After Migrating GWAVA To A Linux Server, There Is A Lot Less Spam. Is GWAVA Blocking Good Mail?

  • 7020483
  • 21-Jul-2010
  • 07-Aug-2017

Environment


GWAVA 4.5 on Linux
SMTP Scanner

Situation

After moving GWAVA from a NetWare server to a Linux server, there is a significantly lower amount of spam.  Is it possible that GWAVA is also blocking legitimate messages?

Resolution



The answer depends on GWAVA's settings.  GWAVA can be configured in a number of ways, each of which can have a different effect.

Follow these steps to narrow down whether GWAVA is blocking the proper messages:
1)  Find out what scanning method is being used.
Log in to the GWAVA Management Console, and browse to Server/Scanner Management-> [Server Name]-> Manage Scanners-> [scanner]-> Scanning Configuration-> Antispam-> Heuristics.

Click on 'Show Spam Scanner Settings.'

The option on the page above, highlighted in red, will tell you what type of scoring method you are using.  Linux servers are set to the signature method by default.

The signature method is not available on NetWare servers, and is a much more powerful and efficient way to scan for spam.  The signature method uses global signatures to create definitions of what is spam.  Depending on how GWAVA was set up on the NetWare server, the signature method should significantly decrease the amount of spam received.

If another 'Score method' is selected, such as Score or Probability, then the 'thresholds' may be too high, and most messages are getting deleted.  Adjusting the spam thresholds is a trial-and-error process, and it is recommended to use the Automatic setting for Antispam configuration mode.
2)  Check if Connection Dropping is enabled.
In GWAVA Management Console, browse to Server/Scanner Management-> [Server Name]-> Manage Scanners-> [scanner]-> Scanning Configuration-> Antispam.

There are three scanning settings under Antispam that use 'Connection Dropping.'  Connection Dropping can only be used on an SMTP scanner.  RBL, IP Reputation, and SPF all use Connection Dropping.  More information about Connection Dropping can be found here.

If any of these options have Connection Dropping enabled, then messages that trigger that event will have the connection terminated, and the message is no longer processed.  These messages will not be quarantined, and notifications will not be sent either, so you will not see a large portion of the spam hitting your server.
3)  Check the 'Exceptions' lists.
In GWAVA Management Console, browse to Server/Scanner Management-> [server]-> Manage Scanners-> [scanner name]-> Exceptions.

Beware of creating exceptions similar to the one above.  An exception in any of the lists with *@*.com or *@*.org will allow mail from all email addresses that end with .com or .org.  Messages that are spam will get through and won't be tagged or quarantined as spam.  So it may look like there is little spam, but a lot of spam will actually be getting through.
4)  Check the filters.
Browse to Server/Scanner Management-> [server]-> Manage Scanners-> Scanning Configuration.

Similar to the exceptions, a Source address (from:) or a Destination address (to:) filter that uses wildcards, as above, will block a large majority of messages.  This reduces a large portion of the spam you would normally get, but at the same time blocks any other messages that are actually legitimate email.

Filters and exceptions such as these create a lot of problems, and it is highly recommended to use more specific addresses, like *@abcbank.com or even *@*.abcbank.com.  These at least limit the action to one domain.
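
To see how much mail a wildcard entry actually covers, the following added example (not GWAVA code, and not part of the original article) checks a list of exception or filter patterns against sample sender addresses and flags entries that are not limited to one domain. It assumes that * matches any run of characters, as in shell globs; the entry list, the sender addresses and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample data, not taken from a real GWAVA configuration.
ENTRIES = ["*@*.com", "*@*.org", "*@abcbank.com", "*@*.abcbank.com"]
SENDERS = [
    "teller@abcbank.com",
    "alerts@mail.abcbank.com",
    "promo@bulk-offers.example.com",
    "newsletter@charity.example.org",
]

def is_overbroad(pattern):
    """True when the entry is not pinned to one domain (e.g. *@*.com)."""
    _, at, domain = pattern.lower().rpartition("@")
    if not at:
        return True  # no '@': the entry cannot be tied to a domain
    labels = domain.split(".")
    if len(labels) < 2:
        return True  # e.g. *@* has no fixed domain at all
    # Both the TLD and the label to its left must be literal text.
    # Multi-part suffixes such as .co.uk are not handled here.
    return any(c in label for label in labels[-2:] for c in "*?[")

def matches(pattern, address):
    # Assumption: '*' matches any run of characters, case-insensitively.
    return fnmatch.fnmatchcase(address.lower(), pattern.lower())

def audit(entries, senders):
    """Report, per entry, whether it is overbroad and which senders it covers."""
    return [
        {
            "pattern": p,
            "overbroad": is_overbroad(p),
            "hits": [a for a in senders if matches(p, a)],
        }
        for p in entries
    ]

if __name__ == "__main__":
    for row in audit(ENTRIES, SENDERS):
        flag = "REVIEW" if row["overbroad"] else "ok"
        print(f"{flag:6} {row['pattern']:18} covers {len(row['hits'])}/{len(SENDERS)} senders")
```

An entry flagged REVIEW in an exception list lets every covered sender bypass spam tagging; the same entry in a filter blocks every covered sender.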

If all of these settings seem normal and you are concerned that legitimate mail is getting blocked, contact GWAVA support to check through the log files to verify whether legitimate senders are being blocked.

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 1816.