The individual stages of the multi-stage filter are perfectly tuned to each other. The procedures determine probabilities as to whether a particular mail is spam. The combined evaluation of the probabilities ensures the reliable identification of spam. E-mail messages that seem to be spam are tagged and delivered to the mailboxes.
The tarpit emulation makes spammers believe they are confronted with a so-called tarpit. Tarpits are used to harm spammers so they abort the transmission when they suspect the receiving mail server could be a tarpit.
Graylisting exploits the fact that spammers endeavor to send out large numbers of E-Mails within a short period of time. Unlike a regular mail server, they do not respond to the request to resend the mail after a few minutes.
Sender addresses frequently used for spam mail are recorded in realtime blackhole lists (RBL) and DNS blacklists (DNSBL). The lists, which are managed centrally and are therefore always up to date, are queried online. The reputation filter uses the classification of a large network of participating users in order to distinguish spam from legitimate E-mail. Based on the properties of an E-Mail, the heuristics check the probability of spam. For this purpose, the mail contents are examined for various criteria, such as entries in header fields, too many HTML tags, or keywords. More than 800 heuristics are included in the assessment.
To circumvent detection methods, spammers often adapt their mails only slightly. The self-learning filter uses the insight from previously examined spam mail for identifying variants.
If staff members are to be enabled to influence the detection of spam, the trainable filter can be used. Mail stored in the "Spam" or "Ham" folders affect the calculated spam probability of future E-mails.
The administrator can configure additional filters for header entries and attachments. In this way, certain file types (MIME and extensions) in attachments and certain header entries can be filtered directly.