GFI is a UK-based software company that focuses on mail and security software.
All of their products are available as a 30-day, fully functioning evaluation
product. After the evaluation period the software continues to function but
with limited capabilities. The Mail Essentials (ME) package can be downloaded
from the company Web site along with documentation. The list price of ME for
unlimited mailboxes is $1350 plus 20 percent yearly for software maintenance.
Reduced pricing is available for 25, 50, 100 and 250 mailboxes. A 25-mailbox
license is as little as $350 plus maintenance. Additional discounts are
available when you purchase the ME companion anti-virus and attachment-checking
software product, Mail Security.

ME can be installed in two different configurations: SMTP gateway mode or
directly on the Exchange mail server
(http://www.techrepublic.com/5138-1035-5689059.html). Both installation methods
offer advantages and disadvantages. SMTP gateway mode installs ME on a separate
gateway server and is therefore independent of the type of mail server software
you are running. Gateway mode allows the SPAM duties to be offloaded to a
separate, less powerful server, leaving the Exchange server to concentrate on
running Exchange. Native Exchange mode is for Exchange 2000 / 2003 servers, and
installs the ME product on the Exchange server. This installation method allows
ME to deliver SPAM to a local SPAM or Junk mail folder within Outlook. Note: If
you are still running Exchange 5.5 you must install ME in SMTP mode.

This article will look at the SMTP gateway option. I prefer this option for a
number of reasons. First, it removes the burden of SPAM filtering from the
primary Exchange server(s) and is a first stop for all incoming and outgoing
e-mail. In my environment I chose it because I knew we would be running GFI’s
Mail Security (more on that in another download) and Mail Archiving software
and I did not want all the products on my Exchange server. Also, having a
separate gateway allows me to keep my Exchange server behind the firewall and
out of the DMZ. If I need to reboot or perform maintenance on my Exchange box,
the gateway server can still receive incoming mail from the Internet.

Installing supporting components

Since we are setting up a separate gateway server, the
installation is slightly more complicated. First thing we need to do is install
Internet Information Server (IIS) on the server if it’s not
installed, and set up SMTP within IIS. The GFI documentation does a good job of
explaining this but we will run through it here.

Install SMTP via Add/Remove Programs – Windows programs. SMTP is a subcomponent
of IIS. In Windows Server 2003 select Application Server – Internet Information
Server (IIS) and then select the SMTP option. (Figure A) Once installed, the
Internet Information Services MMC is used to manage the server.

Figure A

Next we will configure the properties of the SMTP server. Open the IIS console
and expand the server node. The Default SMTP Virtual Server should be present.
Right click and select properties. On the General tab assign an IP address to
the server. Next click the Access tab. Here we can configure authentication and
connection parameters. If you wish to configure secure communication between
the gateway and your primary server you can configure those settings here. Our
concern for this discussion is the relay tab. To keep the gateway from becoming
an open relay we want to specify which server or servers can relay mail through
this server. Click the relay tab and then click add. You can specify an IP
address, a group of servers or a domain. (Figure B)

Figure B

When completed, your server’s IP should be listed. Uncheck the check box titled
“Allow all computers which authenticate to relay, regardless of the list
above.” (Figure C)

Figure C

Now we will configure the SMTP server to relay mail to your primary mail
server. Under the Default SMTP server right click Domains and select New.
Select the remote option and click next. Enter the name of the mail domain in
the next box. When completed the IIS manager will list the local domain and
your remote domain. (Figure D)

Figure D

Right click on the newly created domain and select properties. Select the
Allow incoming mail to be relayed to this domain and the Forward all mail to a
smart host radio buttons. Enter the name of the primary server in square
brackets that will receive the mail. (Figure E)

Figure E

We have
now configured the gateway server to relay mail to and from your primary mail
server. The next step is to configure the Exchange or other mail server to
relay mail to the newly configured gateway server. (In this example we will use
Microsoft Exchange, however in gateway mode installation ME can work with any
SMTP server.)

From the Exchange System Manager expand the properties of your SMTP connector.
On the General tab click the Forward all mail through this connector to the
following smart hosts radio button. Add the IP address, enclosed in brackets,
of the newly configured server. (Figure F)

Figure F

Finally, test the configuration. Send an e-mail from an internal address to an
external address such as a Hotmail or Yahoo account. Send a message in the
reverse direction to test connectivity both ways. If both messages are received
you have successfully set up the SMTP box to relay mail to and from your
Exchange or SMTP server.
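A complementary check for the relay restriction configured above, added here as an example (not from the original article or GFI): run from a host that is not on the relay list, it confirms the gateway refuses a recipient outside your domains. The addresses are placeholders, and no message is sent because the session stops before DATA.

```python
import smtplib
import sys


def probe_relay(host, mail_from, rcpt_to, port=25, timeout=10,
                smtp_cls=smtplib.SMTP):
    """Try MAIL FROM / RCPT TO for a foreign recipient and stop before DATA.

    Returns (verdict, code): "refused" if the gateway rejects the recipient,
    "open" if it accepts it, "error" if the session fails before RCPT TO.
    """
    try:
        conn = smtp_cls(host, port, timeout=timeout)
    except (OSError, smtplib.SMTPException):
        return ("error", None)
    try:
        conn.ehlo_or_helo_if_needed()
        code, _ = conn.mail(mail_from)
        if code >= 400:
            return ("error", code)
        code, _ = conn.rcpt(rcpt_to)
        # 2xx means the server would relay; 4xx/5xx (typically 550) is a refusal.
        return ("open" if 200 <= code < 300 else "refused", code)
    except (OSError, smtplib.SMTPException):
        return ("error", None)
    finally:
        try:
            conn.quit()
        except (OSError, smtplib.SMTPException):
            pass


if __name__ == "__main__":
    # Usage: python relay_check.py <gateway-ip>
    # Run it from a machine that is NOT in the relay list. Both addresses are
    # placeholders; neither domain should be one the gateway accepts mail for.
    gateway = sys.argv[1]
    verdict, code = probe_relay(gateway, "probe@example.net", "probe@example.org")
    print(f"{gateway}: relay {verdict} (SMTP code {code})")
    sys.exit(0 if verdict == "refused" else 1)
```

A "refused" verdict with a 550 code is the expected result once the relay list is in place and the authenticated-relay box is unchecked.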

Installing ME

Now that the SMTP relay is set up we can move on to installing the actual ME
product. The download will extract and begin the setup process. When setup
first launches it gives you the chance to check for a newer build. GFI releases
new builds quite frequently, so if it’s been even a few days since you
downloaded the file go ahead and select Check for a newer build of GFI Mail
Essentials on the GFI Web site; otherwise select Do not check for a newer build
and move on. (Figure G) The next screen prompts you to accept the license
agreement to proceed.

Figure G

The next
screen prompts for an installation location. (Figure H) Accept the
default or point the software to the appropriate place.

Figure H

The next screen prompts for user, company and license key information. If you
are a current customer you can enter your key or leave the word Evaluation in
the license key field. (Figure I)

Figure I

The next screen requires the IP address of your server and the local domain.
(Figure J)

Figure J

The next screen after that requires an e-mail address for the administrator
e-mail. This is used for critical notification e-mail. (Figure K) If the server
you are installing ME on is part of an AD Domain, setup will prompt for access
to Active Directory. GFI can use AD or SMTP addresses to build rules for ME. In
this example my server is not part of an AD Domain so the prompt does not
appear.

Figure K

The next screen asks to install the Microsoft Message Queuing Service. This
service is only required if you are using ME to manage a list server. In this
article we are focusing on the SPAM capabilities so we won’t install it here.
(Figure L)

Figure L

The next screen displays the local e-mail domains found by the installation
program. These should match the domains that were created when we set up the
SMTP server earlier. The localhost domain is created by default. (Figure M) The
wizard will complete the file copy and display a message that the SMTP service
needs to be restarted. Click Yes. The SMTP service will restart and the wizard
finish dialog will display. Click Finish and ME has been installed.

Figure M

Managing ME

The installation program installs several tools for managing the ME product.
The ME Configuration MMC is the primary tool used to manage the product. In
addition, a reporting tool, GFI monitor, troubleshooter and online help system
are also installed under the GFI ME group.

Let’s dive in and look at the ME configuration tool. Select Start | Programs |
GFI Mail Essential | Mail Essentials Configuration to launch the tool. (Figure
N) The Configuration provides a clean interface for managing the product. I
have found the configuration tool to be quite intuitive to use. The ME
configuration is divided into three main sections: Anti-Spam, E-mail Management
and General.

Figure N

First let’s look at the Anti-SPAM configuration

As you can see from the previous screenshot the Anti-SPAM section has ten
different parameters or rules for detecting SPAM. Each rule can be configured
by double clicking the item in the right window pane or selecting it in the
left pane and then selecting properties. We’ll look at each one below and
discuss what it does and how effective it might be in fighting SPAM. The order
in which the rules are applied can be configured as well.

The
Properties of each rule are divided into multiple tabs. Several of the tabs,
such as the Actions tab are the same in each rule. The configuration process
works like this: Enable each rule as desired, fine tune it, and then decide
what action to take when a piece of SPAM meets the criteria of the rule.

First up is the Sender Policy Framework. This is new in version 11.0. It fights
SPAM by detecting e-mail with forged senders. The Sender Policy Framework
feature is a community effort to fight SPAM. SPF requires that the sender has
published its mail server in an SPF record. When the mail is received, GFI can
check to see if the sender is authentic or forged. More information about SPF
can be found at the Sender Policy Framework Web site. After configuration of
SPF, ME will prompt to configure the perimeter server option for proper
operation of the SPF function. In this example we have installed GFI on a
perimeter server (gateway) so no configuration is needed.
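How the SPF check described above reaches its decision, as an added example that is not GFI's code: it evaluates the connecting IP against a published SPF record, handling only the ip4, ip6 and all mechanisms. The records and addresses used with it are constructed samples, and mechanisms that need further DNS lookups are reported rather than resolved.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate one SPF TXT record against the connecting IP.

    Returns pass / fail / softfail / neutral, "none" when the text is not an
    SPF record, "permerror" for a malformed network, and "needs-dns" when the
    next mechanism to evaluate (a, mx, include, ...) requires further lookups.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # a bare mechanism means pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                    # matches every sender
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == ip.version and ip in net:
                return RESULTS[qualifier]
            continue                         # no match: try the next mechanism
        return "needs-dns"                   # outside what this sketch resolves
    return "neutral"                         # nothing matched and no "all"


if __name__ == "__main__":
    # Constructed record and addresses (documentation ranges).
    record = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(ip, evaluate_spf(record, ip))
```

Mechanisms are evaluated left to right and the first match decides, so a forged sender connecting from outside the published ranges falls through to the closing "-all" and fails.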

The General tab (Figure O) allows SPF to work at various levels. Sliding the
bar all the way to the top sets SPF to never block messages, effectively
turning the rule off. All the way to the bottom sets it to high, which will
block any e-mail that has not passed the SPF test. GFI recommends the medium
setting, which blocks e-mail from addresses that appear to have forged senders.

Figure O

The Exceptions tab allows a list of IP addresses or recipient exclusion lists
to be created. (Figure P)

Figure P

The Actions tab (Figure Q) allows the desired action to be configured when a
rule is triggered. Several options are available here: Delete the e-mail,
forward to another mailbox, move to a specified folder on the server, or tag
the e-mail with text such as SPAM. The tag option can be used to send e-mail to
a specified folder in the user’s mailbox. This feature requires configuring the
rule manager tool to configure rules for each user mailbox or a group of
mailboxes. This can be useful if certain users wish to sort their own junk
mail.

Figure Q

Note: If ME is installed on an Exchange 2003 server, mail can be routed
directly to the user’s junk mail folder by selecting the Move to users junk
mail folder radio button. In this example we are using the gateway mode
installation, which would require us to use the rule manager tool.

The Other tab (Figure R) allows additional actions to be taken such as logging
an occurrence of the rule. This is useful if you chose the delete action and
then later need to verify if an e-mail was “eaten” by a SPAM rule.
Unfortunately you could not retrieve the e-mail but you could confirm its
demise.

The next SPAM filter is the white list. (Figure S) The white list is enabled by
default and is one of the oldest SPAM fighting techniques. ME automatically
builds a white list based on outbound e-mails. Other options include manually
adding e-mail addresses or importing them from a list.

Figure S

White lists can also be built from keywords in the body or subject, or based on
the IP address of the sender. Creating a keyword white list based on subject
was particularly effective in my organization for allowing inbound e-mail from
list servers that employees had subscribed to. (Figure T)

Figure T

The next filter is Directory Harvesting. This detects e-mails sent to an e-mail
server that are addressed to non-existent recipients. This is often a sign of a
directory harvest attack to discover e-mail addresses on a particular server.
In my environment we receive a lot of SPAM addressed to employees who no longer
work for the organization. Enabling this filter allowed us to dump the e-mail
so we did not have to sort through it later to determine if it was legitimate.
The General tab is used to enable the feature. This feature requires AD or LDAP
connectivity to a DC to work. (Figure U)
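The idea behind this filter, as an added example rather than ME's implementation: count distinct unknown recipients per sending IP, so a single stale address does not look like a harvest. The log format, addresses and threshold are constructed, and the set of valid recipients stands in for the AD/LDAP lookup.

```python
from collections import defaultdict

# Constructed stand-in for the directory (AD/LDAP) lookup.
VALID = {"alice@example.com", "bob@example.com"}

# Constructed log lines: timestamp, client IP, command, recipient.
SAMPLE_LOG = """\
2005-03-01T09:00:01 198.51.100.20 RCPT alice@example.com
2005-03-01T09:00:05 198.51.100.20 RCPT carol@example.com
2005-03-01T09:02:10 203.0.113.5 RCPT admin@example.com
2005-03-01T09:02:10 203.0.113.5 RCPT info@example.com
2005-03-01T09:02:11 203.0.113.5 RCPT sales@example.com
2005-03-01T09:02:11 203.0.113.5 RCPT test@example.com
2005-03-01T09:02:12 203.0.113.5 RCPT bob@example.com
""".splitlines()


def harvest_suspects(lines, valid, threshold=3):
    """Map each sending IP to the unknown recipients it tried.

    Only IPs that addressed at least `threshold` distinct non-existent
    recipients are returned; malformed lines are skipped.
    """
    unknown = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "RCPT":
            continue
        _, ip, _, rcpt = parts
        if rcpt.lower() not in valid:
            unknown[ip].add(rcpt.lower())
    return {ip: sorted(addrs) for ip, addrs in unknown.items()
            if len(addrs) >= threshold}


if __name__ == "__main__":
    for ip, addrs in harvest_suspects(SAMPLE_LOG, VALID).items():
        print(f"{ip} tried {len(addrs)} unknown recipients: {', '.join(addrs)}")
```

In the sample, 198.51.100.20 writes to one address that no longer exists (carol@, a departed employee) and stays below the threshold, while 203.0.113.5 guesses four role-style addresses and is flagged.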

Figure U

The Custom Blacklist filter allows custom black lists to be created for known
domains and e-mail addresses. (Figure V)

Figure V

The Bayesian filter is the main SPAM fighting filter in ME. Bayesian technology
uses probability to analyze your company’s mail patterns and determine if an
e-mail is SPAM. The Bayesian filter is turned off by default. (Figure W) GFI
recommends that you train the filter for a minimum of one week or until at
least 3000 messages have passed through the filter. Once the training period is
done the filter can be enabled.

Figure W

Checking the Automatically learn from outbound e-mails radio button enables the
filter to continually analyze e-mail patterns. The Update tab allows automatic
updates of the SPAM database from GFI. (Figure X)

Figure X

The DNS blacklist (Figure Y) allows checking the sending mail server against
known blacklists managed by multiple outside blacklist organizations. This
feature requires a properly configured DNS server. If the blacklist is
configured and the DNS server is misconfigured, a time out may occur and the
e-mail will be processed slowly. Use care when configuring and use the test
button to verify connectivity. See GFI’s Knowledge Base article KBID001770 for
more information. Multiple lists can be queried but each list adds additional
e-mail processing time.

Figure Y

The Spam URI Real-time Block lists rule (Figure Z) checks e-mails for the
presence of URLs and URNs embedded in e-mails that are known to originate from
spammers. Multiple lists can be queried by selecting each list you wish to use.
As with the DNS blacklists, the more lists selected, the more mail processing
time the ME product needs. The multi.surbl.org list combines several lists into
one and results in faster processing than if multiple lists are selected.
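How the lookups behind both the DNS blacklist and the SURBL rule work, and why a slow resolver delays mail, as an added example that is not GFI's code. The zone dnsbl.example.org and all sample addresses are placeholders; the code queries each URL host as written, where a production SURBL client would first reduce it to the registered domain.

```python
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout


def dnsbl_name(ip, zone):
    """Query name for an IPv4 sender: octets reversed, then the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def uri_names(body, zone="multi.surbl.org"):
    """Query names for every http(s) host found in the message body."""
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", body)
    return sorted({h.lower().strip(".") + "." + zone
                   for h in hosts if h.strip(".")})


def lookup(name, resolver=socket.gethostbyname, timeout=2.0):
    """Return 'listed', 'clean' or 'timeout' for one blocklist query."""
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(resolver, name)
    try:
        answer = future.result(timeout=timeout)
    except FutureTimeout:
        return "timeout"      # resolver too slow: do not hold the mail queue
    except OSError:
        return "clean"        # NXDOMAIN (socket.gaierror) means not listed
    finally:
        pool.shutdown(wait=False)
    # Blocklists answer with an address in 127.0.0.0/8 when the entry is listed.
    return "listed" if answer.startswith("127.") else "clean"


def check_message(sender_ip, body, ip_zones, resolver=socket.gethostbyname,
                  timeout=2.0):
    """Run every configured lookup; each extra list is one more DNS round trip."""
    names = [dnsbl_name(sender_ip, z) for z in ip_zones] + uri_names(body)
    return {name: lookup(name, resolver, timeout) for name in names}


if __name__ == "__main__":
    def constructed_resolver(name):
        # Stands in for DNS so the demo runs offline; lists one sample sender.
        if name.startswith("9.113.0.203."):
            return "127.0.0.2"
        raise socket.gaierror("NXDOMAIN")

    sample = "Cheap pills at http://spam.example.net/buy now"   # constructed
    print(check_message("203.0.113.9", sample, ["dnsbl.example.org"],
                        resolver=constructed_resolver))
```

The worst case for one message is the number of query names multiplied by the timeout, which is the processing delay the DNS blacklist and SURBL paragraphs warn about.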

Figure Z

The Header Checking rule looks at the e-mail header fields, SMTP and MIME. The
SMTP field is generated by the sending e-mail server and the MIME field is
generated by the e-mail client. The General and General Continued tabs have
eight different criteria that can be detected. (Figure AA) Each checkbox
provides an explanation of the criterion. If you require a detailed explanation
of each criterion, review the ME documentation.

Figure AA

Keyword checking is the oldest SPAM fighting tool. (Figure BB) Many SPAM
e-mails can be singled out by this criterion alone. Of course, depending on
your business, this can also eat a lot of valid e-mail. This filter comes
predefined with keywords for both e-mail subject and body. Additional words and
conditions can be added to make this filter more effective than just detecting
the presence of a single word. For instance, a condition could be created to
detect the presence of more than one word or group of words before the e-mail
is marked as SPAM.

Figure BB

The New Senders rule automatically identifies e-mails that have come from a
sender to whom you have never sent e-mail. These could be new contacts as well
as SPAM that was not detected by other ME rules. (Figure CC) Exceptions can be
configured based on the MIME TO address.

Figure CC

Now that we have looked at all the rules, you may be wondering in what order
the e-mails get processed. The order is set by right clicking the Anti-Spam
item in the left pane and selecting order module priorities. (Figure DD) Here
we can set the order from highest priority to lowest priority of each rule.

Figure DD

E-mail Management

Besides the SPAM capabilities, ME provides several other e-mail management
capabilities. Expanding the E-mail Management branch in the left pane reveals
several additional capabilities of the ME product: List Server, Disclaimers,
Mail Archiving, Mail Monitoring, Auto Replies and Reporting.

The List Server module allows management of an e-mail list service. I did not
examine this capability for this download.

The Mail Archiving section provides the ability to create an inbound and
outbound e-mail archive. (Figure EE) Archives can be flat text files without
attachments, or saved to a SQL / MSDE database. Once created, an HTML search
page is used to query the e-mail archive. While the functionality is quite
primitive, it can still provide an archive for organizations on a limited
budget that are trying to meet regulations. GFI also offers a dedicated e-mail
archive product.

Figure EE

Adding a disclaimer to an outbound e-mail is another feature of the ME product.
Disclaimers are created for outbound e-mail only and can be configured on a
per-domain or per-user basis. Another feature is Auto Replies. Auto Replies are
handy if you run a service organization and want to let your customer know that
an e-mail has been received.

Mail monitoring allows the creation of inbound and outbound monitoring rules.
Mail can be examined from specific senders or domains and a copy routed to a
monitoring mailbox. (Figure FF)

Figure FF

General Settings

The
general section provides links to version information, license key and links to
information on other GFI products. The General tab under version
information is the most useful in that it provides the ability to automatically
check for product patches and version updates.

Other components

Several
other tools appear in the GFI Mail Essentials program group. The GFI monitor
provides a real-time window into the ME engine. Here you can actually view
e-mails being processed. (Figure GG) This can be helpful during initial
configuration and setup.

Figure GG

The ME Reports tool allows various canned reports to be generated such as User
usage statistics, Mail server Daily usages and Daily SPAM statistics. The Daily
SPAM report gives a good insight into how effective each rule is in detecting
SPAM. The Mail Essential Help system is a Windows help version of the PDF based
manual that is available for download with the ME product. The Mail Essentials
troubleshooter is a wizard-based tool used at the direction of GFI when an
issue is encountered and you must contact support. The wizard creates a zip
file that is sent to GFI for analysis.

Now what?

OK, so we have installed Anti-SPAM software. Now what? This is the part that
Anti-SPAM software vendors do not talk about. Do we install it and then walk
away? All the SPAM is gone and we can go back to doing other things? Wouldn’t
that be nice? The reality is that once the SPAM is detected you have to “do
something” with it. Do we just set the action of each rule to delete and walk
away? You could do that. But you might have some angry high-level employees who
are missing e-mails that their colleagues insist they sent.

The
reality is that SPAM technology is not perfect. What if a legitimate e-mail is
detected and the rule was set to delete? In this case you would not know if the
e-mail ever made it. You could, however, check the log file to confirm, as I
mentioned earlier, its demise.

The bottom line is that you must choose HOW, and also WHO, will manage the
SPAM. The how side addresses what you will do with the SPAM: Send it all to a
central folder or mailbox for analysis and final deletion? Delete it
permanently upon detection? Configure some rules to delete and others to send
to a SPAM box?

The who side of the equation asks the question: does IT manage the SPAM or just
send it on to the user, categorized as SPAM for them to sort through? Do you
want your users to look through their own SPAM? If SPAM causes productivity
losses, then what have the users gained? Now their detected SPAM is all in one
place instead of scattered throughout their inbox. Having users manage their
own SPAM brings up many legal issues. Several employees have sued employers
over porn SPAM, claiming these e-mails caused them to work in a hostile work
environment by exposing them to nudity or other undesirable images. These are
all questions and processes you must work out when implementing a SPAM
solution.

A real life example

Here is how we manage the SPAM process using ME at my organization: First, we
made the decision early on that we could not afford to lose e-mails that were
incorrectly tagged as SPAM. We knew we would quickly lose the trust of our
employees and upper management if the SPAM filter was “eating” their good
e-mails. Second, we did not want our users to sort their own SPAM because of
fear of lawsuits and lost productivity. Also, many users were complaining about
getting SPAM in the first place, so we figured they did not want to manage it.

On the
Mail Essentials product, I felt very confident in the Custom Blacklist, DNS
Blacklist and the Directory Harvesting rules so I set all SPAM detected by
these rules to delete, with the logging option turned on. All other rules are
set to forward all mail to a central mailbox, called spam@mycompany.com. Our IT help desk employees check this mailbox
several times during the day and delete the known SPAM and forward mail
suspected as good to the user. If the user confirms the mail as good the sender
is manually added to the white list so as not to be tagged again as SPAM.
Sorting the detected SPAM e-mail by sender quickly weeds out the SPAM from the
legitimate e-mail. Since many of our employees receive the same SPAM, sorting
this way causes all the duplicates to appear together and makes mass deletion
easy. Additionally our help desk employees integrate
SPAM management as part of their daily process.

In addition we use the archive feature of ME so we have a flat text file
record, minus attachments, of all mail flowing in and out of the organization.
Be careful of archiving to a text file, as the file can grow large quickly. We
simply create a new archive each week to keep the file size manageable. Long
term we will look to other solutions but have implemented this until we settle
on a final solution. The archive is also helpful in troubleshooting whether an
e-mail was actually sent or left the organization.

Not just a set and forget system

We have used the product for over a year and have had great success.
Unfortunately SPAM management is not a set-it-up-and-forget-about-it process.
It takes time to analyze the rules and fine-tune them as needed. The reporting
mechanism can be helpful in explaining the severity of the problem to
management as well as giving the mail administrator insight into how effective
each rule is at detecting SPAM. The list server, mail archiving, disclaimers
and reporting tools all add value to an economically priced product, making it
quite a value. Before you invest $1000s of dollars in an appliance or other
product, check out the GFI Mail Essentials product.