Intercept Anti-Spam Quick Start Guide
Software Version: 6.5.2
Date: 5/24/07
Contents

Preface
Product Documentation
Conventions
Contacting Technical Support
Copyright Information
Overview
Intercept Anti-Spam Solution
Specific Access Patterns
Pattern Based Message Filters
Spam Dictionaries
Mail Anomalies
BorderWare Security Network
DNS Block List (DNSBL)
URL Block Lists
Bulk Analysis
Token Analysis
SPF (Sender Policy Framework) and DomainKeys
Spam Categories and Actions
Certainly Spam
Probably Spam
Maybe Spam
Anti-Spam Header
Intercept Decision Strategy
Component Weights
Managing Your Intercept Solution
Set Up Trust Relationships
User Feedback
Preface

This Quick Start Guide is designed to help the administrator configure and customize the Intercept Anti-Spam components to provide a strong spam protection configuration while minimizing false positives (messages incorrectly marked as spam).

Product Documentation

The eprism documentation set consists of the following documents:

Release Notes: Provides up to date information on the product, including new features, improvements, issues fixed, and any known issues. If instructions in the Release Notes differ from the Installation Guide or User Guide, use the instructions in the Release Notes.

Installation Guide: Provides detailed information on how to install and provide the initial configuration for the eprism Email Security Appliance.

User Guide: Provides detailed information on how to configure and administer the eprism Email Security Appliance.

Intercept Anti-Spam Quick Start Guide: Describes the basic configuration details and recommended strategies for eprism's Intercept Anti-Spam features.

Conventions

The following typographical conventions are used in this guide (typeface or symbol, description, example):

italic: Screen name or data field names. Example: Activity Screen, or SMTP Port
bold: Button names, Menu items, and Screen names. Example: Select Mail Delivery > Anti-Spam on the menu and click the Apply button
courier font: Text displayed on the screen, and File and Directory names. Example: /backup/backup.gzip
Bold courier: Text entered by the user. Example: Enter: example.com
Symbol: Information that describes important features or instructions. Example: Please see the following section for more details
Symbol: Information that alerts you to potential problems and issues. Example: Use caution when enabling this feature
Contacting Technical Support

St. Bernard Software telephone support is available Monday-Friday, 07:00am to 4:00pm (Pacific Standard Time), 08:30 to 17:30 (UTC).

North America, South America, Pacific Rim (PST)
15015 Avenue of Science
San Diego, CA 92128
Main: 858.676.2277
FAX: 858.676.2299
Technical Support: 858.676.5050
Technical Support Email: eprism-support@stbernard.com

Europe, Asia, Africa (UTC)
Unit 4, Riverside Way
Watchmoor Park, Camberley
Surrey, UK GU15 3YQ
Main: 44.1276.401.640
FAX: 44.1276.684.479
Technical Support: 44.1276.401.642
Technical Support Email: support@uk.stbernard.com

Copyright Information

2003-2007 St. Bernard Software, Inc. All rights reserved. St. Bernard Software is a trademark of St. Bernard Software Inc. All other trademarks or registered trademarks are hereby acknowledged. Information in this document is subject to change without notice.
Overview

This guide is designed to help the administrator configure the eprism Intercept Anti-Spam engine to provide a strong spam protection configuration while minimizing false positives (messages incorrectly marked as spam). eprism provides an easy to use, flexible, and comprehensive Anti-Spam solution designed to defend against sophisticated spam campaigns.

The Intercept solution provides the following benefits:

- An anti-spam approach that combines multiple technologies into a single, unified solution providing a comprehensive approach to fighting spam.
- Multiple spam categories (Certainly Spam, Probably Spam, and Maybe Spam) allow administrators to classify messages depending on their overall level of "spaminess". These categories allow messages to be handled differently depending on their respective spam scores.
- Intercept provides the administrator with separate actions for each spam category. For example, messages marked as Certainly Spam can be rejected, Probably Spam messages can be marked in the subject header, and Maybe Spam messages can be just logged. These configurable actions allow administrators to customize the solution to the needs and requirements of their organization.

Intercept Anti-Spam Solution

Intercept's default Anti-Spam settings provide a strong default configuration to ensure that organizations can deal with a majority of spam messages with little additional configuration. Intercept's improved Anti-Spam technologies require no training to capture a majority of spam when first enabled. As eprism processes messages and the end users provide feedback, the Intercept engine can be tuned to provide optimal spam protection.

The eprism Intercept Anti-Spam engine uses multiple filtering technologies that are combined together to provide a definitive spam score. Individual components can be included or excluded in the calculation, and each component can be individually weighted to provide a different contribution to the score.
Intercept includes the following components:

- Specific Access Patterns
- Pattern Based Message Filtering
- Spam Dictionaries
- Mail Anomalies
- BorderWare Security Network
- DNS Block List
- URL Block List
- Bulk Analysis
- Token Analysis
- SPF
- DomainKeys Authentication
Select Mail Delivery > Anti-Spam > Intercept on the menu to configure eprism's Intercept Anti-Spam engine. St. Bernard recommends that the following Intercept features be enabled:

Note: The "Reject on unknown recipient" feature is an advanced option that is not covered in this document. For more information, see the User Guide.

Specific Access Patterns

This filter provides SMTP connection and message attribute controls such as "maximum message size" and "maximum number of recipients". This option is always enabled. Specific Access Patterns are primarily used for trusting specific IP addresses or address blocks to prevent them from being scanned by eprism.

Pattern Based Message Filters

This filter is used to override the Intercept engine for allowing and blocking messages. Messages can be filtered based on any aspect of a mail message, including the envelope, header, body, and any attachments.

Spam Dictionaries

This filter allows administrators to tune the Intercept engine to the specific needs of an organization by blocking a configurable list of spam words and phrases. St. Bernard provides a Default Spam Words phrase file that contains the most common types of spam words.

Note: It is recommended that customers review the Default Spam Words dictionary before enabling the filter to avoid false positives that may occur with certain words that are used in your organization. This dictionary phrase file can be viewed and edited via Mail Delivery > Content Management > Dictionaries. Customized dictionaries can also be created in the menu for use with the Spam Dictionaries feature.
Mail Anomalies

The Mail Anomalies feature performs checks on incoming messages to help determine whether the message is coming from a known source of spam or is legitimate mail. Systems that send spam have certain characteristics that can give away the nature of the sending system. Many spammers deploy scripts and use spoofed or false information when sending mail. By checking incoming connections for patterns of these behaviours, eprism can help determine whether mail from an incoming system is legitimate or spam.

It is recommended that the Mail Anomalies feature be enabled with the following default configuration:
BorderWare Security Network

The BorderWare Security Network (BSN) helps to identify spam by reporting behavior information for a collection of metrics about the sender of a mail message, including their overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam messages. This reputation is based on information collected from customer eprism systems and global DNS Block Lists. This information can be used by the eprism Email Security Appliance to either reject the message immediately or contribute to the overall Intercept score if a message is detected from a source with a poor reputation or numerous virus infections.

The following default configuration provides excellent protection from malicious systems. It is also recommended that you set your eprism to share statistics with the BSN network. eprism does not relay any private or sensitive information to the BSN when Share Statistics is enabled.

DNS Block List (DNSBL)

This filter is used to identify known malicious systems, such as spammers, relay sites, ISP dialups, and so on. St. Bernard provides a predefined hosted DNSBL service available to all eprism systems. It is recommended that DNSBL be enabled using the default configuration.
URL Block Lists

This feature is used to determine if a message is spam by examining any URLs contained in the body of a message to see if they appear on a block list. URL Block Lists contain a list of domains and IP addresses of web addresses that have appeared previously in spam, phishing, or other malicious messages. Similar to DNS Block Lists, the URL Block List will be queried to see if the URL in the message exists on the configured block list server. If a match is found, this information will be used by the Intercept engine to decide whether a message is spam or legitimate mail. It is recommended that URL Block Lists be enabled with the default configuration.

Bulk Analysis

This filter uses a specialized counting method to determine whether a message has been sent to a large number of users. Spam campaigns are usually sent out to a large number of users, and counting the number of times a message has been seen is a good indicator of spam. It is recommended that the Bulk Analysis filter be enabled using the default configuration.
Token Analysis

This filter uses Bayesian analysis to determine the likelihood of a message being spam. Token Analysis scans all outbound mail for good keywords and inbound mail marked as spam for bad keywords, and builds its database over a period of time. This filter automatically adapts to an organization's mail flow with increased accuracy over time. It is recommended that the Token Analysis filter be enabled with the default configuration and with the Enable X-STA Headers option enabled.

Image Spam Analysis

An Image Spam email message typically consists of random text or no text body and contains an attachment picture (usually .gif or .jpg format) that supplies the text and graphics of the spam message. These types of spam messages are difficult to detect because the message contains no helpful text or URL characteristics that can be scanned and analyzed. The Image Spam Analysis feature performs advanced analysis of image attachments to help determine if the message is spam or legitimate mail. Similar to eprism's other Anti-Spam features that detect spam characteristics in the text of a message, the Image Analysis feature extracts certain characteristics of the attached image to determine if these characteristics are similar to those seen in actual spam messages. Image Spam detection and analysis is enabled by default in the Advanced menu of Token Analysis.

SPF (Sender Policy Framework) and DomainKeys

SPF and DomainKeys are sender authentication technologies used to stop phishing attacks and fraudulent mail messages. SPF and DomainKeys are relatively new technologies that have not yet been widely implemented. Only experienced administrators who understand the implications of using SPF and DomainKeys should enable these filters.
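The Token Analysis section above says the filter is Bayesian and learns good tokens from outbound mail and bad tokens from inbound mail marked as spam. The following Python is an added illustration of that approach; it is not eprism's code and does not reproduce its scoring. It is a Graham-style token classifier trained on constructed outbound (good) and inbound spam (bad) samples. The sample text, the doubling of good counts, the 0.4 prior for never-seen tokens, the 15-token cutoff and the class and function names are all assumptions of this example.

```python
import math
import re
from collections import Counter

# Illustrative Bayesian token analysis (Graham-style). Not eprism's
# implementation: the weighting choices below are this example's own.
TOKEN_RE = re.compile(r"[a-z0-9]{3,}")  # lower-cased words of 3+ characters
UNSEEN_PROB = 0.4                       # prior for tokens seen in neither corpus
MAX_INTERESTING = 15                    # most decisive tokens used per message


def tokenize(text):
    """Distinct tokens in a message (presence matters, not frequency)."""
    return set(TOKEN_RE.findall(text.lower()))


class TokenAnalyzer:
    def __init__(self):
        self.good_docs = 0        # messages trained as legitimate (outbound)
        self.bad_docs = 0         # messages trained as spam (inbound, marked)
        self.good = Counter()     # token -> number of good messages containing it
        self.bad = Counter()      # token -> number of spam messages containing it

    def train_good(self, text):
        self.good_docs += 1
        self.good.update(tokenize(text))

    def train_bad(self, text):
        self.bad_docs += 1
        self.bad.update(tokenize(text))

    def token_prob(self, token):
        """P(spam | token); good counts are doubled to bias against false positives."""
        g = 2 * self.good.get(token, 0)
        b = self.bad.get(token, 0)
        if g + b == 0:
            return UNSEEN_PROB
        pg = min(1.0, g / self.good_docs) if self.good_docs else 0.0
        pb = min(1.0, b / self.bad_docs) if self.bad_docs else 0.0
        return max(0.01, min(0.99, pb / (pg + pb)))

    def spam_probability(self, text):
        """Combine the most decisive tokens into one spam probability in [0, 1]."""
        probs = [self.token_prob(t) for t in tokenize(text)]
        if not probs:
            return 0.5            # nothing to judge on: stay neutral
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:MAX_INTERESTING]
        prod_spam = math.prod(probs)
        prod_ham = math.prod(1.0 - p for p in probs)
        return prod_spam / (prod_spam + prod_ham)

    def score(self, text):
        """Spam probability as a 0-100 score, on the same scale as the thresholds."""
        return round(100 * self.spam_probability(text))


# Constructed training samples (not real mail).
OUTBOUND_GOOD = [
    "Attached is the revised quarterly budget spreadsheet for review before the Thursday meeting",
    "Can we move the project status call to 3pm? The conference room is booked.",
    "Thanks for the invoice, payment was approved and will be sent by the finance team",
    "Please review the attached design document and send your comments by Friday",
]
INBOUND_SPAM = [
    "Buy cheap meds online now! Lowest prices guaranteed, click here to order",
    "You have won a free prize! Click here now to claim your cash reward",
    "Cheap mortgage refinance, lowest rates, apply now, no credit check",
    "Unlimited free offers, click now to claim, order today",
]


def build_trained_analyzer():
    """Analyzer trained on the constructed corpora above."""
    analyzer = TokenAnalyzer()
    for message in OUTBOUND_GOOD:
        analyzer.train_good(message)
    for message in INBOUND_SPAM:
        analyzer.train_bad(message)
    return analyzer


if __name__ == "__main__":
    analyzer = build_trained_analyzer()
    for msg in (
        "Click here now to claim your free prize and order cheap meds",
        "Please send the revised budget spreadsheet before the meeting on Thursday",
        "zebra umbrella",
    ):
        print(analyzer.score(msg), msg)
```

Two behaviours worth noticing match the guide's advice: with no training on outbound legitimate mail the good counts are all zero, so every familiar spam token scores 0.99 and the classifier leans hard toward spam, which is why the guide suggests de-emphasizing Token Analysis in untrained environments; and a message made only of never-seen tokens stays near neutral rather than being called spam.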
Spam Categories and Actions

The Intercept engine provides three spam categories (Certainly Spam, Probably Spam and Maybe Spam), each with its own configurable action. This granularity allows administrators to achieve maximum protection with minimal false positives.

Certainly Spam

Messages marked as Certainly Spam are definitely spam and can be safely rejected and prevented from entering the network. It is very unlikely that a message marked as Certainly Spam will result in a false positive. Rejecting these messages also eliminates the need to quarantine them for user review. Use the following recommended settings:

Threshold: 99
Action: Reject mail

Probably Spam

Messages marked as Probably Spam are almost certainly spam and are unlikely to result in false positives. These messages can have text inserted into the subject header and be sent to the user's inbox, where they can be placed in a quarantine folder for review. Use the following recommended settings:

Threshold: 90
Action: Modify Subject Header
Action Data: [SPAM]

Note: eprism provides a built-in quarantine server that can be used for quarantining messages for end user review. Otherwise, administrators must create filters in the end user's mailboxes to quarantine locally.
Maybe Spam

Messages marked as Maybe Spam represent a grey area where a message could be spam, but may occasionally be legitimate mail such as a newsletter or bulk mailing list. These messages should be logged by eprism to indicate that they are spam, although no action was taken. Use the following recommended settings:

Threshold: 70
Action: Just Log
Action Data: none

Messages marked as Maybe Spam should be closely monitored, as this provides the administrator with the opportunity to allow legitimate mail such as newsletters and bulk mailing lists that may be marked incorrectly as spam. Administrators can view the Email Database to search for all messages marked as spam so that these messages can be allowed using a Pattern Based Message Filter.

Anti-Spam Header

Enable the Anti-Spam header for diagnostic and troubleshooting purposes. This will include special header information in the message to help provide diagnostics to deal with false positives and false negatives, such as the following:

    X-BTI-AntiSpam: Score:99,sta:99/022,dcc:passed,dnsbl:passed,sw:off,bsn:95 passed,spf:off,dk:off,pbmf:none,ipr:1/5,trusted:no,ts:no,ubl:matched/1
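To make the three category thresholds and the diagnostic header concrete, here is an added Python example (not part of the guide and not eprism's code) that parses an X-BTI-AntiSpam header, maps its Score to the recommended category and action, and lists which components the header reports as "off" or "matched". The guide does not say whether a score exactly equal to a threshold belongs to that category; this example assumes it does (score >= threshold). The header unfolding, the "Not Spam"/"Deliver" fallback for scores below 70, and the function names are this example's own assumptions; the sample header is the one printed in the guide.

```python
import re

HEADER_NAME = "X-BTI-AntiSpam"

# Recommended thresholds and actions from the guide, checked highest first.
# Assumption (not stated in the guide): a message goes into the first
# category whose threshold its score meets or exceeds.
CATEGORIES = (
    ("Certainly Spam", 99, "Reject mail", None),
    ("Probably Spam", 90, "Modify Subject Header", "[SPAM]"),
    ("Maybe Spam", 70, "Just Log", None),
)

_FOLD_RE = re.compile(r"\r?\n[ \t]+")   # RFC 5322 header folding: CRLF + whitespace


def parse_antispam_header(raw_header):
    """Parse 'X-BTI-AntiSpam: Score:99,sta:99/022,...' into a dict.

    Values stay strings except Score, which becomes an int. A header that
    was folded across lines is unfolded first. Values may contain spaces
    (e.g. 'bsn:95 passed'), so fields are split on commas only.
    """
    unfolded = _FOLD_RE.sub(" ", raw_header).strip()
    name, sep, body = unfolded.partition(":")
    if not sep or name.strip().lower() != HEADER_NAME.lower():
        raise ValueError("expected a %s header" % HEADER_NAME)
    fields = {}
    for item in body.split(","):
        key, _, value = item.strip().partition(":")
        if key:
            fields[key] = value.strip()
    if not fields.get("Score", "").isdigit():
        raise ValueError("header has no numeric Score field")
    fields["Score"] = int(fields["Score"])
    return fields


def categorize(score):
    """Map a 0-100 Intercept score to (category, action, action data)."""
    for name, threshold, action, action_data in CATEGORIES:
        if score >= threshold:
            return name, action, action_data
    return "Not Spam", "Deliver", None      # assumed fallback below Maybe Spam


def components_off(fields):
    """Components the header reports as 'off' (disabled), e.g. spf and dk."""
    return sorted(k for k, v in fields.items() if v == "off")


def components_matched(fields):
    """Components whose value starts with 'matched', e.g. ubl:matched/1."""
    return sorted(k for k, v in fields.items()
                  if isinstance(v, str) and v.startswith("matched"))


def decide(raw_header, subject):
    """What the recommended configuration would do with this message."""
    fields = parse_antispam_header(raw_header)
    category, action, action_data = categorize(fields["Score"])
    new_subject = subject
    if action == "Modify Subject Header":
        new_subject = "%s %s" % (action_data, subject)
    elif action == "Reject mail":
        new_subject = None                  # message never enters the network
    return {
        "score": fields["Score"],
        "category": category,
        "action": action,
        "subject": new_subject,
        "off": components_off(fields),
        "matched": components_matched(fields),
    }


# The guide's sample header, shown folded as it could appear in a message.
SAMPLE_HEADER = (
    "X-BTI-AntiSpam: Score:99,sta:99/022,dcc:passed,dnsbl:passed,sw:off,bsn:95 passed,\n"
    " spf:off,dk:off,pbmf:none,ipr:1/5,trusted:no,ts:no,ubl:matched/1"
)

if __name__ == "__main__":
    print(decide(SAMPLE_HEADER, "Quarterly report"))
```

Run against the guide's sample header the decision is Certainly Spam / Reject mail, with spf, dk and sw reported off and ubl the only matched component. Pulling the header apart this way is what makes the false-positive feedback loop described later in the guide workable: the administrator can see which component drove the score before deciding whether to allow the sender or lower a weight.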
Intercept Decision Strategy

Intercept can utilize one of many different strategies when making a decision about whether a message is spam or legitimate mail. The option to set the decision strategy is available by selecting the Advanced button on the main Intercept page. These strategies are discussed in greater detail in the eprism User Guide. The following are recommendations based on extensive St. Bernard testing.

It is recommended that administrators choose the "Heuristic 2" decision strategy. This is a passive strategy that is effective for most environments, providing an excellent spam catch rate with a very low chance of false positives.

Caution: Advanced administrators should proceed with caution when choosing a strategy other than "Heuristic 2". Choosing the wrong strategy could result in false positives and a lower spam capture rate.

In environments where there is no Token Analysis training on outbound legitimate mail (such as some evaluation scenarios), "Heuristic 2" may result in an increase in false positives. In this case, administrators should use the "Heuristic 1" strategy, which is identical to "Heuristic 2" except that Token Analysis is de-emphasized and additional Anti-Spam features must be triggered for a message to be considered "Probably Spam" or "Certainly Spam".
Component Weights

Administrators can customize the Intercept engine by configuring the weights for each Intercept component that will help determine the final spam score for a message. These values represent the scores that will be used if that component is triggered. Valid weights for each component are from 0 to 100. Set the weight to "0" if you want that feature to have no bearing on the final spam score of a message. Set this value to "100" if you want this component to have a strong weight on the final spam score of a message.

The default values are recommended; however, St. Bernard recommends that the Spam Dictionaries weight be decreased to 60. The Token Analysis weight should be decreased if it is causing an increased amount of false positives to occur.

Managing Your Intercept Solution

After the Intercept Anti-Spam engine is initially configured, it is important that the solution is monitored and managed to ensure optimum spam capture rates and minimal false positives.

Set Up Trust Relationships

For proper spam detection, eprism requires that a Trust relationship be set up for each mail server in the organization. Trusted mail is considered to be any mail from a private, trusted mail source and is not checked for spam. Untrusted mail is considered to be any mail from an unknown mail source and is always checked for spam.

Create a Specific Access Pattern (via Mail Delivery > Anti-Spam > Intercept > Specific Access Patterns on the menu) as follows, where 172.16.43.25 is the IP address of the organization's mail server to be trusted:
User Feedback

Use the following suggested feedback mechanisms and the diagnostics tools included with eprism to maximize the spam capture rate and minimize false positives. Do not be overzealous in the attempt to fight spam. Use the suggested default configuration for the Intercept engine, then adjust the filters accordingly as feedback is received.

Report false positives

The administrator should create a feedback account (such as "notspam@example.com") to which end users forward messages incorrectly marked as spam (false positives). This allows the administrator to determine why a message was marked incorrectly and allow the sender or adjust the filters as required. Use Pattern Based Message Filters to allow newsletters and bulk mailing lists to ensure they are not flagged as spam by Intercept.

Report missed spam

The administrator should create a feedback email address (such as "spam@example.com") to which end users forward spam messages that were missed and not marked by the Intercept engine. This allows the administrator to determine why the message was missed and block the sender or adjust the filters as required.