Spam filtering is not needed for all traffic. For example, you may want to exclude traffic between your local mail servers from spam filtering to avoid unnecessary use of resources. To exempt traffic to certain destinations from spam filtering, create a more specific IPv4 Access rule that matches that traffic and place it before the more general rule that enables spam filtering.
Using Spam Filtering
Anti-Spoofing and Anti-Relay Protection
E-mail address spoofing is a technique spammers use to make a message look trustworthy, for example to trick the recipient into disclosing sensitive information. In e-mail address spoofing, parts of the header of an e-mail are forged to make the message appear to originate from someone other than the actual sender. Anti-spoofing and anti-relay options allow you to detect spammer activity and to stop suspicious e-mails. To protect your network from spoofing, specify your local network domains in the spam filtering settings. This allows the firewall to detect messages that arrive from outside but claim a local sender address.
The firewall checks the domain information specified in the following parts of an e-mail message:
•Domain information in the HELO/EHLO command.
•Domain information in the MAIL FROM command.
•Domain information in the From field of an e-mail header.
•Relay information in the RCPT TO command.
If an e-mail from an external source contains your local domain information in any of these places, it is considered spam. You can configure the anti-spoofing and anti-relay options to discard, reject, or score such messages.
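The four checks listed above, written out as an added example (this is not the firewall's own code). The local domains, the local networks that define an "internal" client, and the sample transactions are constructed for illustration; the finding names are assumptions of this example.

```python
"""Anti-spoofing and anti-relay checks on an SMTP transaction.

Added example, not the firewall's own code. It models the four checks the
text lists: the HELO/EHLO domain, the MAIL FROM domain, the From: header
domain and the RCPT TO relay destination. The local domains, local networks
and sample transactions are constructed for illustration.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com"}                                             # constructed
LOCAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]  # constructed


@dataclass
class SmtpTransaction:
    client_ip: str            # address of the connecting mail server
    helo: str                 # argument of HELO/EHLO
    mail_from: str            # argument of MAIL FROM, "<>" for bounces
    rcpt_to: list             # arguments of each RCPT TO
    headers: dict = field(default_factory=dict)   # message header fields


def _domain_of(addr):
    """Lower-cased domain part of an address ('' for the null sender '<>')."""
    _, email_addr = parseaddr(addr)
    if "@" not in email_addr:
        return ""
    return email_addr.rsplit("@", 1)[1].lower().rstrip(".")


def _is_local_domain(domain):
    domain = domain.lower().rstrip(".")
    return domain in LOCAL_DOMAINS or any(domain.endswith("." + d) for d in LOCAL_DOMAINS)


def _is_local_client(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETWORKS)


def check_transaction(tx):
    """Return a list of (check, value) findings; an empty list means clean.

    Spoofing: an external client presents a local domain in HELO/EHLO,
    MAIL FROM or the From: header.
    Relay: an external client asks for delivery to a non-local domain,
    i.e. it is trying to use this gateway as an open relay.
    Mail from local networks is exempt, mirroring the access rule
    exception described at the start of the chapter.
    """
    findings = []
    if _is_local_client(tx.client_ip):
        return findings

    if _is_local_domain(tx.helo):
        findings.append(("helo-spoof", tx.helo))
    mail_from_domain = _domain_of(tx.mail_from)
    if mail_from_domain and _is_local_domain(mail_from_domain):
        findings.append(("mailfrom-spoof", tx.mail_from))
    header_from_domain = _domain_of(tx.headers.get("From", ""))
    if header_from_domain and _is_local_domain(header_from_domain):
        findings.append(("header-from-spoof", tx.headers["From"]))
    for rcpt in tx.rcpt_to:
        if not _is_local_domain(_domain_of(rcpt)):
            findings.append(("relay-attempt", rcpt))
    return findings


if __name__ == "__main__":
    forged = SmtpTransaction("203.0.113.5", "mail.example.com", "<ceo@example.com>",
                             ["<bob@example.com>"], {"From": "CEO <ceo@example.com>"})
    for check, value in check_transaction(forged):
        print(check, value)
```

The null sender `<>` used by bounce messages has no domain and is deliberately skipped by the MAIL FROM check; rejecting it would break delivery-failure notifications for your own users.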
Handling E-mail Address Forgery
You can detect forgery of sender e-mail addresses by using SPF (Sender Policy Framework) and MX (Mail Exchanger) record matching. SPF protects the envelope sender address that is used for delivering e-mail messages. The method allows domain owners to publish in the Domain Name System an SPF record that states which mail servers are authorized to send e-mail from their domains. Mail exchangers use SPF records to check if an e-mail is sent from a legitimate server. An MX record is a type of record published in the Domain Name System that specifies a mail server responsible for accepting e-mail messages for a certain domain. MX records are used to direct a domain's mail flow to the correct servers. Both checks compare the IP address of the connecting mail server against the records published for the sender's domain. We therefore recommend using SPF and MX record matching only when traffic is not routed through a proxy or a VPN gateway, because such a device replaces the sending server's IP address with its own and the check no longer sees the real source.
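The two checks above, as an added example (not the firewall's implementation). DNS is replaced by a constructed in-memory zone so the code runs offline; every domain name, record and address in it is illustrative. The SPF evaluator covers the `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms and their qualifiers; `exists`, `ptr`, macros and the `redirect` modifier are omitted.

```python
"""SPF evaluation and MX record matching for the envelope sender domain.

Added example, not the firewall's own code. DNS answers come from the
constructed FAKE_DNS table below so the example runs offline; none of the
names or addresses are real data.
"""
from ipaddress import ip_address, ip_network

# Constructed DNS data: (name, record type) -> list of record strings.
FAKE_DNS = {
    ("example.org", "TXT"): ["v=spf1 ip4:198.51.100.0/24 mx include:_spf.mailer.example -all"],
    ("example.org", "MX"): ["mx1.example.org", "mx2.example.org"],
    ("mx1.example.org", "A"): ["192.0.2.10"],
    ("mx2.example.org", "A"): ["192.0.2.11"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:203.0.113.0/25 ~all"],
    ("nospf.example", "MX"): ["mail.nospf.example"],       # domain without SPF
    ("mail.nospf.example", "A"): ["192.0.2.50"],
}


def resolve(name, rrtype):
    """Stand-in for a DNS query; returns [] for names that do not exist."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


def mx_addresses(domain, resolve=resolve):
    """IP addresses of the domain's mail exchangers (MX lookup, then A)."""
    addrs = set()
    for host in resolve(domain, "MX"):
        addrs.update(resolve(host, "A"))
    return addrs


def spf_check(client_ip, sender_domain, resolve=resolve, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.

    client_ip must be the address of the server that actually connected;
    behind a proxy or VPN gateway it would be the gateway's address and the
    result is meaningless (hence the recommendation in the text).
    """
    if depth > 10:                    # RFC 7208 limits lookups; stop runaway includes
        return "permerror"
    records = [r for r in resolve(sender_domain, "TXT")
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    ip = ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            # an address of the other IP version is simply not contained
            matched = ip in ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in resolve(arg or sender_domain, "A")
        elif mech == "mx":
            matched = str(ip) in mx_addresses(arg or sender_domain, resolve)
        elif mech == "include":
            matched = spf_check(client_ip, arg, resolve, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        # unknown mechanisms and modifiers (redirect=, exp=) are skipped here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def mx_match(client_ip, sender_domain, resolve=resolve):
    """True if the connecting server is one of the sender domain's MX hosts."""
    return client_ip in mx_addresses(sender_domain, resolve)


def sender_forgery_check(client_ip, sender_domain, resolve=resolve):
    """Use SPF when the domain publishes it; otherwise fall back to MX matching.

    MX matching is only a heuristic: many domains legitimately send from
    hosts that are not their inbound exchangers, so treat a mismatch as a
    score contribution rather than a hard reject.
    """
    result = spf_check(client_ip, sender_domain, resolve)
    if result != "none":
        return result
    return "mx-match" if mx_match(client_ip, sender_domain, resolve) else "mx-mismatch"


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "example.org"), ("203.0.113.200", "example.org"),
                    ("192.0.2.50", "nospf.example")]:
        print(ip, dom, sender_forgery_check(ip, dom))
```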
Spam Filter Sensitivity Settings
Each incoming e-mail message that goes through the spam filter checks is assigned a spam score that expresses how likely it is to be spam. By default, a spam label is added to the headers of all e-mails with a score of 2 or above, and all e-mails with a score of 8 or above are rejected. You can adjust the score values at which e-mail messages are marked as spam or rejected in the scoring settings.
170 Chapter 16 Spam Filtering
Spam Filtering Rules
You can define separate spam filtering rules for different parts of an e-mail message:
•An Envelope Rule inspects data in the envelope of an e-mail.
•A Header Rule inspects data in the header of an e-mail.
•A Content Rule inspects content in the body of an e-mail.
The rules allow you to detect specific word patterns and regular expressions in e-mail messages, and to define how such messages are handled. You can create various rules to handle e-mails for different recipients differently. For example, you can create Envelope rules per recipient to have milder rules for marketing or PR divisions, and stricter rules for other employees. Table 16.1 shows an example of an Envelope rule. The rule increases the credibility of all e-mail that is sent to the specified recipients: a negative score value lowers the overall spam score of an e-mail and makes it less likely to be treated as spam.
Spam filtering rules also save system resources, because when a message matches a rule with a final action, the remaining checks are skipped. For example, you might create a Header Rule that blacklists e-mail messages whose Content-Type header declares the GB2312 character set (Simplified Chinese), as in Table 16.2.
DNS-Based Blackhole Lists
DNS-based Blackhole Lists (DNSBLs) are lists of IP addresses of computers or networks that are suspected of sending spam. They are published in the Domain Name System and queried with ordinary DNS lookups. There are two types of lists that you can define to be checked: RBLs and URI DNSBLs. A Real-Time Blackhole List (RBL) entry names a DNSBL zone that lists IP addresses of servers responsible for sending spam or hijacked for spam relay; the firewall checks the IP address of the connecting mail server against it. A Uniform Resource Identifier DNSBL (URI DNSBL) entry names a DNSBL zone that lists domain names and IP addresses of links found in the body of spam e-mails; the firewall checks the links in the message body against it.
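How the two lookup types are formed and interpreted, as an added example (not the firewall's own code). The zone names and the DNS answers are constructed so the example runs offline; real lists publish their own zone names and return-code conventions, which you must take from the list operator's documentation.

```python
"""RBL and URI DNSBL lookups.

Added example, not the firewall's own code. An RBL is queried by reversing
the connecting IP address under the list's zone; a URI DNSBL is queried with
the domain names of links found in the message body. Zone names and answers
below are constructed so the code runs offline.
"""
import re
from ipaddress import ip_address, ip_network

RBL_ZONES = ["rbl.example.net"]          # constructed zone names
URI_DNSBL_ZONES = ["uribl.example.net"]

# Constructed answers: query name -> A records. Listed entries answer inside
# 127.0.0.0/8; the last octet is a list-specific reason code (here 2 = spam
# source, 4 = hijacked relay, as an assumed convention for this example).
FAKE_DNS = {
    "9.113.0.203.rbl.example.net": ["127.0.0.2"],
    "spammy.example.uribl.example.net": ["127.0.0.2"],
}


def resolve_a(name):
    """Stand-in for an A-record query; [] means NXDOMAIN, i.e. not listed."""
    return FAKE_DNS.get(name.lower(), [])


def rbl_query_name(ip, zone):
    """Reverse the octets (IPv4) or the 32 nibbles (IPv6) and append the zone."""
    addr = ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def rbl_listed(ip, zones=RBL_ZONES, resolve=resolve_a):
    """Return (zone, reason_code) for the first listing hit, or None.

    Only answers in 127.0.0.0/8 count: anything else (for example a
    wildcard answer from a decommissioned list, or a captive portal) must
    be treated as 'not listed' rather than as a match.
    """
    for zone in zones:
        for answer in resolve(rbl_query_name(ip, zone)):
            a = ip_address(answer)
            if a.version == 4 and a in ip_network("127.0.0.0/8"):
                return zone, int(answer.split(".")[-1])
    return None


URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def body_domains(body):
    """Host names of all http(s) links in the message body, lower-cased."""
    return {m.group(1).lower().rstrip(".") for m in URL_RE.finditer(body)}


def uri_dnsbl_hits(body, zones=URI_DNSBL_ZONES, resolve=resolve_a):
    """Return [(domain, zone), ...] for every linked domain found in a URI DNSBL."""
    hits = []
    for domain in sorted(body_domains(body)):
        for zone in zones:
            if resolve(f"{domain}.{zone}"):
                hits.append((domain, zone))
    return hits


if __name__ == "__main__":
    print(rbl_listed("203.0.113.9"))
    print(uri_dnsbl_hits("Buy now http://spammy.example/offer or https://safe.example/"))
```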
Table 16.1 Example Envelope Rule
Field: <Envelope> Rcpt To
Value: E-mail addresses of employees working in marketing or PR divisions
Action: Score -5
Table 16.2 Example Header Rule
Field: <Header Rules> Content-type
Value: <Regular Expression> /gb2312/i
Action: Blacklist
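The Envelope and Header rules of Tables 16.1 and 16.2, together with the default thresholds from the sensitivity settings (label at 2, reject at 8), as an added example of how such rules combine into a verdict. This is not the product's rule engine: the two extra rules, the recipient addresses and the sample messages are constructed for illustration.

```python
"""Envelope, Header and Content rules with score and blacklist actions.

Added example, not the firewall's own engine. The first two rules mirror
Tables 16.1 and 16.2; the remaining rules and the sample messages are
constructed. Thresholds are the defaults stated in the text.
"""
import re
from email import message_from_string
from email.utils import parseaddr

LABEL_THRESHOLD = 2     # default: add spam label at this score
REJECT_THRESHOLD = 8    # default: reject at this score

# (scope, field, matcher, action): matcher is a set of exact addresses or a
# compiled regex; action is ("score", n) or ("blacklist",).
RULES = [
    # Table 16.1: milder treatment for marketing/PR mailboxes (constructed addresses)
    ("envelope", "rcpt_to", {"marketing@example.com", "pr@example.com"}, ("score", -5)),
    # Table 16.2: blacklist mail whose Content-Type declares GB2312
    ("header", "Content-Type", re.compile(r"gb2312", re.I), ("blacklist",)),
    # Constructed rules: typical body and subject patterns
    ("content", None, re.compile(r"\b(act now|limited time)\b", re.I), ("score", 5)),
    ("header", "Subject", re.compile(r"^\s*(re:\s*)?free\b", re.I), ("score", 3)),
]


def _text_parts(msg):
    """Decoded text/plain bodies of a message (single part or multipart)."""
    parts = [msg] if not msg.is_multipart() else list(msg.walk())
    return [p.get_payload(decode=True).decode("utf-8", errors="replace")
            for p in parts if p.get_content_type() == "text/plain"]


def _values(scope, field, envelope, msg):
    """All values a rule in the given scope is matched against."""
    if scope == "envelope":
        v = envelope.get(field, [])
        return v if isinstance(v, list) else [v]
    if scope == "header":
        return msg.get_all(field, [])
    return _text_parts(msg)


def _matches(matcher, value):
    if isinstance(matcher, set):
        _, addr = parseaddr(value)
        return (addr or value).lower() in matcher
    return matcher.search(value) is not None


def classify(envelope, raw_message, rules=RULES):
    """Return (verdict, score, fired) with verdict 'reject', 'spam' or 'ok'.

    A blacklist action is final: processing stops immediately, which is the
    resource saving the text describes. Score actions accumulate, one hit
    per rule, and the thresholds are applied at the end.
    """
    msg = message_from_string(raw_message)
    score, fired = 0, []
    for scope, field, matcher, action in rules:
        for value in _values(scope, field, envelope, msg):
            if _matches(matcher, value):
                fired.append((scope, field, value.strip()[:40]))
                if action[0] == "blacklist":
                    return "reject", score, fired
                score += action[1]
                break
    if score >= REJECT_THRESHOLD:
        return "reject", score, fired
    if score >= LABEL_THRESHOLD:
        return "spam", score, fired
    return "ok", score, fired


# Constructed sample messages
RAW_SPAM = ("From: promo@spammy.example\nTo: bob@example.com\nSubject: FREE offer\n"
            "Content-Type: text/plain; charset=utf-8\n\nAct now, limited time only!\n")
RAW_GB2312 = ("From: promo@spammy.example\nTo: bob@example.com\nSubject: hello\n"
              "Content-Type: text/plain; charset=gb2312\n\nhello\n")
RAW_CLEAN = ("From: alice@other.example\nTo: bob@example.com\nSubject: Meeting notes\n"
             "Content-Type: text/plain; charset=utf-8\n\nSee you at 10.\n")

if __name__ == "__main__":
    env = {"mail_from": "promo@spammy.example", "rcpt_to": ["bob@example.com"]}
    print(classify(env, RAW_SPAM))
    print(classify({**env, "rcpt_to": ["marketing@example.com"]}, RAW_SPAM))
```

With the same message, the envelope rule from Table 16.1 turns a reject (score 8) into a mere label (score 3) for the marketing mailbox, which is exactly the per-recipient leniency the text describes.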
CHAPTER 17
VIRUS SCANNING
A virus scanner compares network traffic against an anti-virus database to search for viruses.
If a virus is found, infected traffic is stopped or infected content is stripped out.
The following sections are included:
Overview to Virus Scanning (page 172)
Configuration of Virus Scanning (page 172)
Using Virus Scanning (page 173)
Overview to Virus Scanning
A virus scanner is available as a separately licensed feature on selected platforms. Virus scanning is not supported on Master Engines or Virtual Security Engines.
Virus scanning is a resource-intensive activity and is practical mainly in branch-office-type settings, where there is a need to keep the physical setup as simple as possible with the minimum amount of equipment on-site.
The virus scanner can inspect IPv4 traffic. The supported protocols are HTTP, HTTPS, IMAP, POP3, and SMTP. If the virus scanner detects an infected file, it strips the file out of the traffic. If an e-mail attachment is stripped out, a message notifying the recipient is added to the e-mail.
Virus scanning is alternatively available (on all Firewall/VPN engines) when you set up an external virus scanner and integrate it with the Firewall by configuring an external server as a content inspection server (CIS). See External Content Inspection (page 175) for more information.
Configuration of Virus Scanning
Configuration Workflow
The following sections provide an overview of the configuration tasks. Detailed step-by-step instructions can be found in the Management Client Online Help and the McAfee SMC Administrator’s Guide.