiteDLP page.
      LiteDLP is mainly addressed to managers and leaders, not to IT staff. Thus, you may provide write permission to a Management\Leadership Group (in Active Directory) for the shared folder.

      I’m an infrastructure admin and in practice the informational flow (involving data leakage) is:
      step 1: managers, chefs and team leaders are assigning tasks, in their departments, providing necessary information and documents.
      step 2: the information and documents are leaked (accidentally or not) from their departments to external emails (personal emails or, worse, to third parties).
      In response: any information and documents, that are for internal use only, should be addressed to LiteDLP too.
      IT staff can assist, but cannot decide and act in these cases.

      In addition, LiteDLP attempts to detect compressed files and files without extension type (including multimedia files).

    3. MONITOR

      LOGS- Watch traffic in action.

      Monitor > Logs

      Monitor > Logs

      STATS- See statistics.


      Monitor > Graph

Scrollout F1 is under development. You will receive automatic updates with each improvement.


Get every new post delivered to your Inbox.

Join 47 other followers

%d bloggers like this: