/features/antispam-antivirus-policy

Antispam and Antivirus Policy

All email accounts hosted on our servers are protected by multiple levels of antispam and antivirus filters. Protection is in place for both received and sent emails. Our antispam analysis systems are based on algorithms that calculate the reputation, positive and negative, of the sender's IP, of the URLs contained in the messages, and of a series of commercial third-party filters. Thanks to the most up to date Machine Learning techniques, our antispam and antivirus solutions are able to intercept and block new trends in spam and viruses in real time. Furthermore, Qboxmail users are protected by special antivirus signatures dedicated to blocking 0-day Ransomware or new variants of previously known attacks.

The first level of protection happens at the SMTP connection level. All the remote servers that connect to our MX Records must have the following requirements:

  • A qualified reverse DNS (FQDN type);
  • Must not be present in the main DNSBLs;
  • Have a valid HELO FQDN.

If your server or its configuration does not comply with these parameters, you will likely be unable to deliver your emails online.

Antivirus

The first analysis performed aims at understanding if the message contains a potential threat: virus, malware, phishing, ransomware. In the event that our antivirus detects a danger, the email is silently discarded since the sender of these emails is almost always non-existent. Therefore, sending a notification would not make sense.

Antispam

The second scan is intended to understand if the message can be considered unwanted (Spam or Bulk email) or if it contains a potential threat not detected by the previous virus filter. Each email is assigned a score which is the result of a series of evaluations and analysis performed by the system. This score is linked to the content of the message and the presence of the sender's IP in various less relevant DNSBLs. Depending on the score assigned, the email can:

  • be quarantined in the Spam folder of your email account;
  • be rejected with an error 500 at the SMTP dialog level. The email sender will receive a notification of non-delivery and will have to take appropriate action.

Analysis via Tracemail

With Tracemail, a real-time log analysis tool, you can independently verify if the antispam/antivirus filters blocked one or more messages due to a false positive. For more information on searching through Tracemail, read the relevant documentation provided.

White list and black list

A white list is a list where you can enter email addresses or domain names considered to be safe and whose messages (both incoming and outgoing) should not be blocked by the antispam filter. A white list acts only at the analysis level of the antispam email content. So, if an email arrives from an IP in the black list, an incorrectly configured server, or contains a virus, it will be refused anyway. You can add an email address or a domain in the white list directly from the Webmail Settings.

A black list is a list where you can enter email addresses or a domain which you do not want to receive messages from, because you consider them spam or unwanted. Entering an email address or a domain in the black list will result in the sender receiving a message of rejection with a 500 SMTP error. You can add an email address or a domain in the black list directly, from the Webmail Settings.

The white and black lists aim at temporarily solving a problematic situation. Our system is able to learn, on the basis of user reports, possible false positives/negatives and to adapt its filters in this sense. Because of this, user customizations can be removed automatically after a few months.

The senders' email addresses must be valid Internet addresses. It is not possible to accept emails from senders whom a reply message cannot be sent to (e.g. domains without a correct DNS configuration or invalid or non-existent domains).

If the sending domain uses SPF or DKIM, the settings must be valid.

The DNSBL lists used may vary over time, depending on technical factors. Any changes will, when possible and appropriate, be reported on these pages after their application. When our servers receive a connection from an IP added to the black list, they will send a permanent error 5.x.x. The remote server will not retry the connection and will immediately generate a bounce (error message) addressed to the sender.

With the exception of antispam analysis, it is not possible to customize the filters indicated above because they are connected to common rules and common sense that all email server administrators must follow. Furthermore, since the block is at the IP/DNS level, or in the early stages of the SMTP dialog, the email addresses of the blocked senders are not present in the registers of our systems — only the IP addresses of the sending servers. In any case, following a block for one of the reasons indicated above, the sending server or the sender itself (i.e. the email address specified in the "Return-Path" header) always returns an error message. If that is the case, then no email can be lost.

Our technical support is always at your disposal to evaluate cases of false positives and find solutions that best suit your needs.

Antispam on emails sent

For greater security, we hold antispam and antivirus systems in place on our SMTP servers too. This is to avoid that a compromised email account (e.g. password theft) could lead to servers sending spam, thus penalizing the reputation of our IP addresses. Through Tracemail, you can check if an account or message has been blocked for one of these reasons. Here's how the error appears in Tracemail when trying to send a spam email via our SMTP:

If attempts to send spam are repeated over time, the email account will be inhibited by sending other messages through an SMTP block. You will first need to scan the user's PC to make sure there are no viruses or malware and then force a password change on the blocked account. Once these procedures are performed, it is possible to unlock SMTP following the procedure indicated in the related documentation.

Notification on abnormal sending

Qboxmail accounts are protected by a system that identifies when an account is sending abnormal emails via our SMTP servers.

This usually happens following the theft of credentials to access the email account, in order to use that account to send spam or phishing emails. When this abnormal activity is detected, an email is sent to the email account subject of attack and to the service holder of the Qboxmail account that the account is connected to. Also, as a precaution, sending additional emails via SMTP will temporarily be suspended.

Once the cause of the attack is identified (for example, by analyzing the email traffic registers with the Tracemail tool), and even when an antivirus is installed on the user's computer, it will be mandatory to perform a password change.

Once these procedures have been performed, it is possible to unlock SMTP following the procedure indicated in the related documentation.

We use cookies to provide you with a better browsing experience, continuing to accept their use.

Accept