HowTo: Configuration of the spam filter Securepoint Security Systems Version 2007nx Release 3
Contents

1 Configuration of the spam filter with the Securepoint Security Manager ... 3
2 Spam filter configuration interface ... 4
2.1 General ... 4
2.2 Bayes Filter ... 6
2.3 Regular Expressions ... 7
2.4 Friends ... 8
3 Way of an e-mail through the spam filter ... 9
4 The spam filter web interface ... 10
4.1 Requirements ... 10
4.2 Access the spam filter web interface ... 12
4.3 Spam filter interface overview ... 13
4.4 Column of the table ... 14
4.5 Actions in the tab Ham ... 15
4.6 Actions in the tab Spam ... 16
4.7 Actions in the section Deleted ... 17
4.8 The section Statistics ... 18
1 Configuration of the spam filter with the Securepoint Security Manager

The integrated Securepoint anti-spam solution filters unrequested e-mails (spam). To do so, it uses a combination of different methods to detect as many undesired e-mails as possible. The Securepoint spam filter analyzes every e-mail on the basis of different criteria and classifies it as spam depending on the weighting. Assessment criteria are, for example:
- obviously invalid sender address
- known spam text passages
- HTML content
- future-dated sender data

Self-adaptive spam filter
By using the Bayes filter, the system independently recognizes spam e-mails with a ratio of over 95%. The Bayes filter can be trained by the spam administrator re-sorting wrongly classified e-mails. This increases the hit ratio of the filter. This method is superior to conventional methods which use blacklists.
This also provides an early detection of virus e-mails. With a high probability the Securepoint spam filter detects a virus mail even before a virus pattern is available. In this way the virus doesn't even reach your inbox.

Further methods
Relay blocking lists: These tables list hosts which are known as spam senders. If the sender uses an IP address which is listed in such a table, the mail will be refused. The following lists are used; they are located in the template /etc/mail/sendmail.mc:
- bl.spamcop.net
- dialups.mail-abuse.org
- dnsbl.sorbs.net
- cn-kr.blackholes.us
Relaying:
E-mail validation: E-mails will only be accepted if they are sent from the given domain. You can validate the e-mail addresses against the following lists:
- ActiveDirectory
- Address list
2 Spam filter configuration interface

To enter the spam filter settings interface in the Securepoint Security Manager, click the icon Applications and change to the tab Spam Filter, or click the item Applications in the menu and select Spam Filter from the dropdown menu. The configuration is divided into the sections:
- General
- Bayes Filter
- Regular Expressions
- Friends

2.1 General

fig. 1 Spam filter - general settings and greylisting

Section Mail configuration
Keep e-mails not longer than: The e-mails will be kept in the database for the selected number of days.
E-mail body invisible for spam administrator: The content of the e-mails is not visible to the administrator. Note: Consider the respective privacy regulations.
Only mark spam e-mails for SMTP, no blocking: You can mark spam e-mails with a tag and deliver them, or you can block them.
Section Greylisting
If you use Greylisting, an e-mail from an unknown sender will be refused at the first receipt. The SMTP client of the sender will attempt to send the e-mail a second time. E-mails sent by automatic spam programs are mostly sent only once. You can exempt e-mails from Greylisting by putting the sender IP into the Whitelist. The Whitelist only affects Greylisting and is not to be mistaken for the Friends list. If Greylisting is activated, the firewall also checks via the Sender Policy Framework (SPF) whether received messages are sent by valid e-mail servers. This only works when the domain has set SPF entries.

Activate Greylisting: Activates the Greylisting method.
Auto Whitelisting: Activates an automatic list that contains the senders of successfully delivered e-mails. These senders bypass Greylisting for the given number of days.
Greylisting delay: In this interval the refused e-mail must reach the firewall the second time.
Whitelist: E-mails sent by the IP addresses listed in the Whitelist are exempted from Greylisting.
Delete / New: Delete or add IP addresses to the static Whitelist.
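The following added example (not Securepoint's code) models the decision described above: a static Whitelist of sender IPs, a first-attempt refusal, the Greylisting delay as the window in which the retry must arrive, and Auto Whitelisting of senders that delivered successfully. Keying the pending entry on the (IP, sender, recipient) triplet and the use of documentation IP addresses are assumptions for the illustration.

```python
import time
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class Greylister:
    delay: int                      # "Greylisting delay": window (seconds) for the retry
    auto_days: int                  # "Auto Whitelisting": days a proven sender is exempt
    whitelist: set = field(default_factory=set)   # static Whitelist of sender IPs
    pending: dict = field(default_factory=dict)   # (ip, sender, rcpt) -> time of refusal
    auto: dict = field(default_factory=dict)      # ip -> expiry of the auto-whitelist entry

    def check(self, ip, sender, rcpt, now=None):
        """Return 'accept' or 'defer' (SMTP temporary failure) for one delivery attempt."""
        now = time.time() if now is None else now
        if ip in self.whitelist:
            return "accept"                       # static Whitelist: never greylisted
        if self.auto.get(ip, 0) > now:
            return "accept"                       # auto-whitelisted after an earlier success
        key = (ip, sender, rcpt)                  # assumption: greylist per triplet
        first = self.pending.get(key)
        if first is None or now - first > self.delay:
            # Unknown sender, or the retry came too late: refuse and wait for a second attempt.
            self.pending[key] = now
            return "defer"
        # Second attempt inside the delay window: accept and remember the sender IP.
        del self.pending[key]
        self.auto[ip] = now + self.auto_days * DAY
        return "accept"


if __name__ == "__main__":
    # Constructed sample: one hour delay, seven days auto-whitelist, one static entry.
    g = Greylister(delay=3600, auto_days=7, whitelist={"192.0.2.10"})
    print(g.check("203.0.113.7", "a@example.org", "b@example.net", now=0))     # defer
    print(g.check("203.0.113.7", "a@example.org", "b@example.net", now=900))   # accept
```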
2.2 Bayes Filter

The Bayes filter checks on the basis of classified/evaluated words whether an e-mail is a spam or a ham e-mail. In order that the filter works properly, it must be trained by the spam administrator. The administrator has to re-sort the misclassified mail into Spam and Ham. Thereby the filter learns which words are typical for a spam e-mail.

fig. 2 Spam filter - Bayes filter settings

Number of examined tokens: This number of words will be checked in the e-mail. The result will be considered by the threshold calculation.
Threshold value for spam mail: The calculated value lies in the range between 1 and 99. 1 shows a high probability for Ham and 99 shows a high probability for Spam. The value to divide Spam from Ham should be near the median.
Bias to define no spam: Multiplier for words in the Ham database. If there is much more Spam than Ham, the value should be set to 1.
Threshold value number for spam calculation: How many times the word must appear in the mail to be considered in the calculation.
Minimum length of a token: Minimal number of characters a word must have to be considered in the calculation.
Default values: Set back to default values.
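To show how the five settings above interact, here is an added example of a Graham-style Bayes scorer (not the Securepoint implementation): it keeps per-token ham and spam counts, weights ham counts by the bias, ignores tokens that are too short or occur too rarely in the mail, combines the most significant tokens and scales the result to 1..99. The combination formula and the constructed training mails are assumptions.

```python
import re
from collections import Counter
from math import prod

TOKEN_RE = re.compile(r"[a-z0-9]+")


class BayesFilter:
    def __init__(self, examined=15, threshold=50, ham_bias=2, min_count=1, min_len=3):
        self.examined = examined      # "Number of examined tokens"
        self.threshold = threshold    # "Threshold value for spam mail" (1..99)
        self.ham_bias = ham_bias      # "Bias to define no spam": multiplier for ham counts
        self.min_count = min_count    # "Threshold value number for spam calculation"
        self.min_len = min_len        # "Minimum length of a token"
        self.spam, self.ham = Counter(), Counter()  # token -> number of mails containing it
        self.nspam = self.nham = 0

    def tokens(self, text):
        return [t for t in TOKEN_RE.findall(text.lower()) if len(t) >= self.min_len]

    def train(self, text, is_spam):
        # Training corresponds to the administrator re-sorting a mail into Spam or Ham.
        (self.spam if is_spam else self.ham).update(set(self.tokens(text)))
        if is_spam:
            self.nspam += 1
        else:
            self.nham += 1

    def token_prob(self, tok):
        # Per-token spam probability; ham occurrences are weighted by ham_bias (assumed formula).
        s = self.spam[tok] / self.nspam if self.nspam else 0.0
        h = self.ham[tok] * self.ham_bias / self.nham if self.nham else 0.0
        if s + h == 0:
            return None               # never seen in training: carries no information
        return min(0.99, max(0.01, s / (s + h)))

    def score(self, text):
        """Spam probability scaled to 1..99, like the 'Bay' column of the web interface."""
        probs = []
        for tok, count in Counter(self.tokens(text)).items():
            p = self.token_prob(tok) if count >= self.min_count else None
            if p is not None:
                probs.append(p)
        if not probs:
            return 50                 # no evidence either way: middle of the range
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        top = probs[:self.examined]   # only the most significant tokens are combined
        p_spam = prod(top) / (prod(top) + prod(1 - p for p in top))
        return round(1 + 98 * p_spam)

    def is_spam(self, text):
        return self.score(text) >= self.threshold
```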
2.3 Regular Expressions

Regular expressions are used to search text based on patterns. They are a powerful instrument to identify words or patterns of characters in a text. The filter searches for the given patterns in different sections of the e-mail. If a match is found, the relevant e-mail is classified as spam.

fig. 3 spam filter - regular expression settings
2.4 Friends

In this section you define e-mails which should be excluded from the Bayes filter. If virus scanning is activated, they will be checked for viruses anyway. You can also import a list which includes desired senders.

fig. 4 spam filter - fill friends list

You can define desired e-mails in four ways:
Sender: desired e-mail from the sender with the given e-mail address
Recipient: desired e-mail for the recipient with the given e-mail address
IP address: desired e-mail from this IP address
Mailserver Hostname: desired e-mail from this mail server or host
3 Way of an e-mail through the spam filter

fig. 5 checking an e-mail. The diagram shows the checks in the following order:
1. Relay-Blocking-List: if the sender is included in a blocking list, the e-mail is blocked.
2. E-mail validation: if there is no valid recipient address, the e-mail is blocked.
3. Relaying / Whitelist: if the sender is not included in the Whitelist, Greylisting applies and only a repeated delivery passes.
4. Spam Milter: Friendslist (an e-mail included in the Friendslist skips the spam checks), Regular Expressions (if a regular expression matches, the e-mail is Spam), Bayes-Filter (classifies the e-mail as Ham or Spam).
5. Virus checking: if a virus is found, the e-mail is blocked.
6. Attachment checking: if a forbidden attachment is found, the e-mail is blocked.
7. Deliver.
4 The spam filter web interface

The spam administrator can take a look at the spam filter web interface to check which e-mails were classified as spam or ham by the system. If he finds e-mails which are misclassified as spam, he can mark them as ham and resend them. It is important to move unidentified spam mails from the ham section into the spam section to train the adaptive Bayes filter.

4.1 Requirements

The web interface is only available when the web server service is activated. To check the status of the web server, start the Securepoint Security Manager, click on the icon Applications and change to the tab Status of services. If SERVICE_WEBSERVER is marked with an X, the service is not active. Activate the service by double-clicking on the X, or right-click on the X and choose Start service from the context menu.

fig. 6 checking the status of services
You can access the spam filter web interface only from the internal network. If you want to grant access from other networks, you have to create a rule for this. Start the Securepoint Security Manager and click on the icon Firewall. The firewall rules are listed on the tab Portfilter. Click on the icon New and create a new rule for access to the web interface from other networks. The required service is part of the services group administration.

fig. 7 Create a new rule to grant access to the web interface from other networks

The web interface is only accessible for users who are members of the group spam filter administrator. Start the Securepoint Security Manager and click on the icon Authentication. To create a new user, click on the icon New. To modify the membership of an existing user, mark the user and click on the icon Modify. Switch to the tab Group Membership and activate the checkbox Spam filter administrator.

fig. 8 activate the group membership spam filter administrator
4.2 Access the spam filter web interface

You can access the spam filter web interface by typing the following address into your web browser:
https://internal_ip_of_the_firewall:11115/spamfilter/
for example:
https://192.168.175.1:11115/spamfilter/
At the first connection you will be asked whether you accept the certificate. Confirm this question. Log on to the web interface with your user name and your password.

fig. 9 login dialog Mozilla Firefox
fig. 10 login dialog MS Internet Explorer
4.3 Spam filter interface overview

The e-mails are listed in order of time (the newest one first).

fig. 11 sections of the web interface

1 filter: With the filter you can sort the list by Sender, Recipient, Subject, Country, Virus, Send, Unsent. For some criteria a pattern is needed; insert the pattern in the input field. Execute the filter by clicking on Search. You can reset the selection by clicking on Reset.
2 lines: The display shows 10 entries per page. You can vary the number of shown entries between 10 and 200. Enter the desired number into the input field and click on Apply.
3 tabs: The display is divided into different sections. Ham shows desired e-mails. Spam shows undesired e-mails. Deleted shows e-mails that were deleted by the spam administrator. Statistics shows a diagram of ham and spam e-mails depending on the country of origin. Click on the tabs to change the view.
4 action: You can choose an action (move, delete, resend) for all checked e-mails. With the checkbox all data on this page you can check or uncheck all e-mails shown on this page. The action will be executed when you click on Execute.
5 navigation: With the input field and the button Execute you can jump directly to the entered page. With the double-arrow buttons you can scroll through the pages. With the skip buttons you can jump to the first or to the last page.
6 delete: With the button Delete you can delete all entries of the section. They will be moved to the Deleted tab.

4.4 Column of the table

first column: Clicking into the square marks the e-mail. Already marked e-mails will be unchecked if you click on the square again.
ID: Consecutive number of the e-mails. A click on the number shows details of the mail in a new dialog (fig. 12).
Type: Type of the e-mail.
Date: Date and time of the e-mail.
Bay: Probability of spam, calculated by the Bayes filter.
CNTR: Country of origin of the e-mail.
Sender: Sender of the e-mail.
Recipient: Recipient of the e-mail.
Subject: Subject of the e-mail.
Virus: Shows if the e-mail includes a virus.
Action: Action you can execute on the respective mail.
Delete: Deletes the mail and moves it into the Deleted folder. If you execute this command in the tab Deleted, the e-mail will be deleted irrevocably.

fig. 12 details dialog
4.5 Actions in the tab Ham

In the columns Action and Delete you can execute the following actions:
- Resends the e-mail.
- Moves the e-mail into the tab Spam.
- Moves the e-mail into the tab Deleted.

You can execute the following actions on checked mails:
Resend (only SMTP): Resends the e-mail.
Classify as spam and delete: Classifies the e-mail as spam and moves it into the tab Deleted.
Classify as spam: Classifies the e-mail as spam and moves it into the tab Spam.

fig. 13 web interface - section Ham
4.6 Actions in the tab Spam

In the columns Action and Delete you can execute the following actions:
- Moves the e-mail into the tab Ham.
- Moves the e-mail into the tab Deleted.

You can execute the following actions on checked mails:
Classify as ham: Classifies the e-mail as ham and moves it into the tab Ham.
Classify as ham and resend (only SMTP): Classifies the e-mail as ham, resends it and moves it into the tab Ham.
Delete: Moves the e-mail into the tab Deleted.

fig. 14 web interface - section Spam
4.7 Actions in the section Deleted

In the columns Action and Delete you can execute the following actions:
- Restores the e-mail and moves it into the respective tab.
- Deletes the e-mail irrevocably.

You can execute the following actions on checked mails:
Restore: Restores the e-mail and moves it into the respective tab.
Irrevocable delete: Deletes the e-mail irrevocably.

fig. 15 web interface - section Deleted
4.8 The section Statistics

In this section diagrams are generated which show from which countries the most spam e-mails and ham e-mails were received. The third diagram shows from which countries virus e-mails were received. In the section Period you can set an interval; the smallest value is one day. The diagram is generated when you click on Execute. With the button Reset you reset the interval.

fig. 16 web interface - section Statistics