Server-Based Antispam Filtering
Server-based spam filtering supports only IP-based spam blocklist lookup. Server-based antispam filtering requires Internet connectivity with the spam block list (SBL) server. For more information, see the following topics:
Understanding Server-Based Antispam Filtering
Server-based antispam filtering requires Internet connectivity with the spam block list (SBL) server. Domain Name Service (DNS) is required to access the SBL server. The firewall performs SBL lookups through the DNS protocol. The lookups are against the IP address of the sender (or relaying agent) of the e-mail, adding the name of the SBL server as the authoritative domain. The DNS server then forwards each request to the SBL server, which returns a DNS response to the device. The device then interprets the DNS response to determine if the e-mail sender is a spammer.
IP addresses that are included in the block lists are generally considered to be invalid addresses for mail servers or easily compromised addresses. Criteria for listing an IP address as a spammer on the SBL can include:
Running an SMTP open relay service
Running open proxy servers (of various kinds)
Being a zombie host possibly compromised by a virus, worm, Trojan, or spyware
Using a dynamic IP range
Being a confirmed spam source with a known IP address
By default, the device first checks incoming e-mail against local allowlists and blocklists. If there are no local lists, or if the sender is not found on local lists, the device proceeds to query the SBL server over the Internet. When both server-based spam filtering and local list spam filtering are enabled, checks are done in the following order:
The local allowlist is checked. If there is a match, no further checking is done. If there is no match...
The local blocklist is checked. If there is a match, no further checking is done. If there is no match...
The SBL server list is checked.
SBL server matching stops when the antispam license key is expired.
Server-based spam filtering supports only IP-based spam blocklist lookup. Sophos updates and maintains the IP-based spam block list. Server-based antispam filtering is a separately licensed subscription service. When your antispam license key expires, you can continue to use locally defined blocklists and allowlists.
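The check order described above, as an added Python model (not Juniper's code and not taken from the device): local allowlist, then local blocklist, then a DNS lookup against the SBL zone, with SBL matching skipped when the license has expired. The SBL zone name, the DNS answers and the reversed-octet query format are assumptions for illustration.

```python
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

# Constructed SBL zone name; the real device uses its preconfigured Sophos server.
SBL_ZONE = "sbl.example.net"

# Constructed DNS answers standing in for the SBL server. The reversed-octet
# query name and 127.0.0.x answer follow the common DNSBL convention (RFC 5782);
# the exact format the SRX uses for its query is an assumption, not on the page.
FAKE_DNS = {"10.113.0.203." + SBL_ZONE: "127.0.0.2"}  # 203.0.113.10 is listed

def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup: answer text, or None when the name is absent."""
    return FAKE_DNS.get(name)

def sbl_query_name(ip: str, zone: str = SBL_ZONE) -> str:
    """Sender IPv4 octets reversed, with the SBL server name appended as the domain."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def in_list(ip: str, entries: Iterable[str]) -> bool:
    """Match a sender against local list entries given as hosts or CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def check_sender(ip: str, allowlist: Iterable[str], blocklist: Iterable[str],
                 license_valid: bool,
                 resolver: Callable[[str], Optional[str]] = fake_resolver) -> Tuple[str, str]:
    """Order from the text: local allowlist, local blocklist, then SBL.
    Returns (verdict, reason); a local match ends checking, and SBL matching
    stops when the antispam license is expired."""
    if in_list(ip, allowlist):
        return ("allow", "local-allowlist")
    if in_list(ip, blocklist):
        return ("block", "local-blocklist")
    if not license_valid:
        return ("allow", "sbl-skipped-license-expired")
    try:
        answer = resolver(sbl_query_name(ip))
    except OSError:
        # The page only says the device counts DNS errors, not what verdict it
        # gives; treating a failed lookup as "no verdict" is an assumption here.
        return ("allow", "sbl-lookup-error")
    if answer is not None and answer.startswith("127.0.0."):
        return ("block", "sbl-listed:" + answer)
    return ("allow", "sbl-not-listed")
```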
When you delete or deactivate a feature profile created for server-based antispam filtering with the SBL server, the default SBL server configuration is applied automatically. When the default SBL server configuration is applied, the default SBL server lookup is enabled. If you want to disable the default SBL server lookup, that is, if you want to configure the no-sbl-default-server option as the default value, you must use the set security utm default-configuration anti-spam sbl no-sbl-default-server command.
Server-Based Antispam Filtering Configuration Overview
For each Content Security feature, configure feature parameters in the following order:
Example: Configuring Server-Based Antispam Filtering
This example shows how to configure server-based antispam filtering.
Requirements
Before you begin, review how to configure the feature parameters for each Content Security feature. See Server-Based Antispam Filtering Configuration Overview.
Overview
Server-based antispam filtering requires Internet connectivity with the spam block list (SBL) server. Domain Name Service (DNS) is required to access the SBL server.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server
set security utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server spam-action block
set security utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server custom-tag-string ***spam***
set security utm utm-policy spampolicy1 anti-spam smtp-profile sblprofile1
set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match source-address any
set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match destination-address any
set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match application junos-smtp
set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 then permit application-services utm-policy spampolicy1
GUI Quick Configuration
Step-by-Step Procedure
To configure server-based antispam filtering:
Configure a profile and enable or disable the SBL server lookup. Select Configure>Security>UTM>Anti-Spam.
Step-by-Step Procedure
- In the Anti-Spam profiles configuration window, click Add to configure a profile for the SBL server, or click Edit to modify an existing item.
- In the Profile name box, enter a unique name for the antispam profile that you are creating.
- If you are using the default server, select Yes next to Default SBL server. If you are not using the default server, select No.
  The SBL server is predefined on the device. The device comes preconfigured with the name and address of the SBL server. If you do not select Yes, you are disabling server-based spam filtering. You should disable it only if you are using only local lists or if you do not have a license for server-based spam filtering.
- In the Custom tag string box, enter a custom string for identifying a message as spam. By default, the device uses ***SPAM***.
- From the antispam action list, select the action that the device should take when it detects spam. Options include Tag subject, Block email, and Tag header.
Configure a Content Security policy for SMTP to which you attach the antispam profile.
Step-by-Step Procedure
- Select Configure>Security>Policy>UTM Policies.
- In the Content Security policy configuration window, click Add.
- In the policy configuration window, select the Main tab.
- In the Policy name box, type a unique name for the Content Security policy.
- In the Session per client limit box, type a session per client limit. Valid values range from 0 to 2000.
- From the Session per client over limit list, select the action that the device should take when the session per client limit for this Content Security policy is exceeded. Options include Log and permit and Block.
- Select the Anti-Spam profiles tab in the pop-up window.
- From the SMTP profile list, select an antispam profile to attach to this Content Security policy.
Attach the Content Security policy to a security policy.
Step-by-Step Procedure
- Select Configure>Security>Policy>FW Policies.
- In the Security Policy window, click Add to configure a security policy with Content Security, or click Edit to modify an existing policy.
- In the Policy tab, type a name in the Policy Name box.
- Next to From Zone, select a zone from the list.
- Next to To Zone, select a zone from the list.
- Choose a source address.
- Choose a destination address.
- Choose an application by selecting junos-smtp (for antispam) in the Application Sets box and moving it to the Matched box.
- Next to Policy Action, select one of the following: Permit, Deny, or Reject.
  When you select Permit for Policy Action, several additional fields become available in the Application Services tab, including Content Security Policy.
- Select the Application Services tab.
- Next to Content Security Policy, select the appropriate policy from the list. This attaches your Content Security policy to the security policy.
- Click OK to check your configuration and save it as a candidate configuration.
- If the policy is saved successfully, you receive a confirmation, and you must click OK again. If the policy is not saved successfully, click Details in the pop-up window to discover why.
  Note: You must activate your new policy to apply it.
  Note: On SRX Series Firewalls, the confirmation window that notifies you that the policy is saved successfully disappears automatically.
- If you are done configuring the device, click Commit Options>Commit.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure server-based antispam filtering:
Create a profile.
[edit security]
user@host# set utm feature-profile anti-spam sbl profile sblprofile1
Enable or disable the default SBL server lookup.
[edit security]
user@host# set utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server
If you are using server-based antispam filtering, type sbl-default-server to enable the default SBL server. (The SBL server is predefined on the device. The device comes preconfigured with the name and address of the SBL server.) Disable server-based antispam filtering with the no-sbl-default-server option only if you are using only local lists or if you do not have a license for server-based spam filtering.
Configure the action to be taken by the device when spam is detected (block, tag-header, or tag-subject).
[edit security]
user@host# set utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server spam-action block
Configure a custom string for identifying a message as spam.
[edit security]
user@host# set utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server custom-tag-string ***spam***
Attach the spam feature profile to the Content Security policy.
[edit security]
user@host# set utm utm-policy spampolicy1 anti-spam smtp-profile sblprofile1
Configure a security policy to which to attach the Content Security policy.
[edit]
user@host# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match source-address any
user@host# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match application junos-smtp
user@host# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 then permit application-services utm-policy spampolicy1
Note: The device comes preconfigured with a default antispam policy. The policy is called junos-as-defaults. It contains the following configuration parameters:
anti-spam {
    sbl {
        profile junos-as-defaults {
            sbl-default-server;
            spam-action block;
            custom-tag-string "***SPAM***";
        }
    }
}
Results
From configuration mode, confirm your configuration by entering the show security utm and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security utm
feature-profile {
    anti-spam {
        sbl {
            profile sblprofile1 {
                sbl-default-server;
                spam-action block;
                custom-tag-string ***spam***;
            }
        }
    }
}
utm-policy spampolicy1 {
    anti-spam {
        smtp-profile sblprofile1;
    }
}
[edit]
user@host# show security policies
from-zone trust to-zone untrust {
    policy utmsecuritypolicy1 {
        match {
            source-address any;
            destination-address any;
            application junos-smtp;
        }
        then {
            permit {
                application-services {
                    utm-policy spampolicy1;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Antispam Statistics
Purpose
Verify the antispam statistics.
Action
From operational mode, enter the show security utm anti-spam status and show security utm anti-spam statistics commands.
The following information appears:
SBL Whitelist Server:
SBL Blacklist Server: msgsecurity.example.net
DNS Server:
Primary : 1.2.3.4, Src Interface: ge-0/0/0
Secondary: 2.3.4.5, Src Interface: ge-0/0/1
Ternary : 0.0.0.0, Src Interface: fe-0/0/2
Total connections: #
Denied connections: #
Total greetings: #
Denied greetings: #
Total e-mail scanned: #
White list hit: #
Black list hit: #
Spam total: #
Spam tagged: #
Spam dropped: #
DNS errors: #
Timeout errors: #
Return errors: #
Invalid parameter errors: #
Statistics start time:
Statistics for the last 10 days.
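As an added operational check (not part of the Juniper documentation), the following Python parses the status and statistics output shown above and flags the two conditions under which server-based filtering is not actually protecting mail: no SBL blacklist server is set, or a large share of lookups end in DNS, timeout or return errors. The sample output and its counter values are constructed; the 5% error threshold is an assumed tuning value.

```python
from typing import Dict, List

# Constructed sample output in the shape the device prints; values are made up.
SAMPLE_STATUS = """\
SBL Whitelist Server:
SBL Blacklist Server: msgsecurity.example.net
DNS Server:
Primary : 1.2.3.4, Src Interface: ge-0/0/0
Secondary: 2.3.4.5, Src Interface: ge-0/0/1
"""

SAMPLE_STATS = """\
Total e-mail scanned: 1200
White list hit: 15
Black list hit: 40
Spam total: 300
Spam tagged: 0
Spam dropped: 300
DNS errors: 150
Timeout errors: 90
Return errors: 0
Invalid parameter errors: 0
Statistics start time:
Statistics for the last 10 days.
"""

def parse_counters(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict; the first colon separates key from value."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out

def sbl_health(status: str, stats: str, max_error_ratio: float = 0.05) -> List[str]:
    """Return findings that mean SBL verdicts are not being applied to scanned mail."""
    st, ct = parse_counters(status), parse_counters(stats)
    findings: List[str] = []
    if not st.get("SBL Blacklist Server"):
        findings.append("no SBL blacklist server configured: server-based filtering is off")
    scanned = int(ct.get("Total e-mail scanned") or 0)
    errors = sum(int(ct.get(k) or 0) for k in ("DNS errors", "Timeout errors", "Return errors"))
    if scanned and errors / scanned > max_error_ratio:
        findings.append(f"{errors} of {scanned} scanned messages hit SBL lookup errors")
    return findings
```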