SpamTitan has multiple whitelists to which you can add email addresses, domains, IP addresses and server names.  This article explains the difference between them and how to use them effectively.  To start, a brief overview of how SpamTitan works is needed.

Mail Flow

The flow of mail through SpamTitan is as follows:

The Front line tests are the first line of defense.  They are very quick, taking a fraction of a second to run, and account for a large percentage of all mail that is blocked.  Virus scanning is carried out by Kaspersky Anti-Virus and ClamAV.  Next, any attachments are examined to see if they are listed as a banned attachment type.  The contents of compressed/archive files are examined by default.  The mail content checks are the most processor intensive and can take 2-15 seconds per mail to complete.

Front line tests

The Front line tests include:

  • RBL
  • SPF
  • Greylisting
  • SMTP Controls
(You can find detailed information on the front line tests here)

The Front line tests do not quarantine mail; mail blocked by these tests is rejected.  A record of the mail (To, Envelope-From and From addresses, source IP, time and date, etc) is stored and can be viewed in Reporting > History.  Each of the Front line tests has its own whitelist.  If mail from a specific server is being blocked by a Front line test, you will have to add the server IP or host name to the whitelist for that specific test.  The Front line tests are all configured under System Setup > Mail Relay.

Virus Scanning

All mails are scanned for viruses.  The only way this can be bypassed is by:

  • Adding the IP of a server to the IP White list (System Setup > Mail Relay > IP Controls)
  • Configuring your domain or user policy to "Pass & Tag" virus mails
  • A Content Filter rule is matched and white lists the mail (Content Filtering > Content Filtering)

Obviously, bypassing virus scanning is not recommended.

Attachment Scanning

Attachment scanning is carried out by default.  Attachment scanning can be bypassed using the same methods described for bypassing Virus Scanning.

Spam Content Checks

This category encompasses tens of thousands of individual tests.  These tests examine the actual content of the mail and try to determine if a mail contains spam-like content.  Only a small percentage of mail will make it this far.  These tests can be split into two types:
  • Host based tests
  • Content based tests

The host based tests are tests that examine the settings of the server sending the mail using information contained in the mail headers.  These tests examine:
  • Are any of the IP addresses in the Received headers listed on IP address blacklists
  • Does the server hostname contain an IP address
  • Does the PTR record contain an IP address
  • Are there forward-matching reverse DNS entries, i.e. do the A records, IP and PTR record match
  • Does the host name contain words such as: .*dsl.* cable catv ddns dhcp dial(-?up)? dip docsis
  • The IP address isn't in the A records for the domain
  • The sender domain leads to a host that doesn't have an A record
  • etc

A badly configured server can trigger a lot of these tests and this can lead to legitimate mail being blocked.  The best resolution to this issue is to add the offending server IP address to the Internal Networks list (Anti-Spam Engine > Settings > Internal Networks).  This will exclude that server IP address from testing.
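
To see in advance which of these host-based tests a sending server is likely to trip, the sketch below runs a subset of them against DNS data supplied by hand.  It is an added example, not SpamTitan's own code: the function names, the keyword-matching rule, the "helo" parameter (the host name the server announces) and the sample records are assumptions, and the sample data is constructed.

```python
import re

# Assumption: "dsl" matches anywhere in the name (the page shows .*dsl.*);
# the other listed words must stand alone between non-letter characters.
DYNAMIC_WORDS = re.compile(
    r"dsl|(?<![a-z])(?:cable|catv|ddns|dhcp|dial(?:-?up)?|dip|docsis)(?![a-z])",
    re.I)

def embeds_ip(name, ip):
    """True if the IPv4 octets appear in name as consecutive numbers,
    in forward or reversed (PTR-style) order."""
    octets = ip.split(".")
    numbers = re.findall(r"\d+", name)
    runs = [numbers[i:i + 4] for i in range(len(numbers) - 3)]
    return octets in runs or octets[::-1] in runs

def host_findings(ip, helo, ptr_names, a_records, sender_domain_ips):
    """Return the host-based checks this sender would trip.
    ptr_names: PTR results for ip; a_records: {hostname: [A record IPs]};
    sender_domain_ips: A records of the envelope sender's domain."""
    findings = []
    if embeds_ip(helo, ip):
        findings.append("hostname contains IP")
    if any(embeds_ip(p, ip) for p in ptr_names):
        findings.append("PTR contains IP")
    # Forward-confirmed reverse DNS: a PTR name must resolve back to ip.
    if not any(ip in a_records.get(p, []) for p in ptr_names):
        findings.append("no forward-matching reverse DNS")
    if any(DYNAMIC_WORDS.search(n) for n in [helo, *ptr_names]):
        findings.append("dynamic-looking host name")
    if ip not in sender_domain_ips:
        findings.append("IP not in A records for sender domain")
    return findings

# Constructed sample data (documentation IP ranges, example domains).
GOOD = dict(ip="192.0.2.25", helo="mail.example.org",
            ptr_names=["mail.example.org"],
            a_records={"mail.example.org": ["192.0.2.25"]},
            sender_domain_ips=["192.0.2.25"])
BAD = dict(ip="203.0.113.7", helo="host-203-0-113-7.dsl.example.net",
           ptr_names=["7.113.0.203.dsl.example.net"],
           a_records={},
           sender_domain_ips=["198.51.100.10"])

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, host_findings(**sample))
```

A legitimate server that returns findings here is a candidate either for fixing its DNS records or for the Internal Networks list described above.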

The Content based tests examine the mail body.  These tests include:
  • Identification of spam-like phrases and words in the mail body
  • Links in the mail body that contain domains that are on URI blacklists
  • Fuzzy-checksum-based spam detection (Pyzor & Razor)
  • Bayesian filtering
  • etc

These tests can be bypassed by adding the sender email address or domain to the Global, Domain Group, Domain or User white lists.  The Global Whitelist is only available to the admin user and is applied to all inbound mail.  The Domain Group whitelist is administered by Domain Group Administrators and applied only to domains within the specific domain group.  The Domain whitelist is administered by Domain Administrators and applied only to mail addressed to one domain.  The User whitelist is maintained by individual users and only applied to mail addressed to one user.