Version 6.0 SurfControl Filter for SMTP

NOTICES

Copyright © 2007 SurfControl plc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior permission of the copyright owner.

SurfControl is a registered trademark, and SurfControl and the SurfControl logo are trademarks of SurfControl plc. All other trademarks are property of their respective owners.

RSA MD5 by RSA Data Security (Open Source)

Portions of this product contain or are derived from:

• MD5C.C – RSA Data Security, Inc., MD5 message-digest algorithm.

• MDDRIVER.C – test driver for MD2, MD4 and MD5

Copyright © 1991-2, RSA Data Security, Inc. Created 1991. All rights reserved.

License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.

The Apache Software License, Version 1.1

Copyright (c) 2000 The Apache Software Foundation. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution, if any, must include the following acknowledgment: "This product includes software developed by the Apache Software Foundation (http://www.apache.org/)."

Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.

TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The Apache Software License, Version 2.0

This product includes the Xerces-C software developed by the Apache Software Foundation (http://www.apache.org/) Copyright © 2004 The Apache Software Foundation. All Rights Reserved.

The following LICENSE file terms are associated with the XERCES-C-SRC_2_6_0 code of E-mail Filter for SMTP

Apache License

Version 2.0, January 2004

http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

(b) You must cause any modified files to carry prominent notices stating that You changed the files; and

(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and

(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

APPENDIX: How to apply the Apache License to your work.

To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives.

Copyright [yyyy] [name of copyright owner]

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

OpenSSL

This product includes software developed by the OpenSSL project. Use of the OpenSSL is governed by the OpenSSL license:

Copyright © 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment:

INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young ([email protected]). This product includes software written by Tim Hudson ([email protected]).

SSLeay

Copyright © 1995-1998 Eric Young ([email protected]) All rights reserved.

This package is an SSL implementation written by Eric Young ([email protected]). The implementation was written so as to conform with Netscape’s SSL.

This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).

Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young ([email protected])"

4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement:

"This product includes software written by Tim Hudson ([email protected])"

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,

Copyright © 2001-2002 Paolo Messina and Jerzy Kaczorowski

The contents of this file are subject to the Artistic License (the "License"). You may not use this file except in compliance with the License. You may obtain a copy of the License at:

http://www.opensource.org/licenses/artistic-license.html

THIS PACKAGE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

You can download a copy of the unmodified code from

http://www.codeproject.com/buttonctrl/oddbutton.asp

ICU License - ICU 1.8.1 and later

COPYRIGHT AND PERMISSION NOTICE

Copyright (c) 1995-2003 International Business Machines Corporation and others. All rights reserved.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notice(s) and this permission notice appear in supporting documentation.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder.

COMMENTS ON THIS GUIDE?

You can view updated documentation and support information at http://www.surfcontrol.com

Was this guide helpful? E-mail us at [email protected] to suggest changes or make a correction.

TECHNICAL SUPPORT

For the latest support information on SurfControl products, visit http://www.surfcontrol.com/support

You can find the following information on the Technical Support Web pages:

• Read the Top Issues – This page has a quick list that covers the most common support issues encountered with SurfControl products.

• Search our Knowledge Base – Our constantly updated Knowledge Base contains articles, FAQs and glossary items to answer your questions about all SurfControl products.

http://kb.surfcontrol.com

• If your question or problem cannot be answered by the Top Issues or is not in the Knowledge Base, complete an On-line Support Request Form.

• Telephone Support numbers – If you would like to speak with a Technical Support Representative, our excellent SurfControl Technical Support is just a phone call away.

SURFCONTROL SALES

For product and pricing information, or to place an order, contact SurfControl. To find your nearest SurfControl office, please visit our Web site.

Technical Support ...vii

SurfControl Sales ...vii

INTRODUCTION

In This Chapter ... 2

About SurfControl E-mail Filter ... 2

E-mail Filter Reporting... 2

New Features in Version 6.0 ... 3

FINDING YOUR WAY AROUND E-MAIL FILTER

In This Chapter ... 6

How E-mail Filter Works ... 7

E-mail Filter Services ... 8

E-mail Filter Components ... 9

E-mail Filter Additional Components... 9

Opening E-mail Filter Components ...10

From the Start Menu...10

System Tray Icon Right-Click Menu ...11

Opening E-mail Filter Components From Within Other Components...12

SETTING UP E-MAIL FILTER

In This Chapter ...14

Connecting to a Different E-mail Filter Server ...14

Adding an E-mail Filter Server...14

Editing E-mail Server Details ...15

Selecting an E-mail Server...16

Disconnecting From an E-mail Filter Server ...16

Opening Server Configuration ...17

Configuration Workflow ...18

Configuring the Receive Service ...19

Receive Service - General Settings...20

SMTP Properties...21

Connections...23

Reputation/DNS Blacklist ...46

Directory Harvest Detection ...49

Denial of Service (DoS) Detection ...53

Remote User Authentication ...56

SPF Check...58

Configuring the Rules Service ...59

Rules Service - General Settings...60

Rules Service Configuration...62

Queue Management ...64

Configuring the Send Service ...71

Send Service - General Settings...71

SMTP Properties...73

Connections...74

Routing ...76

Smart Host Routing ...83

Requeuing ...87

Configuring the Administration Service ...89

Administration Settings - General...89

Configuring Administrators ...91

Certificate Management...96

Configuration Complete ...99

Backing Up Your Server Configuration...99

THE E-MAIL MONITOR

In This Chapter ...102

Opening the Monitor ...102

Parts of the Monitor Window ...102

Service Panels ...103

The Server Status Panels...105

Queue Statistics and Status Bar ...107

QueueView ...107

Opening QueueView...107

QueueView Window ...108

Re-Sending Queued or Dead Messages ...110

Deleting a Queued or Dead E-mail ...111

THE RULES ADMINISTRATOR

In This Chapter ...114

Opening the Rules Administrator ...114

Rules Administrator Window ...115

Positioning of Rules ...124

Moving Rules...125

Pre-defined Rules ...125

The Rule Configuration Wizard ...125

Editing Pre-defined Rules ...126

Rule Groups ...128

Creating a Rule Group...129

Moving a Rule into a Group ...129

Working with Groups of Rules ...130

Exporting Rules ...131

Importing Rules ...132

Configuring the Rules Administrator ...133

Configuring Dictionary Scanning...134

Configuring Password Protected Archives...135

Configuring Document Decomposition...138

Configuring HTML Parsing...141

RULES OBJECTS

In This Chapter ...144

Who Objects ...144

From Users and Groups Object...145

Inbound/Outbound Mail Object...146

To Users and Groups Object ...149

Retrieving User Information From a Data Source...150

Configuring an LDAP Connection...152

Testing the LDAP Connection...155

What Objects ...160

Anti-Spam Agent Object...161

Anti-Virus Malware Scanning (AVMS) Object...165

Dictionary Threshold Object...172

External Program PlugIn Object ...174

File Attachment Object ...177

Illegal MIME Format Object...180

Internet Threat Database Object ...182

LexiMatch Object ...183

HTML Stripper ...211

Routing Object...212

Strip Attachments Object...214

Notify Objects ...216

Blind Copy Object...216

E-mail Notification Object ...218

Actions Objects ...222

Allow Message Object ...223

Delay Message Object...224

Discard Message Object ...225

Isolate Message Object ...226

MESSAGE ADMINISTRATOR

In This Chapter ...230

Opening the Message Administrator ...230

The Message Administrator Window...230

Configuring Message Administrator ...231

Opening Message Administrator Options...231

General Tab...231

Messages Tab...232

File Types Tab...233

HTML Viewer Tab...234

Columns Tab...234

Using Message Administrator ...236

Message Search Panel...236

Queues Panel...238

Logs Panel...239

Message List Panel...240

Message Parts Panel ...244

Message Contents Panel ...245

Working with Queues ...245

The Queues Toolbar ...246

Viewing E-mail Properties ...247

Analyzing E-mails...248

Forwarding a Copy of the Selected E-mail...249

Replying to the Sender of an E-mail...250

Submitting an E-mail to the Anti-Spam Agent Database ...251

Releasing E-mails...251

Moving E-mails...251

Saving Copies of E-mails...251

Deleting E-mails ...252

Opening Dictionary Management ...256

The Dictionary Management Window ...256

Adding a Dictionary ...257

Adding Words or Phrases to a Dictionary ...258

Editing Dictionary Words ...261

Deleting Words from a Dictionary ...262

Deleting a Dictionary ...263

Importing Dictionaries ...264

Importing a SurfControl Dictionary Pack ...264

Importing a Unicode Text File...267

Exporting Dictionaries ...269

Exporting a Dictionary as a Dictionary Pack ...270

Exporting a Dictionary as a Unicode File...272

SCHEDULER

In This Chapter ...274

Opening the Scheduler ...274

Scheduler Window ...274

Scheduled Events ...275

Options for Scheduled Events ...276

Scheduling Anti-Spam Agent Updates ...276

Scheduling Anti-Virus Agent Updates ...279

Scheduling Anti-Virus Malware Scanning Updates ...281

Scheduling Database Management Tasks ...283

Purging a Database ...284

Archiving a Database ...288

Shrinking a Database ...291

Scheduling Internet Threat Database Updates ...293

Scheduling Queue Synchronization ...295

REMOTE ADMINISTRATION

In This Chapter ...300

Administration Client ...300

PERFORMANCE MONITORING

In This Chapter ...314

Windows Performance Monitoring ...314

VIRTUAL LEARNING AGENT

In This Chapter ...318

Workflow ...318

Before You Begin ...319

Opening the VLA Training Wizard ...319

VLA Tutorial ...320

Training File Keywords ...329

VLA Accuracy...330

Counter Category ...330

Trivial Words ...331

DATABASE TOOLS

In This Chapter ...334

Opening Database Tools ...334

Configuration Database Management ...335

Backing Up the Configuration Database ...335

Restoring the Configuration Database ...338

Log Database Management ...340

Creating a New Log Database ...340

Archiving the Log Database ...343

Restoring an Archived Log Database...346

Deleting a Log Database ...349

Truncating the Log Database Transaction Log ...351

SQL User Management ...353

Creating a New SQL User Account ...353

Changing the Password on a SQL User Account...356

Deleting a SQL/MSDE Account...359

Managing Database Authentication...362

APPENDIX A

Anti-Spam Agent Categories and Criteria ...370

Core/Liability Categories ...371

APPENDIX C

Anti-Virus Return Codes ...396

APPENDIX D

Editing Autoreply.txt ...400

APPENDIX E

Reporting Using the STEMLog Database ...402

MessageDetails Relationships ...402

ReceiveLog and DeniedConnection Relationships ...403

Introduction

IN THIS CHAPTER

This chapter introduces SurfControl E-mail Filter and its features.

ABOUT SURFCONTROL E-MAIL FILTER

SurfControl E-mail Filter is a server-based software solution that enables you to implement an Acceptable Use Policy (AUP) for e-mail within your organization by:

1 Scanning the content, sender, destination, attachments and size of all e-mails to and from the Internet.

2 Applying rules that you have established to support your AUP.

For further information about developing an AUP, visit http://www.surfcontrol.com

SurfControl E-mail Filter comprises the following core components:

Monitor – The Monitor shows the progress of e-mails through SurfControl E-mail Filter in real time, and also server status and the number of e-mails in each queue.

Rules Administrator – Use the Rules Administrator to set up rules to meet the needs of your AUP. Configuring rules requires careful planning initially, but is then easy to set up and apply.

If an e-mail triggers a rule, E-mail Filter uses the actions specified in the rule to delay, discard or isolate the e-mail. Delayed or isolated e-mails are placed in dedicated queue folders. If an e-mail does not trigger a rule, it is placed in a folder for delivery to its destination.

Message Administrator – Use the Message Administrator to review, manage and analyze e-mails that have been placed in queue folders, and view logs of E-mail Filter activity.

E-mail Filter also contains additional components that enhance the capabilities of the E-mail Filter core components. For more information, see E-mail Filter Additional Components on page 9.

E-MAIL FILTER REPORTING

You can also create reports for E-mail Filter v6.0 data by using SurfControl Report Central (SRC). See the

NEW FEATURES IN VERSION 6.0

Table 1-1 describes the advances in functionality that version 6.0 delivers.

Table 1-1 New features in version 6.0

Feature – Description

Multiple Anti-Virus Scanning Rules Object – The new Multiple Anti-Virus Scanning rules object in the Rules Administrator enables you to use multiple supplied anti-virus scanners within a rule to protect your network from viruses contained in e-mails.

Zero-Hour Virus Protection – This latest version of SurfControl E-mail Filter includes new Zero-Hour Virus Protection technology, protecting your network from viruses as they emerge.

Document Decomposition – This enhances the existing feature by enabling you to decompose a greatly enhanced set of documents, including Microsoft Office 2007.

Image Spam Filtering – You can now block e-mails that contain spam text within attached images.

Reputation Service – Incoming e-mails are automatically checked against SurfControl’s on-line Reputation service. This determines whether a sender’s IP address can be trusted.

Compliance Dictionaries – New compliance dictionaries and associated default rules, including HIPAA, GLBA and Personal Identifiers, will help you to manage regulatory compliance and good corporate governance.

Identification of True Source IP Address – Organisations choosing to deploy SurfControl E-mail Filter behind a firewall can now take full advantage of E-mail Filter's Connection Management. The original source IP address of the inbound e-mail connection can now be identified, allowing all E-mail Filter users to benefit from this highly effective protection layer, including the additional security offered by the new SurfControl Reputation Service.

Support for VMWare – This latest release of SurfControl E-mail Filter will be supported on a VMware platform, offering greater deployment flexibility and reduced total cost of ownership of security infrastructure.

Finding Your Way Around E-mail Filter

IN THIS CHAPTER

HOW E-MAIL FILTER WORKS

Figure 2-1 shows how an e-mail is processed by E-mail Filter.

E-MAIL FILTER SERVICES

SurfControl E-mail Filter’s functionality is managed by four software services:

• Receive service

• Rules service

• Send service

• Administration service.

Figure 2-2 shows how the services fit together.

Figure 2-2 Flow of E-mail through E-mail Filter services

E-MAIL FILTER COMPONENTS

There are three core components in E-mail Filter that you will use to manage e-mail.

E-MAIL FILTER ADDITIONAL COMPONENTS

E-mail Filter also contains the following additional components, which enhance the capabilities of the E-mail Filter core components.

Table 2-1 E-mail Filter core components

Component – Description – Find out more

Monitor – The Monitor shows the progress of e-mails through SurfControl E-mail Filter in real time. Find out more: The E-mail Monitor on page 101

Rules Administrator – Use the Rules Administrator to set up rules to meet the needs of your Acceptable Use Policy (AUP). Find out more: The Rules Administrator on page 113 and Rules Objects on page 143

Message Administrator – Use Message Administrator to review, manage and analyze e-mails that have been placed in queues, and view logs of E-mail Filter activity. You can also search for inbound and/or outbound e-mails within supplied, selectable date ranges, or your own custom date range. Find out more: Message Administrator on page 229.

Table 2-2 E-mail Filter additional components

Component – Description – Find out more

QueueView – Use QueueView to display information about e-mails that are queued, pending or dead. Find out more: QueueView on page 107

Dictionary Management – You can use dictionaries in rules to detect particular types of content in e-mails, for example, adult, offensive, and so on. Use the Dictionary Management component to configure the supplied dictionaries or create and configure your own dictionaries.

OPENING E-MAIL FILTER COMPONENTS

You can open E-mail Filter components from:

• The Start menu

• The system tray right-click menu • Within other open components.

F

ROM

THE

S

TART

M

ENU

To open E-mail Filter from the Start menu, select

Start > All Programs > SurfControl E-mail Filter

and then select the component.

Scheduler Use the Scheduler to automate tasks such as:

• Anti-Spam Agent, Internet Threat Database, Virus Agent and Anti-Virus Malware Scanning updates. • Database Maintenance

• Queue Synchronization

Scheduler on page 273

Web Administrator The Web Administrator component enables you to access the following E-mail Filter functions from a remote computer: • Message Administrator • Dictionary Management • View logs.

Web Administrator on page 300

Virtual Learning Agent

(VLA) The VLA enables you to train E-mail Filter to identify specific types of content

in e-mails, for example, confidential information that is specific to your organization.

Virtual Learning Agent on page 317

Table 2-2 E-mail Filter additional components (Continued)

(28)

Figure 2-3 Opening E-mail Filter from the Start menu

SYSTEM TRAY ICON RIGHT-CLICK MENU

When E-mail Filter is running, the following icon is displayed in the system tray.

Right-click the icon to display the following menu. You can use this menu to open E-mail Filter components, configure the server, and stop and start the services.

FROM WITHIN OTHER COMPONENTS

When you open one E-mail Filter component, you can open some other components from within that component. If you are able to open another component, its icon is shown on the toolbar of the open component.

Table 2-3 E-mail Filter component icons

Component:

• Dictionary Management
• Message Administrator
• Monitor
• Queue View
• Rules Administrator
• Scheduler
• Virtual Learning Agent (VLA)

Setting Up E-mail Filter

IN THIS CHAPTER

This chapter explains how to connect to SurfControl E-mail Filter, and how to configure E-mail Connection Management and the Receive, Rules, Send and Administration services so that e-mail is filtered correctly.

CONNECTING TO A DIFFERENT E-MAIL FILTER SERVER

If you have more than one server running E-mail Filter, you can select the server that the Monitor connects to.

For example, you can view the e-mail activity taking place on server A using an installation of E-mail Filter on server B. Server B can be running either a full installation or just the E-mail Filter Administration Client.

You can manage your E-mail Filter server connections from any of the following E-mail Filter components:

• Monitor
• Message Administrator
• Rules Administrator
• Dictionary Management.

ADDING AN E-MAIL FILTER SERVER

To monitor e-mail activity taking place on another server, you need to add its connection details to the list of available servers.

To add a new server to the list:

1 From any of the E-mail Filter components, select File > Select Server > Add New

2 In the Server Name: field, enter or browse to the name of the server whose e-mail traffic you want to monitor.

3 Enter the user name and password for accessing the server.

4 Enter the connection port for the mail server you want to add. This is the port used by the Administration Service.

5 Click OK to confirm your changes.

E-mail Filter will automatically try to monitor e-mail activity on the server that you have added. If it fails to do this, check that you have entered the server details correctly.

EDITING E-MAIL SERVER DETAILS

You can change the details of a mail server that you have added to the list.

To edit server details:

1 From any of the E-mail Filter components, select File > Select Server > Edit

The Select Server dialog box is displayed.

3 Change the details as needed, and then click OK.

SELECTING AN E-MAIL SERVER

When you add an e-mail server, it is displayed on the Select Server drop-down menu.

To select a server:

1 From any of the E-mail Filter components, select File > Select Server.

The available servers are displayed on the Select Server menu. The current server is marked.

2 Select the server to connect to.

If the connection fails, check that the server details are correct.

DISCONNECTING FROM AN E-MAIL FILTER SERVER

To disconnect from the server you are currently connected to, select File > Disconnect from Server

OPENING SERVER CONFIGURATION

To open the Server Configuration console, open the Monitor, and then select File > Server Configuration

Alternative: On the Monitor toolbar, click .

Figure 3-1 Server Configuration console – typical

Each function controls a group of Server Configuration settings

CONFIGURATION WORKFLOW

To set up E-mail Filter correctly, you need to configure each of the services. Some of the services have more than one group of configuration settings in a series of dialog boxes. Table 3-1 details the functions in the Server Configuration console, and where to find out more information about each function.

Table 3-1 Configuration tasks

| Service | Function | Find out more |
|---|---|---|
| Receive service | General Settings | page 20 |
| | SMTP Properties | page 21 |
| | Connections | page 23 |
| | ESMTP Commands | page 24 |
| E-mail Connection Management | Protected Domains | page 27 |
| | Mail Relays | page 31 |
| | Blacklist | page 38 |
| | Reverse DNS Lookup | page 43 |
| | Reputation/DNS Blacklist | page 46 |
| | Directory Harvest Detection | page 49 |
| | Denial of Service Detection | page 53 |
| | Remote User Authentication | page 56 |
| | SPF Check | page 58 |
| Rules service | General settings | page 60 |
| | Configuration | page 62 |

Table 3-1 Configuration tasks (Continued)

| Service | Function | Find out more |
|---|---|---|
| Send service | General Settings | page 71 |
| | SMTP Properties | page 73 |
| | Connections | page 74 |
| | Routing | page 76 |
| | Smart Host Routing | page 83 |
| | Requeuing scheme | page 87 |
| Administration | Properties | page 89 |
| | Configuration | page 91 |
| | Certificate Management | page 96 |

CONFIGURING THE RECEIVE SERVICE

The Receive service accepts SMTP traffic on port 25 and checks each e-mail against a series of E-mail Connection Management criteria. If the e-mail passes these checks, E-mail Filter accepts the e-mail and passes it to the Rules service for further processing. It is important to configure the Receive service correctly to keep your e-mail system running efficiently and securely, and to maintain the flow of legitimate e-mail.

The Receive service has general settings and these functions:

• SMTP Properties
• Connections
• ESMTP Commands.

RECEIVE SERVICE - GENERAL SETTINGS

In the Service Configuration dialog box navigation panel, select Receive Service. The Receive Service dialog box is displayed in the right-hand panel. Figure 3-2 shows a typical Receive Service dialog box.

Figure 3-2 Receive service – general settings

Received Mail Drop-off Folder

When an e-mail has passed the E-mail Connection Management checks, E-mail Filter accepts the e-mail and deposits it in the Received mail drop-off folder (the \In folder). The default path is:

C:\Program Files\SurfControl E-mail Filter\In

You can enter a different path, or click Browse... to select another location.

Enabling Administrator Alerts

You can select to notify the e-mail administrator if a set number of e-mails in the \In folder is reached. When the limit is reached, an entry is logged in the Windows Event Viewer (Control Panel > Administrative Tools > Event Viewer > Application).

Logging

The Logging options control where details of e-mails handled by the Receive service are recorded. Select one or more check boxes for the required type of logging. Table 3-2 describes the logging options.

Table 3-2 Logging options

| Logging option | What it does |
|---|---|
| Real-time console | Details of inbound e-mails are displayed in the Receive panel of the Monitor. For more information about the Monitor consoles, see Service Panels on page 103. |
| System log | System events related to inbound mail, such as the sending of notification e-mails are displayed in the System log in Message Administrator. See Working with Logs on page 253. |
| Connection log/Receive log | Information about connections from the host servers to E-mail Filter and e-mails that have been received by Receive service. This information is displayed in the |

SMTP PROPERTIES

The SMTP properties affect how E-mail Filter receives incoming e-mail for filtering. Figure 3-3 shows a typical SMTP Properties dialog box.

Figure 3-3 SMTP Properties dialog box

Table 3-3 describes the options for SMTP Properties.

Table 3-3 SMTP Properties settings

| Field | Description |
|---|---|
| Receive Service SMTP Port | The port used by E-mail Filter to receive SMTP traffic. This is displayed in the Receive Service SMTP Port. You can change the port by entering a different port number here. |
| Enable Secure SMTP over SSL (SMTPS) | Select this to secure the entire SMTP conversation, that is, from connection to receiving the e-mail, through secure connection over SSL (Secure Socket Layer). Default (recommended) port = 465. If this is selected and an SMTP port specified, the sending mail clients must send e-mails that are encrypted using SSL. |
| Computer Name | You can specify which computer name the Receive service uses in its greeting when it receives a connection. Windows Computer Name: The Receive service will use the fully-qualified primary domain name of the computer where E-mail Filter is installed. Specify Computer Name: The Receive service will use the computer name you specify. You can use any commonly accepted form of host name, for example the domain name or the IP address. By default E-mail Filter will use the Windows Computer Name. |
| SMTP greeting text | The SMTP greeting is the greeting which is sent to a remote computer when it initiates a connection by sending a HELO or EHLO command. By default, the SMTP greeting is: 220 [server name].[domain name] If this text is added, the SMTP greeting consists of the default text plus any additions. You can use the SMTP greeting text to communicate your organization’s policy on how that mail server can be used. For example, if you do not allow the mail server to be used as a relay host, you can warn mail clients not to try to relay mail through your server. To change the greeting, click Customize. The Customize Greeting Text dialog box is displayed. Note: You cannot delete or edit the default greeting text. When a |

CONNECTIONS

The Connections settings affect how many connections the Receive service can accept, and how many incoming e-mails it can process at any one time. It is important to set these limits at appropriate levels for your system’s capacity; network performance can be reduced if too many connections are accepted. Figure 3-4 shows a typical Connections dialog box.

Figure 3-4 Connections dialog box

Table 3-4 describes the connections that you can limit. Select the check boxes of the limits you want to set. If a check box is cleared, E-mail Filter does not limit the number of connections.

Table 3-4 Connection options

| Option | Description | Default | Maximum |
|---|---|---|---|
| Connection Settings | | | |
| Maximum active inbound connections | The total number of incoming connections that E-mail Filter will accept at any one time. | 1500 | 9999 |

Table 3-4 Connection options (Continued)

| Option | Description | Default | Maximum |
|---|---|---|---|
| Limit maximum connections for each non-trusted IP address | Limit the number of connections from IP addresses not on the trusted IP addresses list. If you set a limit here, the number must be less than or equal to the maximum number of active inbound connections. | 100 | 9999 |
| Idle connection timeout | The number of seconds the receive service will wait to receive data before terminating the connection. | 300 | 3600 |
| Data Size | | | |
| Limit maximum message size | Limit the size (in MB) of inbound e-mails that E-mail Filter will accept. | 20 | 500MB |
| Limit maximum data per connection | Limit the total amount (in MB) of data that E-mail Filter will accept in a single connection. | 70 | 700MB |
| SMTP Options | | | |
| Limit maximum messages per connection | Limit the total number of e-mails that E-mail Filter will accept in a single connection. | 10 | 9999 |

ESMTP COMMANDS

The ESMTP Commands options enable you to select the ESMTP commands to be used by the Receive service in the response to the SMTP EHLO command.

Figure 3-5 shows a typical ESMTP Commands dialog box.

Figure 3-5 Receive service - ESMTP Commands dialog box

Table 3-5 describes the ESMTP commands that are available. Select the check boxes of the commands to be used.

Table 3-5 ESMTP options

| Setting | What it does |
|---|---|
| Authentication Options | |
| Enable AUTH-LOGIN | To enable or disable the ESMTP AUTH-LOGIN function. |
| Enable AUTH-PLAIN | To enable or disable the ESMTP AUTH-PLAIN function. |
| Enable AUTH-CRAM-MD5 | To enable or disable the ESMTP AUTH-CRAM-MD5 function. |
| | These functions are used by remote users. To add details of remote users, see Remote User Authentication on page 56. |
| Transmission Optimizations | |

Table 3-5 ESMTP options (Continued)

| Setting | What it does |
|---|---|
| Secure SMTP over TLS | |
| Enable STARTTLS | To enable a secure SMTP connection over Transport Layer Security (TLS). |

CONFIGURING E-MAIL CONNECTION MANAGEMENT

You can add an extra layer of protection against unwanted e-mails by setting up E-mail Connection Management. This means you can automatically drop connections from untrustworthy sources and control incoming e-mail before e-mails are filtered.

E-mail Connection Management has these functions:

• Protected Domains
• Mail Relays
• Blacklist
• Reverse DNS Lookup
• Reputation/DNS Blacklist
• Directory Harvest detection
• Denial of Service detection
• Remote user authentication
• SPF Check.

PROTECTED DOMAINS

Use Protected Domains to identify the domains for which e-mail is to be filtered, and for which E-mail Filter will accept e-mail. When you installed E-mail Filter, you entered the primary domain name, but if your network has more than one domain, for example mycompany.co.uk and mycompany.com, you must enter the other domains so that they can send and receive e-mail.

Adding Protected Domains

To add a protected domain:

1 In the Server Configuration console, select E-mail Connection Management > Protected Domains

The Protected Domains dialog box is displayed.

Note: There must always be at least one domain in the Protected Domains list.


2 Click Add…

The Protected Domain Properties dialog box is displayed.

3 In the Domain name: field enter the name of the domain you want E-mail Filter to accept e-mail for, for example

mycompany.co.uk

The Administrator e-mail address: field is completed automatically as Postmaster@ the domain you specify. For example, [email protected]

You can edit this address – for example, you could change it to [email protected]

4 Click OK.

Editing a Protected Domain

To edit a protected domain:

1 In the Protected Domains dialog box, select the domain to change.

2 Click Edit…

The Protected Domain Properties dialog box is displayed.

Deleting a Protected Domain

You can also delete a domain from the protected domain list so that E-mail Filter will no longer accept e-mail for that domain.

To delete a protected domain:

1 In the Protected Domains dialog box, select the domain to change.

2 Click Delete. You will be asked to confirm your choice.

3 Click OK. The domain is removed from the list and E-mail Filter does not accept e-mail for that domain.

Anti-Spoofing

Sometimes spammers use a technique called ‘spoofing’ to fake their From: address so that their e-mails appear to be from a protected domain. By default SurfControl E-mail Filter will block these e-mails. E-mail Filter can examine and authenticate the IP address of all incoming mail, and reject e-mails that cannot be authenticated. If you do not enable this function, e-mails from the protected domain will be accepted, without examining the From: address.

Caution: Disabling Anti-Spoofing makes it possible for spammers to send spoofed e-mails into your organization. By default, Anti-Spoofing is enabled. SurfControl recommends that you keep it enabled.

If your organization includes users who send mail from the protected domain from an unlisted IP address, for example dial-up users, you should set up SurfControl E-mail Filter to authenticate addresses using Receive Service Remote User Authentication. This will allow legitimate mail from these users to get through, while still denying e-mails from fraudulent addresses.

See Remote User Authentication on page 56 for information about how to set up remote users.

Anti-Relay Protection

Spammers may attempt to relay e-mails through your mail server using ‘old-style’ routing techniques. These routing techniques are not commonly used any more but may still be recognized by your mail server.

SurfControl E-mail Filter can detect various routing relay techniques and deny e-mails that have been forwarded or routed using one of the routing methods in Table 3-6.

Table 3-6 Routing relay techniques (Continued)

Source routing: @domain1.com:[email protected]

Percent hack routing: user%@[email protected]

If you do not deny Source routing, SurfControl E-mail Filter will strip any additional routing information from the incoming e-mail, so an e-mail from

@hotmail.com:[email protected]

would be delivered as

[email protected]

To change the Anti-Spoof/Anti-Relay settings:

1 In the Server Configuration console, select E-mail Connection Management > Protected Domains

2 Click Advanced…

The Anti-Spoof settings dialog box is displayed.

3 By default, all anti-spoofing and anti-relay protection options are enabled. To disable an option, clear the check box.

SurfControl recommends you keep all options selected to protect your system.

4 Click OK.

MAIL RELAYS

Mail Relays are IP addresses of mail servers that are allowed to send e-mail to and/or from the protected domain. You should include details of all the mail servers for which you want to filter e-mail.

The purpose of this list is to identify:

• The IP addresses of the protected domains.

• The IP addresses of any other nodes that need to access the protected domains from outside the network.

When you add or edit a Mail Relay, you need to specify what e-mail can be relayed through that server by choosing a relay type, and also whether e-mail received from this IP address must be through an encrypted connection. You can select from the following options.

Table 3-7 Relay options

| Option | Description |
|---|---|
| Inbound | The mail server can send e-mail only to IP addresses inside the protected domain. Message sender: must be outside the protected domain. Message recipient: must be inside the protected domain. |
| Outbound and inbound | The mail server is allowed to send e-mail to any IP addresses (other than blacklisted ones). Message sender: can be inside or outside the protected domain. Message recipient: can be inside or outside the protected domain. One of these, either the sender or the recipient, must be inside the protected domain. |
| Open relay | The mail server is allowed to send e-mail to any other domain (including blacklisted domains) without any relay restrictions. E-mail Filter will accept any e-mail from the supplied IP address regardless of the domain name. Caution: Use with caution. |
| E-mail received from this IP address must be via an encrypted connection | Default = Cleared. If selected, the sending mail server from this relay must send encrypted e-mails to the Receive service using STARTTLS. If the mail server does not support TLS, the connection is dropped. Note: If selected, this overrides the Enable STARTTLS option in the ESMTP Commands dialog box. See ESMTP Commands on page 24. |

To specify that E-mail Filter will accept e-mail only from the mail relays in the list, select the Deny connections from all IP addresses not listed below check box.

Adding a Mail Relay

To add a mail relay, you must:

• Define the direct mail relays – These are the mail relays that communicate directly with E-mail Filter by using SMTP both inside and outside the network perimeter.

• Define the outlying mail relays – These are the mail relays that exist within the network perimeter, but do not communicate directly with E-mail Filter by using SMTP. These relays cannot be marked as trusted, but are treated as such when determining True Source IP.

Defining Direct Mail Relays.

To define direct mail relays:

1 In the Server Configuration console, select E-mail Connection Management > Mail Relays > Direct tab

3 Enter the IP address or a range of IP addresses of the mail servers for which you want e-mail to be filtered.

If you enter a range of IP addresses, it must be in Classless Inter-Domain Routing (CIDR) format. For example, for a 24-bit mask, enter

200.0.0.1/24, not 200.0.0.1-200.0.0.255

4 You can also enter a description for the mail relay. This name is shown in the ‘hostname’ field of the logging database (LogDB) and is very useful for identifying the mail server in reports.

5 Select a relay type and whether the e-mail should be through an encrypted connection. See Table 3-7 on page 31 for more information.

6 Click OK.

Defining Outlying Mail Relays.

To define outlying mail relays:

1 In the Server Configuration console, select E-mail Connection Management > Mail Relays > Outlying tab

2 Click Add… to open the Outlying Mail Relay Properties dialog box.

Note: You cannot enter the same IP address twice. If you enter an IP address that is already on the list you will see the following error message

3 Enter the IP address or a range of IP addresses of the mail servers for which you want e-mail to be filtered.

If you enter a range of IP addresses, it must be in Classless Inter-Domain Routing (CIDR) format. For example, for a 24-bit mask, enter

200.0.0.1/24, not 200.0.0.1-200.0.0.255

4 You can also enter a description for the mail relay. This name is shown in the ‘hostname’ field of the logging database (LogDB) and is very useful for identifying the mail server in reports.

5 Click OK.

Importing Mail Relays

When you import an IP address or range of addresses for mail relays, the data in the file must have the following format:

<ip address range>;<description>;<type>;<encrypted>[;<untrusted>]

• IP address range – This can be a single IP address or a range of IPs in CIDR format.
• Description – This description cannot contain a semicolon (;)
• Type – A number that represents the type of connection:
  Valid ‘Direct’ connection types
  – 0 = Outbound
  – 1 = Inbound
  – 2 = Outbound/Inbound
  – 3 = Open
  Valid ‘Outlying’ connection type
  – 4 = Outlying
• Encrypted – Yes or no
• Untrusted – For a trusted connection you can leave this field empty, or enter ‘no’. For an untrusted connection you must enter ‘yes’.

Note: You cannot enter the same IP address twice. If you enter an IP address that is already on the list you will see the following error message

Examples of correct formats:

192.168.1.5;inbound;1;yes;yes
192.168.1.4;outbound;0;yes
192.168.1.2;open relay; 3; no
192.168.1.1;outlying;4;yes
192.168.1.10/24;outbound/inbound;2;yes

To import the details of mail relays:

1 In the Server Configuration console, select E-mail Connection Management > Mail Relays

2 Select either the Direct tab or the Outlying tab.

3 Click Import.

4 Select the text (.txt) file, and then click Open. The entries are added to the list.
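A relay list is worth checking before it is imported, because a single line can grant open relay or cover far more addresses than intended. The following Python audit is an added example, not part of the SurfControl product or manual: it parses the import format above, normalises CIDR entries, and flags open relays, duplicates and overlapping entries with different relay types (the manual does not say which type wins on overlap, so those are only flagged for review). The function and variable names are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Type codes from the import format: 0-3 are 'Direct' types, 4 is 'Outlying'.
RELAY_TYPES = {0: "Outbound", 1: "Inbound", 2: "Outbound/Inbound",
               3: "Open", 4: "Outlying"}

# The manual's own "examples of correct formats", used here as sample input.
MANUAL_EXAMPLES = """\
192.168.1.5;inbound;1;yes;yes
192.168.1.4;outbound;0;yes
192.168.1.2;open relay; 3; no
192.168.1.1;outlying;4;yes
192.168.1.10/24;outbound/inbound;2;yes
"""


@dataclass
class Relay:
    line_no: int
    network: object      # ipaddress.IPv4Network or IPv6Network
    description: str
    type_code: int
    encrypted: bool
    untrusted: bool


def _yes_no(value, field, allow_empty=False):
    text = value.strip().lower()
    if text == "" and allow_empty:
        return False                     # an empty 'untrusted' field means trusted
    if text in ("yes", "no"):
        return text == "yes"
    raise ValueError(f"{field} must be 'yes' or 'no', got {value!r}")


def parse_relay_line(line_no, line):
    """Parse <ip address range>;<description>;<type>;<encrypted>[;<untrusted>]."""
    fields = line.split(";")
    if len(fields) not in (4, 5):
        # A semicolon inside the description also ends up here.
        raise ValueError(f"expected 4 or 5 fields, got {len(fields)}")
    # strict=False accepts host bits in the address part (200.0.0.1/24, as in
    # the manual) and normalises the entry to the network it really covers.
    network = ipaddress.ip_network(fields[0].strip(), strict=False)
    type_text = fields[2].strip()
    if type_text not in {str(code) for code in RELAY_TYPES}:
        raise ValueError(f"type must be 0-4, got {fields[2]!r}")
    encrypted = _yes_no(fields[3], "encrypted")
    untrusted = len(fields) == 5 and _yes_no(fields[4], "untrusted", allow_empty=True)
    return Relay(line_no, network, fields[1].strip(), int(type_text),
                 encrypted, untrusted)


def audit_relay_file(text):
    """Return (relays, findings); each finding is (line_no, level, message)."""
    relays, findings = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            relays.append(parse_relay_line(line_no, raw))
        except ValueError as exc:
            findings.append((line_no, "error", str(exc)))
    for index, relay in enumerate(relays):
        if relay.type_code == 3:
            transport = "encrypted" if relay.encrypted else "unencrypted"
            findings.append((relay.line_no, "review",
                             f"{relay.network} is an open relay ({transport}): "
                             "no relay restrictions apply"))
        for earlier in relays[:index]:
            if relay.network.version != earlier.network.version:
                continue
            if relay.network == earlier.network:
                findings.append((relay.line_no, "error",
                                 f"{relay.network} already listed on line {earlier.line_no}"))
            elif (relay.network.overlaps(earlier.network)
                  and relay.type_code != earlier.type_code):
                findings.append((relay.line_no, "review",
                                 f"{relay.network} ({RELAY_TYPES[relay.type_code]}) overlaps "
                                 f"{earlier.network} ({RELAY_TYPES[earlier.type_code]}, "
                                 f"line {earlier.line_no})"))
    return relays, sorted(findings)


if __name__ == "__main__":
    for finding in audit_relay_file(MANUAL_EXAMPLES)[1]:
        print("line %d [%s] %s" % finding)
```

Run against the manual's own examples, the audit shows that 192.168.1.10/24 normalises to 192.168.1.0/24 and therefore overlaps all four single-address entries listed before it.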

Editing a Mail Relay

To edit the details of a mail relay:

1 In the Server Configuration console, select E-mail Connection Management > Mail Relays

2 Select the IP address to edit.

3 Click Edit… to open the Edit Relay Source dialog box.

4 Change the options needed.

5 Click OK.

Deleting a Mail Relay

To delete a mail relay:

1 In the Server Configuration console, select E-mail Connection Management > Mail Relays

2 Select the IP address to delete.

3 Click Delete.

Receive Service Status Messages

When a mail client attempts to connect to E-mail Filter, a status message is displayed in the Receive panel of the Monitor. Table 3-8 describes some common status messages and examples.

Table 3-8 Receive service status messages

| Message | Description |
|---|---|
| The sender must be from a protected domain as its IP is in the Trusted Outbound list. | The mail client’s IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the sender is not in the protected domain. |
| The recipient must not be to a protected domain as the sender’s IP is in the Trusted Outbound list. | The mail client’s IP address has been added to the Trusted IPs list with a setting of Outbound. The Receive service has rejected the connection because the recipient is inside the protected domain. |
| The sender must not be from a protected domain as the sender’s IP is in the Trusted Inbound list. | The mail client’s IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender is inside the protected domain, or is spoofed to appear to be from inside the protected domain. |
| The recipient must be to a protected domain as the sender’s IP is in the trusted Inbound list. | The mail client’s IP address has been added to the Trusted IPs list with a setting of Inbound. The Receive service has rejected the connection because the sender has attempted to send an e-mail to an IP address outside the protected domain. |
| Connection rejected – deny connection for unknown [n.n.n.n] (sender in Deny Connection list). | The IP address has been added to the Trusted IP list with a setting of Denied. |
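The relay types in Table 3-7, the rejections in Table 3-8 and the Anti-Relay Protection checks can be read together as one decision per envelope. The following Python sketch is an added example, not SurfControl's code: the Outbound rules are taken from the Table 3-8 messages, the function names and the address forms in the comments are assumptions of this example, and every address outside mycompany.co.uk and mycompany.com is constructed.

```python
# Protected domains used as examples in the manual.
PROTECTED = {"mycompany.co.uk", "mycompany.com"}


def _clean(address):
    return address.strip().strip("<>")


def routing_technique(address):
    """Name the old-style routing form an envelope address uses, or None."""
    addr = _clean(address)
    if addr.startswith("@") and ":" in addr:
        return "source routing"            # @domain1.com:user@domain2.com
    if "%" in addr.rsplit("@", 1)[0]:
        return "percent hack routing"      # user%domain2.com@domain1.com
    return None


def strip_source_route(address):
    """Drop the @relay: prefix and keep the final mailbox."""
    addr = _clean(address)
    if routing_technique(addr) == "source routing":
        return addr.split(":", 1)[1]
    return addr


def in_protected(address, protected):
    addr = _clean(address)
    return "@" in addr and addr.rsplit("@", 1)[1].lower() in protected


def check_relay(relay_type, sender, recipient, protected=PROTECTED, deny_routing=True):
    """Decide one MAIL FROM / RCPT TO pair for a listed mail relay.

    relay_type is 'outbound', 'inbound', 'outbound/inbound' or 'open'.
    Returns (accepted, reason). Assumption: for the restricted types the
    routing check runs before the relay-type rules; the manual does not
    state the order.
    """
    if relay_type == "open":
        return True, "open relay: no relay restrictions"
    technique = routing_technique(recipient)
    if technique and deny_routing:
        return False, f"recipient uses {technique}"
    # With the deny option cleared, the source route is stripped and the
    # final mailbox is what the relay-type rules see.
    recipient = strip_source_route(recipient)
    sender_in = in_protected(sender, protected)
    recipient_in = in_protected(recipient, protected)
    if relay_type == "outbound":
        if not sender_in:
            return False, "The sender must be from a protected domain"
        if recipient_in:
            return False, "The recipient must not be to a protected domain"
    elif relay_type == "inbound":
        if sender_in:
            return False, "The sender must not be from a protected domain"
        if not recipient_in:
            return False, "The recipient must be to a protected domain"
    elif relay_type == "outbound/inbound":
        if not (sender_in or recipient_in):
            return False, "The sender or the recipient must be inside the protected domain"
    else:
        raise ValueError(f"unknown relay type: {relay_type!r}")
    return True, "accepted"


# Constructed envelope pairs: (relay type, MAIL FROM, RCPT TO).
SAMPLES = [
    ("outbound", "alice@mycompany.com", "bob@example.org"),
    ("outbound", "mallory@example.net", "bob@example.org"),
    ("inbound", "ceo@mycompany.com", "alice@mycompany.com"),
    ("inbound", "carol@example.org", "@mycompany.com:dave@example.net"),
    ("inbound", "carol@example.org", "dave%example.net@mycompany.com"),
    ("outbound/inbound", "carol@example.org", "dave@example.net"),
]

if __name__ == "__main__":
    for relay_type, sender, recipient in SAMPLES:
        print(relay_type, sender, recipient, check_relay(relay_type, sender, recipient))
```

With deny_routing=False the source-routed sample is still refused on an Inbound relay, because the stripped recipient lies outside the protected domains.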

BLACKLIST

If there are domains, e-mail addresses or IP addresses from which you do not want to receive e-mails, you can add them to the Blacklist. This is an important step in preventing unwanted e-mail content because:

• The Receive service will reject the e-mail before the e-mail content is transferred to your mail server.
• No hard disk space is wasted storing unwanted e-mails.
• Fewer e-mails have to be processed by the Rules service, which conserves system resources.

To add an item to the Blacklist:

1 In the Server Configuration console, select E-mail Connection Management > Blacklist

2 Click Add…

3 The Add/Edit deny list entry dialog box is displayed.

4 Enter the domain, e-mail address or IP address to be blacklisted. In the Comment field you can enter a brief description of the item, or an explanation of why it is blacklisted.

You can blacklist an entire range of IP addresses by entering only the first three number sets in the IP address. For example:

To blacklist all IPs from 172.22.5.0 to 172.22.5.99, you could add 172.22.5 to the Blacklist.

5 Click OK.

The blacklisted item is displayed in the list.

When an e-mail has been added to the Blacklist, an “Update Now” message is displayed in the Monitor. If you click Yes, a status message “Receive service configuration reloaded” is displayed in the Receive panel of the Monitor.

The Receive service will reject any mail client trying to send an e-mail from any of the set domains, e-mail addresses or IP addresses, unless the mail client’s IP is added to the Trusted IP list with a setting of Open Relay.

Note: You cannot blacklist a partial range of numbers, for example IPs from 172.22.5.10 – 172.22.5.25.

If you have added a domain to the Blacklist, but want E-mail Filter to accept e-mail from individuals within that domain, you can exclude individuals from the Blacklist. For example, if your organization was pursuing a grievance with another organization, you might want to block all e-mail from that organization except for their legal department.

Excluding an Item from the Blacklist

To exclude an item from the Blacklist:

1 In the Server Configuration console, select E-mail Connection Management > Blacklist

2 Click Exclude…

3 The Exclusions from the Blacklist dialog box is displayed.

4 Click Add… The SMTP List Entry dialog box is displayed.

5 Enter the e-mail address to exclude from the Blacklist.

You can specify that the address is for a Sender, Receiver, or Both.

6 Click OK.

Editing an Item on the Exclude List

To edit an item on the Exclude list:

1 In the Server Configuration console, select E-mail Connection Management > Blacklist

2 Click Exclude… The Exclusions from the Blacklist dialog box is displayed.

3 Select the item to edit, and then click Edit… The SMTP List Entry dialog box is displayed.

4 Make your changes to the item, and then click OK.

Deleting an Item from the Exclude List

To delete an item from the Exclude list:

1 In the Server Configuration console, select E-mail Connection Management > Blacklist

2 Click Exclude… The Exclusions from the Blacklist dialog box is displayed.

3 Click Delete. You will be asked to confirm your choice.

Importing a Blacklist

If there are a large number of domains, e-mail addresses or IP addresses that you want to blacklist or exclude, you can create a text file containing all the items, and import it into E-mail Filter. The text file can contain the items to blacklist, and the items to be excluded from the Blacklist.

To import a blacklist:

1 Create a new .txt file using any text editor.

2 In the .txt file, enter the domains, e-mail addresses or IP addresses to be blacklisted. Each item on the list must follow this format:

type;domain, e-mail address or IP address;comment

Each item on the list must begin on a new line.

If you do not want to add a comment, leave a blank after the final semicolon.

‘type’ is a numerical code to identify whether the item is a domain, an e-mail address or an IP address:

0 = domain
1 = e-mail address
2 = e-mail address to be excluded from the Blacklist
3 = IP address.

Example blacklist entries are:

0;yahoo.co.uk;internet mail

1;mailinglist.org.uk; known spammer

2;[email protected]; legitimate newsletter

3 When you have finished editing the file, save it to any location that is accessible to the server where E-mail Filter is installed. However, saving it within the SurfControl E-mail Filter folder will save time, as the import facility automatically looks there first.

4 In the Server Configuration console, select E-mail Connection Management > Blacklist

5 Select Import.

6 Select your saved blacklist file, and then click Open.

If the blacklist file has been imported successfully, a confirmation message is displayed, and the blacklisted domains, e-mail addresses and/or IP addresses are displayed in the list.
