can SF reject all spam?
ImInAfrica
Groupie Joined: 27 June 2006 Location: FL, USA Status: Offline Points: 60 |
Posted: 12 June 2009 at 6:25pm |
I can't find the reference to this, but I understand SpamFilter can either quarantine spam or deliver it.

Does SF have the feature to either STOP the SMTP session if it figures the message is spam (obviously before the DATA command), meaning drop the connection? Can it bounce the message if it realizes that it's spam in the checks after the session to the sender is disconnected? I am sure I have seen it before but can't find it anywhere.

Thanks in advance.
Amir
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
This one is a bit tricky, as the behavior (disconnect before/after the DATA command) depends on the filter configuration. As a rule of thumb, if the Bayesian filter is disabled, and the filter that is triggered has the associated "Do not quarantine" option checked, the SMTP session will be disconnected after the RCPT TO command (thus before the DATA command). If the Bayesian filter is enabled, then SpamFilter must allow the Bayesian filter to learn about the new incoming spam, thus the email must be received in full.

Of course when the SMTP session is dropped, an SMTP error code is sent to the sender before disconnecting them, so the remote server should see it, and thus the remote server then is in charge of sending an NDR (non-delivery receipt) back to the sender.
ImInAfrica
Groupie Joined: 27 June 2006 Location: FL, USA Status: Offline Points: 60 |
Thanks for the reply.

I think old age is getting to me. Am I to understand that if the Bayesian filter is enabled and "do not quarantine" is enabled as well, the sending SMTP will NOT complete the SMTP session? I don't really care about spammers and bots. Will this mean that legitimate email which is incorrectly tagged as spam will be returned to the sender by the ORIGINATING SMTP?

One more question: what happens to an email if the triggered rule has "do not quarantine" enabled? What I am trying to achieve is get rid of all the obvious spam sitting in the quarantine area.

Thanks.
Amir
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Amir,
First of all, whenever *any* kind of email is blocked, we have, since our first release in 2002, designed SpamFilter so that it is always the remote server (the originating SMTP server) that sends an NDR, never SpamFilter. So when an email is blocked/quarantined/deleted, not a single NDR email will ever be generated from within your network to the internet. We truly do not understand why some of our competitors do not do the same thing, as if this weren't the case, your own network would become a source of spam if the antispam software was to send NDRs back out to the internet...

For your question, as a rule of thumb (there are sometimes exceptions with multiple recipients), only if the Bayesian filter is *disabled* and the "do not quarantine" option is enabled, the SMTP session will be dropped before the DATA command is accepted (thus preventing the email itself from being transmitted). If the Bayesian filter is *enabled*, however, the email will be received.

To the remote server, whether an email is quarantined or not will make no difference. In both cases, the SMTP error code sent to the remote server will be the same, and the descriptive text contained in the email that the *remote server* will send back via the NDR to the sender will inform them that the email was blocked. Please note that even if an email is quarantined, it is very, very unlikely a user will ever see it (don't know about the others, but I personally check my quarantine only about once a month), so it is essentially not delivered and thus the NDR will state so.

It should be noted that there is an option suffix :NULL that can be added to some blacklists. This was added to stop "repeated offenders", that is, spammers who will keep sending the same email over and over if it gets blocked. This suffix causes SpamFilter to let the spammer know that the spam email was received and accepted (so they shouldn't retry to send it), but in reality SpamFilter will simply drop (send to NULL) the email without forwarding/quarantining it.
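The receiving-side behaviour described in the replies above, modelled as an added example (not LogSat's code, and not part of any forum post): it shows at which SMTP step the reply changes and when the sending server, not the filter, ends up owning the NDR. It covers the single-recipient rule of thumb only. The `Policy` fields, the `550` reply code and text, the "fate" labels, and the assumption that a `:NULL` entry answers `250` after the body has been received are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    bayesian_enabled: bool
    do_not_quarantine: bool     # option on the filter that triggered
    null_suffix: bool = False   # blacklist entry carries the :NULL suffix

OK = "250 OK"
REJECT = "550 message blocked"  # assumed code and text; the thread names neither

def session(policy, filter_hit):
    """Return (dialogue, outcome) for one single-recipient session (constructed)."""
    dialogue = [("MAIL FROM:<sender@example.org>", OK)]
    early = (filter_hit and not policy.null_suffix
             and not policy.bayesian_enabled and policy.do_not_quarantine)
    if early:
        # Rejected at RCPT TO: the message body never crosses the wire.
        dialogue.append(("RCPT TO:<user@example.net>", REJECT))
        return dialogue, {"body_received": False, "fate": "rejected",
                          "bayes_trained": False}
    dialogue += [("RCPT TO:<user@example.net>", OK),
                 ("DATA", "354 end with <CRLF>.<CRLF>")]
    if not filter_hit:
        reply, fate = OK, "delivered"
    elif policy.null_suffix:
        # Sender is told the mail was accepted, so it has no reason to retry.
        reply, fate = OK, "dropped"
    else:
        reply = REJECT
        fate = "rejected" if policy.do_not_quarantine else "quarantined"
    dialogue.append(("<headers and body>\r\n.", reply))
    trained = filter_hit and policy.bayesian_enabled
    return dialogue, {"body_received": True, "fate": fate, "bayes_trained": trained}

def remote_sends_ndr(dialogue):
    """The sending server owns the bounce whenever the last reply is 5xx."""
    return dialogue[-1][1].startswith("5")

if __name__ == "__main__":
    cases = {"bayes off, do-not-quarantine": Policy(False, True),
             "bayes on, do-not-quarantine": Policy(True, True),
             "bayes off, quarantine": Policy(False, False),
             ":NULL blacklist": Policy(False, True, null_suffix=True)}
    for name, pol in cases.items():
        d, out = session(pol, filter_hit=True)
        print(f"{name}: last={d[-1]} {out} ndr_by_remote={remote_sends_ndr(d)}")
```

In the `:NULL` case the sender sees a success reply, so no NDR is generated anywhere; a legitimate message caught by such an entry disappears without notice to either side.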
ImInAfrica
Groupie Joined: 27 June 2006 Location: FL, USA Status: Offline Points: 60 |
Roberto, thanks for the response.
What I understand is that if the Bayesian filter is *enabled* and the email is determined to be spam by *ANY* rule, the sender will not be notified about it. The question that now we have to ask is how big of a part does the Bayesian filter play in the spam filtering process?

Thanks
Amir
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104 |
Amir,
On average, the Bayesian filter is rather ineffective compared to the other filters, as we usually see it catching between 0.1% and 1% of the total spam blocked by SpamFilter. You can verify this yourself on your own installation by going to the "Statistics" tab in SpamFilter and looking at the "Emails by filter" sub-tab, which will give you the count of spam emails in your quarantine database being blocked by the various filters.