Frequently asked questions

A key aspect in the development of NoSpamProxy Cloud is the aim of minimising the configuration effort for customers. The default settings and options available in NoSpamProxy Cloud are based on best practices that have proven to be particularly effective and secure. Migrating your own data and settings would run counter to the idea of NoSpamProxy Cloud, which is why only the existing certificates can be migrated.
Please also note the following FAQ: What does the temporary rejection with the error "4.7.4 The TLS configuration on the server is incomplete or faulty. The message cannot currently be delivered. Try again later." mean?

NoSpamProxy does without a classic quarantine due to Level of Trust. This means: If NoSpamProxy rejects an email because of suspected spam or viruses, the sender of the email is informed of the rejection by its own email server. The email must then be delivered again. The recipient has no way of getting at the content of the rejected email because it was not fully accepted at any point.
This makes NoSpamProxy Cloud one of the few products on the market that offer full compliance with the demanding German law (especially according to §206 StGB, §88 Telekommunikationsgesetz). With NoSpamProxy Cloud, you avoid the possible legal consequences that can arise for companies and private individuals from accepting an email alone. Messages in emails have legal effect even if they are sorted out and moved to the spam folder.
Read more in our blog article Emails in the spam folder are considered delivered.

Unfortunately, the architecture of NoSpamProxy does not currently allow filtering on the Header-From. Corresponding feature requests have already reached us, but the conversion requires very far-reaching changes that are currently not feasible.

Currently, servers can submit emails to NoSpamProxy Cloud on behalf of their own domains only if the emails either originate from Office 365 or come via a server that has authenticated itself via SMTP Auth. In addition, authentication via SPF is possible.

Technically, Unable to relay means that NoSpamProxy Cloud has not found a suitable rule for the email to be processed. In the vast majority of cases, the reason is an invalid recipient email address. NoSpamProxy Cloud only accepts emails for known recipient addresses. The known email addresses can be found under https://portal.nospamproxy.com/identities/users. Office 365 customers or customers who have already synchronised their user information with Azure AD can synchronise the valid recipient addresses with the Office 365 connector of NoSpamProxy Cloud. The settings for this are made under https://portal.nospamproxy.com/configuration/office365. All other clients must maintain the information manually.

The good news is that NoSpamProxy Cloud will not reject any emails due to a licence violation. Only Managed Certificates will not request further certificates in case of a licence overrun.
In any case, we as the manufacturer are informed about the licence overrun and discuss the next steps with the respective specialised trade partner if the overrun persists.

After the validation token has been entered in the respective DNS zone, it may take a few minutes until the domain is shown in the user interface as successfully validated. NoSpamProxy Cloud automatically checks the values every two minutes. The DNS caches involved may cause the check time to increase slightly. The check of the corresponding DKIM entries is also carried out automatically every two minutes.

Currently, NoSpamProxy Cloud processes emails up to a size of 150 MB. Customers who wish to receive larger emails can purchase NoSpamProxy Large Files and thus significantly extend the receiving limit.

Flow Guard makes it possible to control the volume of outbound emails. In this way, unwanted mass emails, whether generated by inexperienced users or triggered by malware, can be recognised before they are sent and the reputation of your own domain can be protected. Flow Guard assigns quotas for outbound emails to NoSpamProxy users. If the set threshold is exceeded, any further outbound email is rejected.
The thresholds per user are as follows:
- 800 recipient addresses addressed within emails per hour
- 8000 addressed recipient addresses within emails per day
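
The following is an added example, not NoSpamProxy code: a sender-side pre-check that a bulk-mail tool could run so that a mailing is throttled before Flow Guard starts rejecting it. It assumes sliding one-hour and 24-hour windows and that each addressed recipient counts once per email; the page specifies neither, and the class and method names are hypothetical.

```python
from collections import deque

HOURLY_LIMIT = 800    # recipient addresses per hour (threshold from the text)
DAILY_LIMIT = 8000    # recipient addresses per day (threshold from the text)
HOUR, DAY = 3600, 86400


class RecipientQuota:
    """Sliding-window count of addressed recipients for one sending user."""

    def __init__(self):
        # (timestamp in seconds, number of recipients), oldest first
        self.events = deque()

    def _count_since(self, cutoff):
        return sum(n for ts, n in self.events if ts > cutoff)

    def try_send(self, now, recipients):
        """Record the email and return True, or return False (nothing recorded)
        if sending it would take the user over one of the thresholds."""
        while self.events and self.events[0][0] <= now - DAY:
            self.events.popleft()  # older than a day: outside both windows
        n = len(recipients)
        if self._count_since(now - HOUR) + n > HOURLY_LIMIT:
            return False
        if self._count_since(now - DAY) + n > DAILY_LIMIT:
            return False
        self.events.append((now, n))
        return True


if __name__ == "__main__":
    # Constructed scenario: a newsletter sent in batches of 100 every 5 minutes.
    quota = RecipientQuota()
    batch = ["user@example.net"] * 100
    for i in range(13):
        print(i * 300, quota.try_send(i * 300, batch))
```
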

You will find all information on this under Level of Trust.

De-Mail or other "besondere" (special) mailboxes are not currently supported by NoSpamProxy Cloud and will not be supported in the future. This includes:
- De-Mail
- Das elektronische Behördenpostfach (beBPo)
- Das besondere elektronische Anwaltspostfach (beA)
- Das besondere elektronische Notarpostfach (beN)
- Das elektronische Bürger- und Organisationen-Postfach (eBO)

NoSpamProxy does not support public folders, as these are also no longer supported by Azure Active Directory.

If no public certificate is available for the recipient of an email, NoSpamProxy Cloud falls back on PDF Mail. The entire email content and all attachments are embedded in a protected PDF document. Before the recipient can download the PDF file, he or she must set a password. To change this password at a later date, proceed as follows:
- Go to the Web Portal.
NOTE: The address of your Web Portal is usually the registered MX record without .mail.
- Click Forgot your password?
- Follow the instructions on the screen.

You can release the licences by removing the respective Azure AD users from the user import. It is not sufficient to only remove these users from the Managed Certificates group. As long as Managed Certificates can be assigned to the respective users, we also count these certificates as an active Managed Certificate licence.
If only the certificates and the corresponding licences are to be revoked from the users, but they can still receive and send emails, you must remove these users from the Managed Certificates group. This is necessary because otherwise potentially more certificates will be issued for these users.
Once you have done this, contact our support team and submit the thumbprints of the certificates and the email addresses of the staff members who have left. Our support team then revokes and removes the certificates you mentioned.

Upgrading and removing certificates can currently only be carried out by our support team. You can import the certificates you want to upgrade via the certificate interface (see Your certificates). Then contact support with the thumbprint of the certificate; they will upgrade the certificate for you.

Yes. Details can be found under Subject flags.

In most cases, there is a problem with the key management of the communication partner. We recommend contacting the responsible administrator of the partner. All the certificate details available in the message tracking, on the Activities tab of the corresponding email, are helpful for the analysis.
If it becomes necessary to revoke the partner's S/MIME certificate, the partner must have the certificate revoked by the issuing CA (Certificate Authority). NoSpamProxy will then no longer use this S/MIME certificate.
As a temporary workaround, it is also possible to use the rule Plain text email for the communication partner.

Large files are stored in NoSpamProxy Cloud for 30 days. If you need the files beyond this period, you will need to download them.

See How do I report a problem?
Further information about our support can be found under Support.

What is Backscatterer/UCEprotect?
Backscatter emails are automatic responses in the form of "Delivery Status Notifications" informing the supposed sender of a failed delivery attempt. Spammers use this technique for two main reasons. Firstly, they pose as false senders, causing uninvolved people to suddenly receive notifications even though they have not sent an email to the actual recipient. Secondly, they try to identify valid email addresses in order to send them real spam. Neither the alleged sender nor the actual recipient is at fault in this case. As a matter of principle, we do not accept e-mails whose recipient is not known to us, which makes the sending of non-delivery reports (NDRs) superfluous.
Delisting of the gateways
We delist immediately on sovereign blocklists. However, delisting of these blocklists is always associated with a fee. No distinction is made as to whether the backscattering is legitimate or not. For this reason, we consider this business practice to be dubious and do not support it.
What can I do to deliver emails to the receiving system despite using the Backscatterer list?
In order to deliver emails to recipients despite the use of the backscatterer list, you must contact your corresponding partner and ask for an entry in the allowlist as long as the entry on the list exists. We recommend not using blocklists with a dubious reputation, especially as the main criterion for rejecting legitimate emails. Experience shows that an automatic delisting takes place within seven days. However, a new listing is not unlikely.
Articles worth reading that will help you better understand our decision:
https://www.heise.de/hintergrund/Spam-Golem-291396.html

General
- Executable files
- Executable files for Windows
- Microsoft Office
- Microsoft Excel (all)
- Microsoft PowerPoint (all)
- Microsoft Word (all)
- Text
- HTML
- PDF document
- PDF document with URLs
- Rich text format
- Rich text format with OLE objects
- Scripts
- .js
- .vbs
- .ps1
- Archives and compressed files
- 7Zip-compressed file
- ACE-compressed files
- AR-compressed files
- ARJ-compressed file
- BZIP2-compressed files
- GZIP-compressed file
- RAR-compressed files
- TAR-compressed files
- Windows Installer file
- ZIP-compressed file
- *.alz
- *.cab
- *.z
- *.zoo

In these cases, emails cannot be sent to the local Exchange server because the configured SMTP-Auth user or the notification address for local recipients has an Exchange account, but does not have the required "SendAs" authorisation in Exchange. Use one of the following options to solve the problem:
- In NoSpamProxy, use a notification address for local recipients that is not assigned to an Exchange account.
- Within the account with the affected address, give the "SendAs" authorisation to the account that is used for SMTP authentication by NoSpamProxy.

This indicates that the TLS certificate for authentication for your Office 365 has not been issued successfully.
The most common reason for this is that the certificate has already been claimed by another NoSpamProxy instance. This is possible if a test environment was previously used or if you have switched from an on-premises version to a cloud version or vice versa.
This security mechanism can only be checked and reset by the NoSpamProxy team. All you need to do is send us a message track from the message tracking and name the Office 365 tenant concerned.

In these cases, check under Corporate domains > Default domain settings whether you have set addresses for administrative notifications. These are mandatory. This may be due to the removal of a domain.

This is currently not supported and is therefore not possible.

The inbound Office 365 connector that accepted the email contains a security restriction that was not met, and the email was therefore rejected.

This error message indicates a temporary rejection caused, for example, by the necessary processing of different rules. The delivering system is informed of this temporary rejection and resubmits the emails at a self-defined interval.

An unnamed attachment is an embedded element in the body of an email that is not declared as a classic attachment and has no name or file extension.
For example, this can occur when an email is sent from an Apple device with attachments. The attachments are not declared directly in the body, but in a second HTML body that contains the attachments.
To avoid this problem, the content filter entry, which prohibits HTML files, can be supplemented by the file name "?*". This ensures that this entry only applies to attachments that have a file name.
If the content filter is based on the allowlist principle, two content filter entries must be added:
- A content filter entry must be created that filters for the file type "HTML" and the file name "?*"; this entry must then be assigned the appropriate action (e.g. "Reject entire mail").
- Directly below this, another content filter entry must be created that only filters for the file type "HTML" and is assigned an action that allows the attachment (e.g. Allow attachment).
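
The two-entry allowlist setup above can be modelled as follows. This is an added example, not NoSpamProxy code: it assumes that entries are evaluated top-down with the first match deciding, and that "?*" behaves like a shell wildcard (one character followed by anything). The sample message and all function names are constructed for illustration.

```python
from email.message import EmailMessage
from fnmatch import fnmatchcase

# Ordered entries: (file type as MIME type, file-name pattern or None, action).
ENTRIES = [
    ("text/html", "?*", "Reject entire mail"),   # HTML with any non-empty file name
    ("text/html", None, "Allow attachment"),     # remaining HTML, i.e. unnamed parts
]


def action_for(content_type, filename, entries=ENTRIES):
    """Return the action of the first matching entry (assumed: first match wins)."""
    for mime, pattern, action in entries:
        if content_type != mime:
            continue
        # "?" needs one character, so "?*" never matches a part without a name.
        if pattern is None or fnmatchcase(filename or "", pattern):
            return action
    return None  # no HTML entry applies; other entries of the filter decide


def evaluate(msg, entries=ENTRIES):
    """Return (file name, action) for every HTML leaf part of the message."""
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        action = action_for(part.get_content_type(), part.get_filename(), entries)
        if action is not None:
            results.append((part.get_filename(), action))
    return results


def sample_message(with_html_file):
    """Constructed sample: text body plus unnamed HTML body, optional HTML file."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.net", "Photos"
    msg.set_content("See attached.")
    msg.add_alternative("<html><body>See attached.</body></html>", subtype="html")
    if with_html_file:
        msg.add_attachment("<html>form</html>", subtype="html", filename="invoice.html")
    return msg


if __name__ == "__main__":
    print(evaluate(sample_message(True)))
```

Passing the entries in reverse order to evaluate() shows why the allowing entry has to sit directly below the rejecting one: with the order swapped, the named HTML file is allowed as well.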