MAILsweeper Undocumented Features
This document details configuration options that have been discovered during support and not covered by product documentation and that may be useful to some customers. It is intended for use by internal support. Currently it covers MAILsweeper and PORNsweeper. It will be updated as new features become available.
MAILsweeper for SMTP 4.2x Undocumented Configuration
Multi threaded delivery per domain
Stripping SMTP received headers
Configuring minimum CDA ASCII length
Some SMTPDS useful registry settings
Making the security service run on a single processor on a multi-processor host
Configuring the maximum number of CDA streams
MAILsweeper for SMTP 4.3 undocumented features
Multi-threaded delivery per domain
The MAILsweeper SMTP delivery service opens one TCP/IP connection per destination domain for delivery. It can be made to open additional connections per domain, which can help in a high-throughput environment or when a problem message is holding up a domain's queue. A new connection is opened each time a defined number of messages (MsgLimit1) are waiting for that domain, up to a maximum number of connections per domain (DomainLimit1).
In mailswp.cfg, in the [SMTP Delivery] section, add the following:
[SMTP Delivery]
v:MsgLimit1=$I50
v:DomainLimit1=$I25
Stripping of SMTP received headers
It is possible to make MAILsweeper remove any SMTP received headers from any messages it processes.
To do this add the following entry to mailswp.cfg:
Strip Received Headers
[SMTP Receiver]
v:StripReceivedHeaders=$I1
To turn stripping off again, set the value to $I0.
Make sure customers are aware of the issues described in the following manual entry (especially the WARNING) before using this:
StripReceivedHeaders (*) REG_DWORD
If non-zero, then mail messages which SMTPRS receives from hosts which are in the AcceptForRelayFrom list, will have their Received: headers removed. Similarly for messages received on authenticated connections. This is intended as a security feature for organizations which do not wish the details of their internal networks to be exposed in messages sent over the Internet. However, it makes it more difficult to trace the origin of messages. WARNING: if you turn on this feature while leaving the AcceptForRelayFrom list at its default setting of "*", you become a "laundry" for spam - there is no way (other than the log files) of tracing mail back to the originating system. It is therefore essential that you understand the full implications of this before turning this option on. Default: 0.
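The decision the manual entry above describes, as an added Python example (this is illustrative code written for this document, not MAILsweeper or SMTPRS code): Received: headers are dropped only when StripReceivedHeaders is non-zero and the client is either authenticated or inside AcceptForRelayFrom. Running it with AcceptForRelayFrom left at "*" shows the "laundry" effect: an arbitrary Internet host also gets its trail erased. The sample message, hostnames, addresses and the assumption that an AcceptForRelayFrom entry is "*", a single address or a CIDR block are all constructed for the example; the page does not describe the real entry syntax.

```python
import ipaddress
from email import message_from_string

# Constructed sample message as SMTPRS might receive it from an internal
# relay; hostnames, addresses and dates are made up for this example.
SAMPLE_MESSAGE = """\
Received: from mailhub.corp.example (192.168.10.5) by gw.example.com with SMTP; Mon, 1 Jan 2001 10:00:00 +0000
Received: from wks42.corp.example (192.168.10.42) by mailhub.corp.example; Mon, 1 Jan 2001 09:59:58 +0000
From: alice@example.com
To: bob@example.org
Subject: test

hello
"""


def in_accept_for_relay_from(client_ip, accept_for_relay_from):
    """True if client_ip matches an AcceptForRelayFrom entry.

    Assumption for the example: an entry is "*" (any host), a single
    address, or a CIDR block; the page does not describe the real syntax.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in accept_for_relay_from:
        if entry == "*":
            return True
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def receive(msg_text, client_ip, authenticated, strip_received_headers, accept_for_relay_from):
    """Model SMTPRS handling of one inbound message.

    Returns (message_text, number_of_received_headers_removed). Received:
    headers are removed only when StripReceivedHeaders is non-zero AND the
    client is either authenticated or inside AcceptForRelayFrom.
    """
    msg = message_from_string(msg_text)
    removed = 0
    if strip_received_headers and (authenticated or in_accept_for_relay_from(client_ip, accept_for_relay_from)):
        removed = len(msg.get_all("Received", []))
        del msg["Received"]          # deletes every Received: header
    return msg.as_string(), removed


if __name__ == "__main__":
    external = "203.0.113.7"        # constructed: a host out on the Internet
    internal = "192.168.10.5"       # constructed: the internal relay
    # Weak: StripReceivedHeaders=1 with AcceptForRelayFrom left at "*".
    # Every sender, the Internet host included, gets its trail erased.
    print("weak, external client:", receive(SAMPLE_MESSAGE, external, False, 1, ["*"])[1], "headers removed")
    # Hardened: only the internal relay range is trusted for stripping.
    print("hardened, external client:", receive(SAMPLE_MESSAGE, external, False, 1, ["192.168.0.0/16"])[1], "headers removed")
    print("hardened, internal client:", receive(SAMPLE_MESSAGE, internal, False, 1, ["192.168.0.0/16"])[1], "headers removed")
```

The practical check before enabling the option is therefore the AcceptForRelayFrom list itself: it must name only the internal relays whose topology you want hidden, never "*", and the SMTPRS log files remain the only record of where a stripped message came from.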
In MAILsweeper for SMTP SP2, a new feature was added allowing a real-time black list (RBL) host to be specified.
It is configured as follows (from the SP2 release notes):
RBL Configuration
To set up the RBL domain add the following to mailswp.cfg [SMTP General] section:
v:RBLDomain=$S"Required Domain".
Note: This service may require a subscription and IP address registration with the Real Time Blacklist organization.
e.g. v:RBLDomain=$SBlackholes.mail-abuse.org
The message returned to the sending SMTP relay can also be configured.
The default message is:
550 This system is configured to reject mail from 194.168.90.24
There is a new configuration entry v:RBLResponse=$S"Required Message"
e.g.
[SMTP General]
v:RBLDomain=$SBlackholes.mail-abuse.org
v:RBLResponse=$SMessage Blocked by RBL
This would return the following response to the sending relay:
550 This system is configured to reject mail from 194.168.90.24 Message Blocked by RBL
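How the RBL lookup and the configurable response fit together, as an added Python example (illustrative code written for this document, not MAILsweeper code). It builds the DNSBL query name the way every DNS-based list expects it (client address with the octets reversed, under the list domain), looks it up, and formats the 550 line with the RBLResponse text appended exactly as shown above. The DNS answers are a constructed in-memory table so the example runs offline; a real gateway issues the lookup to its resolver.

```python
import ipaddress

# Constructed stand-in for DNS. A real gateway does an A lookup for the
# reversed client address under RBLDomain; a listed address resolves
# (historically to a 127.0.0.x value) and an unlisted one gets NXDOMAIN.
FAKE_DNS = {
    "24.90.168.194.blackholes.mail-abuse.org": "127.0.0.2",   # constructed listing
}


def dnsbl_query_name(client_ip, rbl_domain):
    """Build the DNSBL lookup name: octets reversed, then the list domain.
    DNS names are case-insensitive, so the configured value is lowercased
    and a trailing dot is tolerated."""
    ip = ipaddress.IPv4Address(client_ip)      # rejects malformed input
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return f"{reversed_octets}.{rbl_domain.lower().rstrip('.')}"


def rbl_check(client_ip, rbl_domain, rbl_response="", resolve=FAKE_DNS.get):
    """Return None when the client may continue, or the 550 line to send.

    The reply text follows the page: the fixed rejection sentence, with the
    optional RBLResponse value appended after a single space. `resolve`
    must return None for an unlisted name (NXDOMAIN) and a value otherwise.
    """
    if resolve(dnsbl_query_name(client_ip, rbl_domain)) is None:
        return None
    reply = f"550 This system is configured to reject mail from {client_ip}"
    if rbl_response:
        reply += " " + rbl_response
    return reply


if __name__ == "__main__":
    # Values from the page's own example: RBLDomain and RBLResponse as configured.
    print(rbl_check("194.168.90.24", "Blackholes.mail-abuse.org", "Message Blocked by RBL"))
    print(rbl_check("198.51.100.9", "Blackholes.mail-abuse.org", "Message Blocked by RBL"))  # unlisted: None
```

Two operational caveats follow from the lookup being plain DNS. A list zone that has been retired and no longer answers fails open (every client looks unlisted), while a zone that starts answering for every name fails closed and rejects all inbound mail; both have happened to public lists over the years, so confirm the configured RBLDomain is still served and check the gateway logs for a sudden change in rejection rate after enabling it.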
The MAILsweeper SMTP delivery service will open up to 50 delivery connections at a time. This number can be controlled via a configuration entry.
In mailswp.cfg, add the following to the [SMTP General] section:
[SMTP General]
v:MaxDeliveryThreads=$I30
This reduces the number of delivery threads from 50 to 30.
Configuring Minimum CDA ASCII length
Microsoft PowerPoint files are prone to false positives in text analysis: MAILsweeper extracts many short runs of three ASCII characters from them, and these can match entries on the default profanity list such as XXX. By default, runs of three or more characters are extracted as words. This value can be increased to avoid this type of false positive.
The setting is in format.cfg in the [Format\CDA Files] section. The line to modify is:
v:MinAsciiLength=$I3
Be aware that while this reduces false positives, it also lets genuine three-letter words bypass text analysis.
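The trade-off in concrete terms, as an added Python example (illustrative code written for this document, not the CDA text extractor itself): a strings-style extraction of printable ASCII runs from a constructed binary blob, followed by a profanity match against a constructed three-entry list. At MinAsciiLength 3 the binary noise "XXX" and the fragment "ass" both hit; at 4 neither does, but the genuine three-letter word "the" is no longer seen by text analysis either.

```python
import re

# Constructed byte blob standing in for the raw streams of a PowerPoint
# file: binary filler with short printable fragments mixed in.
SAMPLE_STREAM = (
    b"\x00\x01\xd0\xcfXXX\x00\xff\x11"
    b"Quarterly results\x00"
    b"\x00\x00ass\x00\x00"
    b"\xff\xfeq4 revenue up 8%\x00"
    b"\x00\x00\x00the\x00"
)

# Constructed two-entry stand-in for the default profanity list.
PROFANITY = {"xxx", "ass"}


def extract_ascii_runs(data, min_ascii_length=3):
    """Return every run of at least min_ascii_length printable ASCII bytes
    (0x20-0x7e), the way a strings-style extractor pulls text out of a
    binary stream. min_ascii_length plays the role of MinAsciiLength."""
    if min_ascii_length < 1:
        raise ValueError("MinAsciiLength must be at least 1")
    pattern = rb"[\x20-\x7e]{%d,}" % min_ascii_length
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def profanity_hits(data, min_ascii_length=3, wordlist=PROFANITY):
    """Words from the extracted runs that appear on the profanity list,
    in the order they were found."""
    hits = []
    for run in extract_ascii_runs(data, min_ascii_length):
        for word in re.findall(r"[A-Za-z]+", run):
            if word.lower() in wordlist:
                hits.append(word)
    return hits


if __name__ == "__main__":
    for n in (3, 4):
        print(f"MinAsciiLength={n}: runs={extract_ascii_runs(SAMPLE_STREAM, n)} "
              f"hits={profanity_hits(SAMPLE_STREAM, n)}")
```

Raising the minimum length is a blunt instrument: it removes the short-run noise from compound documents but also blinds the scenario to every three-letter word in real text, so it is a per-customer decision rather than a default to recommend.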
Some useful SMTPDS Registry settings
The SMTPDS registry manual contains some useful information on registry keys to control timeout and other delivery settings.
All these keys exist under the SYSTEM\CurrentControlSet\Services\SMTPDS\Parameters key
Registry entry, type and function:
SendTimeout0 (*) REG_DWORD
Timeout in seconds for socket send operations (sending commands and blocks of message data) when SMTPDS is sending mail. Default: 300.
ReceiveTimeout0 (*) REG_DWORD
Timeout in seconds for socket receive operations (receiving responses to SMTP commands) when SMTPDS is sending mail. Default: 300.
ReceiveTimeout1 (*) REG_DWORD
Timeout in seconds for socket receive operations when receiving the final response to the SMTP DATA command while SMTPDS is sending mail. Default: 600.
Timeout (*) REG_DWORD
SMTPDS regularly checks the domain subdirectories to see if it is time to retry any domain. This value is the interval in seconds between checks. Default: 120.
Making the security service run on a single processor on a multi-processor host
It is possible to make MAILsweeper run on only one processor of a multi-processor host. This is done by modifying a registry entry.
To do this, set the key - LimitToSingleProcessor to be 1 under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSS\Parameters
Configuring the maximum number of CDA streams
Some CDA documents with a complex or non-compliant structure can fail to Undetermined with the error:
"The system encountered a failure in the OLE libraries"
This is commonly caused by corrupt or non-compliant documents. MAILsweeper will handle up to 50 data streams before failing the message to Undetermined. This value can be changed with a configuration entry.
In the file Format.cfg in the section [Format\CDA Files] add the line
v:MaxNumStreams=$I500
where the $I value is the number of streams MAILsweeper will process before failing the message to Undetermined.
If the processing of a message takes longer than a specified number of seconds, the priority of the message is lowered so that other messages can be processed. The message remains in the \unchecked folder. The default is 30 seconds, but this can be changed in mimeswp.cfg in the [Jobs] section:
[Jobs]
v:MaxJobTime=$I30
MAILsweeper will, by default, process up to 5 messages simultaneously. The value can be changed via the use of a configuration entry. This is achieved in mimeswp.cfg in the [jobs] section.
[Jobs]
v:MaxJobs=$I5
Be aware that MAILsweeper is not tested with a setting above 5 and any higher value is unsupported. Experience has shown that settings above 8 reduce performance.
The font size for disclaimers can be set via the use of a configuration entry. The entry is added to the scenarios.cfg file to the relevant disclaimer section:
[Scenarios\Outgoing\Legal disclaimer\Content\Ame]
v:FontSize=$I36
v:Append=$Btrue
v:AddText=$S"************************************************"
v:AddText=$S"This electronic message together with any attachments is confidential. If"
The SMTP receiver service port can be changed from the default of 25. This is done in mimeswp.cfg in the [SMTP Receiver] section:
[SMTP Receiver]
v:PortNo=$I25
Here are several configuration entries for the [Format\CDA Files] section in format.cfg:
v:MinUnicodeLength=$I6 (any value > 0)
Minimum number of contiguous valid Unicode characters to be extracted as text (the Unicode counterpart of MinAsciiLength above). This value defaults to 6 if no configuration setting is given.
v:CDAClassId
This feature allows a class ID to be assigned to a format.
e.g.
v:CDAClassId=$S{0003000C-0000-0000-C000-000000000046}, MS Word
This means that any object with the class ID {0003000C-0000-0000-C000-000000000046} will be classed as MS Word.
v:DisableProcessingOf
This entry disables analysis of a particular class ID; data with that class ID is then treated as plain binary.
e.g.
v:DisableProcessingOf=$S{0003000C-0000-0000-C000-000000000046}
MAILsweeper for SMTP 4.3 undocumented features
This section covers undocumented features in 4.3.
CDA Settings
There are some specific CDA features added in the 1.4 technology release that may be of some use. These are added to the format.cfg file in the section [Format\CDA Files].
V:SetProcessingOf
Can be used to set the required processing of a specific CLSID (if, say, it is causing instability in the field). The general format is as follows:
SetProcessingOf=CLSID,Processing
The first token is the CLSID and the second the desired processing, which may take one of the following values:
"Specific" if document-specific processing is required.
"Default" if default CDA decomposition is required.
"Disabled" if no handling is required. The data will be treated as binary.
For example, the following property:
SetProcessingOf={E6FDDA0C-01BA-4643-81CD-42BC00F7AAF0},Disabled
will prevent any decomposition, default or otherwise, of any CDA component with the specified CLSID.
The data will be treated as binary.
The following property:
SetProcessingOf={E6FDDA0C-01BA-4643-81CD-42BC00F7AAF0},Default
will prevent decomposition by a CLSID-specific handler but will allow default decomposition.
Note: if the wildcard CLSID is specified, it has the effect of setting the required processing for ALL CLSIDs.
For example:
SetProcessingOf={FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF},Default
will prevent CLSID-specific decomposition of all CDA document types. However, if a specific CLSID is also present in the configuration, it will take precedence.
For example:
SetProcessingOf={FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF},Default
SetProcessingOf={E6FDDA0C-01BA-4643-81CD-42BC00F7AAF0},Specific
will force default decomposition for all CLSIDs except the specified one, which will have document-specific handling applied.
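The precedence rules above (and the DisableProcessingOf entry from the 4.2x section, which the page also describes as making the data be treated as binary), as an added Python example; this is illustrative code written for this document, not the CDA engine's own parser. It reads SetProcessingOf and DisableProcessingOf lines from a constructed [Format\CDA Files] fragment in both spellings that appear on the page, validates the CLSID shape and the processing value, and resolves a CLSID so that an exact entry beats the wildcard. Two assumptions are labelled in the code: DisableProcessingOf is treated as equivalent to SetProcessingOf=CLSID,Disabled, and a CLSID with no entry at all is reported as "Specific", since the page does not name the no-entry case.

```python
import re

WILDCARD_CLSID = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}"
VALID_MODES = {"Specific", "Default", "Disabled"}
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")
LINE_RE = re.compile(r"^(?:[vV]:\s*)?(SetProcessingOf|DisableProcessingOf)\s*=\s*(?:\$S)?(.+)$")

# Constructed [Format\CDA Files] fragment. Both spellings seen in this
# document are accepted: "v:Key=$Svalue" and the bare "Key=value" form.
# The third CLSID is made up for the example.
SAMPLE_FORMAT_CFG = """\
[Format\\CDA Files]
v:MinAsciiLength=$I3
V:SetProcessingOf=$S{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF},Default
SetProcessingOf={E6FDDA0C-01BA-4643-81CD-42BC00F7AAF0},Specific
V:DisableProcessingOf=$S{11111111-2222-3333-4444-555555555555}
"""


def parse_cda_processing(cfg_text):
    """Return {CLSID (upper-cased): mode} from SetProcessingOf and
    DisableProcessingOf lines, rejecting malformed CLSIDs and unknown modes.

    Assumption: DisableProcessingOf=CLSID is treated as equivalent to
    SetProcessingOf=CLSID,Disabled (both are described as treating the
    data as binary).
    """
    rules = {}
    for raw in cfg_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # section header, other keys, blank lines
        key, value = m.groups()
        value = value.strip().strip('"')
        if key == "DisableProcessingOf":
            clsid, mode = value, "Disabled"
        else:
            clsid, _, mode = value.partition(",")
            clsid, mode = clsid.strip(), mode.strip()
        clsid = clsid.upper()
        if not CLSID_RE.match(clsid):
            raise ValueError(f"malformed CLSID in line {raw!r}")
        if mode not in VALID_MODES:
            raise ValueError(f"bad processing mode {mode!r} in line {raw!r}")
        rules[clsid] = mode
    return rules


def processing_for(clsid, rules):
    """Apply the precedence the page describes: an entry for the exact CLSID
    beats the wildcard entry. With no matching entry the document is handled
    as normal, which this example reports as "Specific" (assumption)."""
    clsid = clsid.upper()
    if clsid in rules:
        return rules[clsid]
    return rules.get(WILDCARD_CLSID, "Specific")


def resolve_from_cfg(cfg_text, clsid):
    """Convenience wrapper: parse the fragment and resolve one CLSID."""
    return processing_for(clsid, parse_cda_processing(cfg_text))


if __name__ == "__main__":
    for c in ("{E6FDDA0C-01BA-4643-81CD-42BC00F7AAF0}",   # exact entry wins
              "{11111111-2222-3333-4444-555555555555}",   # disabled via DisableProcessingOf
              "{22222222-2222-2222-2222-222222222222}"):  # falls through to the wildcard
        print(c, "->", resolve_from_cfg(SAMPLE_FORMAT_CFG, c))
```

The CLSID check is there because a mistyped or mis-hyphenated CLSID silently matches nothing, so a setting added to stop an unstable handler would simply not apply; failing loudly at load time is the safer behaviour for a support-driven change.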
Search for the section headed [SMTP Receiver], and add the following item:
v:BlockBlankReturnPathDomain=$I1