Server-Based Antispam Filtering

Server-based spam filtering supports only IP-based spam blocklist lookup. Server-based antispam filtering requires Internet connectivity with the spam block list (SBL) server. For more information, see the following topics:

Understanding Server-Based Antispam Filtering

Server-based antispam filtering requires Internet connectivity with the spam block list (SBL) server. Domain Name Service (DNS) is required to access the SBL server. The firewall performs SBL lookups through the DNS protocol. The lookups are against the IP address of the sender (or relaying agent) of the e-mail, adding the name of the SBL server as the authoritative domain. The DNS server then forwards each request to the SBL server, which returns a DNS response to the device. The device then interprets the DNS response to determine if the e-mail sender is a spammer.

IP addresses that are included in the block lists are generally considered to be invalid addresses for mail servers or easily compromised addresses. Criteria for listing an IP address as a spammer on the SBL can include:

  • Running an SMTP open relay service

  • Running open proxy servers (of various kinds)

  • Being a zombie host possibly compromised by a virus, worm, Trojan, or spyware

  • Using a dynamic IP range

  • Being a confirmed spam source with a known IP address

By default, the device first checks incoming e-mail against local allowlists and blocklists. If there are no local lists, or if the sender is not found on local lists, the device proceeds to query the SBL server over the Internet. When both server-based spam filtering and local list spam filtering are enabled, checks are done in the following order:

  1. The local allowlist is checked. If there is a match, no further checking is done. If there is no match...

  2. The local blocklist is checked. If there is a match, no further checking is done. If there is no match...

  3. The SBL server list is checked.

Note:
  • SBL server matching stops when the antispam license key expires.

  • Server-based spam filtering supports only IP-based spam blocklist lookup. Sophos updates and maintains the IP-based spam block list. Server-based antispam filtering is a separately licensed subscription service. When your antispam license key expires, you can continue to use locally defined blocklists and allowlists.

    When you delete or deactivate a feature profile created for server-based antispam filtering, the default SBL server configuration is applied automatically. When the default SBL server configuration is applied, the default SBL server lookup is enabled. If you want to disable the default SBL server lookup, that is, you want the no-sbl-default-server option to be the default value, you must use the set security utm default-configuration anti-spam sbl no-sbl-default-server command.
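The two passages above describe the lookup itself (a DNS query built from the sender's IP address and the SBL server's domain) and the fixed order in which local lists and the SBL server are consulted, including the fact that SBL matching stops once the license expires. The following added Python example is not part of this documentation or of Junos; it models that logic so the ordering and the license behaviour can be exercised offline. The zone name sbl.example.net, the local lists, the canned SBL answers and the reversed-octet query form (the usual DNSBL convention, which the page does not spell out) are all assumptions made for the example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Tuple

# Constructed for this example: the DNS zone of a hypothetical SBL service.
# The real SBL server name is predefined on the device and not given on the page.
SBL_ZONE = "sbl.example.net"

Network = ipaddress.IPv4Network


def sbl_query_name(sender_ip: str, zone: str = SBL_ZONE) -> str:
    """Build the DNS name the firewall would query for a sender address.

    Assumption: the conventional DNSBL query form, in which the sender's
    IPv4 octets are reversed and the list zone is appended, e.g.
    198.51.100.7 -> 7.100.51.198.sbl.example.net.  The page states only
    that the SBL server name is added as the authoritative domain.
    """
    ip = ipaddress.ip_address(sender_ip)
    if ip.version != 4:
        raise ValueError("this example models the IPv4 lookup only")
    return ".".join(reversed(sender_ip.split("."))) + "." + zone


def live_sbl_lookup(query_name: str) -> Optional[str]:
    """Resolve the query through the system DNS server (needs connectivity).

    A listed sender resolves to an address in the list's result range; an
    unlisted one yields NXDOMAIN, surfaced here as None.  Not used by the
    offline demonstration below.
    """
    try:
        return socket.gethostbyname(query_name)
    except socket.gaierror:
        return None


def classify_sender(
    sender_ip: str,
    allowlist: Iterable[Network],
    blocklist: Iterable[Network],
    sbl_lookup: Callable[[str], Optional[str]],
    license_valid: bool = True,
) -> Tuple[str, str]:
    """Return (verdict, reason) using the order the page describes:
    local allowlist, then local blocklist, then the SBL server.

    The first list that matches ends the check, so an address on both
    local lists is treated as allowed.  The SBL step is skipped when the
    antispam license has expired; the local lists keep working.
    """
    ip = ipaddress.ip_address(sender_ip)
    if any(ip in net for net in allowlist):
        return "clean", "local allowlist match"
    if any(ip in net for net in blocklist):
        return "spam", "local blocklist match"
    if not license_valid:
        return "clean", "SBL lookup skipped: antispam license expired"
    answer = sbl_lookup(sbl_query_name(sender_ip))
    if answer is not None:
        return "spam", f"SBL listed (response {answer})"
    return "clean", "not on any list"


# Constructed local lists and a canned SBL answer table that stands in for the
# DNS round trip, so the example runs offline.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("203.0.113.77/32")]
BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
FAKE_SBL_ANSWERS = {sbl_query_name("198.51.100.7"): "127.0.0.2"}


def fake_sbl_lookup(query_name: str) -> Optional[str]:
    return FAKE_SBL_ANSWERS.get(query_name)


def check(sender_ip: str, license_valid: bool = True) -> Tuple[str, str]:
    """Run the full check for one sender against the constructed lists above."""
    return classify_sender(sender_ip, ALLOWLIST, BLOCKLIST, fake_sbl_lookup, license_valid)


if __name__ == "__main__":
    for sender in ("192.0.2.10", "203.0.113.77", "203.0.113.5", "198.51.100.7", "198.51.100.8"):
        print(sender, *check(sender))
    print("198.51.100.7 with expired license:", *check("198.51.100.7", license_valid=False))
```

Note that 203.0.113.77 is inside the blocklisted /24 but is still classified as clean, because the allowlist is consulted first and a match there ends the check; this is the practical consequence of the order given above. Swapping fake_sbl_lookup for live_sbl_lookup turns the same check into a real DNS query, which is why the device needs DNS reachability to the SBL server.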

Server-Based Antispam Filtering Configuration Overview

For each Content Security feature, configure feature parameters in the following order:

  1. Configure Content Security custom objects for the feature.

  2. Configure the main feature parameters, using feature profiles.

  3. Configure a Content Security policy for each protocol, and attach this policy to a profile.

    Note:

    Antispam filtering is only supported for the SMTP protocol.

  4. Attach the Content Security policy to a security policy.

Example: Configuring Server-Based Antispam Filtering

This example shows how to configure server-based antispam filtering.

Requirements

Before you begin, review how to configure the feature parameters for each Content Security feature. See Server-Based Antispam Filtering Configuration Overview.

Overview

Server-based antispam filtering requires Internet connectivity with the spam block list (SBL) server. Domain Name Service (DNS) is required to access the SBL server.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

GUI Quick Configuration
Step-by-Step Procedure

To configure server-based antispam filtering:

  1. Configure a profile and enable/disable the SBL server lookup. Select Configure>Security>UTM>Anti-Spam.

    Step-by-Step Procedure

    1. In the Anti-Spam profiles configuration window, click Add to configure a profile for the SBL server, or click Edit to modify an existing item.

    2. In the Profile name box, enter a unique name for the antispam profile that you are creating.

    3. If you are using the default server, select Yes next to Default SBL server. If you are not using the default server, select No.

      The SBL server is predefined on the device. The device comes preconfigured with the name and address of the SBL server. If you do not select Yes, you are disabling server-based spam filtering. You should disable it only if you are using only local lists or if you do not have a license for server-based spam filtering.

    4. In the Custom tag string box, enter a custom string for identifying a message as spam. By default, the device uses ***SPAM***.

    5. From the antispam action list, select the action that the device should take when it detects spam. Options include Tag subject, Block email, and Tag header.

  2. Configure a Content Security policy for SMTP to which you attach the antispam profile.

    Step-by-Step Procedure
    1. Select Configure>Security>Policy>UTM Policies.

    2. In the Content Security policy configuration window, click Add.

    3. In the policy configuration window, select the Main tab.

    4. In the Policy name box, type a unique name for the Content Security policy.

    5. In the Session per client limit box, type a session per client limit. Valid values range from 0 to 2000.

    6. From the Session per client over limit list, select the action that the device should take when the session per client limit for this Content Security policy is exceeded. Options include Log and permit and Block.

    7. Select the Anti-Spam profiles tab in the pop-up window.

    8. From the SMTP profile list, select an antispam profile to attach to this Content Security policy.

  3. Attach the Content Security policy to a security policy.

    Step-by-Step Procedure
    1. Select Configure>Security>Policy>FW Policies.

    2. In the Security Policy window, click Add to configure a security policy with Content Security or click Edit to modify an existing policy.

    3. In the Policy tab, type a name in the Policy Name box.

    4. Next to From Zone, select a zone from the list.

    5. Next to To Zone, select a zone from the list.

    6. Choose a source address.

    7. Choose a destination address.

    8. Choose an application by selecting junos-smtp (for antispam) in the Application Sets box and moving it to the Matched box.

    9. Next to Policy Action, select one of the following: Permit, Deny, or Reject.

      When you select Permit for Policy Action, several additional fields become available in the Application Services tab, including Content Security Policy.

    10. Select the Application Services tab.

    11. Next to Content Security Policy, select the appropriate policy from the list. This attaches your Content Security policy to the security policy.

    12. Click OK to check your configuration and save it as a candidate configuration.

    13. If the policy is saved successfully, you receive a confirmation, and you must click OK again. If the policy is not saved successfully, click Details in the pop-up window to discover why.

      Note:
      • You must activate your new policy to apply it.

      • On SRX Series Firewalls, the confirmation window that notifies you that the policy was saved successfully disappears automatically.

    14. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure server-based antispam filtering:

  1. Create a profile.

  2. Enable or disable the default SBL server lookup.

    If you are using server-based antispam filtering, you should type sbl-default-server to enable the default SBL server. (The SBL server is predefined on the device. The device comes preconfigured with the name and address of the SBL server.) You should disable server-based antispam filtering using the no-sbl-default-server option only if you are using only local lists or if you do not have a license for server-based spam filtering.

  3. Configure the action to be taken by the device when spam is detected (block, tag-header, or tag-subject).

  4. Configure a custom string for identifying a message as spam.

  5. Attach the spam feature profile to the Content Security policy.

  6. Configure a security policy for Content Security to which to attach the Content Security policy.

    Note:

    The device comes preconfigured with a default antispam policy. The policy is called junos-as-defaults. It contains the following configuration parameters:

Results

From configuration mode, confirm your configuration by entering the show security utm and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.
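Steps 3 and 4 of the CLI procedure above (and steps 4 and 5 of the GUI procedure) choose what the device does with a message once the lookup has flagged it: block, tag-header or tag-subject, with the custom tag string defaulting to ***SPAM***. The following added Python example is not part of this documentation or of Junos; it applies each of the three actions to a constructed SMTP message so the difference between them is visible. The header name X-Spam-Tag used for the tag-header action is a placeholder, since the page does not name the header the device inserts.

```python
import email
from dataclasses import dataclass
from email.message import Message
from typing import Optional

# Page default for the custom tag string.
DEFAULT_TAG = "***SPAM***"
# Assumption: the page does not name the header that tag-header inserts,
# so this example uses a placeholder header name.
TAG_HEADER_NAME = "X-Spam-Tag"

# Constructed sample message (not from the page).
SAMPLE_MESSAGE = (
    "From: sender@example.org\n"
    "To: user@example.com\n"
    "Subject: Quarterly report\n"
    "\n"
    "Please find the figures attached.\n"
)


@dataclass
class SpamActionResult:
    delivered: bool             # False when the action is block
    subject: Optional[str]      # Subject header after the action, if delivered
    tag_header: Optional[str]   # value of the tag header after the action, if any
    text: str                   # message as it would be relayed ("" when blocked)


def apply_spam_action(raw_message: str, action: str, tag: str = DEFAULT_TAG) -> SpamActionResult:
    """Apply one of the three configurable actions to a message flagged as spam.

    block       - the message is not relayed at all
    tag-subject - the custom tag string is prepended to the Subject header
    tag-header  - the custom tag string is added as a separate header and the
                  Subject is left alone, so a downstream filter can act on it
    """
    if action == "block":
        return SpamActionResult(False, None, None, "")
    msg: Message = email.message_from_string(raw_message)
    if action == "tag-subject":
        if msg.get("Subject") is None:
            msg["Subject"] = tag            # a message with no Subject still gets tagged
        else:
            msg.replace_header("Subject", f"{tag} {msg['Subject']}")
    elif action == "tag-header":
        msg[TAG_HEADER_NAME] = tag
    else:
        raise ValueError(f"unknown spam action: {action!r}")
    return SpamActionResult(True, msg.get("Subject"), msg.get(TAG_HEADER_NAME), msg.as_string())


if __name__ == "__main__":
    for action in ("tag-subject", "tag-header", "block"):
        result = apply_spam_action(SAMPLE_MESSAGE, action)
        print(f"--- {action}: delivered={result.delivered}")
        print(result.text)
```

The block action is the only one that stops delivery; both tag actions relay the message and leave the decision to the mail server or client behind the firewall, which is why the tag string should be something a downstream rule can match reliably.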

Verification

Verifying Antispam Statistics

Purpose

Verify the antispam statistics.

Action

From operational mode, enter the show security utm anti-spam status and show security utm anti-spam statistics commands.

The following information appears: