
BorderWare Security Network

In document eprism Security Appliance User Guide (Page 142-147)

The BorderWare Security Network (BSN) helps to identify spam by reporting behavioral information about the sender of a mail message, drawn from a collection of metrics: the sender's overall reputation, whether the sender is a dial-up, and whether the sender appears to be virus-infected or sends large amounts of spam. This information is based on data collected from customer ePrism systems and global DNS Block Lists.

This information can be used by the ePrism Email Security Appliance to either reject the message immediately or contribute to the Intercept score if a message is detected from a source with a poor reputation or numerous virus infections.

If this option is enabled, ePrism will ask for statistics from the BSN Domain service for the sender IP of each message received, excluding those from trusted and known networks. Using the information returned from BSN, ePrism can make a decision about whether a message is spam or legitimate mail. A reputation of "0" indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of "100" indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value "50".

BSN Statistics Sharing

Statistics from your ePrism can also be shared with BSN by selecting the share statistics option.

The following message count statistics and the upstream client IP are sent to the BSN network when Share Statistics is enabled on ePrism:

• Total mail

BSN Domain service queries use the DNS protocol on UDP port 53. BSN statistics sharing uploads to the BSN network using HTTPS on port 443. These ports must be opened up on your network firewall if ePrism is located behind the firewall.

Note the following considerations when using BSN:

• If the BSN server is not available, the DNS request times out. This may affect performance and requires monitoring for timed-out connections. Remove any servers that you do not use to prevent time-outs.

• If a message that you want to receive from a client is blocked by BSN, add a Specific Access Pattern to "Trust" messages from that client. Pattern Based Message Filtering can also be used to "Bypass" (skip anti-spam and content checks), "Trust" (accept and train as valid mail) or "Accept" (accept without training) the message; however, this may interfere with later ePrism processing, so using SAPs is recommended.

BSN Trusting for Relays

Administrators can trust friendly local networks or addresses of known mail servers in their environment that relay mail via ePrism. These specific networks and servers can be added to the "relays" IP Address list in the Threat Prevention feature to prevent them from being blocked by Threat Prevention and BSN, as well as ensuring that reputation statistics for these addresses will not be reported to BSN.

For example, in ePrism environments with a backup MTA (Mail Transfer Agent) system, the backup system may be misclassified by BSN. If ePrism is offline, mail is collected by the backup MTA as specified in the organization's MX records. When ePrism comes back online, this mail (which may include spam, viruses, and other types of infected mail) is forwarded from the backup MTA to ePrism for processing. If BSN is enabled, the backup system may therefore be given a poor reputation score by BSN.

To add a system to the relays list:

1. Click the internal hosts and friendly mail relays link on the BSN menu.

2. The relays static IP/CIDR list screen appears.

3. Add the address of any internal relays and a description, and then click the Add button.

Intercept Anti-Spam


Configuring BSN Checks

Select Mail Delivery ➝ Anti-Spam ➝ Intercept, and then BorderWare Security Network on the menu.

• Enable — When BSN is enabled, incoming messages will be checked against the spam information gathered by the BSN network.

• BSN Domain — Enter the BSN domain to query. The default (ipdns.borderware.com) is the primary BSN domain, and should not be modified.

• Share Statistics — Enable sharing of BSN information, such as spam and virus statistics for connecting client IP addresses, from this ePrism with the BSN network.

Port 443 must be enabled outbound to allow statistics to be uploaded to the BSN server. There are no security risks associated with sharing statistics. ePrism does not relay any private or sensitive information to the BorderWare Security Network.

• Check Relays — When this option is enabled, the configured number of received headers will be checked with BSN. For example, an email message may have been relayed by four mail servers before it reached ePrism. Use this field to specify how many relay points, starting from the latest headers and working back to the earliest, should have their reputation checked via BSN. Acceptable values are between "0" and "ALL". Recommended values are "0" (off), "1" or "2". The default is "0" (off).

Check Relays should be enabled if ePrism is installed behind another MTA or mail gateway. This ensures the relay before the intermediary MTA is checked.

• Exclude Relays — This option specifies how many received headers to exclude from BSN checks, starting from the earliest header and working towards the most recent. For example, if Check Relays is enabled, setting this value to 1 means that the first relay point will not be checked. Note that some ISPs include the originating dial-up IP as the first relay point, which can lead to legitimate mail being classified as spam by BSN. Recommended values are "0" (off) or "1". The default is "0" (off). This setting is only available if Check Relays is also enabled.

As an example of using the Check Relays and Exclude Relays options, consider the following scenario:

Server A -> Server B -> Server C -> Server D -> ePrism

With the mail relayed via four previous servers (A-D), the received headers of a message will appear in the following order:

Received: D
Received: C
Received: B
Received: A

Setting the Check Relays option tells ePrism to start with server "D" and check the configured number of received headers. If Check Relays is set to "3", it will check "D", "C", and "B".

Use the Exclude Relays option to tell ePrism to ignore the configured number of received headers starting at the end of the header list regardless of what the Check Relays option is set to. If Exclude Relays is set to "1", then server "A" will be excluded from the checks.
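As an added example (not from the guide), the following Python applies the Check Relays and Exclude Relays windowing described above to a message's Received: headers. The sample headers and their documentation-range addresses are constructed for the A to D relay chain and are not part of the original page.

```python
import re

# Constructed sample headers for the guide's chain Server A -> B -> C -> D -> ePrism.
# The addresses are documentation-range placeholders, not values from the guide.
SAMPLE_HEADERS = """\
Received: from serverD.example (serverD.example [203.0.113.40])
    by eprism.example with ESMTP; Mon, 1 Jan 2024 10:00:04 +0000
Received: from serverC.example (serverC.example [203.0.113.30])
    by serverD.example with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from serverB.example (serverB.example [203.0.113.20])
    by serverC.example with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from serverA.example (serverA.example [203.0.113.10])
    by serverB.example with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Subject: relay check demo
"""

_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(raw_headers: str) -> list[str]:
    """Return relay IPs from the Received: headers, most recent hop first
    (D, C, B, A in the guide's example); headers without a bracketed IP are skipped."""
    # Unfold RFC 5322 continuation lines so each header occupies one line.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            match = _BRACKETED_IPV4.search(line)
            if match:
                ips.append(match.group(1))
    return ips


def relays_to_check(ips: list[str], check_relays, exclude_relays: int = 0) -> list[str]:
    """Select which relay IPs are queried against BSN.

    check_relays:   0 (off), a count taken from the most recent header downwards, or "ALL".
    exclude_relays: headers dropped from the earliest end, applied regardless of
                    check_relays (so an ISP's originating dial-up hop is never reached).
    """
    if check_relays == 0:
        return []
    kept = ips[: max(0, len(ips) - exclude_relays)]
    if check_relays == "ALL":
        return kept
    return kept[:check_relays]


if __name__ == "__main__":
    hops = received_ips(SAMPLE_HEADERS)
    print("Check Relays=3, Exclude Relays=0:", relays_to_check(hops, 3))
    print("Check Relays=ALL, Exclude Relays=1:", relays_to_check(hops, "ALL", 1))
```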

BSN Connection Rejects

By default, ePrism uses BSN feedback as part of the Intercept decision. To override this default behavior, ePrism can use BSN information for connection level rejects. When overriding the default behavior with BSN, ePrism provides the following options:

• Reject on BSN Reputation — If enabled, the ePrism Email Security Appliance will reject messages from senders whose reputation is above the configured Reputation Threshold. A reputation of "0" indicates the sender is extremely reliable and rarely sends spam or viruses. A reputation of "100" indicates the sender is extremely unreliable and often sends spam or viruses. An IP address with no previous information from any source is assigned a value "50".

BSN rejects can be overridden by creating a Specific Access Pattern to "Trust" the rejected address. BSN rejects cannot be overridden by a policy. Pattern Based Message Filtering can also be used to "Bypass" (skip all Anti-Spam and content checks), "Trust" (accept and train as valid mail) or "Accept" (accept without training) the message; however, this may interfere with later ePrism processing, so using SAPs is recommended.

• Reputation Threshold — Enter a reputation threshold over which a message will be rejected. Generally, a rejection threshold of "70" to "75" will reject at least 60% of spam messages. If desired, this threshold can be set to a less aggressive value of "90" which results in about 40% of spam messages being rejected via this feature.

• Reject on Infection — If enabled, the ePrism Email Security Appliance will reject messages from senders whose infection score is above the configured Infection Threshold.

• Infection Threshold — Sets the criterion for rejecting messages: whether the sending host is Currently infected (infected mail received in the last hour) or Recently infected (infected mail received in the last day). This setting is only valid when Reject on Infection is enabled.

• Reject Connection From Dial-ups — If enabled, the ePrism Email Security Appliance will reject messages sent directly from dial-up connections.


If a message is not rejected for violating a BSN threshold, the reputation score and the information about whether the sender is a dial-up can still be incorporated into the overall Intercept Anti-Spam decision.

• BSN Reject Message — This option allows the administrator to customize the reject message for BSN. Use "%s" to specify the IP address of the rejected sender, such as:

go to http://intercept.borderware.com/lookup?ip=%s

BSN rejection, infection, and dial-up log messages will include a URL similar to the following:

BSN 450: blocked by Intercept: go to http://intercept.borderware.com/lookup?ip=[client_ip]

where client_ip is the address of the connecting system that was rejected. Clicking the URL opens a web page displaying BSN reputation statistics for the specified IP address.
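The connection-level reject options and the "%s" reject message described above, reduced to one decision function. This is an added example rather than ePrism's own code: the BsnRecord fields, the representation of the infection thresholds as hours since BSN last saw infected mail from the host, and the sample IP addresses are assumptions, not part of the guide.

```python
from dataclasses import dataclass
from typing import Optional

UNKNOWN_REPUTATION = 50  # BSN value for an IP with no previous information

# Time windows the guide attaches to each Infection Threshold setting.
INFECTION_WINDOW_HOURS = {"currently": 1.0, "recently": 24.0}


@dataclass
class BsnRecord:
    """Constructed stand-in for a BSN lookup result; field names are assumptions."""
    reputation: int                         # 0 = extremely reliable, 100 = extremely unreliable
    hours_since_infection: Optional[float]  # None = no infected mail seen from this host
    dialup: bool = False


@dataclass
class RejectPolicy:
    """The BSN Connection Rejects options from the guide, as a policy object."""
    reject_on_reputation: bool = False
    reputation_threshold: int = 75
    reject_on_infection: bool = False
    infection_threshold: str = "recently"   # "currently" (last hour) or "recently" (last day)
    reject_dialups: bool = False
    reject_message: str = "go to http://intercept.borderware.com/lookup?ip=%s"


def bsn_connection_decision(client_ip: str, record: Optional[BsnRecord],
                            policy: RejectPolicy, trusted_by_sap: bool = False) -> tuple:
    """Return ("accept", reason), ("reject", reason, message) or ("intercept", details).

    A Specific Access Pattern that trusts the client overrides every BSN reject, and a
    sender BSN has never seen is treated with the neutral reputation of 50.
    """
    if trusted_by_sap:
        return ("accept", "trusted by Specific Access Pattern")
    if record is None:
        record = BsnRecord(UNKNOWN_REPUTATION, None)
    reason = None
    if policy.reject_on_reputation and record.reputation > policy.reputation_threshold:
        reason = f"reputation {record.reputation} above {policy.reputation_threshold}"
    elif (policy.reject_on_infection and record.hours_since_infection is not None
          and record.hours_since_infection <= INFECTION_WINDOW_HOURS[policy.infection_threshold]):
        reason = f"{policy.infection_threshold} infected"
    elif policy.reject_dialups and record.dialup:
        reason = "dial-up sender"
    if reason:
        # "%s" in the configured reject message stands for the rejected client IP.
        return ("reject", reason, policy.reject_message.replace("%s", client_ip))
    # Not rejected: reputation and dial-up status still feed the overall Intercept score.
    return ("intercept", {"reputation": record.reputation, "dialup": record.dialup})
```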
