Anti-Spam — three classifiers in parallel.

A statistical classifier (classical Bayesian method), a neural model (deep-learning based) and reputation scoring (URL and IP score) decide together. State is synchronised across all cluster nodes in real time — the classifier learns on one node, all others benefit immediately.

Three classifiers, one verdict

Statistical

Classical Bayesian method, learns from operator feedback (spam-mark, ham-mark). Trainable per domain — the tenant's language affects word frequencies. Effective from ~500 trained mails per class.

Neural

Deep-learning model, pre-trained on a large mail corpus. Catches patterns that aren't statistically detectable — e.g. "this text reads like auto-generated marketing copy". Not trainable per tenant, but works immediately without a learning phase.

Reputation

URL- and IP-based scoring. A domain that sent 1,000 spam mails in the last 24 hours gets a bad score. Operator whitelists override automatically — your own business partners are never blocked.

Every mail receives a combined score (typically between -10 and +20). The operator sets thresholds per domain:

  • ≤ 6.0 mail goes through (default threshold, configurable)
  • 6.0 – 12.0 soft flag: header set (X-Spam-Score), subject prefix optional
  • > 12.0 quarantine (default threshold, configurable)
  • > 18.0 reject at SMTP level (5xx response, no quarantine entry, mail never arrives)

Cluster state synchronisation

Spam statistics, reputation scores, greylisting trackers and rate-limit counters are kept consistent across the cluster in a distributed in-memory store. What this means in operations:

  • The classifier learns on node 1 — nodes 2 and 3 benefit within seconds without a separate training pipeline
  • An IP rate-limited on node 1 due to volume is also blocked on nodes 2 and 3 — no "cluster hopping" by spammers
  • Greylisting decisions are consistent on all nodes — the second mail from the same sender within the greylist window is accepted on every node

Greylisting + rate limit

Greylisting returns a 4xx response on the first connection attempt (temporary failure) — legitimate mail servers retry within minutes, primitive spam bots give up. The rate limit applies per sender IP, per sender domain and per recipient address, with independently configurable thresholds. Both are standard mail hygiene; MailGuard applies them with clusterwide consistency.
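The greylisting behaviour described above, with and without shared cluster state, as an added example (not MailGuard's own code). The key of client IP, envelope sender and recipient, the window and minimum retry delay values, and the plain dict standing in for the distributed store are all assumptions made for illustration.

```python
# Added example: greylisting with clusterwide vs per-node state.
GREYLIST_WINDOW = 4 * 3600  # assumed: seconds a first-seen entry stays valid
MIN_RETRY_DELAY = 60        # assumed: a retry sooner than this is deferred again


class Node:
    """One mail node; `store` stands in for the distributed in-memory store."""

    def __init__(self, store):
        self.store = store  # maps (ip, sender, recipient) -> first-seen time

    def rcpt(self, client_ip, mail_from, rcpt_to, now):
        """Return the SMTP reply code for one delivery attempt."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.store.get(key)
        if first_seen is None or now - first_seen > GREYLIST_WINDOW:
            self.store[key] = now  # unknown or expired: start a new window
            return 451             # 4xx temporary failure, sender should retry
        if now - first_seen < MIN_RETRY_DELAY:
            return 451             # retried too quickly, keep deferring
        return 250                 # retry inside the window: accept


def simulate(shared):
    """Replay one sender's attempts against two nodes; return the reply codes."""
    store = {}
    node1 = Node(store)
    node2 = Node(store if shared else {})
    t0 = 1_000_000  # constructed timestamps (seconds)
    msg = ("192.0.2.10", "alice@example.org", "bob@example.net")  # constructed
    return [
        node1.rcpt(*msg, now=t0),                          # first attempt
        node1.rcpt(*msg, now=t0 + 10),                     # retry after 10 s
        node2.rcpt(*msg, now=t0 + 300),                    # retry lands on node 2
        node1.rcpt(*msg, now=t0 + GREYLIST_WINDOW + 400),  # window has expired
    ]


if __name__ == "__main__":
    print("shared store:  ", simulate(shared=True))
    print("per-node store:", simulate(shared=False))
```

With per-node state, the legitimate retry that lands on node 2 is treated as a first attempt and deferred again, which delays delivery.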

DNSBL and URIBL lists

Active by default: Spamhaus ZEN, SURBL, ivmsip, ivmuri. The operator can add their own lists. Each list can be enabled per domain — some tenants have specific requirements (false-positive-sensitive industries).

Operator feedback loop

When a recipient releases a quarantined mail (via digest or self-service portal), the classifier is automatically trained with a ham sample. When they mark a delivered mail as spam (move-to-junk over IMAP, or via the admin UI), it is trained as a spam sample. The classifier becomes more accurate with every piece of feedback — without the admin team having to maintain training sets manually.

Three classifiers, one consistent cluster.

Fully included in Free and Pro. Pro from EUR 29/month (10 domains, 1 server) — cluster HA + external threat feeds + DACH phishing keywords included.
