Teach SecurityGateway to Recognize Spam

Recently, I wrote a post about teaching your MDaemon Inbox to recognize spam using the Bayesian learning feature. This feature helps to train the spam filter to be more accurate over time by feeding it samples of spam and non-spam messages. SecurityGateway also includes Bayesian learning features (in addition to many other security features designed to keep spam, viruses, malware and phishing attacks from hitting your mail server). Today, I’ll be explaining how to use these features to teach SecurityGateway how to get better at recognizing spam (false negatives – spam messages that were not filtered out) and non-spam (false positives – legitimate messages that were marked as spam).

Administrator Instructions

Administrators must first enable and configure Bayesian learning in SecurityGateway before users will be able to use it. Follow these steps to enable and configure Bayesian learning.

  1. Click on the Security tab, and then click on Heuristics & Bayesian under the Anti-Spam section.
  2. Make sure the first box, “Use heuristic rules and Bayesian classification to analyze messages” is checked. This setting basically turns the spam filter on and is enabled by default.
  3. Under “Location (all domains),” click on the link to configure SGSpamD. You can optionally select a domain in the drop-down menu at the top to configure these settings for a specific domain.

    Enable SGSpamD

    Enable SGSpamD

  4. Under the “Bayesian Classification” section, check the first box to enable Bayesian classification.

    Enable Bayesian Classification

    Enable Bayesian Classification

  5. By default, 200 samples of spam and 200 samples of non-spam are needed before Bayesian learning can take place. You can adjust this number in the blanks provided, but in most cases, this will not be necessary.
  6. By default, Bayesian learning takes place at midnight each night. You can select the second option under the “Bayesian Learning” section if you’d like to schedule Bayesian learning more frequently, at regular intervals. This is useful if you have a larger number of messages to learn from. You can also select the third option if you do not want Bayesian learning to run automatically based on a schedule. When this option is selected, you can use the link at the bottom of the Bayesian Learning section to perform Bayesian learning as needed.

    Bayes Schedule

    Bayes Schedule

  7. SecurityGateway needs to know where to find messages to be fed to the Bayesian learning engine. By default, messages are  placed inside the C:/Program Files/Alt-N technologies/SecurityGateway/BayesSpam and BayesHam directories. You can optionally use a different path mapped to a different drive to improve performance.

    Known Spam Directory

    Known Spam Directory

  8. In the following two blanks, enter the Spam and Non-Spam forwarding addresses. The default addresses are spamlearn and hamlearn, so if your domain is example.com, users can forward spam messages (as an attachment) to spamlearn@example.com to feed these messages to the Bayesian learning engine. This procedure is explained in greater detail later when we discuss how end users can submit spam and non-spam messages to the Bayesian learning engine.

    Spam Forwarding Addresses

    Spam Forwarding Addresses

  9. Most spam messages are relatively small, thus, you can place a size limit on messages to learn from by checking the box “Don’t learn from messages larger than” and entering a value (in bytes) in the blank blow. Placing a size limit on messages to learn from helps improve the performance of the Bayesian learning engine.

    Bayes Size Limit

    Bayes Size Limit

  10. You can automate the Bayesian learning process by enabling Automatic Bayesian Learning. By default, messages that score less than 0.1 are considered to be legitimate and only messages that score a 12.0 or above are considered to be spam for purposes of automatic Bayesian learning. Before enabling automatic Bayesian learning, I would recommend reviewing your message logs for false negatives and false positives and use their spam scores as guidelines for populating the spam and non-spam scoring thresholds. You can also optionally check the boxes to only learn non-spam messages from domain mail servers and authenticated sessions, and only learn spam from inbound messages.

    Bayes Automatic Learning

    Bayes Automatic Learning

  11. Before I explain the next setting, I want to explain the concept of “tokens.” When the Bayesian learning feature “learns” from a message, it takes snippets of information from the message, such as words or phrases, and uses this information to create tokens. These tokens are accumulated and when a new message is scanned by Bayesian learning, its contents are compared to these tokens to look for similarities. Under the Bayesian Database section, check the box to enable Bayesian automatic token expiration. This helps to limit the token database to a manageable size, expiring old tokens and replacing them with new ones when the maximum number of Bayesian database tokens (specified in the blank below) has been reached. When this number of tokens is reached, the Bayesian system removes the oldest, reducing the number to 75% of this value or 100,000 tokens, whichever is higher. 150,000 tokens make up about 8MB of data.
  12. Click Save and Close to save your changes.

End User Instructions

Now that SecurityGateway has been configured properly on the server, users can start feeding samples of spam and non-spam to the Bayesian learning engine.

There are two methods users can use to submit samples of spam and non-spam to the Bayesian learning engine in SecurityGateway. The first (and easier) way is to use the thumbs-up and thumbs-down icons in the SecurityGateway interface. The second way is by forwarding spam and non-spam messages (as attachments) to designated email addresses.

To mark messages as spam or non-spam using the SecurityGateway interface, follow these steps:

  1. Log into SecurityGateway.
  2. Click on My Message Log. This brings up a list of all of your inbound and outbound messages.
  3. Click on the message you wish to mark as spam or non-spam, and then click on the Thumbs-up button to mark the message as non-spam, or the thumbs-down button to mark the message as spam.
    Mark Message as Spam

    Mark Message as Spam

    You will receive confirmation that the message was marked as spam.

    Marked as Spam Confirmation

    Marked as Spam Confirmation

To feed messages to the Bayesian learning engine by forwarding them as attachments, simply attach the message to an email addressed to the designated hamlearn@ or spamlearn@ address for your domain (example: spamlearn@example.com). Note: SMTP authentication must be used.

If you are using WorldClient, you can right-click on the message and select “Forward as Attachment.” Then, populate the To: field with the spamlearn@ or hamlearn@ address and simply send the message.

Forward as Attachment

Forward as Attachment

When used properly, Bayesian Learning is a powerful tool for reducing spam and ensuring legitimate messages are not blocked by the spam filter. More information can be found in this knowledge base article.

Don’t let spam ruin your day. These tips can help you keep the bad stuff out of your Inbox so you can focus on your business!

Teach your Inbox to Recognize Spam

MDaemon has many features for fighting spam that, when configured properly, can be very effective at blocking out unwanted junk email.  However, it is possible for the occasional spam message to slip through. Likewise, it is also possible for the occasional non-spam message to be mistakenly identified as spam and blocked from being delivered. This is especially true if you work in finance or the medical industry, where you are more likely to receive legitimate email messages that contain words often found in spam. This presents a challenge: How can administrators and end users improve the accuracy of the spam filter?

An effective solution to the problem is using Bayesian analysis to help MDaemon “learn” what is & is not spam.

You may be thinking, “So what is Bayesian analysis?” Bayesian analysis is based on Bayesian logic, which is a branch of logic that deals with probability inference – predicting future events based on knowledge of prior events. In the context of spam filtering, MDaemon’s Bayesian Learning feature uses Bayesian logic to make inferences about the probability that a message is spam based on the patterns contained within it and how those patterns compare with the patterns found in messages that have been fed to the Bayesian Learning engine.

Bayesian Learning helps train MDaemon’s spam filter to become more accurate over time by feeding it samples of spam and non-spam messages. This is especially useful for the medical and finance industries, where certain keywords are “spammy” to one industry but not the other. This feature also helps reduce false positives (legitimate messages mistakenly marked as spam) or false negatives (spam messages that were not marked as spam).

So how does Bayesian Learning work & how can users use it to train their inboxes to recognize spam? Keep reading to find out!

How to Use Bayesian Learning – The Short Version

Before we get into the details of how to use MDaemon’s Bayesian Learning features, let’s start with a high-level overview of how to use it. First, the administrator enables Bayesian Learning in MDaemon. Then, the administrator creates the Spam and Non-Spam public folders and grants users Lookup/Insert access rights to those folders. Ham/Spam forwarding addresses can also be enabled, so that messages sent to them as attachments can be fed to the Bayesian Learning engine accordingly. Users who receive false-negatives or false-positives can then feed those messages to the Bayesian Learning engine using various methods. By default, after 200 spam and non-spam messages have been collected, Bayesian Learning takes place & the contents of these messages are added to a database of “tokens.”

Instructions for Administrators

The administrator needs to enable Bayesian Learning in MDaemon, and configure Bayes folder access and optionally configure forwarding addresses, as outlined in the following steps.

  1.  In MDaemon, navigate to Security | Spam Filter, and click on Bayesian Classification in the left-hand navigation menu.

    MDaemon Bayesian Learning

    Bayesian Learning in MDaemon

  2. Check the first box to enable Bayesian classification.
  3. By default, the second box (Schedule Bayesian learning for midnight each night) is checked. If you have a lot of spam/non-spam messages to learn from, you may want to schedule Bayesian learning at more frequent intervals by un-checking this box and entering a value in the following blank (Schedule Bayesian learning once every __ hours).
  4. Most spam messages are relatively small, so to improve performance, you can enter a value in the “Do not learn from messages larger than” blank. 50,000 bytes is the default value.
  5. Before we discuss the checkbox to enable spam/ham forwarding addresses, we need to create public folders for spam and non-spam messages. Click on the Create button to populate these fields with the default location for these folders, or use the buttons to the right to specify a different location. By default, access permission to these folders is only granted to local users of local domains and is limited to Lookup and Insert rights. The postmaster’s default permissions are Lookup, Read, Insert, and Delete. To prevent users from placing spam in the non-spam folder and vice-versa, you could remove access to these folders for all users except the administrator (via Setup | Public Folder Manager), and create another pair of spam/non-spam folders, then grant users Lookup and Insert rights to those folders instead. This allows the administrator to review the contents of these folders for improperly placed messages before placing them in the Bayesian Spam and Non-Spam folders.
  6. You can optionally check the box “Enable spam and ham forwarding addresses.” When this box is checked, users can forward false-negatives or false-positives to spamlearn@yourdomain.com or hamlearn@yourdomain.com to feed these messages to the Bayesian Learning engine. This process is explained in greater detail later in this post.
  7. Users who have been granted Lookup & Insert access rights to the Spam and Non-Spam folders can use the thumbs-up & thumbs-down icons in WorldClient to feed spam (false-negatives) and non-spam (false-positives) to the Bayesian Learning engine. Administrators who wish to remove these icons for all users can edit the MDaemon/WorldClient/Domains.ini file and add the following:
    Save the file and restart MDaemon (or IIS, if WorldClient is running on IIS).
  8. Administrators who wish to remove these icons for a specific user can edit the User.ini file for the user (located at MDaemon/Users/example.com/(username)/WC) as follows:

Instructions for End Users

Now that Bayesian Learning is properly configured in MDaemon, users can begin feeding the Bayesian Learning engine samples of spam and non-spam messages to train the spam filter to become more accurate. There are various ways to train the Bayesian Learning engine – using the thumbs-up & thumbs-down icons in WorldClient, using drag & drop to drag messages to the Spam and Non-spam folders (when using IMAP or Outlook Connector), or forwarding messages as attachments to the assigned spamlearn@ or hamlearn@ addresses (useful for POP users).

Using WorldClient

The easiest way to train the Bayesian Learning engine is to select “This is Spam” or “This is Not Spam” (in the WorldClient theme) or the thumbs-up and thumbs-down buttons (in the LookOut and WorldClient themes) in WorldClient. Simply click once on it to highlight it, and then select “This is Spam” or click on the thumbs-down icon. If a legitimate, non-spam message was placed in your Spam folder, you can highlight it, and then select “This is Not Spam” or click on the thumbs-up icon.

Mark as Non-Spam

Mark as Non-Spam

Using Drag & Drop (IMAP & Outlook Connector)

IMAP and Outlook Connector users who have been granted Lookup and Insert access rights to the spam and non-spam folders can use drag & drop to move the message to the appropriate spam/non-spam folder.

Forwarding as Attachments (POP3)

POP3 users can forward these messages (as an attachment from an authenticated session) to the spamlearn@ and hamlearn@ addresses. Messages sent to these addresses must be received via SMTP from a session that is authenticated using SMTP AUTH.


As explained under step 5 above (under Administrator Instructions), when granting users access to the Bayesian Spam and Non-Spam public folders, it’s possible for users to feed samples of spam and non-spam to the wrong folders, making the Bayesian learning process less effective, thus, you may consider creating a separate pair of Spam/Non-Spam public folders and having users place messages in those folders instead for administrative review.


When used properly, Bayesian Learning is a powerful tool for reducing spam and ensuring legitimate messages are not blocked by the spam filter. More information can be found in the following knowledge base articles:

Bayesian Learning Information:

Training the Bayesian Learning Process in MDaemon:

Bayesian Learning Tips & Tricks: