Securepoint Security Systems

Academic year: 2021

Contents

1 Configuration of the spam filter with the Securepoint Security Manager
2 Spam filter configuration interface
2.1 General
2.2 Bayes Filter
2.3 Regular Expressions
2.4 Friends
3 Way of an e-mail through the spam filter
4 The spam filter web interface
4.1 Requirements
4.2 Access the spam filter web interface
4.3 Spam filter interface overview
4.4 Column of the table
4.5 Actions in the tab Ham
4.6 Actions in the tab Spam
4.7 Actions in the section Deleted

1 Configuration of the spam filter with the Securepoint Security Manager

The integrated Securepoint anti-spam solution filters unsolicited e-mails (spam). It uses a combination of different methods to detect as many undesired e-mails as possible. The Securepoint spam filter analyzes every e-mail on the basis of different criteria and classifies it as spam depending on the weighting. Assessment criteria are, for example: an obviously invalid sender address, known spam text passages, HTML content, future-dated sender data, …

Self adaptive spam filter

The system independently recognizes spam e-mails with a ratio over 95% by using the Bayes filter. The Bayes filter can be trained when the spam administrator re-sorts wrongly classified e-mails. This increases the hit ratio of the filter.

This method is superior to conventional methods that use blacklists.

This also provides early detection of virus e-mails. With high probability the Securepoint spam filter detects a virus mail even before a virus pattern is available. In this way the virus doesn't even reach your inbox.

Further methods

Relay blocking lists: These tables list hosts that are known as spam senders. If the sender uses an IP address that is listed in one of these tables, the mail will be refused. The following lists are used. They are located in the template /etc/mail/sendmail.mc

• bl.spamcop.net
• dialups.mail-abuse.org
• dnsbl.sorbs.net
• cn-kr.blackholes.us

Relaying: E-mails will only be accepted if they are sent from the given domain.

E-mail validation: You can validate the e-mail addresses against following lists:

2 Spam filter configuration interface

To open the spam filter settings in the Securepoint Security Manager, click the icon Applications and change to the tab Spam Filter, or click the item Applications in the menu and select Spam Filter from the dropdown menu.

The configuration is divided into the sections:

• General
• Bayes Filter
• Regular Expressions
• Friends

2.1 General

fig. 1 Spam filter - general settings and greylisting

Section Mail configuration

| field | description |
|---|---|
| Keep e-mails not longer than | The e-mails will be kept in the database for the selected number of days. |
| E-mail body invisible for spam administrator | The content of the e-mails is not visible to the administrator. Note: Consider the respective privacy regulations. |
| Only mark spam e-mails for SMTP, no blocking | |

Section Greylisting

If you use Greylisting, an e-mail from an unknown sender is refused the first time it is received. The SMTP client of the sender will attempt to send the e-mail a second time. E-mails sent by automatic spam programs are mostly sent only once.

You can exempt e-mails from the Greylisting by putting the sender IP into the Whitelist. The Whitelist affects only the Greylisting and must not be confused with the Friendslist.

If the Greylisting is activated, the firewall will use the Sender Policy Framework (SPF) to check whether received messages are sent by valid e-mail servers. This only works when the domain has set SPF entries.

| field | description |
|---|---|
| Activate Greylisting | Activates the Greylisting method. |
| Auto Whitelisting | Activates an automatic list that contains the successfully delivered e-mails. This sender will bypass the Greylisting for the given number of days. |
| Greylisting delay | In this interval the refused e-mail must reach the firewall the second time. |
| Whitelist | E-mails sent by the IP addresses listed in the Whitelist will be exempted from Greylisting. |
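
The greylisting decision described above, as an added Python example that is not Securepoint's own code. It assumes the sender is tracked by the classic triplet of IP, envelope sender and recipient, that the auto-whitelist is kept per triplet, and that the retry must arrive inside the Greylisting delay as the table states; all addresses and times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Greylist:
    delay: timedelta              # "Greylisting delay": window for the second attempt
    auto_whitelist_days: int      # "Auto Whitelisting": days a proven sender is exempt
    whitelist: set = field(default_factory=set)   # "Whitelist": exempt sender IPs
    pending: dict = field(default_factory=dict)   # key -> time of the first refusal
    auto: dict = field(default_factory=dict)      # key -> auto-whitelist expiry

    def check(self, ip, sender, rcpt, now):
        """Decide one SMTP delivery attempt: 'accept' or 'tempfail' (4xx)."""
        if ip in self.whitelist:
            return "accept"
        key = (ip, sender.lower(), rcpt.lower())  # assumed key: classic triplet
        if self.auto.get(key, datetime.min) > now:
            return "accept"
        first = self.pending.get(key)
        if first is not None and first < now <= first + self.delay:
            del self.pending[key]                 # genuine retry inside the window
            self.auto[key] = now + timedelta(days=self.auto_whitelist_days)
            return "accept"
        self.pending[key] = now                   # first contact, or retry too late
        return "tempfail"

def demo():
    """Replay constructed delivery attempts and return the decisions."""
    t0 = datetime(2021, 1, 1, 12, 0)
    g = Greylist(timedelta(hours=1), 7, whitelist={"192.0.2.10"})
    mta = ("198.51.100.7", "alice@example.org", "bob@example.net")
    bot = ("203.0.113.5", "promo@example.com", "bob@example.net")
    return [
        g.check(*mta, t0),                          # unknown sender: refused
        g.check(*mta, t0 + timedelta(minutes=10)),  # retried in time: accepted
        g.check(*mta, t0 + timedelta(days=2)),      # auto-whitelisted: accepted
        g.check(*bot, t0),                          # unknown sender: refused
        g.check(*bot, t0 + timedelta(hours=3)),     # retry after the window: refused
        g.check("192.0.2.10", "x@example.com", "bob@example.net", t0),  # whitelisted IP
    ]
```
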

2.2 Bayes Filter

The Bayes filter checks, on the basis of classified/evaluated words, whether an e-mail is a spam or a ham e-mail.

For the filter to work properly, it must be trained by the spam administrator. The administrator has to re-sort the misclassified mails into Spam and Ham. In this way the filter learns which words are typical for a spam e-mail.

fig. 2 Spam filter - Bayes filter setting

| field | description |
|---|---|
| Number of examined tokens | This number of words will be checked in the e-mail. The result will be considered by the threshold calculation. |
| Threshold value for spam mail | The calculated value lies in the range between 1 and 99. 1 shows a high probability for Ham and 99 shows a high probability for Spam. The value to divide Spam from Ham should be near the median. |
| Bias to define no spam | Multiplier for words in the Ham database. If there is much more Spam than Ham the values should be set to 1. |
| Threshold value number for spam calculation | How many times the word must appear in the mail to be considered in the calculation. |
| Minimum length of a token | Minimum number of characters a word must have to be considered in the calculation. |
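
How the five settings above can interact in a token-based Bayes filter, as an added Python example; it is not Securepoint's implementation. The scoring follows the well-known naive Bayes combination of the most significant tokens, and the class, parameter names and training mails are assumptions constructed for illustration.

```python
import math
import re
from collections import Counter

class BayesFilter:
    def __init__(self, examined_tokens=15, threshold=50, ham_bias=2,
                 min_count=1, min_len=3):
        self.examined_tokens, self.threshold = examined_tokens, threshold
        self.ham_bias, self.min_count, self.min_len = ham_bias, min_count, min_len
        self.seen = {"spam": Counter(), "ham": Counter()}  # mails containing a token
        self.mails = {"spam": 0, "ham": 0}

    def tokens(self, text):
        words = re.findall(r"[a-z0-9$'-]+", text.lower())
        return Counter(w for w in words if len(w) >= self.min_len)

    def train(self, text, label):   # administrator sorts a mail into "spam" or "ham"
        self.seen[label].update(self.tokens(text).keys())
        self.mails[label] += 1

    def token_prob(self, tok):
        bad = self.seen["spam"][tok]
        good = self.ham_bias * self.seen["ham"][tok]   # bias favours ham evidence
        if bad + good == 0:
            return None                                # unknown token: ignored
        p_spam = min(1.0, bad / max(1, self.mails["spam"]))
        p_ham = min(1.0, good / max(1, self.mails["ham"]))
        return min(0.99, max(0.01, p_spam / (p_spam + p_ham)))

    def score(self, text):          # 1 = almost certainly ham, 99 = spam
        probs = [self.token_prob(t) for t, n in self.tokens(text).items()
                 if n >= self.min_count]
        probs = sorted((p for p in probs if p is not None),
                       key=lambda p: abs(p - 0.5), reverse=True)[:self.examined_tokens]
        if not probs:
            return 50
        spam, ham = math.prod(probs), math.prod(1 - p for p in probs)
        return min(99, max(1, round(100 * spam / (spam + ham))))

def demo():
    f = BayesFilter()               # all mails below are constructed samples
    f.train("cheap pills, buy cheap pills online now", "spam")
    f.train("win money now, claim your prize online", "spam")
    f.train("meeting agenda for the project review on monday", "ham")
    f.train("please review the attached invoice for the project", "ham")
    missed = "exclusive crypto investment offer, review the project now"
    before = f.score(missed)
    f.train(missed, "spam")         # moved from the tab Ham to the tab Spam
    return before, f.score(missed)
```

The missed spam mail scores below the threshold until the administrator re-sorts it; after that single training step the same text scores above it.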

2.3 Regular Expressions

Regular expressions are used to search text based on patterns. Regular expressions are a powerful instrument to identify words or patterns of characters in a text.

The filter searches for the given pattern in different sections of the e-mail. If a match is found, the relevant email is classified as spam.

2.4 Friends

In this section you define e-mails which should be excluded from the Bayes filter. If virus scanning is activated, they will be checked for viruses anyway. You can also import a list which includes desired senders.

fig. 4 spam filter - fill friends list

You can define desired e-mails in four ways.

| field | desired e-mail … |
|---|---|
| Sender | … from sender with the given e-mail address |
| Recipient | … for the recipient with the given e-mail address |
| IP address | … from this IP address |
| Mailserver Hostname | |

3 Way of an e-mail through the spam filter

[Flow chart of an e-mail's way through the spam filter. Stages shown: MAIL, Relay-Blocking-List, Relaying, e-mail validation, Greylisting, Whitelist, Spam Milter, Friendslist, Regular Expressions, Bayes-Filter (Spam / Ham), virus checking, attachment checking, deliver, block. Decision labels: included in Blocking-List, no valid recipient address, not included in the Whitelist, repeated delivery, included in Friendslist, regular expression matches, virus found, forbidden attachment.]

4 The spam filter web interface

The spam administrator can use the spam filter web interface to check which e-mails were classified as spam or ham by the system. If he finds e-mails which are misclassified as spam, he can mark them as ham and resend them.

It is important to move unidentified spam mails from the ham section into the spam section to train the adaptive Bayes filter.

4.1 Requirements

The web interface is only available when the web server service is activated.

• To check the status of the web server, start the Securepoint Security Manager, click on the icon Applications and change to the tab Status of services.
• If the SERVICE_WEBSERVER is marked with an X, the service is not active.
• Activate the service by double-clicking on the X, or right-click on the X and choose Start service from the context menu.

You can access the spam filter web interface only from the internal net. If you want to grant the access from other networks, you have to create a rule for this.

• Start the Securepoint Security Manager and click on the icon Firewall. The firewall rules are listed on the tab Portfilter.
• Click on the icon New and create a new rule for access to the web interface from other networks.
• The required service is part of the services group administration.

fig. 7 Create a new rule to grant the access to the web interface from other networks

The web interface is only accessible for users who are members of the group spam filter administrator.

• Start the Securepoint Security Manager and click on the icon Authentication.
• To create a new user click on the icon New. To modify the membership of an existing user, mark the user and click on the icon Modify.
• Switch to the tab Group Membership and activate the checkbox Spam filter administrator.

4.2 Access the spam filter web interface

You can access the spam filter web interface by typing the following address into your web browser:

https://internal_IP_of_the_firewall:11115/spamfilter/

for example: https://192.168.175.1:11115/spamfilter/

At the first connection you will be asked whether you accept the certificate. Confirm this question.

Log on to the web interface with your user name and your password.

fig. 9 login dialog Mozilla Firefox

4.3 Spam filter interface overview

The e-mails are listed in order of time (the newest one first).

fig. 11 sections of the web interface

| section | description |
|---|---|
| 1 filter | With the filter you can sort the list by: Sender, Recipient, Subject, Country, Virus, Send, Unsent. For some criteria a pattern is needed. Insert the pattern in the input field. Execute the filter by clicking on Search. You can reset the selection by clicking on Reset. |
| 2 lines | The display shows 10 entries per page. You can vary the number of shown entries between 10 and 200. Enter the desired number into the input field and click on Apply. |
| 3 tabs | The display is divided into different sections. Ham shows desired e-mails. Spam shows undesired e-mails. Deleted shows e-mails that are deleted by the spam administrator. Statistics shows a diagram of ham and spam e-mails depending on the country of origin. Click on the tabs to change the view. |
| 4 action | You can choose an action (move, delete, resend) for all checked e-mails. With the checkbox all data on this page you can check or uncheck all e-mails shown on this page. The action will be executed when you click on Execute. |
| 5 navigation | With the input field and the button Execute you can jump directly to the entered page. With the buttons with the double arrows you can scroll through the pages. With the skip buttons you can jump to the first or to the last page. |
| 6 delete | With the button Delete you can delete all entries of the section. They will be moved to the Deleted tab. |

4.4 Column of the table

| name | description |
|---|---|
| first column | Clicking into the square marks the e-mail. Already marked e-mails will be unchecked if you click on the square again. |
| ID | Consecutive number of the e-mails. A click on the number shows details of the mail in a new dialog (fig. 12). |
| Type | Type of the e-mail. |
| Date | Date and time of the e-mail. |
| Bay | Probability of spam. Calculated by the Bayes filter. |
| CNTR | Country of origin of the e-mail. |
| Sender | Sender of the e-mail. |
| Recipient | Recipient of the e-mail. |
| Subject | Subject of the e-mail. |
| Virus | Shows if the e-mail includes a virus. |
| Action | Action you can execute on the respective mail. |
| Delete | Deletes the mail and moves it into the deleted folder. If you execute this command in the tab Deleted, the e-mail will be deleted irrevocably. |

4.5 Actions in the tab Ham

In the columns Action and Delete you can execute the following actions:

• Resends the e-mail.
• Moves the e-mail into the tab Spam.
• Moves the e-mail into the tab Deleted.

You can execute the following actions on checked mails:

• Resend (only SMTP): Resends the e-mail.
• Classify as spam and delete: Classifies the e-mail as spam and moves it into the tab Deleted.
• Classify as spam: Classifies the e-mail as spam and moves it into the tab Spam.

4.6 Actions in the tab Spam

In the columns Action and Delete you can execute the following actions:

• Moves the e-mail into the tab Ham.
• Moves the e-mail into the tab Deleted.

You can execute the following actions on checked mails:

• Classify as ham: Classifies the e-mail as ham and moves it into the tab Ham.
• Classify as ham and resend (only SMTP): Classifies the e-mail as ham, resends it and moves it into the tab Ham.
• Delete: Moves the e-mail into the tab Deleted.

4.7 Actions in the section Deleted

In the columns Action and Delete you can execute the following actions:

• Restores the e-mail and moves it into the respective tab.
• Deletes the e-mail irrevocably.

You can execute the following actions on checked mails:

• Restore: Restores the e-mail and moves it into the respective tab.
• Irrevocable delete: Deletes the e-mail irrevocably.

4.8 The section Statistics

In this section diagrams are generated which show from which country the most spam e-mails and ham e-mails were received.

The third diagram shows from which country virus e-mails were received. In the section Period you can set an interval. The smallest value is one day. The diagram is generated when you click on Execute. With the button Reset you reset the interval.
