Local-List Antispam Filtering
Antispam filtering lets you use a third-party server-based spam block list (SBL) and, optionally, create your own local allowlists (benign) and blocklists (malicious) for filtering e-mail messages. The antispam feature is not meant to replace your antispam server, but to complement it. For more information, see the following topics:
Understanding Local List Antispam Filtering
When creating your own local allowlist and blocklist for antispam filtering, you can filter against domain names, e-mail addresses, and/or IP addresses. Pattern matching works a bit differently depending upon the type of matching in question. For example, pattern matching for domain names uses a longest suffix match algorithm. If the sender e-mail address has a domain name of aaa.bbb.ccc, the device tries to match "aaa.bbb.ccc" in the list. If no match is found, it tries to match "bbb.ccc", and then "ccc". IP address matching, however, does not allow for partial matches.
Antispam filtering uses local lists for matching in the following manner:
Sender IP: The sender IP is checked against the local allowlist, then the local blocklist, and then the SBL IP-based server (if enabled).
Sender Domain: The domain name is checked against the local allowlist and then against the local blocklist.
Sender E-mail Address: The sender e-mail address is checked against the local allowlist and then against the local blocklist.
By default, the device first checks incoming e-mail against the local allowlist and blocklist. If the sender is not found on either list, the device proceeds to query the SBL server over the Internet. When both server-based antispam filtering and local list antispam filtering are enabled, checks are done in the following order:
The local allowlist is checked. If there is a match, no further checking is done. If there is no match...
The local blocklist is checked. If there is a match, no further checking is done. If there is no match...
The SBL server list is checked.
Note: Local blocklist and allowlist matching continues after the antispam license key is expired.
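The matching rules and check order described above, as an added Python sketch (not Junos code and not part of the original documentation). It assumes that each list is a flat set of strings, that e-mail addresses are compared whole and case-insensitively, and that all three sender keys are tried against the allowlist before any is tried against the blocklist; the function names, the domain entries and `sbl_lookup` are hypothetical.

```python
import ipaddress

# Constructed sample lists. The two IPs are the ones used in this page's
# configuration example; the domain entries are made up for illustration.
ALLOWLIST = {"150.1.2.3", "example.org"}
BLOCKLIST = {"150.61.8.134", "mail.example.org", "bulk.example.net"}

def domain_suffixes(domain):
    """aaa.bbb.ccc -> ['aaa.bbb.ccc', 'bbb.ccc', 'ccc'] (longest first)."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def list_hit(entries, sender_ip, sender_addr):
    """Return (key type, matching entry) for one list, or None."""
    entries = {e.lower() for e in entries}
    ip = str(ipaddress.ip_address(sender_ip))  # rejects malformed input
    if ip in entries:                          # exact match only, no partial match
        return ("ip", ip)
    addr = sender_addr.lower()
    if addr in entries:                        # assumption: whole-address comparison
        return ("address", addr)
    for suffix in domain_suffixes(addr.rpartition("@")[2]):
        if suffix in entries:                  # longest suffix wins
            return ("domain", suffix)
    return None

def classify(sender_ip, sender_addr, allowlist, blocklist, sbl_lookup=None):
    """Allowlist, then blocklist, then the optional SBL query on the sender IP."""
    hit = list_hit(allowlist, sender_ip, sender_addr)
    if hit:
        return ("allow", "local-allowlist", hit)
    hit = list_hit(blocklist, sender_ip, sender_addr)
    if hit:
        return ("spam", "local-blocklist", hit)
    if sbl_lookup is not None and sbl_lookup(sender_ip):
        return ("spam", "sbl", ("ip", sender_ip))
    return ("allow", "no-match", None)

if __name__ == "__main__":
    # A broad allowlist entry shadows a more specific blocklist entry,
    # because the allowlist is consulted first and matching stops there.
    print(classify("198.51.100.7", "news@mail.example.org", ALLOWLIST, BLOCKLIST))
    # One digit short of a blocklisted IP: no match.
    print(classify("150.61.8.13", "a@x.example.com", ALLOWLIST, BLOCKLIST))
```

When reviewing local lists, check every allowlist domain entry for the subdomains it also covers: a short suffix on the allowlist overrides any longer blocklist entry beneath it.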
Local List Antispam Filtering Configuration Overview
For each UTM feature, configure feature parameters in the following order:
Example: Configuring Local List Antispam Filtering
This example shows how to configure local list antispam filtering.
Requirements
Before you begin, review how to configure the feature parameters for each UTM feature. See Local List Antispam Filtering Configuration Overview.
Overview
Antispam filtering uses local lists for matching. When creating your own local allowlist and blocklist for antispam filtering, you can filter against domain names, e-mail addresses, and/or IP addresses.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security utm custom-objects url-pattern as-black value [150.61.8.134]
set security utm custom-objects url-pattern as-white value [150.1.2.3]
set security utm default-configuration anti-spam address-whitelist as-white
set security utm feature-profile anti-spam sbl profile localprofile1
set security utm feature-profile anti-spam sbl profile localprofile1 spam-action block
set security utm feature-profile anti-spam sbl profile localprofile1 custom-tag-string ***spam***
set security utm utm-policy spampolicy2 anti-spam smtp-profile localprofile1
set security policies from-zone trust to-zone untrust policy utmsecuritypolicy2 match source-address any
set security policies from-zone trust to-zone untrust policy utmsecuritypolicy2 match destination-address any
set security policies from-zone trust to-zone untrust policy utmsecuritypolicy2 match application junos-smtp
set security policies from-zone trust to-zone untrust policy utmsecuritypolicy2 then permit application-services utm-policy spampolicy2
GUI Quick Configuration
Step-by-Step Procedure
To configure local list antispam filtering:
Create local allowlist and blocklist custom objects by configuring a URL pattern list.
Step-by-Step Procedure
Select Configure>Security>UTM>Custom Objects.
In the UTM custom objects configuration window, select the URL Pattern List tab.
Click Add to create URL pattern lists.
Next to URL Pattern Name, type a unique name.
Note: If you are creating an allowlist, it is helpful to indicate this in the list name. The same applies to a blocklist. The name you enter here becomes available in the Address Allowlist and Address Blocklist fields when you are configuring your antispam profiles.
Next to URL Pattern Value, type the URL pattern for allowlist or blocklist antispam filtering.
Configure antispam filtering to use the allowlist and blocklist custom objects.
Step-by-Step Procedure
Select Configure>Security>UTM>Global options.
In the right pane, select the Anti-Spam tab.
Under Anti-Spam, select an Address Allowlist and/or an Address Blocklist from the list for local lists for spam filtering. (These lists are configured as custom objects.)
Click OK.
If the configuration item is saved successfully, you receive a confirmation, and you must click OK again. If it is not saved successfully, click Details in the pop-up window to discover why.
In the left pane under Security, select the Anti-Spam tab.
Click Add to configure an anti-spam profile. The profile configuration pop-up window appears.
In the Profile name box, enter a unique name.
If you are using the default server, select Yes beside Default SBL server. If you are not using the default server, select No.
If you select No, you are disabling server-based spam filtering. You disable it only if you are using local lists or if you do not have a license for server-based spam filtering.
In the Custom tag string box, type a custom string for identifying a message as spam. By default, the device uses ***SPAM***.
In the Actions list, select the action that the device should take when it detects spam. Options include Tag subject, Block email, and Tag header.
Configure a UTM policy for SMTP to which you attach the antispam profile.
Step-by-Step Procedure
Select Configure>Security>Policy>UTM Policies.
In the UTM policy configuration window, click Add to configure a UTM policy. The policy configuration pop-up window appears.
Select the Main tab.
In the Policy name box, type a unique name.
In the Session per client limit box, type a session per client limit. Valid values range from 0 through 2000.
From the Session per client over limit list, select the action that the device should take when the session per client limit for this UTM policy is exceeded. Options include Log and permit and Block.
Select the Anti-Spam profiles tab.
From the SMTP profile list, select the antispam profile that you are attaching to this UTM policy.
Attach the UTM policy to a security policy.
Step-by-Step Procedure
Select Configure>Security>Policy>FW Policies.
In the Security Policy window, click Add to configure a security policy with UTM. The policy configuration pop-up window appears.
In the Policy tab, type a name in the Policy Name box.
Next to From Zone, select a zone from the list.
Next to To Zone, select a zone from the list.
Choose a source address.
Choose a destination address.
Choose an application by selecting junos-smtp (for antispam) in the Application Sets box and move it to the Matched box.
Next to Policy Action, select one of the following: Permit, Deny, or Reject.
When you select Permit for policy action, several additional fields become available in the Applications Services tab, including UTM Policy.
Select the Application Services tab.
Next to UTM Policy, select the appropriate policy from the list. This attaches your UTM policy to the security policy.
Click OK to check your configuration and save it as a candidate configuration.
If the policy is saved successfully, you receive a confirmation, and you must click OK again. If the profile is not saved successfully, click Details in the pop-up window to discover why.
Note: You must activate your new policy to apply it.
If you are done configuring the device, click Commit Options>Commit.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure local list antispam filtering:
Configure the local list spam blocking by first creating your global local spam lists.
[edit security]
user@host# set utm custom-objects url-pattern as-black value [150.61.8.134]
user@host# set utm custom-objects url-pattern as-white value [150.1.2.3]
Configure the local list antispam feature profile by first attaching your custom-object blocklist or allowlist or both.
When both the allowlist and the blocklist are in use, the allowlist is checked first. If there is no match, then the blocklist is checked.
[edit security]
user@host# set utm default-configuration anti-spam address-whitelist as-white
Configure a profile for your local list spam blocking.
Although you are not using the SBL for local list spam blocking, you configure your profile from within that command, as in the server-based spam blocking procedure.
[edit security]
user@host# set utm feature-profile anti-spam sbl profile localprofile1
Configure the action to be taken by the device when spam is detected (block, tag-header, tag-subject).
[edit security]
user@host# set utm feature-profile anti-spam sbl profile localprofile1 spam-action block
Configure a custom string for identifying a message as spam.
[edit security]
user@host# set utm feature-profile anti-spam sbl profile localprofile1 custom-tag-string ***spam***
Attach the spam feature profile to the UTM policy.
[edit security]
user@host# set utm utm-policy spampolicy2 anti-spam smtp-profile localprofile1
Configure a security policy for UTM, and attach the UTM policy to the security policy.
[edit]
user@host# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy2 match source-address any
user@host# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy2 match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy2 match application junos-smtp
user@host# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy2 then permit application-services utm-policy spampolicy2
Results
From configuration mode, confirm your configuration by entering the show security utm and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security utm
custom-objects {
    anti-spam {
        url-pattern patternwhite;
        sbl {
            profile localprofile1 {
                spam-action block;
                custom-tag-string ***spam***;
            }
        }
    }
default-configuration {
    anti-spam {
        address-whitelist as-white;
    }
}
utm-policy spampolicy2 {
    anti-spam {
        smtp-profile localprofile1;
    }
}
[edit]
user@host# show security policies
from-zone trust to-zone untrust {
    policy utmsecuritypolicy2 {
        match {
            source-address any;
            destination-address any;
            application junos-smtp;
        }
        then {
            permit {
                application-services {
                    utm-policy spampolicy2;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Antispam Statistics
Purpose
Verify the antispam statistics.
Action
From operational mode, enter the show security utm anti-spam status and show security utm anti-spam statistics commands.
The following information appears:
SBL Whitelist Server:
SBL Blacklist Server: msgsecurity.example.net
DNS Server:
    Primary  : 1.2.3.4, Src Interface: ge-0/0/0
    Secondary: 2.3.4.5, Src Interface: ge-0/0/1
    Ternary  : 0.0.0.0, Src Interface: fe-0/0/2

Total connections: #
Denied connections: #
Total greetings: #
Denied greetings: #
Total e-mail scanned: #
White list hit: #
Black list hit: #
Spam total: #
Spam tagged: #
Spam dropped: #
DNS errors: #
Timeout errors: #
Return errors: #
Invalid parameter errors: #
Statistics start time:
Statistics for the last 10 days.