Intercept Anti-Spam Quick Start Guide

Transcription

1 Intercept Anti-Spam Quick Start Guide Software Version: Date: 5/24/07

2 PREFACE...3 PRODUCT DOCUMENTATION...3 CONVENTIONS...3 CONTACTING TECHNICAL SUPPORT...4 COPYRIGHT INFORMATION...4 OVERVIEW...5 INTERCEPT ANTI-SPAM SOLUTION...5 SPECIFIC ACCESS PATTERNS...6 PATTERN BASED MESSAGE FILTERS...6 SPAM DICTIONARIES...6 MAIL ANOMALIES...7 BORDERWARE SECURITY NETWORK...8 DNS BLOCK LIST (DNSBL)...8 URL BLOCK LISTS...9 BULK ANALYSIS...9 TOKEN ANALYSIS SPF (SENDER POLICY FRAMEWORK) AND DOMAINKEYS SPAM CATEGORIES AND ACTIONS CERTAINLY SPAM PROBABLY SPAM MAYBE SPAM ANTI-SPAM HEADER INTERCEPT DECISION STRATEGY COMPONENT WEIGHTS MANAGING YOUR INTERCEPT SOLUTION SET UP TRUST RELATIONSHIPS USER FEEDBACK

3 Preface This Quick Start Guide is designed to help the administrator configure and customize the Intercept Anti-Spam components to provide a strong spam protection configuration while minimizing false positives (messages incorrectly marked as spam). Product Documentation The eprism documentation set consists of the following documents: Document Release Notes Installation Guide User Guide Intercept Anti-Spam Quick Start Guide Description Provides up to date information on the product, including new features, improvements, issues fixed, and any known issues. If instructions in the Release Notes differ from the Installation Guide or User Guide, use the instructions in the Release Notes. Provides detailed information on how to install and provide the initial configuration for the eprism Security Appliance. Provides detailed information on how to configure and administer the eprism Security Appliance. Describes the basic configuration details and recommended strategies for eprism s Intercept Anti-Spam features. Conventions The following typographical conventions are used in this guide: Typeface or Symbol Description Example italic Screen name or data field names Activity Screen, or SMTP Port bold Button names, Menu items, and Screen names Select Mail Delivery Anti- Spam on the menu and click the Apply button courier font Text displayed on the screen and File /backup/backup.gzip and Directory names Bold courier Text entered by the user Enter: example.com Information that describes important Please see the following features or instructions Information that alerts you to potential problems and issues section for more details Use caution when enabling this feature 3

4 Contacting Technical Support St. Bernard Software telephone support is available Monday-Friday 07:00am to 4:00pm (Pacific Standard Time) 08:30 to 17:30 (UTC) North America, South America, Pacific Rim (PST) Avenue of Science San Diego, CA Main: FAX: Technical Support: Technical Support Europe, Asia, Africa (UTC) Unit 4, Riverside Way Watchmoor Park, Camberley Surrey, UK GU15 3YQ Main: FAX: Technical Support: Technical Support Copyright Information St. Bernard Software, Inc. All rights reserved. St. Bernard Software is trademark of St. Bernard Software Inc. All other trademarks or registered trademarks are hereby acknowledged. Information in this document is subject to change without notice. 4

5 Overview This guide is designed to help the administrator configure the eprism Intercept Anti-Spam engine to provide a strong spam protection configuration while minimizing false positives (messages incorrectly marked as spam.) eprism provides an easy to use, flexible, and comprehensive Anti- Spam solution designed to defend against sophisticated spam campaigns. The Intercept solution provides the following benefits: An anti-spam approach that combines multiple technologies into a single, unified solution providing a comprehensive approach to fighting spam. Multiple spam categories (Certainly Spam, Probably Spam, and Maybe Spam) allow administrators to classify messages depending on their overall level of "spaminess". These categories allow messages to be handled differently depending on their respective spam scores. Intercept provides the administrator with separate actions for each spam category. For example, messages marked as Certainly Spam can be rejected, Probably Spam messages can be marked in the subject header, and Maybe Spam messages can be just logged. These configurable actions allow administrators to customize the solution to the needs and requirements of their organization. Intercept Anti-Spam Solution Intercept s default Anti-Spam settings provide a strong default configuration to ensure that organizations can deal with a majority of spam messages with little additional configuration. Intercept s improved Anti-Spam technologies require no training to capture a majority of spam when first enabled. As eprism processes messages and the end users provide feedback, the Intercept engine can be tuned to provide optimal spam protection. The eprism Intercept Anti-Spam engine uses multiple filtering technologies that are combined together to provide a definitive spam score. Individual components can be included or excluded in the calculation and each component can be individually weighted to provide a different contribution to the score. Intercept includes the following components: Specific Access Patterns Pattern Based Message Filtering Spam Dictionaries Mail Anomalies BorderWare Security Network DNS Block List URL Block List Bulk Analysis Token Analysis SPF DomainKeys Authentication 5

6 Select Mail Delivery Anti-Spam Intercept on the menu to configure eprism's Intercept Anti-Spam engine. St. Bernard recommends that the following Intercept features be enabled: The "Reject on unknown recipient" feature is an advanced option that is not covered in this document. For more information, see the User Guide. Specific Access Patterns This filter provides SMTP connection and message attribute controls such as "maximum message size" and "maximum number of recipients". This option is always enabled. Specific Access Patterns are primarily used for trusting specific IP addresses or address blocks to prevent them from being scanned by eprism. Pattern Based Message Filters This filter is used to override the Intercept engine for allowing and blocking messages. Messages can be filtered based on any aspect of a mail message, including the envelope, header, body, and any attachments. Spam Dictionaries This filter allows administrators to tune the Intercept engine to the specific needs of an organization by blocking a configurable list of spam words and phrases. St. Bernard provides a Default Spam Words phrase file that contains the most common types of spam words. It is recommended that customers review the Default Spam Words dictionary before enabling the filter to avoid false positives that may occur with certain words that are used in your organization. This dictionary phrase file can be viewed and edited via Mail Delivery Content Management Dictionaries. Customized dictionaries can also be created in the menu for use with the Spam Dictionaries feature. 6

7 Mail Anomalies The Mail Anomalies feature performs checks on incoming messages to help determine whether the message is coming from a known source of spam or is legitimate mail. Systems that send spam have certain characteristics that can give away the nature of the sending system. Many spammers deploy scripts and use spoofed or false information when sending mail. By checking incoming connections for patterns of these behaviours, eprism can help determine whether mail from an incoming system is legitimate or spam. It is recommended that the Mail Anomalies feature be enabled with the following default configuration: 7

8 BorderWare Security Network The BorderWare Security Network (BSN) helps to identify spam by reporting behavior information for a collection of metrics about the sender of a mail message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam messages. This reputation is based on information collected from customer eprism systems, and global DNS Block Lists. This information can be used by the eprism Security Appliance to either reject the message immediately or contribute to the overall Intercept score if a message is detected from a source with a poor reputation or numerous virus infections. The following default configuration provides excellent protection from malicious systems. It is also recommended that you set your eprism to share statistics with the BSN network. eprism does not relay any private or sensitive information to the BSN when Share Statistics is enabled. DNS Block List (DNSBL) This filter is used to identify known malicious systems, such as spammers, relay sites, ISP dialups, and so on. St. Bernard provides a predefined hosted DNSBL service available to all eprism systems. It is recommended that DNSBL be enabled using the default configuration. 8

9 URL Block Lists This feature is used to determine if a message is spam by examining any URLs contained in the body of a message to see if they appear on a block list. URL Block Lists contain a list of domains and IP addresses of web addresses that have appeared previously in spam, phishing, or other malicious messages. Similar to DNS Block Lists, the URL Block List will be queried to see if the URL in the message exists on the configured block list server. If a match is found, this information will be used by the Intercept engine to decide whether a message is spam or legitimate mail. It is recommended that URL Block Lists be enabled with the default configuration. Bulk Analysis This filter uses a specialized counting method to determine whether a message has been sent to a large number of users. Spam campaigns are usually sent out to a large amount of users, and counting the number of times a message has been seen is a good indicator of spam. It is recommended that the Bulk Analysis filter be enabled using the default configuration. 9

10 Token Analysis This filter uses Bayesian analysis to determine the likelihood of a message being spam. Token Analysis scans all outbound mail for good keywords and inbound mail marked as spam for bad keywords, and builds its database over a period of time. This filter automatically adapts to an organization's mail flow with increased accuracy over time. It is recommended that the Token Analysis filter be enabled with the default configuration and with the Enable X-STA Headers option enabled. Image Spam Analysis An Image Spam message typically consists of random text or no text body and contains an attachment picture (usually.gif or.jpg format) that supplies the text and graphics of the spam message. These types of spam messages are difficult to detect because the message contains no helpful text or URL characteristics that can be scanned and analyzed. The Image Spam Analysis feature performs advanced analysis of image attachments to help determine if the message is spam or legitimate mail. Similar to eprism's other Anti-Spam features that detect spam characteristics in the text of a message, the Image Analysis feature extracts certain characteristics of the attached image to determine if these characteristics are similar to those seen in actual spam messages. Image Spam detection and analysis is enabled by default in the Advanced menu of Token Analysis. SPF (Sender Policy Framework) and DomainKeys SPF and DomainKeys are sender authentication technologies used to stop phishing attacks and fraudulent mail messages. SPF and DomainKeys are relatively new technologies that have not yet been widely implemented. Only experienced administrators who understand the implications of using SPF and DomainKeys should enable these filters. 10

11 Spam Categories and Actions The Intercept engine provides three spam categories (Certainly Spam, Probably Spam and Maybe Spam) each with its own configurable action. This granularity allows administrators to achieve maximum protection with minimal false positives. Certainly Spam Messages marked as Certainly Spam are definitely spam and can be safely rejected and prevented from entering the network. It is very unlikely that a message marked as Certainly Spam will result in a false positive. Rejecting these messages also eliminates the need to quarantine them for user review. Use the following recommended settings: Threshold: 99 Action: Reject mail Probably Spam Messages marked as Probably Spam are almost certainly spam and will unlikely result in false positives. These messages can have text inserted into the subject header and sent to the user s inbox where they can be placed in a quarantine folder for review. Use the following recommended settings: Threshold: 90 Action: Modify Subject Header Action Data: [SPAM] eprism provides a built-in quarantine server that can be used for quarantining messages for end user review. Otherwise, administrators must create filters in the end user's mailboxes to quarantine locally. 11

12 Maybe Spam Messages marked as Maybe Spam represent a grey area where a message could be spam, but may occasionally be legitimate mail such as a newsletter or bulk mailing list. These messages should be logged by eprism to indicate that they are spam, although no action was taken. Use the following recommended settings: Threshold: 70 Action: Just Log Action Data: none Messages marked as Maybe Spam should be closely monitored, as this provides the administrator with the opportunity to allow legitimate mail such as newsletters and bulk mailing lists that may be marked incorrectly as spam. Administrators can view the Database to search for all messages marked as spam so that these messages can be allowed using a Pattern Based Message Filter. Anti-Spam Header Enable the Anti-Spam header for diagnostic and troubleshooting purposes. This will include special header information in the message to help provide diagnostics to deal with false positives and false negatives, such as the following: X-BTI-AntiSpam: Score:99,sta:99/022,dcc:passed,dnsbl:passed,sw:off,bsn:95 passed,spf:off,dk:off,pbmf:none,ipr:1/5,trusted:no,ts:no,ubl:match ed/1 12

13 Intercept Decision Strategy Intercept can utilize one of many different strategies when making a decision about whether a message is spam or legitimate mail. The option to set the decision strategy is available by selecting the Advanced button on the main Intercept page. These strategies are discussed in greater detail in the eprism User Guide. The following are recommendations based on extensive St. Bernard testing. It is recommended that administrators choose the "Heuristic 2" decision strategy. This is a passive strategy that is effective for most environments providing an excellent spam catch rate with a very low chance of false positives. Advanced administrators should proceed with caution when choosing a different strategy other than "Heuristic 2". Choosing the wrong strategy could result in false positives and a lower spam capture rate. In environments where there is no Token Analysis training on outbound legitimate mail (such as some evaluation scenarios), "Heuristic 2" may result in an increase in false positives. In this case, administrators should use the "Heuristic 1" strategy, which is identical to "Heuristic 2" except that Token Analysis is de-emphasized and additional Anti-Spam features must be triggered for a message to be considered "Probably Spam" or "Certainly Spam". 13

14 Component Weights Administrators can customize the Intercept engine by configuring the weights for each Intercept component that will help determine the final spam score for a message. These values represent the scores that will be used if that component is triggered. Valid weights for each component are from 0 to 100. Set the weight to "0" if you want that feature to have no bearing on the final spam score of a message. Set this value to "100" if you want this component to have a strong weight on the final spam score of a message. The default values are recommended, however, St. Bernard recommends that the Spam Dictionaries weight be decreased to 60. The Token Analysis weight should be decreased if it is causing an increased amount of false positives to occur. Managing Your Intercept Solution After the Intercept Anti-Spam engine is initially configured, it is important that the solution is monitored and managed to ensure optimum spam capture rates and minimal false positives. Set up Trust Relationships For proper spam detection, eprism requires that a Trust relationship be set up for each mail server in the organization. Trusted mail is considered to be any mail from a private, trusted mail source and is not checked for spam. Untrusted mail is considered to be any unknown mail source and is always checked for spam. Create a Specific Access Pattern (via Mail Delivery Anti-Spam Intercept Specific Access Patterns on the menu) as follows, where is the IP address of the organization's mail server to be trusted: 14

15 User Feedback Use the following suggested feedback mechanisms and the diagnostics tools included with eprism to maximize the spam capture rate and minimize false positives. Do not be overzealous in the attempt to fight spam. Use the suggested default configuration for the Intercept engine, then adjust the filters accordingly as feedback is received. Report false positives The administrator should create a feedback account (such as "notspam@example.com") to which end users forward messages incorrectly marked as spam (false positives). This allows the administrator to determine why a message was marked incorrectly and allow the sender or adjust the filters as required. Use Pattern Based Message Filters to allow newsletters and bulk mailing lists to ensure they are not flagged as spam by Intercept. Report missed spam The administrator should create a feedback address (such as "spam@example.com") to which end users forward spam messages that were missed and not marked by the Intercept engine. This allows the administrator to determine why the message was missed and block the sender or adjust the filters as required. 15